Traefik v2.4 Pebble root certificate authority file transfer options

mstaicu · November 12, 2021, 5:02pm

I'm trying to understand what are the available options of working in an ephemeral environment when it comes to sharing a root certificate authority file, mainly running a single node k8s cluster where I have traefik and pebble running and I want to be able to spin up pebble countless times. Obviously this will recreate the root certificate authority and I will have to update my traefik instance every single time. Is there a better way of doing this? Pebble exposes a URL path for getting the root CA, but I'm not sure that traefik's LEGO ACME client can be instructed to fetch it from there. Is this even a good idea?

For more details, I have my entire context written here

github.com/traefik/traefik

Traefik:v2.4 with letsencrypt/pebble

opened 02:14PM - 12 Nov 21 UTC

closed 03:23PM - 12 Nov 21 UTC

mstaicu

kind/question

### Welcome! - [X] Yes, I've searched similar issues on [GitHub](https://gith…ub.com/traefik/traefik/issues) and didn't find any. - [X] Yes, I've searched similar issues on the [Traefik community forum](https://community.containo.us) and didn't find any. ### What did you do? Running a single node, local k8s cluster, with all resources in the same namespace, trying to get `traefik` to talk to `letsencrypt/pebble` to automate the certificate issuance in order to have a local development setup that runs over TLS, but I cannot get `traefik` to get the CA root certificates with which `pebble` signs its own leaf certificates and the newly requested certificates via ACME clients, such as `lego` which is part of `traefik` AFAIK ( if this is not the case, I apologies ) I also mention that I was led to believe that you can instruct `traefik` to reach out via HTTP and update its root CA store by using the two environment variables. Note that I have no other ideas on how a pod would reach out to another pod and get the root CA from there ### What did you see instead? There's a 50:50 changes that either I might have missed the relevant documentation, or `traefik`'s documentation is incomplete with regards to this aspect. I get an error when using these two environment variables with `traefik` The logs: ``` time="2021-11-12T14:13:17Z" level=error msg="Error in Go routine: error reading LEGO_CA_CERTIFICATES=\"/test/certs/pebble.minica.pem\": open /test/certs/pebble.minica.pem: no such file or directory" time="2021-11-12T14:13:17Z" level=error msg="Stack: goroutine 237 [running]:\nruntime/debug.Stack(0xc0000ee000, 0x343d39a, 0x17)\n\t/usr/local/golang/1.10.8/go/src/runtime/debug/stack.go:24 +0x9f\ngithub.com/traefik/traefik/v2/pkg/safe.defaultRecoverGoroutine(0x2d182e0, 0xc0008f6080)\n\t/home/semaphore/go/src/github.com/traefik/traefik/pkg/safe/routine.go:66 +0xb4\ngithub.com/traefik/traefik/v2/pkg/safe.GoWithRecover.func1.1(0x3558ca8)\n\t/home/semaphore/go/src/github.com/traefik/traefik/pkg/safe/routine.go:56 +0x5a\npanic(0x2d182e0, 0xc0008f6080)\n\t/usr/local/golang/1.10.8/go/src/runtime/panic.go:965 +0x1b9\ngithub.com/go-acme/lego/v4/lego.initCertPool(0x3430059)\n\t/home/semaphore/go/pkg/mod/github.com/go-acme/lego/v4@v4.4.0/lego/client_config.go:93 +0x3a5\ngithub.com/go-acme/lego/v4/lego.createDefaultHTTPClient(0xc0005c0540)\n\t/home/semaphore/go/pkg/mod/github.com/go-acme/lego/v4@v4.4.0/lego/client_config.go:78 +0x53\ngithub.com/go-acme/lego/v4/lego.NewConfig(...)\n\t/home/semaphore/go/pkg/mod/github.com/go-acme/lego/v4@v4.4.0/lego/client_config.go:49\ngithub.com/traefik/traefik/v2/pkg/provider/acme.(*Provider).getClient(0xc00004c3c0, 0x0, 0x0, 0x0)\n\t/home/semaphore/go/src/github.com/traefik/traefik/pkg/provider/acme/provider.go:232 +0x32a\ngithub.com/traefik/traefik/v2/pkg/provider/acme.(*Provider).resolveCertificate(0xc00004c3c0, 0x399b060, 0xc0009fc2a0, 0xc0003fd710, 0x9, 0x0, 0x0, 0x0, 0x3408d6e, 0x7, ...)