traefik / traefik

The Cloud Native Application Proxy
https://traefik.io
MIT License

ACME certificate fetched but not used - instead default cert gets used #3657

Closed cgebe closed 6 years ago

cgebe commented 6 years ago

Do you want to request a feature or report a bug?

Bug

What did you do?

I set up Traefik as an ingress controller in my Kubernetes cluster. For this, I am using the Helm chart with my configuration. I want to run the Traefik dashboard on a subdomain with a path, protected by an ACME cert. After setting up everything (supposedly) correctly, Traefik uses the default cert, despite fetching the correct cert from ACME. Choosing onHostRule or stating the domain statically makes no difference. Please see the logs below.

In the following I replace my subdomain/path with: test.example.com/traefik

What did you expect to see?

I expect Traefik to use the ACME cert as soon as it has fetched it, replacing the default cert.

What did you see instead?

Traefik uses the default cert.

Output of traefik version: (What version of Traefik are you using?)

1.6.5

What is your environment & configuration (arguments, toml, provider, platform, ...)?

```toml
# traefik.toml
logLevel = "DEBUG"
InsecureSkipVerify = true
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
  compress = true
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  compress = true
    [entryPoints.https.tls]
[kubernetes]
namespaces = ["default"]
labelselector = "traffic-type=external"
ingressClass = "traefik"
[acme]
email = "cgb@example.com"
storage = "/acme/acme.json"
entryPoint = "https"
acmeLogging = true
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  [acme.httpChallenge]
  entryPoint = "http"
[[acme.domains]]
   main = "test.example.com"
[web]
address = ":8080"
```
traefik service

```
Name:                     ingress-controller-traefik
Namespace:                default
Labels:                   app=traefik
                          chart=traefik-1.35.0
                          heritage=Tiller
                          release=ingress-controller
Annotations:
Selector:                 app=traefik,release=ingress-controller
Type:                     NodePort
IP:                       10.97.26.133
Port:                     http  80/TCP
TargetPort:               http/TCP
NodePort:                 http  80/TCP
Endpoints:                10.244.3.106:80
Port:                     https  443/TCP
TargetPort:               https/TCP
NodePort:                 https  443/TCP
Endpoints:                10.244.3.106:443
Session Affinity:         None
External Traffic Policy:  Cluster
Events:
```

dashboard service

```
Name:              ingress-controller-traefik-dashboard
Namespace:         default
Labels:            app=traefik
                   chart=traefik-1.35.0
                   heritage=Tiller
                   release=ingress-controller
Annotations:
Selector:          app=traefik,release=ingress-controller
Type:              ClusterIP
IP:                10.104.95.236
Port:              http  80/TCP
TargetPort:        8080/TCP
Endpoints:         10.244.3.106:8080
Session Affinity:  None
Events:
```

dashboard ingress

```
Name:             ingress-controller-traefik-dashboard
Namespace:        default
Address:
Default backend:  default-http-backend:80 ()
Rules:
  Host              Path      Backends
  ----              ----      --------
  test.example.com  /traefik  ingress-controller-traefik-dashboard:80 ()
Annotations:
  ingress.kubernetes.io/frontend-entry-points:  http, https
  ingress.kubernetes.io/redirect-entry-point:   https
  ingress.kubernetes.io/rule-type:              PathPrefixStrip
  kubernetes.io/ingress.class:                  traefik
Events:
```

traefik deployment

```
Name:                   ingress-controller-traefik
Namespace:              default
CreationTimestamp:      Sun, 22 Jul 2018 22:57:16 +0200
Labels:                 app=traefik
                        chart=traefik-1.35.0
                        heritage=Tiller
                        release=ingress-controller
Annotations:            deployment.kubernetes.io/revision=1
Selector:               app=traefik,release=ingress-controller
Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  1 max unavailable, 1 max surge
Pod Template:
  Labels:           app=traefik
                    chart=traefik-1.35.0
                    heritage=Tiller
                    release=ingress-controller
  Annotations:      checksum/config=f3dbba5a6857f67f7d0e67c91fcae551c1cbebc7af1906a8ea0f289e54af24fc
  Service Account:  ingress-controller-traefik
  Containers:
   ingress-controller-traefik:
    Image:       traefik:1.6.5
    Ports:       80/TCP, 8880/TCP, 443/TCP, 8080/TCP
    Host Ports:  0/TCP, 0/TCP, 0/TCP, 0/TCP
    Args:
      --configfile=/config/traefik.toml
    Limits:
      cpu:     100m
      memory:  30Mi
    Requests:
      cpu:        100m
      memory:     20Mi
    Liveness:     tcp-socket :80 delay=10s timeout=2s period=10s #success=1 #failure=3
    Readiness:    tcp-socket :80 delay=10s timeout=2s period=10s #success=1 #failure=1
    Environment:
    Mounts:
      /acme from acme (rw)
      /config from config (rw)
  Volumes:
   config:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      ingress-controller-traefik
    Optional:  false
   acme:
    Type:    EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Available      True    MinimumReplicasAvailable
  Progressing    True    NewReplicaSetAvailable
OldReplicaSets:  ingress-controller-traefik-cdfd464bd (1/1 replicas created)
NewReplicaSet:
Events:
  Type    Reason             Age   From                   Message
  ----    ------             ----  ----                   -------
  Normal  ScalingReplicaSet  48m   deployment-controller  Scaled up replica set ingress-controller-traefik-cdfd464bd to 1
```

If applicable, please paste the log output in DEBUG level (--logLevel=DEBUG switch)

logs

```shell
time="2018-07-22T21:50:46Z" level=info msg="Using TOML configuration file /config/traefik.toml"
time="2018-07-22T21:50:46Z" level=warning msg="web provider configuration is deprecated, you should use these options : api, rest provider, ping and metrics"
time="2018-07-22T21:50:46Z" level=info msg="Traefik version v1.6.5 built on 2018-07-10_03:54:03PM"
time="2018-07-22T21:50:46Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n"
time="2018-07-22T21:50:46Z" level=debug msg="Global configuration loaded {\"LifeCycle\":{\"RequestAcceptGraceTimeout\":0,\"GraceTimeOut\":10000000000},\"GraceTimeOut\":0,\"Debug\":true,\"CheckNewVersion\":true,\"SendAnonymousUsage\":false,\"AccessLogsFile\":\"\",\"AccessLog\":null,\"TraefikLogsFile\":\"\",\"TraefikLog\":null,\"Tracing\":null,\"LogLevel\":\"\",\"EntryPoints\":{\"http\":{\"Address\":\":80\",\"TLS\":null,\"Redirect\":{\"entryPoint\":\"https\"},\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":true,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}},\"https\":{\"Address\":\":443\",\"TLS\":{\"MinVersion\":\"\",\"CipherSuites\":null,\"Certificates\":null,\"ClientCAFiles\":null,\"ClientCA\":{\"Files\":null,\"Optional\":false}},\"Redirect\":null,\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":true,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}},\"traefik\":{\"Address\":\":8080\",\"TLS\":null,\"Redirect\":null,\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":false,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}}},\"Cluster\":null,\"Constraints\":[],\"ACME\":null,\"DefaultEntryPoints\":[\"http\",\"https\"],\"ProvidersThrottleDuration\":2000000000,\"MaxIdleConnsPerHost\":200,\"IdleTimeout\":0,\"InsecureSkipVerify\":true,\"RootCAs\":null,\"Retry\":null,\"HealthCheck\":{\"Interval\":30000000000},\"RespondingTimeouts\":null,\"ForwardingTimeouts\":null,\"AllowMinWeightZero\":false,\"Web\":{\"Address\":\":8080\",\"CertFile\":\"\",\"KeyFile\":\"\",\"ReadOnly\":false,\"Statistics\":null,\"Metrics\":null,\"Path\":\"/\",\"Auth\":null,\"Debug\":false},\"Docker\":null,\"File\":null,\"Marathon\":null,\"Consul\":null,\"ConsulCatalog\":null,\"Etcd\":null,\"Zookeeper\":null,\"Boltdb\":null,\"Kubernetes\":{\"Watch\":true,\"Filename\":\"\",\"Constraints\":[],\"Trace\":false,\"TemplateVersion\":0,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"\",\"Token\":\"\",\"CertAuthFilePath\":\"\",\"DisablePassHostHeaders\":false,\"EnablePassTLSCert\":false,\"Namespaces\":[\"default\"],\"LabelSelector\":\"traffic-type=external\",\"IngressClass\":\"traefik\"},\"Mesos\":null,\"Eureka\":null,\"ECS\":null,\"Rancher\":null,\"DynamoDB\":null,\"ServiceFabric\":null,\"Rest\":null,\"API\":{\"EntryPoint\":\"traefik\",\"Dashboard\":true,\"Debug\":true,\"CurrentConfigurations\":null,\"Statistics\":null},\"Metrics\":null,\"Ping\":{\"EntryPoint\":\"traefik\"}}"
time="2018-07-22T21:50:46Z" level=info msg="Preparing server http &{Address::80 TLS: Redirect:0xc420057e80 Auth: WhitelistSourceRange:[] WhiteList: Compress:true ProxyProtocol: ForwardedHeaders:0xc42002cc40} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2018-07-22T21:50:46Z" level=info msg="Preparing server https &{Address::443 TLS:0xc42043d780 Redirect: Auth: WhitelistSourceRange:[] WhiteList: Compress:true ProxyProtocol: ForwardedHeaders:0xc42002cc80} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2018-07-22T21:50:46Z" level=info msg="Starting server on :80"
time="2018-07-22T21:50:50Z" level=info msg="Preparing server traefik &{Address::8080 TLS: Redirect: Auth: WhitelistSourceRange:[] WhiteList: Compress:false ProxyProtocol: ForwardedHeaders:0xc42002cca0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2018-07-22T21:50:50Z" level=info msg="Starting server on :443"
time="2018-07-22T21:50:50Z" level=info msg="Starting server on :8080"
time="2018-07-22T21:50:50Z" level=info msg="Starting provider configuration.providerAggregator {}"
time="2018-07-22T21:50:50Z" level=info msg="Starting provider *kubernetes.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":[],\"Trace\":false,\"TemplateVersion\":0,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"\",\"Token\":\"\",\"CertAuthFilePath\":\"\",\"DisablePassHostHeaders\":false,\"EnablePassTLSCert\":false,\"Namespaces\":[\"default\"],\"LabelSelector\":\"traffic-type=external\",\"IngressClass\":\"traefik\"}"
time="2018-07-22T21:50:50Z" level=debug msg="Using Ingress label selector: \"traffic-type=external\""
time="2018-07-22T21:50:50Z" level=info msg="Starting provider *acme.Provider {\"Email\":\"cgb@icewave.org\",\"ACMELogging\":true,\"CAServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"Storage\":\"/acme/acme.json\",\"EntryPoint\":\"https\",\"OnHostRule\":false,\"OnDemand\":false,\"DNSChallenge\":null,\"HTTPChallenge\":{\"EntryPoint\":\"http\"},\"Domains\":[{\"Main\":\"test.example.com\",\"SANs\":null}],\"Store\":{}}"
time="2018-07-22T21:50:50Z" level=info msg="ingress label selector is: \"traffic-type=external\""
time="2018-07-22T21:50:50Z" level=info msg="Creating in-cluster Provider client"
time="2018-07-22T21:50:50Z" level=info msg="Testing certificate renew..."
time="2018-07-22T21:50:50Z" level=debug msg="Looking for provided certificate(s) to validate [\"test.example.com\"]..."
time="2018-07-22T21:50:50Z" level=debug msg="Domains [\"test.example.com\"] need ACME certificates generation for domains \"test.example.com\"."
time="2018-07-22T21:50:50Z" level=debug msg="Loading ACME certificates [test.example.com]..."
time="2018-07-22T21:50:50Z" level=debug msg="Configuration received from provider ACME: {}"
time="2018-07-22T21:50:50Z" level=info msg="Server configuration reloaded on :80"
time="2018-07-22T21:50:50Z" level=info msg="Server configuration reloaded on :443"
time="2018-07-22T21:50:50Z" level=info msg="Server configuration reloaded on :8080"
time="2018-07-22T21:50:51Z" level=debug msg="Received Kubernetes event kind *v1.Service"
time="2018-07-22T21:50:51Z" level=debug msg="Configuration received from provider kubernetes: {\"backends\":{\"test.example.com/traefik\":{\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"test.example.com/traefik\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"test.example.com/traefik\",\"routes\":{\"/traefik\":{\"rule\":\"PathPrefixStrip:/traefik\"},\"test.example.com\":{\"rule\":\"Host:test.example.com\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":[],\"redirect\":{\"entryPoint\":\"https\"}}}}"
time="2018-07-22T21:50:51Z" level=debug msg="Creating frontend test.example.com/traefik"
time="2018-07-22T21:50:51Z" level=debug msg="Wiring frontend test.example.com/traefik to entryPoint http"
time="2018-07-22T21:50:51Z" level=debug msg="Creating route /traefik PathPrefixStrip:/traefik"
time="2018-07-22T21:50:51Z" level=debug msg="Creating route test.example.com Host:test.example.com"
time="2018-07-22T21:50:51Z" level=debug msg="Creating entry point redirect http -> https"
time="2018-07-22T21:50:51Z" level=debug msg="Creating backend test.example.com/traefik"
time="2018-07-22T21:50:51Z" level=debug msg="Creating load-balancer wrr"
time="2018-07-22T21:50:51Z" level=debug msg="Creating entry point redirect http -> https"
time="2018-07-22T21:50:51Z" level=debug msg="Frontend test.example.com/traefik redirect created"
time="2018-07-22T21:50:51Z" level=debug msg="Wiring frontend test.example.com/traefik to entryPoint https"
time="2018-07-22T21:50:51Z" level=debug msg="Creating route /traefik PathPrefixStrip:/traefik"
time="2018-07-22T21:50:51Z" level=debug msg="Creating route test.example.com Host:test.example.com"
time="2018-07-22T21:50:51Z" level=debug msg="Creating backend test.example.com/traefik"
time="2018-07-22T21:50:51Z" level=debug msg="Creating load-balancer wrr"
time="2018-07-22T21:50:51Z" level=info msg="Server configuration reloaded on :80"
time="2018-07-22T21:50:51Z" level=info msg="Server configuration reloaded on :443"
time="2018-07-22T21:50:51Z" level=info msg="Server configuration reloaded on :8080"
time="2018-07-22T21:50:51Z" level=debug msg="Received Kubernetes event kind *v1.Secret"
time="2018-07-22T21:50:51Z" level=debug msg="Skipping Kubernetes event kind *v1.Secret"
time="2018-07-22T21:50:51Z" level=debug msg="Received Kubernetes event kind *v1.Secret"
time="2018-07-22T21:50:51Z" level=debug msg="Skipping Kubernetes event kind *v1.Secret"
time="2018-07-22T21:51:00Z" level=debug msg="Received Kubernetes event kind *v1.Endpoints"
time="2018-07-22T21:51:00Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints"
time="2018-07-22T21:51:00Z" level=debug msg="Received Kubernetes event kind *v1.Endpoints"
time="2018-07-22T21:51:00Z" level=debug msg="Configuration received from provider kubernetes: {\"backends\":{\"test.example.com/traefik\":{\"servers\":{\"ingress-controller-traefik-84f498df9d-sq76f\":{\"url\":\"http://10.244.2.109:8080\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"test.example.com/traefik\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"test.example.com/traefik\",\"routes\":{\"/traefik\":{\"rule\":\"PathPrefixStrip:/traefik\"},\"test.example.com\":{\"rule\":\"Host:test.example.com\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":[],\"redirect\":{\"entryPoint\":\"https\"}}}}"
time="2018-07-22T21:51:00Z" level=debug msg="Creating frontend test.example.com/traefik"
time="2018-07-22T21:51:00Z" level=debug msg="Wiring frontend test.example.com/traefik to entryPoint http"
time="2018-07-22T21:51:00Z" level=debug msg="Creating route /traefik PathPrefixStrip:/traefik"
time="2018-07-22T21:51:00Z" level=debug msg="Creating route test.example.com Host:test.example.com"
time="2018-07-22T21:51:00Z" level=debug msg="Creating entry point redirect http -> https"
time="2018-07-22T21:51:00Z" level=debug msg="Creating backend test.example.com/traefik"
time="2018-07-22T21:51:00Z" level=debug msg="Creating load-balancer wrr"
time="2018-07-22T21:51:00Z" level=debug msg="Creating server ingress-controller-traefik-84f498df9d-sq76f at http://10.244.2.109:8080 with weight 1"
time="2018-07-22T21:51:00Z" level=debug msg="Creating entry point redirect http -> https"
time="2018-07-22T21:51:00Z" level=debug msg="Frontend test.example.com/traefik redirect created"
time="2018-07-22T21:51:00Z" level=debug msg="Wiring frontend test.example.com/traefik to entryPoint https"
time="2018-07-22T21:51:00Z" level=debug msg="Creating route /traefik PathPrefixStrip:/traefik"
time="2018-07-22T21:51:00Z" level=debug msg="Creating route test.example.com Host:test.example.com"
time="2018-07-22T21:51:00Z" level=debug msg="Creating backend test.example.com/traefik"
time="2018-07-22T21:51:00Z" level=debug msg="Creating load-balancer wrr"
time="2018-07-22T21:51:00Z" level=debug msg="Creating server ingress-controller-traefik-84f498df9d-sq76f at http://10.244.2.109:8080 with weight 1"
time="2018-07-22T21:51:00Z" level=info msg="Server configuration reloaded on :80"
time="2018-07-22T21:51:00Z" level=info msg="Server configuration reloaded on :443"
time="2018-07-22T21:51:00Z" level=info msg="Server configuration reloaded on :8080"
time="2018-07-22T21:51:00Z" level=debug msg="http2: server: error reading preface from client 10.244.1.0:33984: remote error: tls: bad certificate"
...
time="2018-07-22T21:51:02Z" level=debug msg="http2: server: error reading preface from client 10.244.1.0:34008: remote error: tls: bad certificate"
time="2018-07-22T21:51:02Z" level=debug msg="Building ACME client..."
time="2018-07-22T21:51:02Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2018-07-22T21:51:02Z" level=debug msg="http2: server: error reading preface from client 10.244.1.0:34010: remote error: tls: bad certificate"
...
time="2018-07-22T21:51:03Z" level=debug msg="http2: server: error reading preface from client 10.244.1.0:34016: remote error: tls: bad certificate"
time="2018-07-22T21:51:03Z" level=info msg=Register...
time="2018-07-22T21:51:03Z" level=debug msg="legolog: [INFO] acme: Registering account for cgb@icewave.org"
time="2018-07-22T21:51:03Z" level=debug msg="http2: server: error reading preface from client 10.244.1.0:34018: remote error: tls: bad certificate"
...
time="2018-07-22T21:51:03Z" level=debug msg="http2: server: error reading preface from client 10.244.1.0:34024: remote error: tls: bad certificate"
time="2018-07-22T21:51:03Z" level=debug msg="Using HTTP Challenge provider."
time="2018-07-22T21:51:03Z" level=debug msg="legolog: [INFO][test.example.com] acme: Obtaining bundled SAN certificate"
time="2018-07-22T21:51:03Z" level=debug msg="http2: server: error reading preface from client 10.244.1.0:34026: remote error: tls: bad certificate"
...
time="2018-07-22T21:51:04Z" level=debug msg="http2: server: error reading preface from client 10.244.1.0:34034: remote error: tls: bad certificate"
time="2018-07-22T21:51:04Z" level=debug msg="legolog: [INFO][test.example.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/ICjo_OSsJbuwYmVqQ577P_Xqti0TplMWw4bTYsRCfBE"
time="2018-07-22T21:51:04Z" level=debug msg="legolog: [INFO][test.example.com] acme: Trying to solve HTTP-01"
time="2018-07-22T21:51:04Z" level=debug msg="http2: server: error reading preface from client 10.244.1.0:34036: remote error: tls: bad certificate"
time="2018-07-22T21:51:04Z" level=debug msg="http2: server: error reading preface from client 10.244.1.0:34038: remote error: tls: bad certificate"
time="2018-07-22T21:51:04Z" level=debug msg="http2: server: error reading preface from client 10.244.1.0:34040: remote error: tls: bad certificate"
time="2018-07-22T21:51:04Z" level=debug msg="Unable to split host and port: address test.example.com: missing port in address. Fallback to request host."
time="2018-07-22T21:51:04Z" level=debug msg="Looking for an existing ACME challenge for token N880sj2XsBGHQEauVdVumg1f735GssRxS_3IOIfeJzU..."
time="2018-07-22T21:51:04Z" level=debug msg="http2: server: error reading preface from client 10.244.1.0:34042: remote error: tls: bad certificate"
time="2018-07-22T21:51:04Z" level=debug msg="Unable to split host and port: address test.example.com: missing port in address. Fallback to request host."
time="2018-07-22T21:51:04Z" level=debug msg="Looking for an existing ACME challenge for token N880sj2XsBGHQEauVdVumg1f735GssRxS_3IOIfeJzU..."
time="2018-07-22T21:51:04Z" level=debug msg="Unable to split host and port: address test.example.com: missing port in address. Fallback to request host."
time="2018-07-22T21:51:04Z" level=debug msg="Unable to split host and port: address test.example.com: missing port in address. Fallback to request host."
time="2018-07-22T21:51:04Z" level=debug msg="Looking for an existing ACME challenge for token N880sj2XsBGHQEauVdVumg1f735GssRxS_3IOIfeJzU..."
time="2018-07-22T21:51:04Z" level=debug msg="Looking for an existing ACME challenge for token N880sj2XsBGHQEauVdVumg1f735GssRxS_3IOIfeJzU..."
time="2018-07-22T21:51:04Z" level=debug msg="http2: server: error reading preface from client 10.244.1.0:34044: remote error: tls: bad certificate"
...
time="2018-07-22T21:51:09Z" level=debug msg="http2: server: error reading preface from client 10.244.1.0:34138: remote error: tls: bad certificate"
time="2018-07-22T21:51:09Z" level=debug msg="legolog: [INFO][test.example.com] The server validated our request"
time="2018-07-22T21:51:09Z" level=debug msg="legolog: [INFO][test.example.com] acme: Validations succeeded; requesting certificates"
time="2018-07-22T21:51:09Z" level=debug msg="http2: server: error reading preface from client 10.244.1.0:34140: remote error: tls: bad certificate"
...
time="2018-07-22T21:51:27Z" level=debug msg="http2: server: error reading preface from client 10.244.1.0:34276: remote error: tls: bad certificate"
time="2018-07-22T21:51:28Z" level=debug msg="legolog: [INFO][test.example.com] Server responded with a certificate."
time="2018-07-22T21:51:28Z" level=debug msg="Certificates obtained for domains [test.example.com]"
time="2018-07-22T21:51:28Z" level=debug msg="Configuration received from provider ACME: {\"tls\":[{\"EntryPoints\":[\"https\"],\"Certificate\":{\"CertFile\":\"-----BEGIN CERTIFICATE-----\\nMIIG9DCCBdygAwIBAgITAPph6ViRK7y5y0HIODGAemZqxTANBgkqhkiG9w0BAQsF...\\nIA+me+wtMu+u5iPDnqFhigqhBMnomEVKeLVuI2htmh+aAiEAycWd2E7LRq2SsjJL\\n6tlT/GfrGm1kgfEzx4P8H4xVUFQwDQYJKoZIhvcNAQELBQADggEBAIMc7BWkKZMJ\\n8wOuogdNnRU/I2SHmQVh7j+p1n9FA5fYEWaUeiRF6Rk1yVUnNtSy/M2WmwsKCPSC\\nTT6jdfmMpFAj32wzlGNtSSTnLQ5guNwZMwpPSe9p20DpuShoeqn4wHg5DqxSiOk2\\nS29yc0FjA9rFfxFMsWjWGTCeHmTzbKrZoRbh0rbOHMmPi43tcvCrCLsL1ShFuLLX\\n9oygNX+bCte4290ITiymEqfePwUKq3EpllttabyenAvAHMUqStfyBQVrnp8sNpkU\\ncaVbiTtrqUb4pU9dEIBAFIiL1RApfrdGgGPOgWdx0mSU25E8YqhIIZ79opfkL1JF\\ng5pRj80V3/Q=\\n-----END CERTIFICATE-----\\n\\n-----BEGIN CERTIFICATE-----\\nMIIEqzCCApOgAwIBAgIRAIvhKg5ZRO08VGQx8JdhT+UwDQYJKoZIhvcNAQELBQAw\\...\\n/zjFMx7Y4l/sQb9fL4JHMwEgv/zmcYpIaMVU+ufExJN4/hXpogMzsnUXufLN7yEs\\nyL+2pQSCb4Kuemk34f3Unj8PkKombTwfOQG/+Pp/ylkFDRkIon21PfoTljGyfse+\\ngsf4IP3Q/0C+npMkdVg+18WeEEGR5ESmbVgZvacZVyM+xukbAQ4kliyE2vrP\\n-----END RSA PRIVATE KEY-----\\n\"}}]}"
time="2018-07-22T21:51:28Z" level=debug msg="Creating frontend test.example.com/traefik"
time="2018-07-22T21:51:28Z" level=debug msg="Wiring frontend test.example.com/traefik to entryPoint http"
time="2018-07-22T21:51:28Z" level=debug msg="Creating route /traefik PathPrefixStrip:/traefik"
time="2018-07-22T21:51:28Z" level=debug msg="Creating route test.example.com Host:test.example.com"
time="2018-07-22T21:51:28Z" level=debug msg="Creating entry point redirect http -> https"
time="2018-07-22T21:51:28Z" level=debug msg="Creating backend test.example.com/traefik"
time="2018-07-22T21:51:28Z" level=debug msg="Creating load-balancer wrr"
time="2018-07-22T21:51:28Z" level=debug msg="Creating server ingress-controller-traefik-84f498df9d-sq76f at http://10.244.2.109:8080 with weight 1"
time="2018-07-22T21:51:28Z" level=debug msg="Creating entry point redirect http -> https"
time="2018-07-22T21:51:28Z" level=debug msg="Frontend test.example.com/traefik redirect created"
time="2018-07-22T21:51:28Z" level=debug msg="Wiring frontend test.example.com/traefik to entryPoint https"
time="2018-07-22T21:51:28Z" level=debug msg="Creating route /traefik PathPrefixStrip:/traefik"
time="2018-07-22T21:51:28Z" level=debug msg="Creating route test.example.com Host:test.example.com"
time="2018-07-22T21:51:28Z" level=debug msg="Creating backend test.example.com/traefik"
time="2018-07-22T21:51:28Z" level=debug msg="Creating load-balancer wrr"
time="2018-07-22T21:51:28Z" level=debug msg="Creating server ingress-controller-traefik-84f498df9d-sq76f at http://10.244.2.109:8080 with weight 1"
time="2018-07-22T21:51:28Z" level=debug msg="Add certificate for domains test.example.com"
time="2018-07-22T21:51:28Z" level=info msg="Server configuration reloaded on :80"
time="2018-07-22T21:51:28Z" level=info msg="Server configuration reloaded on :443"
time="2018-07-22T21:51:28Z" level=info msg="Server configuration reloaded on :8080"
time="2018-07-22T21:51:28Z" level=debug msg="http2: server: error reading preface from client 10.244.1.0:34280: remote error: tls: unknown certificate authority"
...
time="2018-07-22T21:51:32Z" level=debug msg="http2: server: error reading preface from client 10.244.1.0:34308: remote error: tls: unknown certificate authority"
```


Obviously, the reconnect of the client fails repeatedly: first due to a bad cert (I guess from previous start-ups) and then from an unknown authority (this is weird, since it should be the default cert now).

juliens commented 6 years ago

Thx for your interest in the project.

When I look at your logs, I can't see whether it is really the default cert that we serve just after the ACME cert is added. Are you sure this is the default cert? Because, as a reminder, when you use ACME staging you need to manually add the root certificate to have a valid certificate, and that can be the reason for your failed requests.

Can you verify which certificate is used in your client app?

cgebe commented 6 years ago

Hey @Juliens, I did not only test the staging env; I forgot to mention this at the top. The production environment makes no difference. By checking the cert, my domain name is stated in the fields. So it is not the default cert; however, it is not signed by a trusted store. Maybe the http-01 check fails and I get a staging cert in both environments. Sadly, I am moving over to cert-manager now and didn't test further.

Thank you for your help. The issue can be closed, I think.

ibayer commented 5 years ago

@juliens

Hi Julian, I'm in a situation where I get certs issued from ACME staging (I can see them in acme.json), but they are not used (as far as I can tell from the missing browser icon). My setting works fine with the production server. According to your comment, this seems to be expected behavior.

> Because as reminder, when you use the acme staging, you need to manually add the root certificate to have a valid certificate

Can you expand a bit on what I need to do to manually add the root certificate?

Edit: @j0hnsmith thanks, auto-completion tricked me.
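The two open questions in this thread, juliens' "which certificate is your client actually seeing?" and ibayer's "what does manually adding the root certificate involve?", can both be answered with a small check against the served chain. The Go program below is an added example for that purpose; it is not Traefik code and not from anyone in this thread. `Classify` tells apart Traefik's self-signed fallback, a Let's Encrypt staging issuance, a certificate that does not cover the host, and one that does but whose trust still has to be checked; `VerifyChain` then validates the chain against either the system store or a pool into which the staging root has been added, which is the step juliens refers to. Assumptions: Traefik's fallback certificate carries the CommonName `TRAEFIK DEFAULT CERT`, staging issuers are recognised by the substrings `Fake LE` or `STAGING` in their CN (a heuristic), and every certificate in `main` is constructed locally; the function names are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Verdicts returned by Classify for the certificate a TLS endpoint actually serves.
const (
	VerdictTraefikDefault = "traefik-default" // Traefik's built-in self-signed fallback
	VerdictNameMismatch   = "name-mismatch"   // does not cover the requested host
	VerdictStagingCA      = "staging-ca"      // issuer CN mentions "Fake LE" or "STAGING" (heuristic for LE staging)
	VerdictNameOK         = "name-ok"         // covers the host; trust still to be verified
)

// Classify inspects the leaf certificate presented for host.
func Classify(leaf *x509.Certificate, host string) string {
	// Assumption: Traefik's generated fallback certificate carries this CommonName.
	if leaf.Subject.CommonName == "TRAEFIK DEFAULT CERT" {
		return VerdictTraefikDefault
	}
	if leaf.VerifyHostname(host) != nil {
		return VerdictNameMismatch
	}
	if iss := strings.ToUpper(leaf.Issuer.CommonName); strings.Contains(iss, "FAKE LE") || strings.Contains(iss, "STAGING") {
		return VerdictStagingCA
	}
	return VerdictNameOK
}

// VerifyChain validates chain[0] for host, treating chain[1:] as intermediates. roots == nil
// means the system store; a pool holding the staging root is the "manually add the root" step.
func VerifyChain(chain []*x509.Certificate, roots *x509.CertPool, host string) error {
	opts := x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: x509.NewCertPool()}
	for _, c := range chain[1:] {
		opts.Intermediates.AddCert(c)
	}
	_, err := chain[0].Verify(opts)
	return err
}

// FetchServedChain returns the chain a live endpoint presents for serverName (SNI); verification is skipped only so the chain can be inspected, trust is decided afterwards by VerifyChain.
func FetchServedChain(addr, serverName string) ([]*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

// NewTestCert builds a constructed certificate for offline use; parent == nil means self-signed.
func NewTestCert(cn string, dnsNames []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"constructed example"}},
		DNSNames:              dnsNames,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	fallback, _, _ := NewTestCert("TRAEFIK DEFAULT CERT", nil, false, nil, nil)
	stagingCA, caKey, _ := NewTestCert("Fake LE Intermediate X1", nil, true, nil, nil)
	leaf, _, _ := NewTestCert("test.example.com", []string{"test.example.com"}, false, stagingCA, caKey)
	staging := x509.NewCertPool()
	staging.AddCert(stagingCA)
	fmt.Println(Classify(fallback, "test.example.com"), Classify(leaf, "test.example.com"))
	fmt.Println("with staging root:", VerifyChain([]*x509.Certificate{leaf}, staging, "test.example.com"))
}
```

`go run` exercises it on the constructed certificates only. Against a live endpoint, feed the result of `FetchServedChain("test.example.com:443", "test.example.com")` to `Classify` and `VerifyChain`; a certificate that names the domain but is rejected by the browser, as cgebe reported, comes out as `staging-ca` (or `name-ok` with a verification error), not as `traefik-default`, and verification only succeeds once the staging root is in the pool, which is exactly why the logs turn from `bad certificate` into `unknown certificate authority` after the ACME certificate is installed.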

j0hnsmith commented 5 years ago

I think you meant @juliens