Question

Traefik v2.2 on Digital Ocean Kubernetes, wildcard domain certificate works, but not with port number

Posted October 26, 2020 177 views
Tags: Let's Encrypt, Kubernetes

I am adding Traefik support to our Digital Ocean Kubernetes cluster and have used dnsChallenge to successfully obtain a wildcard SSL domain certificate from Let's Encrypt.

When I try to access sites with the same domain name, everything works well:

    $ curl -v https://user.example.io
    *   Trying 159.203.52.215:443...
    * TCP_NODELAY set
    * Connected to user.example.io (159.203.52.215) port 443 (#0)
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /home/user/anaconda3/ssl/cacert.pem
      CApath: none
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
    * ALPN, server did not agree to a protocol
    * Server certificate:
    *  subject: CN=example.io
    *  start date: Oct 23 15:49:19 2020 GMT
    *  expire date: Jan 21 15:49:19 2021 GMT
    *  subjectAltName: host "user.example.io" matched cert's "user.example.io"
    *  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
    *  SSL certificate verify ok.
    > GET / HTTP/1.1
    > Host: user.example.io
    > User-Agent: curl/7.68.0
    > Accept: */*
    > 
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * old SSL session ID is stale, removing
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < content-length: 40
    < content-type: application/json; charset=utf-8
    < date: Sun, 25 Oct 2020 03:07:06 GMT
    < etag: W/"28-v4XAuYZPRDT3aiocGxlWbac4/oE"
    < vary: Accept-Encoding
    < x-powered-by: Express
    < 
    * Connection #0 to host user.example.io left intact
    {"message":"User microservice"}

However, for sites with a port number, like the Traefik dashboard, this does not work:

    $ curl -v https://traefik.example.io:8080
    *   Trying 159.203.52.215:8080...
    * TCP_NODELAY set
    * Connected to traefik.example.io (159.203.52.215) port 8080 (#0)
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /home/user/anaconda3/ssl/cacert.pem
      CApath: none
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.3 (OUT), TLS alert, unknown CA (560):
    * SSL certificate problem: unable to get local issuer certificate
    * Closing connection 0
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: https://curl.haxx.se/docs/sslcerts.html

    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.

If it is without the port number 8080, the wildcard domain certificate is used, but of course I get a “404 Not Found”:

    $ curl -v https://traefik.example.io
    *   Trying 159.203.52.215:443...
    * TCP_NODELAY set
    * Connected to traefik.example.io (159.203.52.215) port 443 (#0)
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /home/user/anaconda3/ssl/cacert.pem
      CApath: none
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
    * ALPN, server did not agree to a protocol
    * Server certificate:
    *  subject: CN=example.io
    *  start date: Oct 23 15:49:19 2020 GMT
    *  expire date: Jan 21 15:49:19 2021 GMT
    *  subjectAltName: host "traefik.example.io" matched cert's "traefik.example.io"
    *  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
    *  SSL certificate verify ok.
    > GET / HTTP/1.1
    > Host: traefik.example.io
    > User-Agent: curl/7.68.0
    > Accept: */*
    > 
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * old SSL session ID is stale, removing
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 404 Not Found
    < content-type: text/plain; charset=utf-8
    < x-content-type-options: nosniff
    < date: Sun, 25 Oct 2020 03:18:38 GMT
    < content-length: 19
    < 
    404 page not found
    * Connection #0 to host traefik.example.io left intact

BTW, the Traefik dashboard can be accessed successfully over HTTP.

The following is my IngressRoute setting; I guess there must be some problem here:

    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: ingressroutetls
      namespace: ingress-traefik
    spec:
      entryPoints:
        - websecure

      routes:
      - match: Host(`traefik.example.io`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
        kind: Rule
        services:
        - name: api@internal
          kind: TraefikService

      - match: Host(`example.io`) && Path('/')
        kind: Rule
        services:
        - name: example.io
          port: 443

      tls:
        cetResolver: mlResolver
        domains:
        - main: example.io
          sans:
          - '*.example.io'

Can anyone find out what the problem might be?

** Modification **

Following the Traefik documentation https://doc.traefik.io/traefik/operations/dashboard/#dashboard-router-rule, I made the following modification, but still no luck.

    ---
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: ingressroutetls
      namespace: ingress-traefik
    spec:
      entryPoints:
        - websecure

      routes:
      - match: Host(`traefik.example.io`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
        kind: Rule
        services:
        - name: api@internal
          kind: TraefikService

      - match: Host(`example.io`) && Path('/')
        kind: Rule
        services:
        - name: example.io
          port: 443

      tls:
        cetResolver: mlResolver
        domains:
        - main: example.io
          sans:
          - '*.example.io'

I have tried to curl https://traefik.example.io/dashboard, https://traefik.example.io/api and https://traefik.example.io, all with the same result as before. (I also tried creating a separate IngressRoute for the dashboard, but the result did not change.)

    $ curl -v https://traefik.example.io/dashboard
    *   Trying 159.203.52.215:443...
    * TCP_NODELAY set
    * Connected to traefik.example.io (159.203.52.215) port 443 (#0)
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /home/user/anaconda3/ssl/cacert.pem
      CApath: none
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
    * ALPN, server did not agree to a protocol
    * Server certificate:
    *  subject: CN=example.io
    *  start date: Oct 23 15:49:19 2020 GMT
    *  expire date: Jan 21 15:49:19 2021 GMT
    *  subjectAltName: host "traefik.example.io" matched cert's "traefik.example.io"
    *  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
    *  SSL certificate verify ok.
    > GET /dashboard HTTP/1.1
    > Host: traefik.example.io
    > User-Agent: curl/7.68.0
    > Accept: */*
    > 
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * old SSL session ID is stale, removing
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 404 Not Found
    < content-type: text/plain; charset=utf-8
    < x-content-type-options: nosniff
    < date: Mon, 26 Oct 2020 15:44:12 GMT
    < content-length: 19
    < 
    404 page not found
    * Connection #0 to host traefik.example.io left intact
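An added example, not code from the original question, showing the same IngressRoute with two syntax issues corrected: `cetResolver` is not a field of the IngressRoute CRD (the key is `certResolver`), and Traefik's rule matchers take backtick-quoted arguments, so `Path('/')` becomes Path(`/`). It assumes the resolver name `mlResolver`, the entryPoint name and the service names are exactly as in the post; whether this also clears the 404 on port 443 cannot be confirmed from the post alone.

```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutetls
  namespace: ingress-traefik
spec:
  # Everything in this object applies only to the entryPoints listed here.
  # Nothing here touches the listener on :8080, which is why curl on :8080
  # received a certificate that did not chain to a trusted CA (the handshake
  # aborted with "unknown CA" right after the Certificate message).
  entryPoints:
    - websecure

  routes:
  - match: Host(`traefik.example.io`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
    kind: Rule
    services:
    - name: api@internal
      kind: TraefikService

  # Matcher arguments are backtick-quoted in Traefik's rule syntax;
  # the original post used single quotes on this line.
  - match: Host(`example.io`) && Path(`/`)
    kind: Rule
    services:
    - name: example.io
      port: 443

  tls:
    # The original key was spelled "cetResolver", which the CRD does not
    # define; an unrecognised key is ignored, so the resolver is never
    # bound to this route. The resolver name is taken from the post.
    certResolver: mlResolver
    domains:
    - main: example.io
      sans:
      - '*.example.io'
```

A quick check after applying it is `kubectl -n ingress-traefik get ingressroute ingressroutetls -o yaml`, confirming that the stored object carries `certResolver` and the backtick-quoted rule rather than the misspelled key.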