Use of a default certificate with SNI enabled

Xitric · April 20, 2022, 7:58am

Edit: I was made aware that my original post could be interpreted as advertisement. I fail to see why this is the case, however I have removed all references to non-Traefik tools with the consequence of losing context for the problem.

We are trying to replace the Kubernetes manifest-based installation of Traefik with the Traefik Helm chart. Originally, using the manifest approach to installing Traefik, we configured certificates by mounting them into the Traefik container and pointing to them via the traefik.toml file:

[tls]
  [[tls.certificates]]
	certFile = "/certs/tls.crt"
	keyFile = "/certs/tls.key"
	stores = ["default"]
  [tls.stores]
	[tls.stores.default]
	  [tls.stores.default.defaultCertificate]
		certFile = "/certs/tls.crt"
		keyFile = "/certs/tls.key"
  [tls.options.default]
	minVersion = "VersionTLS12"
	sniStrict = true

As you can see, we have strict SNI enabled. In order to use the same certificate by default across all ingress routes, unless another certificate is specified, we have been required to point to the certificate twice.

Now we try to do this the Kubernetes CRD-way. Strict SNI is configured via a TLSOption resource:

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  labels:
    app.kubernetes.io/name: traefik
    helm.sh/chart: traefik-10.19.4
    app.kubernetes.io/managed-by: Helm
spec:
  minVersion: VersionTLS12
  sniStrict: true

For the certificate, we understand that we can use a TLSStore resource:

apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default
  labels:
    app.kubernetes.io/name: traefik
    helm.sh/chart: traefik-10.19.4
    app.kubernetes.io/managed-by: Helm
spec:
  defaultCertificate:
    secretName: "our-certificate-secret"

But as one might expect, this does not work as long as strict SNI is enabled. If we disable strict SNI, the certificate works as expected. We can see in the source code that Traefik explicitly skips checking the default certificate for a hostname match if strict SNI is enabled. So the question is, how does one replicate the following piece of configuration with Traefik CRDs and/or the cli arguments:

[tls]
  [[tls.certificates]]
	certFile = "/certs/tls.crt"
	keyFile = "/certs/tls.key"
	stores = ["default"]

Furthermore, we have noticed that if we configure a single IngressRoute to use our certificate, that certificate also becomes available to other IngressRoutes. For instance, the following:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: "traefik-ping"
  annotations:
    kubernetes.io/ingress.class: "traefik-internal"
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`something.something`) && Path(`/ping`)
    services:
    - kind: Service
      name: "traefik-ping"
      namespace: "traefik"
      port: 9000
  tls:
    secretName: "our-certificate-secret"

Will also enable other IngressRoutes without a tls section to use the same certificate (assuming the certificate matches the hostnames). We do not like this approach to making our certificate available, since it means that deleting the ping route will break TLS for other unrelated IngressRoutes.

Note: Our Traefik ping IngressRoute is only available on a private virtual network behind our client-facing gateways.

sapenugo · May 31, 2022, 11:23am

I am also facing the issue, TLS Certificated configured for one ingressroute are available for other Ingress Routes as well. Is this because all the certificates stored in the default TLSStore? Is there any solution to overcome this ?

bitsofinfo.g · June 9, 2022, 2:10am

@Xitric - ever get this working? trying to disable old TLS versions and cannot figure it out

Xitric · June 9, 2022, 4:43pm

Edit: This post was also reported as advertisement. There are no references to non-Traefik tools or forums, so I fail to see the issue. If it comes off as advertisement, I would love to know why. Otherwise I cannot improve my posts in future discussions.

@sapenugo Yes, you are correct that the IngressRoutes share certificates beause they are stored in the default TLSStore (which is in fact the only TLS store that exists). So there does not seem to be a way to overcome that, i.e. make certificates visible to only specific IngressRoutes. Unless of course you use separate Traefik ingress controllers.

@bitsofinfo.g We got into contact with the Traefik maintainers on GitHub about the inability to configure the default TLS store outside of IngressRoutes, and they were quite positive about adding that ability to the TLSStore CRD. You may refer to:

I see that Traefik 2.7.0 has been released since this feature was merged - maybe it is available in that. But I think it may not be available until 2.8.0. We still have yet to try it out ourselves due to other priorities right now! But I am excited to try it.

system · June 12, 2022, 4:44pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to configure default tls certificate on kubernetes? Traefik v2 kubernetes-crd	1	1099	October 22, 2020
Strange behavior in multi-traefik Kubernetes cluster Traefik v2 kubernetes-crd	0	304	September 15, 2022
Traefik configuration issue with TLS certificates Traefik v3 (latest) kubernetes-crd , kubernetes-ingress	0	46	October 13, 2024
Set default certificate into Kubernetes Traefik v2 kubernetes-crd	2	475	March 16, 2020
Tlsstore not working with kubernetes-crd for self-signed certificate Traefik v2 kubernetes-crd	5	1749	August 31, 2021

Use of a default certificate with SNI enabled

Related topics