I am adding Traefik support to our DigitalOcean Kubernetes cluster and have used dnsChallenge to successfully get a wildcard SSL certificate for the domain from Let's Encrypt.
When I try to access sites on the same domain name, everything works well:
```
$ curl -v https://user.example.io
* Trying 159.203.52.215:443...
* TCP_NODELAY set
* Connected to user.example.io (159.203.52.215) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /home/user/anaconda3/ssl/cacert.pem
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=example.io
* start date: Oct 23 15:49:19 2020 GMT
* expire date: Jan 21 15:49:19 2021 GMT
* subjectAltName: host "user.example.io" matched cert's "user.example.io"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: user.example.io
> User-Agent: curl/7.68.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< content-length: 40
< content-type: application/json; charset=utf-8
< date: Sun, 25 Oct 2020 03:07:06 GMT
< etag: W/"28-v4XAuYZPRDT3aiocGxlWbac4/oE"
< vary: Accept-Encoding
< x-powered-by: Express
<
* Connection #0 to host user.example.io left intact
{"message":"User microservice"}
```
However, for sites with a port number, like the Traefik dashboard, this does not work:
```
$ curl -v https://traefik.example.io:8080
* Trying 159.203.52.215:8080...
* TCP_NODELAY set
* Connected to traefik.example.io (159.203.52.215) port 8080 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /home/user/anaconda3/ssl/cacert.pem
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```
Without the port number 8080, the wildcard domain certificate is used, but of course I then get a "404 Not Found".
```
$ curl -v https://traefik.example.io
* Trying 159.203.52.215:443...
* TCP_NODELAY set
* Connected to traefik.example.io (159.203.52.215) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /home/user/anaconda3/ssl/cacert.pem
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=example.io
* start date: Oct 23 15:49:19 2020 GMT
* expire date: Jan 21 15:49:19 2021 GMT
* subjectAltName: host "traefik.example.io" matched cert's "traefik.example.io"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: traefik.example.io
> User-Agent: curl/7.68.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< date: Sun, 25 Oct 2020 03:18:38 GMT
< content-length: 19
<
404 page not found
* Connection #0 to host traefik.example.io left intact
```
BTW, the Traefik dashboard can be successfully accessed using plain HTTP.
The following is my IngressRoute setting; I guess there must be some problem here:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutetls
  namespace: ingress-traefik
spec:
  entryPoints:
    - websecure
  routes:
    # matcher arguments take backticks or double quotes; single quotes as in Path('/') are not parsed
    - match: Host(`example.io`) && Path(`/`)
      kind: Rule
      services:
        - name: example-com
          port: 443
    - match: Host(`traefik.example.io`)
      kind: Rule
      services:
        - name: traefik-example-com
          port: 8080
  tls:
    # the field is certResolver; the originally posted spelling "cetResolver" is not a recognised key
    certResolver: mlResolver
    domains:
      - main: example.io
        sans:
          - '*.example.io'
```
Can anyone find out what the problem might be?
**IngressRoute changed after @Jakub's advice (but still no luck)**
```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutetls
  namespace: ingress-traefik
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.example.io`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
    # matcher arguments take backticks or double quotes; single quotes as in Path('/') are not parsed
    - match: Host(`example.io`) && Path(`/`)
      kind: Rule
      services:
        # note: a Kubernetes Service name is a DNS label and cannot contain dots
        - name: example.io
          port: 443
  tls:
    # the field is certResolver; the originally posted spelling "cetResolver" is not a recognised key
    certResolver: mlResolver
    domains:
      - main: example.io
        sans:
          - '*.example.io'
```
I have tried to curl https://traefik.example.io/dashboard, https://traefik.example.io/api and https://traefik.example.io, all with the same results as before. (I had also tried to create a separate IngressRoute for the dashboard, but the result did not change.)
```
$ curl -v https://traefik.example.io/dashboard
* Trying 159.203.52.215:443...
* TCP_NODELAY set
* Connected to traefik.example.io (159.203.52.215) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /home/user/anaconda3/ssl/cacert.pem
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=example.io
* start date: Oct 23 15:49:19 2020 GMT
* expire date: Jan 21 15:49:19 2021 GMT
* subjectAltName: host "traefik.example.io" matched cert's "traefik.example.io"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET /dashboard HTTP/1.1
> Host: traefik.example.io
> User-Agent: curl/7.68.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< date: Mon, 26 Oct 2020 15:44:12 GMT
< content-length: 19
<
404 page not found
* Connection #0 to host traefik.example.io left intact
```
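The failure modes in this question (a mis-spelled `tls` field, a matcher argument in the wrong quote style, a host that might not be covered by the requested certificate's SANs) are all things that can be checked before the manifest is applied. The following is an added example, not code from the question or from the Traefik project: a small offline lint for an `IngressRoute` object. The manifest is embedded as a Python dict (a constructed copy of the first IngressRoute posted above, so no YAML library or cluster is needed), and the set of known `tls` keys, the regular expressions and the function names are my own assumptions, not a Traefik API.

```python
import re

# Constructed copy of the first IngressRoute from the question, as a dict.
# It intentionally keeps the posted defects so the lint has something to report.
INGRESS_ROUTE = {
    "apiVersion": "traefik.containo.us/v1alpha1",
    "kind": "IngressRoute",
    "metadata": {"name": "ingressroutetls", "namespace": "ingress-traefik"},
    "spec": {
        "entryPoints": ["websecure"],
        "routes": [
            {"match": "Host(`example.io`) && Path('/')", "kind": "Rule",
             "services": [{"name": "example-com", "port": 443}]},
            {"match": "Host(`traefik.example.io`)", "kind": "Rule",
             "services": [{"name": "traefik-example-com", "port": 8080}]},
        ],
        "tls": {
            "cetResolver": "mlResolver",          # typo as posted
            "domains": [{"main": "example.io", "sans": ["*.example.io"]}],
        },
    },
}

# Keys the IngressRoute `tls` block accepts (assumption based on the v1alpha1 CRD).
KNOWN_TLS_KEYS = {"certResolver", "domains", "secretName", "options", "store"}

# Host(`name`) with a single backtick-quoted argument (multi-argument Host() is not handled here).
HOST_RE = re.compile(r"Host\(\s*`([^`]+)`\s*\)")
# A matcher whose first argument is opened with a single quote, which Traefik's rule parser rejects.
SINGLE_QUOTED_ARG_RE = re.compile(r"\b(Host|HostSNI|Path|PathPrefix|Headers|Method)\(\s*'")


def host_covered(host: str, domains: list) -> bool:
    """True if `host` equals a `main` name or a SAN in one of the tls.domains entries.
    A leading '*.' matches exactly one DNS label, as it does in a certificate."""
    for entry in domains:
        names = [entry.get("main", "")] + list(entry.get("sans", []))
        for name in names:
            if name.startswith("*."):
                suffix = name[1:]                       # ".example.io"
                label = host[:-len(suffix)] if host.endswith(suffix) else ""
                if label and "." not in label:
                    return True
            elif name == host:
                return True
    return False


def lint_ingress_route(obj: dict) -> list:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    spec = obj.get("spec", {})
    tls = spec.get("tls") or {}

    for key in tls:
        if key not in KNOWN_TLS_KEYS:
            findings.append(f"spec.tls: unknown key {key!r} (the ACME resolver field is spelled 'certResolver')")
    if "domains" in tls and "certResolver" not in tls:
        findings.append("spec.tls.domains only applies together with certResolver; "
                        "without it no ACME certificate is requested for these names")

    for i, route in enumerate(spec.get("routes", [])):
        match = route.get("match", "")
        if SINGLE_QUOTED_ARG_RE.search(match):
            findings.append(f"routes[{i}].match: single-quoted matcher argument; "
                            "Traefik expects backticks or double quotes")
        for host in HOST_RE.findall(match):
            if tls.get("domains") and not host_covered(host, tls["domains"]):
                findings.append(f"routes[{i}].match: Host {host!r} is not covered by spec.tls.domains")
    return findings


if __name__ == "__main__":
    for finding in lint_ingress_route(INGRESS_ROUTE):
        print("-", finding)
```

On the posted manifest the lint reports the `cetResolver` key, the fact that `domains` is then ignored, and the single-quoted `Path('/')`; both `Host()` names are covered by `example.io` plus `*.example.io`. What no manifest check can see is the `:8080` failure: this IngressRoute only binds to the `websecure` entry point, so whatever answers on port 8080 presents its own certificate rather than the Let's Encrypt one, which is consistent with the `unknown CA` alert in the second curl transcript.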