Traefik's default TLS certificate instead of one from secret

Hello,

I can't figure out why Traefik doesn't serve a certificate from a secret as configured in the IngressRoute manifest. Traefik serves its default certificate instead.

Here is the IngressRoute manifest:

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: test-nginx
  namespace: test
  annotations: 
    kubernetes.io/ingress.class: traefik-external
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`10.1.0.71`)
      kind: Rule
      services:
        - name: test-nginx
          port: 80
  tls:
    secretName: admin-local-tls

The secret exists in the same namespace; here is the description from kubectl:

$ kubectl get secret admin-local-tls -n test -o yaml
apiVersion: v1
data:
  ca.crt: LS0t....
  tls.crt: LS0tL.....
  tls.key: LS0tLS1CRUdJT.....
kind: Secret
metadata:
  annotations:
    cert-manager.io/alt-names: 10.1.0.71
    cert-manager.io/certificate-name: admin-local
    cert-manager.io/common-name: 10.1.0.70
    cert-manager.io/ip-sans: 10.1.0.71
    cert-manager.io/issuer-group: ""
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: vault-cluster-issuer
    cert-manager.io/uri-sans: ""
  creationTimestamp: "2024-06-06T09:18:10Z"
  labels:
    controller.cert-manager.io/fao: "true"
  name: admin-local-tls
  namespace: test
  resourceVersion: "11426168"
  uid: 210f0e72-90ea-46a8-9a96-267d2e07a59d
type: kubernetes.io/tls

Why doesn't Traefik use it?

P.S. I already did a hard refresh with the cache cleared in the browser; still Traefik's own default certificate.

P.P.S. If I switch to the HTTP protocol (entryPoints: [web] and remove tls), then everything works: the web page opens, so the routing itself works.

EDIT:
I also checked the certificate in the secret for CN and SANs, it seems to be valid:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            33:17:74:6f:rest omitted
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = D......
        Validity
            Not Before: Jun  6 09:24:30 2024 GMT
            Not After : Sep  4 09:25:00 2024 GMT
        Subject: CN = 10.1.0.70
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ab:c8:rest omitted
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                E2:00:E8:B6:rest omitted
            X509v3 Authority Key Identifier: 
                46:CD:B6:41:rest omitted
            Authority Information Access: 
                CA Issuers - URI:http://omitted
            X509v3 Subject Alternative Name: 
                DNS:10.1.0.71, IP Address:10.1.0.71
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://omitted
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        9d:a7:c6:rest omitted

So, there is a line X509v3 Subject Alternative Name with the value DNS:10.1.0.71, IP Address:10.1.0.71, and therefore I expect that the certificate matches the configuration of the IngressRoute and that Traefik should use it (and not use its own default cert from the store).

1 Like

As of now (June 2024), the certificate lookup is based only on the serverName (see Traefik provides default TLS certificate instead of one from a secret · Issue #10793 · traefik/traefik · GitHub)

1 Like
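To make the serverName-only lookup from the answer concrete, here is a small added model (example code, not Traefik's own source or anything from this thread) of how a serving certificate gets picked: a standards-compliant client never sends an IP literal in SNI (RFC 6066), so a request to https://10.1.0.71 arrives with no serverName and falls through to the default certificate no matter what SANs the secret's certificate carries. The store contents, the `admin-hostname-tls` entry and the simplified wildcard matching are assumptions for illustration.

```python
"""Simplified model of SNI-based certificate selection (added example)."""
import ipaddress
from typing import Dict, List, Optional


def sni_sent_by_client(url_host: str) -> Optional[str]:
    """Return the serverName a compliant client sends for a URL host.

    RFC 6066 forbids IP literals in the SNI HostName, so browsers and curl
    omit the extension entirely when the URL host is an IP address.
    """
    host = url_host.strip("[]")  # IPv6 literals appear as [::1] in URLs
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        return host.lower().rstrip(".")


def san_matches(san: str, server_name: str) -> bool:
    """Match one DNS SAN against a serverName; one leading wildcard label only."""
    san = san.lower()
    if san.startswith("*."):
        # "*.example.com" matches "a.example.com" but not "a.b.example.com"
        labels = server_name.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == san[2:]
    return san == server_name


def select_certificate(server_name: Optional[str], store: Dict[str, List[str]],
                       default: str) -> str:
    """Pick the cert whose DNS SAN matches the SNI, else the default.

    IP SANs are never consulted: a connection made by IP carries no SNI at all.
    """
    if server_name:
        for cert_name, dns_sans in store.items():
            if any(san_matches(s, server_name) for s in dns_sans):
                return cert_name
    return default


# Constructed store: the thread's secret (DNS SAN from the dump) plus a
# hypothetical hostname-based certificate for contrast.
STORE = {"admin-local-tls": ["10.1.0.71"], "admin-hostname-tls": ["admin.local"]}
DEFAULT = "traefik-default"


def cert_served_for(url_host: str) -> str:
    """Which certificate a browser visiting https://<url_host> would receive."""
    return select_certificate(sni_sent_by_client(url_host), STORE, DEFAULT)
```

Only a client that (non-compliantly) puts the IP into SNI would ever receive `admin-local-tls`; with a DNS name in the `Host()` rule and in the SANs, the lookup succeeds.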