Traefik serve default traefik cert on non existent router

hilne · December 14, 2021, 3:34pm

HI,
I use traefik v2 with DNSchallenge and wildcard domain like all my docker routers exposed have the same wildcard domain.
For theses routers, all work well but when I curl a non existent router, I get default traefik cert with 404 not found

curl -ks https://<REPLACED>:443 -vvv
*   Trying <REPLACED>:443...
* TCP_NODELAY set
* Connected to <REPLACED> (<REPLACED>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=TRAEFIK DEFAULT CERT
*  start date: Dec 14 14:43:25 2021 GMT
*  expire date: Dec 14 14:43:25 2022 GMT
*  issuer: CN=TRAEFIK DEFAULT CERT
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55b70e814e30)
> GET / HTTP/2
> Host: <REPLACED>
> user-agent: curl/7.68.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 404 
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< content-length: 19
< date: Tue, 14 Dec 2021 15:05:16 GMT
< 
404 page not found

Is it a security problem, maybe leak of information ? (traefik version ? )
Could I block the connection for non existent router, this way I wont serve a cert for TLS connection ?
Or maybe it's the default behavior of traefik and it's ok :).

Thanks for your time.

Best regards.

Topic		Replies	Views
Wildcard certificate not used despite being correct Traefik v2 (latest) docker	7	1375	November 9, 2023
Configuring Cert SSL Wildcard Docker got me 404 page not found Traefik v2 (latest) docker	0	593	April 21, 2021
Docker, Traefik v2, SSL cannot set default cert Traefik v2 (latest) docker	2	578	October 15, 2019
TLS handshake error - unknown certificate Traefik v2 (latest) docker-swarm	6	29787	April 25, 2020
Remote error: tls: unknown certificate Traefik v2 (latest) docker	3	1813	November 9, 2023

Traefik serve default traefik cert on non existent router

Related Topics