Traefik returning wrong certificate

Hi

I've got the following setup:

  • 3 mgmt nodes
  • 2 worker nodes
  • all nodes have privately signed certs provided by my client's company CA system
  • none of the certs have SANs

When hitting the dashboard, I'll get an invalid cert error on my browser on every 3rd refresh. The browser is telling me that the cert is from one of the mgmt nodes (the same one). The same problem occurs when hitting the dashboard on the worker nodes.

The same problem happens when I deploy a goofy whoami stack, so it isn't strictly related to the dashboard. Every 3rd refresh gives me a cert error because traefik is using the mgmt cert instead of the node's cert.

Any ideas?

Thanks!

swarm deploy

version: "3.6"

services:
  traefik:
    image: traefik:v2.2
    command:
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=false
      - --api=true
      - --providers.file.directory=/providers
      - --providers.file.watch=true
      - --log.level=DEBUG
      - --log.filePath=/var/log/traefik.log
    networks:
      - traefik
    ports:
      - 7080:80
      - 7443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/certs:/etc/certs:ro
      - /var/log:/var/log
    deploy:
      mode: global
      placement:
        constraints:
          - node.role == manager
      labels:
        - traefik.enable=true
        - traefik.http.routers.traefik.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)
        - traefik.http.routers.traefik.entrypoints=websecure
        - traefik.http.routers.traefik.tls=true
        - traefik.http.routers.traefik.service=api@internal
        - traefik.http.services.dummy-svc.loadbalancer.server.port=9999
      configs:
        - source: traefik-local-certs
          target: /providers/local-certs.toml

networks:
  traefik:
    external: true

local-certs.toml

[tls]
  # mgmt
  [[tls.certificates]]
    certFile = "/etc/certs/server.cer"
    keyFile = "/etc/certs/server.key"

  # worker 1
  [[tls.certificates]]
    certFile = "/etc/certs/server-w-1.cer"
    keyFile = "/etc/certs/server-w-1.key"

  # worker 2
  [[tls.certificates]]
    certFile = "/etc/certs/server-w-2.cer"
    keyFile = "/etc/certs/server-w-2.key"

  [tls.options]
    [tls.options.default]
      minVersion = "VersionTLS12"

  [tls.stores]
    [tls.stores.default]
      [tls.stores.default.defaultCertificate]
        # mgmt
        certFile = "/etc/certs/server.cer"
        keyFile  = "/etc/certs/server.key"

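For reasoning about which of the three certs Traefik hands out for a given request, the Go below is an added example (not code from this thread or from Traefik itself) that models, as I read it, how the Traefik v2 certificate store keys and selects certificates: CN plus DNS SANs, lowercased; an empty SNI replaced by the listener's IP; fallback to the default certificate. Wildcard matching is left out, and the hostnames, the `10.0.0.x` address and the `cnOnly` helper are constructed stand-ins for the certs in local-certs.toml.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"strings"
)

// certKey derives the lookup key Traefik v2 builds from a parsed leaf cert: CN first,
// then DNS SANs differing from it, lowercased and comma-joined. No SANs => exact CN only.
func certKey(c *x509.Certificate) string {
	names := []string{}
	if cn := c.Subject.CommonName; cn != "" {
		names = append(names, strings.ToLower(cn))
	}
	for _, d := range c.DNSNames {
		if d != c.Subject.CommonName {
			names = append(names, strings.ToLower(d))
		}
	}
	return strings.Join(names, ",")
}

// indexCerts maps every name of every loaded certificate to that certificate's key.
func indexCerts(certs ...*x509.Certificate) map[string]string {
	byName := map[string]string{}
	for _, c := range certs {
		for _, n := range strings.Split(certKey(c), ",") {
			byName[n] = certKey(c)
		}
	}
	return byName
}

// selectCert returns the key of the cert served to a client; defaultKey is the one
// configured as tls.stores.default.defaultCertificate. An empty SNI (client connected
// by IP) is replaced by the listener's IP, as Traefik does. Exact names only; Traefik
// also honours wildcard SANs. ok=false: nothing matched, the default cert was served.
func selectCert(byName map[string]string, defaultKey, sni, localIP string) (key string, ok bool) {
	name := strings.ToLower(strings.TrimSpace(sni))
	if name == "" {
		name = localIP
	}
	if key, ok = byName[name]; ok {
		return key, true
	}
	return defaultKey, false
}

// cnOnly is a constructed stand-in for a CA-issued cert with a CN but no SANs.
func cnOnly(cn string) *x509.Certificate { return &x509.Certificate{Subject: pkix.Name{CommonName: cn}} }
```

With CN-only certs, a browser URL using a short hostname or an IP address matches nothing and receives the defaultCertificate, i.e. the mgmt cert.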
Anyone have any ideas?

Still struggling to get this to work...

Hey,

Are you sure that your manager nodes all have access to the same files and stuff?