Traefik SSL Let's Encrypt in Kubernetes Ingress

Hi!
I'm testing in the Google Cloud. I tried to use Traefik as Ingress Controller. I followed:

kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default

helm install --namespace kube-system --name traefik --values traefik-helm1-6.yml stable/traefik

With this config (traefik-helm1-6.yml ):

imageTag: 1.6
ssl:
    enabled: true
    enforced: true
acme:
    enabled: true
    email: "xxxxx@gmail.com"
    staging: false
    # nested key: the dotted form is only understood by helm --set, not in a values file
    persistence:
        enabled: true
    challengeType: http-01
dashboard:
    enabled: true
    domain: "xxxx.org"

But when I access the dashboard or a service of the whoami pod, it shows as insecure, and taking a look at the cert, it shows that it is issued by and for the domain: *.example.com

And in the logs of the Traefik pod:

{"level":"error","msg":"Unable to obtain ACME certificate for domains \"xxxx.org\" detected thanks to rule \"Host:xxxx.org\" : cannot obtain certificates: acme: Error -\u003e One or more domains had a problem:\n[xxxx.org] acme: Error 400 - urn:ietf:params:acme:error:connection - Fetching http://xxxx.org/.well-known/acme-challenge/4u9zRDHQrEiPQM57WYPMbZg6k2_fKKGZZCrdGXTZFA8: Timeout during connect (likely firewall problem)\n","time":"2019-09-24T09:53:33Z"}

I've been looking for answers but found nothing; the documentation doesn't help much. Anything helps!! Thanks!

You likely need to open the port in your firewall.
Go to https://console.cloud.google.com/networking/firewalls and create a rule that will allow access on ports 80 and 443 for the nodes traefik is running on. Save it, and restart traefik.

However, I will say this. Helm is likely abstracting away too many of the details, and you aren't going to get a lot of insight. By writing out the deployment or daemonset object yourself you will find a lot of options you can enable/disable to help you understand WHY an error happens and how to mitigate it in the future. As someone who struggled with this exact topic, I couldn't recommend rolling your own more!

Also, DNS challenge is something to look into...
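
An added example, not part of the thread and not Traefik's own code: a Python helper that triages log lines like the one in the question. It extracts the failed domain, the ACME error type (RFC 8555, section 6.7) and the challenge URL from Traefik's JSON log, then maps the type to a first thing to check; the hint wording and the sample token are constructed for illustration.

```python
import json
import re

# First checks keyed by the last component of the ACME error URN (RFC 8555, section 6.7).
HINTS = {
    "connection": "CA could not connect: check firewall rules and that port 80 reaches Traefik",
    "dns": "CA's DNS query failed: check the domain's A/AAAA records",
    "caa": "a CAA record forbids this CA from issuing",
    "rateLimited": "CA rate limit exceeded: set acme.staging to true while debugging",
}
PER_DOMAIN = re.compile(
    r"\[(?P<domain>[^\]]+)\] acme: Error (?P<status>\d{3}) - "
    r"urn:ietf:params:acme:error:(?P<type>\w+) - (?P<detail>[^\n]*)"
)
CHALLENGE_URL = re.compile(r"https?://\S+/\.well-known/acme-challenge/[\w-]+")

# Constructed sample: same shape as the log line in the question, token replaced.
SAMPLE = (
    r'{"level":"error","msg":"Unable to obtain ACME certificate for domains '
    r'\"xxxx.org\" detected thanks to rule \"Host:xxxx.org\" : cannot obtain '
    r'certificates: acme: Error -\u003e One or more domains had a problem:\n'
    r'[xxxx.org] acme: Error 400 - urn:ietf:params:acme:error:connection - '
    r'Fetching http://xxxx.org/.well-known/acme-challenge/CONSTRUCTED_TOKEN: '
    r'Timeout during connect (likely firewall problem)\n","time":"2019-09-24T09:53:33Z"}'
)

def triage(log_line):
    """Return one finding per failed domain in a Traefik JSON log line."""
    try:
        entry = json.loads(log_line)
    except json.JSONDecodeError:
        return []  # not a JSON log line
    if not isinstance(entry, dict) or entry.get("level") != "error":
        return []
    findings = []
    for m in PER_DOMAIN.finditer(str(entry.get("msg", ""))):
        url = CHALLENGE_URL.search(m["detail"])
        findings.append({
            "time": entry.get("time"),
            "domain": m["domain"],
            "status": int(m["status"]),
            "type": m["type"],
            "challenge_url": url.group(0) if url else None,
            "hint": HINTS.get(m["type"], "see RFC 8555 section 6.7"),
        })
    return findings

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Piping the Traefik pod's log lines through `triage` gives one finding per failed domain; a `connection` type, as in the question, points at reachability of port 80 rather than at the ACME settings.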

Hello @redxlus,

What version of the helm chart are you using?

The helm chart hasn't supported Traefik 1.6 for a long time. I would be extremely hesitant to be using a version of Traefik that is ~20 versions older than current, especially to start off with. The chart may not be compatible with the older version of Traefik.

I would advise using the stable version of Traefik that is specified in the default for your chart version.
