Installing 2 custom TLS Certs with Traefik / K8s

1/20/2020

I have a K8s cluster working well, with a domain that has a custom SSL Cert, and all other subdomains use a Let's Encrypt wildcard.

Now, I want to add another domain that will use a custom SSL Cert, but it doesn't seem to work.

First, I create a configMap with the .crt and .key files:

kubectl create configmap traefik-sge-certificate --from-file=certificate/sge-prod.crt --from-file=certificate/sge-prod.key --dry-run -o yaml | kubectl apply -f -

Then I add my certs to traefik.toml.

traefik.toml:
----
# traefik.toml
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/ene-certificate/api.crt"
      keyFile = "/etc/ene-certificate/api.key"
      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/sge-certificate/sge-prod.crt"
      keyFile = "/etc/sge-certificate/sge-prod.key"

[acme] # Automatically add Let's Encrypt certificates.
  storage = "/etc/certificate/acme.json"
  email = "julien@company.fr"
  entryPoint = "https"
  onHostRule = true
  caServer = "https://acme-v02.api.letsencrypt.org/directory"
  [acme.dnsChallenge]
  provider = "route53"
  delayBeforeCheck = 0
  [[acme.domains]]
  main = "*.company.fr"

And now the deployment:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-deployment
  labels:
    app: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
        - name: traefik-certificate
          persistentVolumeClaim:
            claimName: traefik-certificate
        - name: config
          configMap:
            name: traefik-config
        - name: traefik-ene-certificate
          configMap:
            name: traefik-ene-certificate
        - name: traefik-sge-certificate
          configMap:
            name: traefik-sge-certificate
      containers:
      - name: traefik
        image: "traefik:1.7"
        envFrom:
          - secretRef:
              name: traefik-env
        volumeMounts:
          - mountPath: "/etc/traefik/config"
            name: config
          - mountPath: "/etc/certificate"
            name: traefik-certificate
          - mountPath: "/etc/ene-certificate/api.crt"
            name: traefik-ene-certificate
            subPath: api.crt
          - mountPath: "/etc/ene-certificate/api.key"
            name: traefik-ene-certificate
            subPath: api.key
          - mountPath: "/etc/sge-certificate/sge-prod.crt"
            name: traefik-sge-certificate
            subPath: sge-prod.crt
          - mountPath: "/etc/sge-certificate/sge-prod.key"
            name: traefik-sge-certificate
            subPath: sge-prod.key
        args:
        - --configfile=/etc/traefik/config/traefik.toml
        - --api
        - --kubernetes

But when I do that, there are 2 problems:

  • My new app, https://sge.company.fr, is using the wildcard certificate instead of the custom one (the purpose of this operation).
  • The app that was using the custom certificate api.crt (previously working well with the custom SSL cert) is not using wildcard certs; this is a regression.

I checked the traefik logs, and it doesn't seem to have any issue.

What I also don't understand is where the custom SSL Cert is linked with the domain.

Can anybody tell me why this is happening, and how I should fix it?

P.S.: I understand I should use secrets instead of configMaps, but first things first!

-- Juliatzin

Tags: kubernetes, ssl, traefik, traefik-ingress

1 Answer

1/21/2020

What I also don't understand is where the custom SSL Cert is linked with the domain.

The Cert is issued for a specific domain. So, here is the link.

If you issue your cert for domain1.com and then you try to use it on domain2.com, Traefik will not be able to install it.

My error was to use another domain than the one attached to my certificates.

So, the config is OK, and now I can access the domain with my custom certs.

Hope it helps others.

-- Juliatzin
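As an added example (not part of the question or the answer), here is a small model of the matching rule the answer describes: for the SNI host the browser sends, the server picks a cert whose SAN names that host exactly, otherwise a one-label wildcard, otherwise its default cert, which is why a custom cert issued for a different name silently loses to the ACME wildcard. The SAN lists and the api.company.fr host name are constructed assumptions; for a real check read each .crt's names with `openssl x509 -in file.crt -noout -text` and look at the Subject Alternative Name.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Cert:
    name: str         # label for the cert file, e.g. "sge-prod.crt"
    sans: List[str]   # dNSName entries of the certificate's subjectAltName


def san_matches(san: str, host: str) -> bool:
    """RFC 6125 style check: case-insensitive, '*' allowed only as the whole
    leftmost label, and it covers exactly one label (not sub-subdomains)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                      # "*.company.fr" -> ".company.fr"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def pick_certificate(certs: List[Cert], host: str) -> Optional[Cert]:
    """Certificate a server presents for the SNI name `host`: an exact SAN
    match wins, then a wildcard match, else None (the default cert is used).
    This is the lookup order Go's crypto/tls, and therefore Traefik, uses."""
    for wildcard in (False, True):
        for cert in certs:
            for san in cert.sans:
                if san.startswith("*.") == wildcard and san_matches(san, host):
                    return cert
    return None


def scenario(sge_cert_sans: List[str]) -> Dict[str, str]:
    """The question's setup: the ACME wildcard plus two custom certs. The SAN
    lists and the api.company.fr host name are constructed assumptions.
    Returns host -> name of the cert that would be served."""
    certs = [
        Cert("acme.json *.company.fr", ["*.company.fr"]),
        Cert("api.crt", ["api.company.fr"]),
        Cert("sge-prod.crt", sge_cert_sans),
    ]
    result = {}
    for host in ("api.company.fr", "sge.company.fr", "deep.sge.company.fr"):
        cert = pick_certificate(certs, host)
        result[host] = cert.name if cert else "default"
    return result
```

`scenario(["sge.other-company.example"])` reproduces the question (sge.company.fr served by the wildcard), while `scenario(["sge.company.fr"])` shows the custom cert winning once it names the right host; deep.sge.company.fr gets neither, because a wildcard covers only one label.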
Source: StackOverflow