I have a K8s cluster working well, with a domain that has a custom SSL Cert, and all other subdomain use a Let's encrypt wildcard.
Now, I want to add another domain that will use custom SSL Cert, but it doesn't seem to work.
First, I create a configMap with .crt
and .key
files
kubectl create configmap traefik-sge-certificate --from-file=certificate/sge-prod.crt --from-file=certificate/sge-prod.key --dry-run -o yaml | kubectl apply -f -
Then I add my certs in traefik.toml
traefik.toml:
----
# traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/etc/ene-certificate/api.crt"
keyFile = "/etc/ene-certificate/api.key"
[[entryPoints.https.tls.certificates]]
certFile = "/etc/sge-certificate/sge-prod.crt"
keyFile = "/etc/sge-certificate/sge-prod.key"
[acme] # Automatically add Let's Encrypt Certificate.
storage= "/etc/certificate/acme.json"
email = "julien@company.fr"
entryPoint = "https"
onHostRule = true
caServer = "https://acme-v02.api.letsencrypt.org/directory"
[acme.dnsChallenge]
provider = "route53"
delayBeforeCheck = 0
[[acme.domains]]
main = "*.company.fr"
And now deployment:
kind: Deployment
apiVersion: apps/v1
metadata:
name: traefik-deployment
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 60
volumes:
- name: traefik-certificate
persistentVolumeClaim:
claimName: traefik-certificate
- name: config
configMap:
name: traefik-config
- name: traefik-ene-certificate
configMap:
name: traefik-ene-certificate
- name: traefik-sge-certificate
configMap:
name: traefik-sge-certificate
containers:
- name: traefik
image: "traefik:1.7"
envFrom:
- secretRef:
name: traefik-env
volumeMounts:
- mountPath: "/etc/traefik/config"
name: config
- mountPath: "/etc/certificate"
name: traefik-certificate
- mountPath: "/etc/ene-certificate/api.crt"
name: traefik-ene-certificate
subPath: api.crt
- mountPath: "/etc/ene-certificate/api.key"
name: traefik-ene-certificate
subPath: api.key
- mountPath: "/etc/sge-certificate/sge-prod.crt"
name: traefik-sge-certificate
subPath: sge-prod.crt
- mountPath: "/etc/sge-certificate/sge-prod.key"
name: traefik-sge-certificate
subPath: sge-prod.key
args:
- --configfile=/etc/traefik/config/traefik.toml
- --api
- --kubernetes
But when I do that, there is 2 problems:
I checked the traefik logs, and it doesn't seem to have any issue.
What I also don't understand, is where is linked the custom SSL Cert with domain.
Can anybody tell me why this is happening, and how should I fix it ?
PD: I understand I should use secrets instead of configMaps, but first thing first !
What I also don't understand, is where is linked the custom SSL Cert with domain.
The Cert is issued for a specific domain. So, here is the link.
If you issue your cert for domain1.com
and then you try to use it on domain2.com
, Traefik will not be able to install it.
My error was to use another domain that the one attached to my certificates.
So, the config is OK, and now I can access the domain with my custom certs
Hope it helps others