Trying to use alternate certificate with Consul KV

Hi.

We're using Consul Catalog for routing and Consul K/V for doing certs. Our tags in Catalog look like so:

      tags = [
        "mortar-static",
        "traefik.enable=true",
        "traefik.http.routers.mortar-static-http.rule=Host(`mortar-static.service.restoffqdn`)",
        "traefik.http.routers.mortar-static-http.entrypoints=web",
        "traefik.http.routers.mortar-static-http.middlewares=mortar-static-http-redirector",
        "traefik.http.middlewares.mortar-static-http-redirector.redirectscheme.scheme=https",
        "traefik.http.routers.mortar-static-https.rule=Host(`mortar-static.service.restoffqdn`)",
        "traefik.http.routers.mortar-static-https.entrypoints=websecure",
        "traefik.http.routers.mortar-static-https.tls=true",
      ]

And our certs are served via a wildcard signed by our internal CA by default from Consul KV:

kv/traefik/tls/certificates/0/certfile
kv/traefik/tls/certificates/0/keyfile

That all works by default. I am now trying to figure out how to get a second service using a different, external certificate.

I'm kind of lost going through the documentation how I would tell traefik to use a different cert in this case.

Hi @eadderley

Just add a new index:

kv/traefik/tls/certificates/1/certfile
kv/traefik/tls/certificates/1/keyfile
kv/traefik/tls/certificates/2/certfile
kv/traefik/tls/certificates/2/keyfile

Thanks @cakiwi

I already tried that and it didn't work. Thinking about it, is it because the wildcard is first and so is getting matched before the more specific further down?

Looking at the code in certificate_store.go

If there is already a cached certificate that matches, it will be selected. Otherwise the matching certificate should be selected over a wildcard.

I haven't verified this myself. A contributor would be able to give a definitive answer.

Huh.

After some digging I found the problem - the combined ca-crt wasn't properly formed, so this was user error. Thanks for being a 2nd set of eyes, @cakiwi !

I also did a test with the file provider, once I added the matching cert it was used in preference over the wildcard certificate.

The file provider was updated with the existing traefik instance, no restart.
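Two things in this thread are worth having as a repeatable check rather than eyeballing: whether a concatenated PEM bundle (the value stored under kv/traefik/tls/certificates/N/certfile) is actually well-formed, since a badly concatenated ca-crt was the root cause here, and whether an exact-SAN certificate is expected to win over the index-0 wildcard, as described above from certificate_store.go. The following is an added example written for this page; it is not Traefik's or Consul's code. `check_pem_bundle` applies strict structural rules in the spirit of Go's encoding/pem (each marker on its own line, valid base64, one complete DER structure per block); `pick_certificate` is only a model of the "exact beats wildcard" behaviour, not a copy of Traefik's selection code. The PEM bodies, SANs and the host name `second-svc.service.restoffqdn` are constructed sample data.

```python
"""Structural PEM bundle check and a model of exact-vs-wildcard certificate
selection. Added example for the thread above; not Traefik code."""
import base64
import binascii
from typing import Optional

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def _check_der_length(block_no: int, der: bytes) -> list[str]:
    """The decoded body must be one DER SEQUENCE (tag 0x30) whose declared
    length matches the bytes actually present; a cert cut at a base64 boundary
    still decodes, so the marker check alone would miss it."""
    if len(der) < 2 or der[0] != 0x30:
        return [f"block {block_no}: decoded data is not a DER SEQUENCE"]
    first = der[1]
    if first & 0x80:  # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        expected = 2 + n + int.from_bytes(der[2:2 + n], "big")
    else:
        expected = 2 + first
    if expected != len(der):
        return [f"block {block_no}: DER declares {expected} bytes but "
                f"{len(der)} present (truncated or padded)"]
    return []


def check_pem_bundle(pem: str) -> list[str]:
    """Return the problems found in a concatenated PEM bundle ([] = well-formed).
    Text outside blocks (e.g. openssl's 'subject=' lines) is ignored, as Go's
    pem.Decode ignores it; markers must sit on their own lines."""
    problems: list[str] = []
    blocks = 0
    body: Optional[list[str]] = None  # None while outside a block
    for lineno, raw in enumerate(pem.splitlines(), start=1):
        line = raw.strip()
        if line == BEGIN:
            if body is not None:
                problems.append(f"line {lineno}: BEGIN while previous block is still open")
            body = []
        elif line == END:
            if body is None:
                problems.append(f"line {lineno}: END without a matching BEGIN")
                continue
            blocks += 1
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error:
                problems.append(f"block {blocks}: body is not valid base64")
            else:
                problems.extend(_check_der_length(blocks, der))
            body = None
        elif BEGIN in line or END in line:
            # Typical of `cat a.crt b.crt` when a.crt lacks a trailing newline:
            # "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" on one line.
            problems.append(f"line {lineno}: marker is not on its own line")
            body = [] if BEGIN in line else None
        elif body is not None and line:
            body.append(line)
    if body is not None:
        problems.append("bundle ends inside a block (missing END marker)")
    if blocks == 0 and not problems:
        problems.append("no certificate blocks found")
    return problems


def _name_matches(server_name: str, san: str) -> bool:
    """Case-insensitive host match; '*' covers exactly one leftmost label."""
    server_name, san = server_name.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        s_labels, c_labels = server_name.split("."), san.split(".")
        return len(s_labels) == len(c_labels) and s_labels[1:] == c_labels[1:]
    return server_name == san


def pick_certificate(server_name: str, certs: dict[int, list[str]]) -> Optional[int]:
    """Model of the order described in the thread: a cert whose SAN names the
    host exactly beats one that only matches via a wildcard, regardless of KV
    index order. `certs` maps .../certificates/N to that cert's SANs."""
    wildcard_hit = None
    for index, sans in sorted(certs.items()):
        for san in sans:
            if not _name_matches(server_name, san):
                continue
            if not san.startswith("*."):
                return index          # exact match: stop immediately
            if wildcard_hit is None:
                wildcard_hit = index  # first wildcard match; keep looking for an exact one
    return wildcard_hit


# Constructed sample inputs. "MAMCAQE=" is the base64 of a 5-byte DER SEQUENCE
# (30 03 02 01 01): enough to exercise the structural checks, not a real cert.
GOOD_BUNDLE = f"{BEGIN}\nMAMCAQE=\n{END}\n{BEGIN}\nMAMCAQE=\n{END}\n"
JOINED_BUNDLE = f"{BEGIN}\nMAMCAQE=\n{END}{BEGIN}\nMAMCAQE=\n{END}\n"  # newline lost between files
TRUNCATED_BUNDLE = f"{BEGIN}\nMAMC\n{END}\n"                             # body cut short
SAMPLE_CERTS = {
    0: ["*.service.restoffqdn"],            # internal wildcard at index 0, as in the thread
    1: ["second-svc.service.restoffqdn"],   # constructed: external cert for one service
}

if __name__ == "__main__":
    for name, bundle in [("good", GOOD_BUNDLE), ("joined", JOINED_BUNDLE), ("truncated", TRUNCATED_BUNDLE)]:
        print(name, check_pem_bundle(bundle) or "OK")
    print("second-svc ->", pick_certificate("second-svc.service.restoffqdn", SAMPLE_CERTS))
    print("other      ->", pick_certificate("other.service.restoffqdn", SAMPLE_CERTS))
```

Run `check_pem_bundle` over each KV certfile value before writing it; the joined-marker and truncated cases are exactly the kinds of defect that make a bundle load silently wrong or not at all, and they are invisible in a quick `cat`.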
