Traefik only uses default certificate

I'm trying to set up my Traefik in my k8s cluster.
The issue is that Traefik will only use the default certificate.
No matter what I tried, it won't serve the other certificate that is in the TLSStore. This is how it is configured:

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: <name>
  namespace: <namespace>
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`subdomain.domain.com`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: <service>
          port: port
  tls:
    options:
      name: <tls_option_name>
      namespace: <namespace>
    store:
      name: <tls_store_name>
      namespace: <namespace>
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: <name>
  namespace: <namespace>
spec:
  entryPoints:
    - websecure
  routes:
    - match: HostRegexp(`subdomain.domain.com`) && PathPrefix(`/api.config.v1`)
      kind: Rule
      services:
        - name: <service>
          port: port
          scheme: h2c
  tls:
    options:
      name: <tls_option_name>
      namespace: <namespace>
    store:
      name: default  # this one is default now
      namespace: <namespace>
---

How can I use multiple certificates and not only the default one?

Did you read the post about cert-manager?

Yes, I did read it, but I don't use Let's Encrypt. I supply my own certificates using the tls.store and tls.option (the tls.option is for mTLS).

The funny thing is, when I make the default one the one I need, it works, but then all the other services under the wildcard won't show up, so I feel like the default one is the only one that works and the tls.store in my YAML is irrelevant. How can I fix that?

Hello @daniel-lu,

Only the default TLS store can be used for now, as described in a note:

Any store definition other than the default one (named default) will be ignored, and there is therefore only one globally available TLS store.

On top of that, the IngressRoute objects don't allow setting a TLS store.

In Kubernetes, you have two ways to set a TLS certificate:

  • In the IngressRoutes, using the option tls.secretName. Then you set the name of a secret in the same namespace as the IngressRoute.
  • Using a TLSStore where you set the list of the certificates you need. Both the TLS Store and the certificates must be defined in the same namespace (same namespace as Traefik, for example).
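
The two options from the answer above, written out as an added example that is not part of the original thread or of Traefik's own manifests. The namespaces (`traefik`, `apps`), secret names, service name, option name and port are constructed placeholders.

```yaml
# Added example; every name, namespace and port below is a constructed placeholder.
# Option 1: one TLSStore named "default" that lists every certificate.
# The Secrets (type kubernetes.io/tls) live in the same namespace as the TLSStore.
apiVersion: traefik.io/v1alpha1
kind: TLSStore
metadata:
  name: default            # any other store name is ignored
  namespace: traefik
spec:
  defaultCertificate:      # fallback when no listed certificate matches the SNI name
    secretName: wildcard-domain-com-tls
  certificates:            # matched against the client's SNI name
    - secretName: subdomain-domain-com-tls
---
# Option 2: reference the Secret directly from the IngressRoute.
# The Secret must be in the same namespace as the IngressRoute.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: subdomain-route
  namespace: apps
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`subdomain.domain.com`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: example-service
          port: 8080
  tls:
    secretName: subdomain-domain-com-tls   # replaces the tls.store block
    options:                               # TLSOption (for example mTLS) still applies
      name: mtls-options
      namespace: apps
```

To confirm which certificate is actually presented for a given name, `openssl s_client -connect <host>:443 -servername subdomain.domain.com` prints the served certificate's subject and issuer.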