canonical / traefik-k8s-operator

This charmed operator automates the operational procedures of running Traefik, an open-source application proxy.
https://charmhub.io/traefik-k8s
Apache License 2.0

Traefik requests certificate with incorrect SANs on ec2 #305

Open natalian98 opened 6 months ago

natalian98 commented 6 months ago

Bug Description

When deployed on an AWS EC2 instance, Traefik requests certificates with incorrect SANs. This can be verified by decoding the cert:

root@traefik-public-0:/opt/traefik/juju# cat server.cert 
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

The common name and subject alternative name are ip-10-64-140-44.ec2.internal instead of just 10.64.140.44 - the IP assigned by MetalLB. Due to this, other charms don't trust the certificate. The issue can be reproduced by launching those tests on an EC2 instance. The login flow will fail with a login.OAuthLogin(NewTransportWithCode) error in Grafana:

2024-02-29T14:36:54.394Z [grafana] logger=context userId=0 orgId=0 uname= t=2024-02-29T14:36:54.394347388Z level=error msg=login.OAuthLogin(NewTransportWithCode) error="Post \"https://10.64.140.44/test-bundle-hydra/oauth2/token\": x509: cannot validate certificate for 10.64.140.44 because it doesn't contain any IP SANs"

I made a quick test with SAN hardcoded to ["10.64.140.44"]. The certificate was issued correctly and I was able to complete the flow.

root@traefik-public-0:/opt/traefik/juju# cat server.cert
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

To Reproduce

juju deploy identity-platform --channel edge --trust
juju deploy grafana-k8s --channel edge --trust

juju relate grafana-k8s:ingress traefik-public
juju relate grafana-k8s:grafana-dashboard traefik-public
juju relate grafana-k8s:certificates self-signed-certificates
juju relate grafana-k8s:receive-ca-cert self-signed-certificates
juju relate grafana-k8s:oauth hydra

Environment

microk8s 1.28-stable, metallb enabled; juju 3.1/stable

Relevant log output

n/a

Additional context

No response
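The error in the Grafana log is the one Go's crypto/x509 package returns when a client connects to an IP address and the server certificate carries only DNS SANs. The following added example (not part of this issue or of the traefik-k8s-operator code) reproduces both situations described above with constructed self-signed certificates: one whose CN and SAN are the EC2 hostname only, and one whose SAN is the MetalLB IP, then runs the same hostname verification a Go TLS client applies. The constant `ingressIP`, the helper names and the certificates themselves are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert issues a short-lived self-signed server certificate (constructed
// for this example) carrying exactly the DNS and IP SANs passed in.
func selfSignedCert(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		DNSNames:              dnsNames,
		IPAddresses:           ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyForHost performs the check a Go TLS client (Grafana is written in Go) runs
// after the handshake: the host it dialled is matched against the certificate's SANs,
// and an IP host is only satisfied by an IP SAN, never by a DNS SAN or the CN.
func verifyForHost(cert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // trust the issuer, as a charm that received the CA cert would
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// sanList renders the SANs of a certificate for inspection, in the order DNS then IP.
func sanList(cert *x509.Certificate) []string {
	out := append([]string{}, cert.DNSNames...)
	for _, ip := range cert.IPAddresses {
		out = append(out, "IP:"+ip.String())
	}
	return out
}

func main() {
	const ingressIP = "10.64.140.44" // the MetalLB address from the report

	// Case 1: what the report observes, CN and SAN set to the EC2 hostname only.
	bad, err := selfSignedCert("ip-10-64-140-44.ec2.internal",
		[]string{"ip-10-64-140-44.ec2.internal"}, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("SANs:", sanList(bad), "verify:", verifyForHost(bad, ingressIP))

	// Case 2: the hardcoded-SAN test from the report, IP SAN present.
	good, err := selfSignedCert(ingressIP, nil, []net.IP{net.ParseIP(ingressIP)})
	if err != nil {
		panic(err)
	}
	fmt.Println("SANs:", sanList(good), "verify:", verifyForHost(good, ingressIP))
}
```

Running this prints the first verification as the `x509: cannot validate certificate for 10.64.140.44 because it doesn't contain any IP SANs` error seen in the Grafana log, and the second as `<nil>`. The same `sanList`-style check, applied to `server.cert` after decoding it, is the quickest way to confirm whether a given Traefik revision has fixed the request: the MetalLB address must appear as an IP SAN, a DNS SAN with the EC2 hostname does not help an IP-based ingress URL.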

simskij commented 4 months ago

This is likely resolved by https://github.com/canonical/traefik-k8s-operator/pull/354. Can you please retry with the latest revision in edge? If it's still a problem, feel free to reopen the issue.

natalian98 commented 1 month ago

The issue still occurs, both in latest/edge (rev203) and latest/stable (rev194). @simskij Could you reopen it? I'm not a repo collaborator so I can't do it. Thank you.