mstaicu
November 12, 2021, 5:02pm
1
I'm trying to understand what the available options are for working in an ephemeral environment when it comes to sharing a root certificate authority file, mainly running a single node k8s cluster where I have traefik and pebble running and I want to be able to spin up pebble countless times. Obviously this will recreate the root certificate authority and I will have to update my traefik instance every single time. Is there a better way of doing this? Pebble exposes a URL path for getting the root CA, but I'm not sure that traefik's LEGO ACME client can be instructed to fetch it from there. Is this even a good idea?
For more details, I have my entire context written here
opened 02:14PM - 12 Nov 21 UTC
closed 03:23PM - 12 Nov 21 UTC
kind/question
### Welcome!
- [X] Yes, I've searched similar issues on [GitHub](https://github.com/traefik/traefik/issues) and didn't find any.
- [X] Yes, I've searched similar issues on the [Traefik community forum](https://community.containo.us) and didn't find any.
### What did you do?
Running a single node, local k8s cluster, with all resources in the same namespace, trying to get `traefik` to talk to `letsencrypt/pebble` to automate the certificate issuance in order to have a local development setup that runs over TLS, but I cannot get `traefik` to get the CA root certificates with which `pebble` signs its own leaf certificates and the newly requested certificates via ACME clients, such as `lego` which is part of `traefik` AFAIK (if this is not the case, I apologize).
I also mention that I was led to believe that you can instruct `traefik` to reach out via HTTP and update its root CA store by using the two environment variables. Note that I have no other ideas on how a pod would reach out to another pod and get the root CA from there
### What did you see instead?
There's a 50:50 chance that either I might have missed the relevant documentation, or `traefik`'s documentation is incomplete with regards to this aspect. I get an error when using these two environment variables with `traefik`.
The logs:
```
time="2021-11-12T14:13:17Z" level=error msg="Error in Go routine: error reading LEGO_CA_CERTIFICATES=\"/test/certs/pebble.minica.pem\": open /test/certs/pebble.minica.pem: no such file or directory"
time="2021-11-12T14:13:17Z" level=error msg="Stack: goroutine 237 [running]:\nruntime/debug.Stack(0xc0000ee000, 0x343d39a, 0x17)\n\t/usr/local/golang/1.10.8/go/src/runtime/debug/stack.go:24 +0x9f\ngithub.com/traefik/traefik/v2/pkg/safe.defaultRecoverGoroutine(0x2d182e0, 0xc0008f6080)\n\t/home/semaphore/go/src/github.com/traefik/traefik/pkg/safe/routine.go:66 +0xb4\ngithub.com/traefik/traefik/v2/pkg/safe.GoWithRecover.func1.1(0x3558ca8)\n\t/home/semaphore/go/src/github.com/traefik/traefik/pkg/safe/routine.go:56 +0x5a\npanic(0x2d182e0, 0xc0008f6080)\n\t/usr/local/golang/1.10.8/go/src/runtime/panic.go:965 +0x1b9\ngithub.com/go-acme/lego/v4/lego.initCertPool(0x3430059)\n\t/home/semaphore/go/pkg/mod/github.com/go-acme/lego/v4@v4.4.0/lego/client_config.go:93 +0x3a5\ngithub.com/go-acme/lego/v4/lego.createDefaultHTTPClient(0xc0005c0540)\n\t/home/semaphore/go/pkg/mod/github.com/go-acme/lego/v4@v4.4.0/lego/client_config.go:78 +0x53\ngithub.com/go-acme/lego/v4/lego.NewConfig(...)\n\t/home/semaphore/go/pkg/mod/github.com/go-acme/lego/v4@v4.4.0/lego/client_config.go:49\ngithub.com/traefik/traefik/v2/pkg/provider/acme.(*Provider).getClient(0xc00004c3c0, 0x0, 0x0, 0x0)\n\t/home/semaphore/go/src/github.com/traefik/traefik/pkg/provider/acme/provider.go:232 +0x32a\ngithub.com/traefik/traefik/v2/pkg/provider/acme.(*Provider).resolveCertificate(0xc00004c3c0, 0x399b060, 0xc0009fc2a0, 0xc0003fd710, 0x9, 0x0, 0x0, 0x0, 0x3408d6e, 0x7, ...)\n\t/home/semaphore/go/src/github.com/traefik/traefik/pkg/provider/acme/provider.go:472 +0x2b6\ngithub.com/traefik/traefik/v2/pkg/provider/acme.(*Provider).watchNewDomains.func1.2()\n\t/home/semaphore/go/src/github.com/traefik/traefik/pkg/provider/acme/provider.go:433 +0xc5\ngithub.com/traefik/traefik/v2/pkg/safe.GoWithRecover.func1(0x3558ca8, 0xc0008fc500)\n\t/home/semaphore/go/src/github.com/traefik/traefik/pkg/safe/routine.go:59 +0x4f\ncreated by github.com/traefik/traefik/v2/pkg/safe.GoWithRecover\n\t/home/semaphore/go/src/github.com/traefik/traefik/pkg/safe/routine.go:53 +0x49\n"
```
So, how does one use the `LEGO_CA_SERVER_NAME` and `LEGO_CA_CERTIFICATES`?
### What version of Traefik are you using?
```
Version: 2.4.14
Codename: livarot
Go version: go1.16.7
Built: 2021-08-16T15:29:25Z
OS/Arch: linux/amd64
```
### What is your environment & configuration?
`traefik`'s deployment
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-depl
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: traefik:v2.4
          env:
            - name: LEGO_CA_SERVER_NAME
              value: pebble
            - name: LEGO_CA_CERTIFICATES
              value: /test/certs/pebble.minica.pem
          args:
            - --api=true
            - --api.dashboard=true
            - --accesslog
            - --entrypoints.http.address=:80
            - --entrypoints.https.address=:443
            #
            # Email address used for registration.
            #
            # Required
            #
            - --certificatesresolvers.le.acme.email=stuff@gmail.com
            #
            # Use an HTTP-01 ACME challenge.
            #
            # Optional (but recommended)
            #
            - --certificatesresolvers.le.acme.httpchallenge=true
            #
            # EntryPoint to use for the HTTP-01 challenges.
            #
            # Required
            #
            - --certificatesresolvers.le.acme.httpchallenge.entrypoint=http
            #
            - --certificatesresolvers.le.acme.caserver=https://pebble/dir
            - --providers.kubernetescrd
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-srv
spec:
  type: ClusterIP
  selector:
    app: traefik
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-lb-srv
spec:
  type: LoadBalancer
  selector:
    app: traefik
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: client-ingress-route-https
spec:
  entryPoints:
    - https
  routes:
    - match: Host(`ticketing`)
      kind: Rule
      services:
        - name: client-srv
          port: 3000
  tls:
    certResolver: le
    domains:
      - main: ticketing
```
`pebble`'s deployment
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pebble-depl
spec:
  replicas: 1
  selector:
    matchLabels:
      app: pebble
  template:
    metadata:
      labels:
        app: pebble
    spec:
      containers:
        - name: pebble
          image: letsencrypt/pebble
          env:
            # https://github.com/letsencrypt/pebble#testing-at-full-speed
            - name: PEBBLE_VA_NOSLEEP
              value: "1"
            # https://github.com/letsencrypt/pebble#skipping-validation
            - name: PEBBLE_VA_ALWAYS_VALID
              value: "1"
---
apiVersion: v1
kind: Service
metadata:
  name: pebble-srv
spec:
  type: ClusterIP
  selector:
    app: pebble
  ports:
    - name: pebble-http-api
      protocol: TCP
      port: 80
      targetPort: 14000
    - name: pebble-https-api
      protocol: TCP
      port: 443
      targetPort: 14000
```
### If applicable, please paste the log output in DEBUG level
_No response_
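The `no such file or directory` error above comes from the `LEGO_CA_CERTIFICATES` path existing only inside the `letsencrypt/pebble` image, not in the `traefik` container; `pebble.minica.pem` is the static CA for Pebble's HTTPS listener (what LEGO must trust to reach `https://pebble/dir`), so it does not change when Pebble is restarted. As an added example that is not part of the original post, this Deployment excerpt copies that file out of the Pebble image with an init container into an `emptyDir` shared with Traefik; it assumes the Pebble image ships `/test/certs/pebble.minica.pem` and a POSIX `cp`, and that `pebble` is a SAN on Pebble's listener certificate.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-depl
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      volumes:
        # Scratch volume that lives as long as the pod; holds only a public CA cert.
        - name: pebble-ca
          emptyDir: {}
      initContainers:
        # Assumption: the Pebble image contains /test/certs/pebble.minica.pem
        # (the CA that signs Pebble's own HTTPS listener certificate).
        - name: copy-pebble-ca
          image: letsencrypt/pebble
          command: ["cp", "/test/certs/pebble.minica.pem", "/certs/pebble.minica.pem"]
          volumeMounts:
            - name: pebble-ca
              mountPath: /certs
      containers:
        - name: traefik
          image: traefik:v2.4
          volumeMounts:
            - name: pebble-ca
              mountPath: /test/certs
              readOnly: true
          env:
            # Hostname LEGO expects in the ACME server's certificate (assumed SAN).
            - name: LEGO_CA_SERVER_NAME
              value: pebble
            # Now resolves inside the traefik container instead of failing at startup.
            - name: LEGO_CA_CERTIFICATES
              value: /test/certs/pebble.minica.pem
          args:
            - --entrypoints.http.address=:80
            - --entrypoints.https.address=:443
            - --certificatesresolvers.le.acme.email=stuff@gmail.com
            - --certificatesresolvers.le.acme.httpchallenge=true
            - --certificatesresolvers.le.acme.httpchallenge.entrypoint=http
            - --certificatesresolvers.le.acme.caserver=https://pebble/dir
            - --providers.kubernetescrd
```

The per-start issuing root that Pebble regenerates is a separate certificate; it is what browsers or other clients of the issued leaf certificates need to trust, not Traefik's ACME client.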