Traefik Rancher Problem

Hello,

I use Traefik with Rancher, installed with a Helm chart, but I always get this error and don't know why.

time="2023-06-30T18:28:39Z" level=info msg="Configuration loaded from flags."
2023-06-30T18:28:43.392262621Z time="2023-06-30T18:28:43Z" level=error msg="Unable to obtain ACME certificate for domains "mohs-home.de,*.mohs-home.de"" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=netcup.acme routerName=websecure-local-nginx-mohs-home-de-nginx-mohs-home-de@kubernetes rule="Host(nginx.mohs-home.de) && PathPrefix(/)" error="cannot get ACME client get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get "https://acme-staging-v02.api.letsencrypt.org/directory\": tls: failed to verify certificate: x509: certificate is valid for 5d0f84413b92972e4be8765fa0e9ccba.93668c7f913dda4f2e55031c01600c84.traefik.default, not acme-staging-v02.api.letsencrypt.org"

Can anyone help me?
best regards Jan

I recommend adding the k8s tag to your post.

What are you trying to achieve? It seems you want to use wildcard certs. That only works with dnsChallenge.

I would interpret the error as LE is trying a tlsChallenge with Traefik, which delivers a custom Traefik cert.

Share your full Traefik static and dynamic config.
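An added example, not code from the thread: it parses a Traefik error line like the one above (the sample is that line with the nested-quote escaping restored) and reports which name the certificate presented when Traefik fetched the ACME directory, and whether that name is Traefik's own generated default certificate (hash.hash.traefik.default), as it is here.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the error line from the post above, with the backslash
# escaping of nested quotes that Traefik's log formatter emits restored.
SAMPLE_LOG = (
    'time="2023-06-30T18:28:43Z" level=error '
    'msg="Unable to obtain ACME certificate for domains \\"mohs-home.de,*.mohs-home.de\\"" '
    'ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" '
    'providerName=netcup.acme '
    'routerName=websecure-local-nginx-mohs-home-de-nginx-mohs-home-de@kubernetes '
    'error="cannot get ACME client get directory at '
    "'https://acme-staging-v02.api.letsencrypt.org/directory': "
    'Get \\"https://acme-staging-v02.api.letsencrypt.org/directory\\": '
    'tls: failed to verify certificate: x509: certificate is valid for '
    '5d0f84413b92972e4be8765fa0e9ccba.93668c7f913dda4f2e55031c01600c84.traefik.default, '
    'not acme-staging-v02.api.letsencrypt.org"'
)

# key=value fields: keys may contain spaces ("ACME CA"); quoted values use
# Go-style backslash escapes.
FIELD_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_ ]*?)=("(?:[^"\\]|\\.)*"|\S+)')
X509_RE = re.compile(r"x509: certificate is valid for (\S+?), not (\S+)")

def parse_logfmt(line):
    """Return the key/value fields of one Traefik log line, unescaped."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        fields[key] = raw
    return fields

def diagnose_acme_error(line):
    """Describe an x509 name mismatch while fetching the ACME directory, or None."""
    f = parse_logfmt(line)
    m = X509_RE.search(f.get("error", ""))
    if f.get("level") != "error" or not m:
        return None
    presented, expected = m.group(1), m.group(2)
    ca_host = urlparse(f.get("ACME CA", "")).hostname
    return {
        "resolver": f.get("providerName", "").split(".")[0],
        "expected": expected,
        "presented": presented,
        # Traefik's self-generated fallback cert is named <hash>.<hash>.traefik.default
        "served_by_traefik_default_cert": presented.endswith(".traefik.default"),
        "expected_matches_ca": ca_host == expected,
    }
```

If served_by_traefik_default_cert is true, the host Traefik reached for the ACME CA URL was answering with Traefik's own fallback certificate, so the first thing to check is what that CA hostname resolves to from inside the Traefik pod.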

traefik-config.yaml
http:
  middlewares:
    headers-default:
      headers:
        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https

traefik-helm-chart.yaml

additionalArguments:
  - --providers.file.filename=/data/traefik-config.yaml
  - --entrypoints.websecure.http.tls.certresolver=netcup
  - --entrypoints.websecure.http.tls.domains[0].main=mohs-home.de
  - --entrypoints.websecure.http.tls.domains[0].sans=*.mohs-home.de
  - --certificatesresolvers.netcup.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
  # comment the line above when going to production
  - --certificatesresolvers.netcup.acme.dnschallenge.provider=netcup
  - --certificatesresolvers.netcup.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
  - --certificatesresolvers.netcup.acme.storage=/certs/acme.json
  - --certificatesresolvers.netcup.acme.dnschallenge.delayBeforeCheck=600
  - --serversTransport.insecureSkipVerify=true
  # you will need to add an annotation to ingresses you create kubernetes.io/ingress.class traefik-external
  # otherwise it will not serve those requests
  - --providers.kubernetesingress.ingressclass=traefik-external
  #- --log.level=DEBUG

deployment:
  enabled: true
  # Number of pods of the deployment
  replicas: 1
  # Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
  annotations: {}
  # Additional pod annotations (e.g. for mesh injection or prometheus scraping)
  podAnnotations: {}
  # Additional containers (e.g. for metric offloading sidecars)
  additionalContainers: []
  # Additional initContainers (e.g. for setting file permission as shown below)
  initContainers:
    # The "volume-permissions" init container is required if you run into permission issues.
    # Related issue: https://github.com/containous/traefik/issues/6972
    - name: volume-permissions
      image: busybox:1.31.1
      command: ["sh", "-c", "chmod -Rv 600 /certs/*"]
      volumeMounts:
        - name: data
          mountPath: /certs
  # Custom pod DNS policy. Apply if `hostNetwork: true`
  # dnsPolicy: ClusterFirstWithHostNet

ports:
  web:
    redirectTo: websecure
env:
  - name: NETCUP_API_KEY # or CF_API_KEY, see for more details - https://doc.traefik.io/traefik/https/acme/#providers
    value: "xxx"
  - name: NETCUP_API_PASSWORD
    value: "xxx"
  - name: NETCUP_CUSTOMER_NUMBER
    value: "xxx"
ingressRoute:
  dashboard:
    enabled: true
persistence:
  enabled: true
  # make sure this claim already exists
  existingClaim: acme-json-certs
  accessMode: ReadWriteOnce
  size: 128Mi
  path: /certs
volumes:
  - mountPath: /data
    name: traefik-config
    type: configMap
# without this, ingress get stuck on initializing
providers:
  kubernetesCRD:
    enabled: true
    namespaces: []
  kubernetesIngress:
    enabled: true
    namespaces: []
    publishedService:
      enabled: true
rbac:
  enabled: true

service:
  enabled: true
  type: LoadBalancer
  # Additional annotations (e.g. for cloud provider specific config)
  annotations: {}
  # Additional service labels (e.g. for filtering Service by custom labels)
  labels: {}
  # Additional entries here will be added to the service spec. Cannot contain
  # type, selector or ports entries.
  spec:
    # externalTrafficPolicy: Cluster
    # loadBalancerIP: "192.168.100.231" # this should be your Metal LB IP
    # clusterIP: "2.3.4.5"
  loadBalancerSourceRanges: []
    # - 192.168.0.1/32
    # - 172.16.0.0/16
  externalIPs: []
    # - 1.2.3.4

# securityContext:
#   capabilities:
#     drop: [ALL]
#   readOnlyRootFilesystem: false
#   runAsGroup: 65532
#   runAsNonRoot: true
#   runAsUser: 65532

# podSecurityContext:
#   fsGroup: 65532

Yes, I want to use the DNS challenge with netcup, and yes, I want to use a wildcard cert.

best regards Jan