\n\t/home/semaphore/go/src/github.com/traefik/traefik/pkg/provider/acme/provider.go:472 +0x2b6\ngithub.com/traefik/traefik/v2/pkg/provider/acme.(*Provider).watchNewDomains.func1.2()\n\t/home/semaphore/go/src/github.com/traefik/traefik/pkg/provider/acme/provider.go:433 +0xc5\ngithub.com/traefik/traefik/v2/pkg/safe.GoWithRecover.func1(0x3558ca8, 0xc0008fc500)\n\t/home/semaphore/go/src/github.com/traefik/traefik/pkg/safe/routine.go:59 +0x4f\ncreated by github.com/traefik/traefik/v2/pkg/safe.GoWithRecover\n\t/home/semaphore/go/src/github.com/traefik/traefik/pkg/safe/routine.go:53 +0x49\n" ``` So, how does one use the `LEGO_CA_SERVER_NAME` and `LEGO_CA_CERTIFICATES`? ### What version of Traefik are you using? ``` Version: 2.4.14 Codename: livarot Go version: go1.16.7 Built: 2021-08-16T15:29:25Z OS/Arch: linux/amd64 ``` ### What is your environment & configuration? `traefik`'s deployment ```yaml apiVersion: apps/v1 kind: Deployment metadata: name: traefik-depl spec: replicas: 1 selector: matchLabels: app: traefik template: metadata: labels: app: traefik spec: serviceAccountName: traefik-ingress-controller containers: - name: traefik image: traefik:v2.4 env: - name: LEGO_CA_SERVER_NAME value: pebble - name: LEGO_CA_CERTIFICATES value: /test/certs/pebble.minica.pem args: - --api=true - --api.dashboard=true - --accesslog - --entrypoints.http.address=:80 - --entrypoints.https.address=:443 # # Email address used for registration. # # Required # - --certificatesresolvers.le.acme.email=stuff@gmail.com # # Use a HTTP-01 ACME challenge. # # Optional (but recommended) # - --certificatesresolvers.le.acme.httpchallenge=true # # EntryPoint to use for the HTTP-01 challenges. # # Required # - --certificatesresolvers.le.acme.httpchallenge.entrypoint=http # - --certificatesresolvers.le.acme.caserver=https://pebble/dir - --providers.kubernetescrd --- apiVersion: v1 kind: Service metadata: name: traefik-srv spec: type: ClusterIP selector: app: traefik ports: - name: http protocol: TCP port: 80 targetPort: 80 --- apiVersion: v1 kind: Service metadata: name: traefik-lb-srv spec: type: LoadBalancer selector: app: traefik ports: - name: http protocol: TCP port: 80 targetPort: 80 - name: https protocol: TCP port: 443 targetPort: 443 --- apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: client-ingress-route-https spec: entryPoints: - https routes: - match: Host(`ticketing`) kind: Rule services: - name: client-srv port: 3000 tls: certResolver: le domains: - main: ticketing ``` `pebble`'s deployment ```yaml apiVersion: apps/v1 kind: Deployment metadata: name: pebble-depl spec: replicas: 1 selector: matchLabels: app: pebble template: metadata: labels: app: pebble spec: containers: - name: pebble image: letsencrypt/pebble env: # https://github.com/letsencrypt/pebble#testing-at-full-speed - name: PEBBLE_VA_NOSLEEP value: "1" # https://github.com/letsencrypt/pebble#skipping-validation - name: PEBBLE_VA_ALWAYS_VALID value: "1" --- apiVersion: v1 kind: Service metadata: name: pebble-srv spec: type: ClusterIP selector: app: pebble ports: - name: pebble-http-api protocol: TCP port: 80 targetPort: 14000 - name: pebble-https-api protocol: TCP port: 443 targetPort: 14000 ``` ### If applicable, please paste the log output in DEBUG level _No response_

Topic		Replies	Views
Injecting custom certificate authority certificates for internal ACME server? Traefik v2 (latest) kubernetes-ingress , letsencrypt-acme	4	1942	September 29, 2022
Let's Encrypt x509: certificate signed by unknown authority Traefik v2 (latest) docker , letsencrypt-acme	14	6681	January 19, 2022
How to provide intermediate and root cert Traefik v2 (latest) letsencrypt-acme	3	2793	April 18, 2022
Design Patterns for Certificate Handling at Scale? Traefik v2 (latest) letsencrypt-acme	0	432	May 31, 2020
Unable to access automatically generated certificates from deployment/pod Traefik v2 (latest) file , letsencrypt-acme	1	370	September 23, 2020

Traefik v2.4 Pebble root certificate authority file transfer options

Related Topics