Closed cgebe closed 6 years ago
Thx for your interest in the project.
When I look at your logs, I can't see if it is really the default cert that we serve just after the ACME cert is added. Are you sure this is the default cert? Because, as a reminder, when you use the ACME staging, you need to manually add the root certificate to have a valid certificate, and it can be the reason for your failed request.
Can you verify which certificate is used in your client app?
Hey @Juliens, I did not only test the staging env; I forgot to mention this at the top. The production environment makes no difference. By checking the cert, my domain name is stated in the fields. So it is not the default cert; however, it is not signed with a trusted store. Maybe the http-01 check fails and I get a staging cert in both environments. Sadly, I go over cert-manager now and didn't test further.
Thank you for your help - issue can be closed, I think.
@juliens
Hi julian, I'm in a situation where I get certs issued from ACME staging (I can see them in acme.json) but they are not used (as I can tell from the missing browser icon). My setting works fine with the production server. According to your comment this seems to be expected behavior.
> Because, as a reminder, when you use the ACME staging, you need to manually add the root certificate to have a valid certificate
Can you expand a bit on what I need to do to manually add the root certificate?
Edit: @j0hnsmith thanks, auto-completion tricked me.
I think you meant @juliens
Do you want to request a feature or report a bug?
Bug
What did you do?
I set up Traefik as an ingress controller in my Kubernetes cluster. For this, I am using the helm chart with my configuration. I want to run the Traefik dashboard on a subdomain with a path, protected by an ACME cert. After setting up everything (supposedly) correctly, Traefik uses the default cert, despite fetching the correct cert from ACME. Choosing onHostRule or stating the domain statically makes no difference. Please see the logs below.
In the following, I replace my subdomain/path with:
test.example.com/traefik
What did you expect to see?
I expect Traefik to use the ACME cert as soon as it has fetched it, replacing the default cert.
What did you see instead?
Traefik uses the default cert.
Output of `traefik version`: (What version of Traefik are you using?)
1.6.5
What is your environment & configuration (arguments, toml, provider, platform, ...)?
traefik service
```
Name:         ingress-controller-traefik
Namespace:    default
Labels:       app=traefik
              chart=traefik-1.35.0
              heritage=Tiller
              release=ingress-controller
Annotations:
```
dashboard service
```
Name:         ingress-controller-traefik-dashboard
Namespace:    default
Labels:       app=traefik
              chart=traefik-1.35.0
              heritage=Tiller
              release=ingress-controller
Annotations:
```
dashboard ingress
```
Name:             ingress-controller-traefik-dashboard
Namespace:        default
Address:
Default backend:  default-http-backend:80 (
```
traefik deployment
```
Name:                   ingress-controller-traefik
Namespace:              default
CreationTimestamp:      Sun, 22 Jul 2018 22:57:16 +0200
Labels:                 app=traefik
                        chart=traefik-1.35.0
                        heritage=Tiller
                        release=ingress-controller
Annotations:            deployment.kubernetes.io/revision=1
Selector:               app=traefik,release=ingress-controller
Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  1 max unavailable, 1 max surge
Pod Template:
  Labels:           app=traefik
                    chart=traefik-1.35.0
                    heritage=Tiller
                    release=ingress-controller
  Annotations:      checksum/config=f3dbba5a6857f67f7d0e67c91fcae551c1cbebc7af1906a8ea0f289e54af24fc
  Service Account:  ingress-controller-traefik
  Containers:
   ingress-controller-traefik:
    Image:       traefik:1.6.5
    Ports:       80/TCP, 8880/TCP, 443/TCP, 8080/TCP
    Host Ports:  0/TCP, 0/TCP, 0/TCP, 0/TCP
    Args:
      --configfile=/config/traefik.toml
    Limits:
      cpu:     100m
      memory:  30Mi
    Requests:
      cpu:     100m
      memory:  20Mi
    Liveness:     tcp-socket :80 delay=10s timeout=2s period=10s #success=1 #failure=3
    Readiness:    tcp-socket :80 delay=10s timeout=2s period=10s #success=1 #failure=1
    Environment:
```
If applicable, please paste the log output in DEBUG level (`--logLevel=DEBUG` switch)
logs
```shell
time="2018-07-22T21:50:46Z" level=info msg="Using TOML configuration file /config/traefik.toml"
time="2018-07-22T21:50:46Z" level=warning msg="web provider configuration is deprecated, you should use these options : api, rest provider, ping and metrics"
time="2018-07-22T21:50:46Z" level=info msg="Traefik version v1.6.5 built on 2018-07-10_03:54:03PM"
time="2018-07-22T21:50:46Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n"
time="2018-07-22T21:50:46Z" level=debug msg="Global configuration loaded {\"LifeCycle\":{\"RequestAcceptGraceTimeout\":0,\"GraceTimeOut\":10000000000},\"GraceTimeOut\":0,\"Debug\":true,\"CheckNewVersion\":true,\"SendAnonymousUsage\":false,\"AccessLogsFile\":\"\",\"AccessLog\":null,\"TraefikLogsFile\":\"\",\"TraefikLog\":null,\"Tracing\":null,\"LogLevel\":\"\",\"EntryPoints\":{\"http\":{\"Address\":\":80\",\"TLS\":null,\"Redirect\":{\"entryPoint\":\"https\"},\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":true,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}},\"https\":{\"Address\":\":443\",\"TLS\":{\"MinVersion\":\"\",\"CipherSuites\":null,\"Certificates\":null,\"ClientCAFiles\":null,\"ClientCA\":{\"Files\":null,\"Optional\":false}},\"Redirect\":null,\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":true,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}},\"traefik\":{\"Address\":\":8080\",\"TLS\":null,\"Redirect\":null,\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":false,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}}},\"Cluster\":null,\"Constraints\":[],\"ACME\":null,\"DefaultEntryPoints\":[\"http\",\"https\"],\"ProvidersThrottleDuration\":2000000000,\"MaxIdleConnsPerHost\":200,\"IdleTimeout\":0,\"InsecureSkipVerify\":true,\"RootCAs\":null,\"Retry\":null,\"HealthCheck\":{\"Interval\":30000000000},\"RespondingTimeouts\":null,\"ForwardingTimeouts\":null,\"AllowMinWeightZero\":false,\"Web\":{\"Address\":\":8080\",\"CertFile\":\"\",\"KeyFile\":\"\",\"ReadOnly\":false,\"Statistics\":null,\"Metrics\":null,\"Path\":\"/\",\"Auth\":null,\"Debug\":false},\"Docker\":null,\"File\":null,\"Marathon\":null,\"Consul\":null,\"ConsulCatalog\":null,\"Etcd\":null,\"Zookeeper\":null,\"Boltdb\":null,\"Kubernetes\":{\"Watch\":true,\"Filename\":\"\",\"Constraints\":[],\"Trace\":false,\"TemplateVersion\":0,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"\",\"Token\":\"\",\"CertAuthFilePath\":\"\",\"DisablePassHostHeaders\":false,\"EnablePassTLSCert\":false,\"Namespaces\":[\"default\"],\"LabelSelector\":\"traffic-type=external\",\"IngressClass\":\"traefik\"},\"Mesos\":null,\"Eureka\":null,\"ECS\":null,\"Rancher\":null,\"DynamoDB\":null,\"ServiceFabric\":null,\"Rest\":null,\"API\":{\"EntryPoint\":\"traefik\",\"Dashboard\":true,\"Debug\":true,\"CurrentConfigurations\":null,\"Statistics\":null},\"Metrics\":null,\"Ping\":{\"EntryPoint\":\"traefik\"}}"
time="2018-07-22T21:50:46Z" level=info msg="Preparing server http &{Address::80 TLS:
```
Obviously, the reconnect of the client fails repeatedly. First due to bad cert (I guess from previous start ups) and then from unknown authority (this is weird since it should be the default cert now)
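The thread turns on telling two cases apart: a served certificate that is not for the requested name (a default certificate) versus one that carries the right name but chains to a root the client does not trust (the ACME staging case). The following Go program is an added example, not code from the thread or from Traefik; it uses only certificates constructed in-process, and the names `issue`, `classify`, `demo`, `staging-root.invalid` and `default.invalid` are made up for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a throwaway cert for name; a nil parent yields a self-signed CA.
func issue(name string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // a failure surfaces in CreateCertificate
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, parent, signer = true, true, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// classify answers separately: is the cert for host, and does it verify against roots?
func classify(leaf *x509.Certificate, host string, roots *x509.CertPool) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return fmt.Sprintf("name_ok=%t chain_trusted=%t", leaf.VerifyHostname(host) == nil, err == nil)
}

// demo runs on constructed certificates only; no real ACME CA is involved.
func demo() [3]string {
	const host = "test.example.com"
	root, rootKey := issue("staging-root.invalid", nil, nil) // stand-in for an untrusted staging root
	acme, _ := issue(host, root, rootKey)                    // right name, issued by that root
	fallback, _ := issue("default.invalid", nil, nil)        // stand-in for a self-signed default cert
	empty, withRoot := x509.NewCertPool(), x509.NewCertPool()
	withRoot.AddCert(root) // "manually add the root certificate"
	return [3]string{classify(fallback, host, empty), classify(acme, host, empty), classify(acme, host, withRoot)}
}

func main() { fmt.Println(demo()) }
```

The second result is the situation reported in the thread: the name matches, so it is not the default certificate, but verification fails until the issuing root is in the client's pool.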