TLS not working #4227

Closed
aug70 opened this issue Nov 24, 2018 · 24 comments

Comments

@aug70

aug70 commented Nov 24, 2018

Do you want to request a feature or report a bug?

Bug

What did you do?

Deploy with tls config

What did you expect to see?

Normal operation with http redirecting to https

What did you see instead?

time="2018-11-24T04:57:18Z" level=error msg="Error configuring TLS for ingress kube-system/traefik-web-ui: secret kube-system/traefik-ui-tls-cert does not exist"

Output of traefik version: (What version of Traefik are you using?)

time="2018-11-24T04:57:18Z" level=info msg="Traefik version v1.7.4 built on 2018-10-30_10:44:30AM"

What is your environment & configuration (arguments, toml, provider, platform, ...)?

apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-conf
data:
  traefik.toml: |
    # traefik.toml
    logLevel = "INFO"
    defaultEntryPoints = ["http", "https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
        [entryPoints.http.redirect]
        entryPoint = "https"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          certFile = "/ssl/tls.crt"
          keyFile = "/ssl/tls.key"
    [kubernetes]

If applicable, please paste the log output in DEBUG level (--logLevel=DEBUG switch)

time="2018-11-24T04:57:18Z" level=info msg="Using TOML configuration file /config/traefik.toml"
time="2018-11-24T04:57:18Z" level=info msg="No tls.defaultCertificate given for https: using the first item in tls.certificates as a fallback."
time="2018-11-24T04:57:18Z" level=info msg="Traefik version v1.7.4 built on 2018-10-30_10:44:30AM"
time="2018-11-24T04:57:18Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n"
time="2018-11-24T04:57:18Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:0xc0003e89c0 Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc000347c40} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2018-11-24T04:57:18Z" level=info msg="Preparing server https &{Address::443 TLS:0xc000490870 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc000347c60} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2018-11-24T04:57:18Z" level=info msg="Starting server on :80"
time="2018-11-24T04:57:18Z" level=info msg="Starting provider configuration.ProviderAggregator {}"
time="2018-11-24T04:57:18Z" level=info msg="Starting server on :443"
time="2018-11-24T04:57:18Z" level=info msg="Starting provider *kubernetes.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":[],\"Trace\":false,\"TemplateVersion\":0,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"\",\"Token\":\"\",\"CertAuthFilePath\":\"\",\"DisablePassHostHeaders\":false,\"EnablePassTLSCert\":false,\"Namespaces\":null,\"LabelSelector\":\"\",\"IngressClass\":\"\",\"IngressEndpoint\":null}"
time="2018-11-24T04:57:18Z" level=info msg="ingress label selector is: \"\""
time="2018-11-24T04:57:18Z" level=info msg="Creating in-cluster Provider client"
time="2018-11-24T04:57:18Z" level=error msg="Error configuring TLS for ingress kube-system/traefik-web-ui: secret kube-system/traefik-ui-tls-cert does not exist"
time="2018-11-24T04:57:18Z" level=info msg="Server configuration reloaded on :443"
time="2018-11-24T04:57:18Z" level=info msg="Server configuration reloaded on :80"
time="2018-11-24T04:57:18Z" level=warning msg="Endpoints not available for kube-system/traefik-web-ui"
time="2018-11-24T04:57:18Z" level=warning msg="Endpoints not available for kube-system/traefik-web-ui"
time="2018-11-24T04:57:20Z" level=info msg="Server configuration reloaded on :80"
time="2018-11-24T04:57:20Z" level=info msg="Server configuration reloaded on :443"

When I check the secret it's there...

kubectl get secret -n kube-system traefik-ui-tls-cert
NAME                  TYPE                DATA   AGE
traefik-ui-tls-cert   kubernetes.io/tls   2      20m

This has been mentioned in another ticket and closed without much investigation. (I'll reference the ticket here if I can find it)
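The error above is the Kubernetes provider failing to resolve the Ingress's `secretName` to a Secret it can read. The check it performs can be reproduced offline against exported manifests. This is an added Go example, not Traefik's code and not from this issue: the Ingress and Secret objects are constructed inline, the PEM contents are placeholders rather than real key material, and the names `CheckIngressTLS`, `pemB64` and `ResolveDemo` are mine.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// Minimal shapes of the Kubernetes objects inspected here (only the fields used).
type ingress struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		TLS []struct {
			SecretName string `json:"secretName"`
		} `json:"tls"`
	} `json:"spec"`
}

type secret struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Data map[string]string `json:"data"` // base64-encoded values, as the API returns them
}

// CheckIngressTLS returns one finding per TLS entry of the ingress. It mirrors what a
// Kubernetes ingress controller needs before it can serve a certificate: the secret must
// exist in the ingress's own namespace and carry tls.crt / tls.key values that decode to
// PEM blocks. An empty result means every entry resolves.
func CheckIngressTLS(ing ingress, secrets []secret) []string {
	var findings []string
	byKey := map[string]secret{}
	for _, s := range secrets {
		byKey[s.Metadata.Namespace+"/"+s.Metadata.Name] = s
	}
	for _, t := range ing.Spec.TLS {
		want := ing.Metadata.Namespace + "/" + t.SecretName
		s, ok := byKey[want]
		if !ok {
			msg := fmt.Sprintf("secret %s does not exist", want)
			// A same-named secret in another namespace is a frequent cause of this message.
			for k := range byKey {
				if byKey[k].Metadata.Name == t.SecretName {
					msg += fmt.Sprintf(" (a secret with that name exists as %s)", k)
				}
			}
			findings = append(findings, msg)
			continue
		}
		for _, key := range []string{"tls.crt", "tls.key"} {
			raw, err := base64.StdEncoding.DecodeString(s.Data[key])
			if err != nil || len(raw) == 0 {
				findings = append(findings, fmt.Sprintf("secret %s: %s missing or not base64", want, key))
				continue
			}
			if blk, _ := pem.Decode(raw); blk == nil {
				findings = append(findings, fmt.Sprintf("secret %s: %s is not PEM", want, key))
			}
		}
	}
	return findings
}

// pemB64 builds a base64-encoded PEM block around placeholder bytes (constructed test
// data, not a real certificate or key).
func pemB64(typ string) string {
	p := pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: []byte("placeholder")})
	return base64.StdEncoding.EncodeToString(p)
}

// ResolveDemo runs the check for two constructed scenarios: the secret created in the
// wrong namespace (default instead of kube-system), and the secret correctly placed.
func ResolveDemo() (wrongNS, rightNS []string) {
	var ing ingress
	err := json.Unmarshal([]byte(`{"metadata":{"name":"traefik-web-ui","namespace":"kube-system"},
	  "spec":{"tls":[{"secretName":"traefik-ui-tls-cert"}]}}`), &ing)
	if err != nil {
		panic(err)
	}
	good := secret{Data: map[string]string{
		"tls.crt": pemB64("CERTIFICATE"), "tls.key": pemB64("PRIVATE KEY")}}
	good.Metadata.Name = "traefik-ui-tls-cert"

	misplaced := good
	misplaced.Metadata.Namespace = "default"
	wrongNS = CheckIngressTLS(ing, []secret{misplaced})

	good.Metadata.Namespace = "kube-system"
	rightNS = CheckIngressTLS(ing, []secret{good})
	return wrongNS, rightNS
}

func main() {
	w, r := ResolveDemo()
	fmt.Println("wrong namespace:", w)
	fmt.Println("right namespace:", r)
}
```

In a real cluster the two inputs would come from `kubectl get ingress -A -o json` and `kubectl get secret -A -o json`, run with the ingress controller's own service account (`--as system:serviceaccount:<ns>:<sa>`) so that an RBAC gap shows up as an empty secret list rather than being masked by an administrator's kubeconfig.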

@nmengin nmengin added area/provider/k8s/ingress priority/P1 need to be fixed in next release kind/bug/possible a possible bug that needs analysis before it is confirmed or fixed. area/tls and removed status/0-needs-triage labels Nov 26, 2018
@nmengin nmengin self-assigned this Nov 26, 2018
@athoune

athoune commented Nov 26, 2018

I read secret kube-system/traefik-ui-tls-cert does not exist in your example.

@aug70
Author

aug70 commented Nov 27, 2018

@athoune yes. Are you asking a question? If you read the whole post, the secret exists -- proof at the bottom of the post. It's just that Traefik doesn't see it or can't find it.

@dtomcej
Contributor

dtomcej commented Nov 27, 2018

@aug70 Does the certificate actually work? Or is it just the error message you are encountering?

There is a known issue (#3667) that references that error message.

If you are finding that the certificate is not being loaded at all by traefik, I would check the RBAC that your traefik pod serviceAccount runs with. It is possible that traefik may not have the correct permissions to access those secrets, even if the serviceAccount you use to run kubectl does.

@aug70
Author

aug70 commented Nov 28, 2018

@dtomcej The certificate is legit and I use it in many other places but it's a wild card certificate 🤔

  tls:
   - secretName: traefik-ui-tls-cert
  • Here is how I create the secret:
kubectl create secret -n kube-system generic traefik-ui-tls-cert \
    --from-file=tls.key=<(cat myprivkey.pem) \
    --from-file=tls.crt=<(cat myfullchain.pem) \
    -oyaml --dry-run | \
    cat <(cat -) <(echo "type: kubernetes.io/tls") | \
    kubectl create -f -
  • Also checked on minikube, same error...

Works just fine without https

@dtomcej
Contributor

dtomcej commented Dec 6, 2018

@aug70 Can you try enabling the debug logs? I want to see the events provided by k8s.

Also of note: Is there a particular reason you are patching the secret type? I don't think it should matter, but can you try without patching the type, and leaving it Opaque?

Thanks!

@aug70
Author

aug70 commented Dec 8, 2018

time="2018-12-08T05:56:53Z" level=info msg="Using TOML configuration file /config/traefik.toml"
time="2018-12-08T05:56:53Z" level=info msg="No tls.defaultCertificate given for https: using the first item in tls.certificates as a fallback."
time="2018-12-08T05:56:53Z" level=info msg="Traefik version v1.7.5 built on 2018-12-03_11:01:00AM"
time="2018-12-08T05:56:53Z" level=debug msg="Global configuration loaded {\"LifeCycle\":{\"RequestAcceptGraceTimeout\":0,\"GraceTimeOut\":10000000000},\"GraceTimeOut\":0,\"Debug\":false,\"CheckNewVersion\":true,\"SendAnonymousUsage\":false,\"AccessLogsFile\":\"\",\"AccessLog\":null,\"TraefikLogsFile\":\"\",\"TraefikLog\":null,\"Tracing\":null,\"LogLevel\":\"DEBUG\",\"EntryPoints\":{\"http\":{\"Address\":\":80\",\"TLS\":null,\"Redirect\":{\"entryPoint\":\"https\"},\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":false,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}},\"https\":{\"Address\":\":443\",\"TLS\":{\"MinVersion\":\"\",\"CipherSuites\":null,\"Certificates\":[{\"CertFile\":\"/ssl/tls.crt\",\"KeyFile\":\"/ssl/tls.key\"}],\"ClientCAFiles\":null,\"ClientCA\":{\"Files\":null,\"Optional\":false},\"DefaultCertificate\":{\"CertFile\":\"/ssl/tls.crt\",\"KeyFile\":\"/ssl/tls.key\"},\"SniStrict\":false},\"Redirect\":null,\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":false,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}}},\"Cluster\":null,\"Constraints\":[],\"ACME\":null,\"DefaultEntryPoints\":[\"http\",\"https\"],\"ProvidersThrottleDuration\":2000000000,\"MaxIdleConnsPerHost\":200,\"IdleTimeout\":0,\"InsecureSkipVerify\":false,\"RootCAs\":null,\"Retry\":null,\"HealthCheck\":{\"Interval\":30000000000},\"RespondingTimeouts\":null,\"ForwardingTimeouts\":null,\"AllowMinWeightZero\":false,\"KeepTrailingSlash\":false,\"Web\":null,\"Docker\":null,\"File\":null,\"Marathon\":null,\"Consul\":null,\"ConsulCatalog\":null,\"Etcd\":null,\"Zookeeper\":null,\"Boltdb\":null,\"Kubernetes\":{\"Watch\":true,\"Filename\":\"\",\"Constraints\":[],\"Trace\":false,\"TemplateVersion\":0,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"\",\"Token\":\"\",\"CertAuthFilePath\":\"\",\"DisablePassHostHeaders\":false,\"EnablePassTLSCert\":false,\"Namespaces\":null,\"LabelSelector\":\"\",\"IngressClass\":\"\",\"IngressEndpoint\":null},\"Mesos\":null,\"Eureka\":null,\"ECS\":null,\"Rancher\":null,\"DynamoDB\":null,\"ServiceFabric\":null,\"Rest\":null,\"API\":null,\"Metrics\":null,\"Ping\":null,\"HostResolver\":null}"
time="2018-12-08T05:56:53Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n"
time="2018-12-08T05:56:53Z" level=debug msg="Add certificate for domains *.my-domain.com"
time="2018-12-08T05:56:53Z" level=debug msg="Creating entry point redirect http -> https"
time="2018-12-08T05:56:53Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:0xc0000e5fc0 Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc000418480} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2018-12-08T05:56:53Z" level=info msg="Preparing server https &{Address::443 TLS:0xc0002ed050 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc000418520} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2018-12-08T05:56:53Z" level=info msg="Starting server on :80"
time="2018-12-08T05:56:53Z" level=debug msg="Add certificate for domains *.my-domain.com"
time="2018-12-08T05:56:53Z" level=info msg="Starting server on :443"
time="2018-12-08T05:56:53Z" level=info msg="Starting provider configuration.ProviderAggregator {}"
time="2018-12-08T05:56:53Z" level=info msg="Starting provider *kubernetes.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":[],\"Trace\":false,\"TemplateVersion\":0,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"\",\"Token\":\"\",\"CertAuthFilePath\":\"\",\"DisablePassHostHeaders\":false,\"EnablePassTLSCert\":false,\"Namespaces\":null,\"LabelSelector\":\"\",\"IngressClass\":\"\",\"IngressEndpoint\":null}"
time="2018-12-08T05:56:53Z" level=debug msg="Using Ingress label selector: \"\""
time="2018-12-08T05:56:53Z" level=info msg="ingress label selector is: \"\""
time="2018-12-08T05:56:53Z" level=info msg="Creating in-cluster Provider client"
time="2018-12-08T05:56:53Z" level=debug msg="Received Kubernetes event kind *v1beta1.Ingress"
time="2018-12-08T05:56:53Z" level=error msg="Error configuring TLS for ingress kube-system/traefik-web-ui: secret kube-system/traefik-ui-tls-cert does not exist"
time="2018-12-08T05:56:53Z" level=debug msg="Configuration received from provider kubernetes: {}"
time="2018-12-08T05:56:53Z" level=debug msg="Add certificate for domains *.my-domain.com"
time="2018-12-08T05:56:53Z" level=info msg="Server configuration reloaded on :80"
time="2018-12-08T05:56:53Z" level=info msg="Server configuration reloaded on :443"
time="2018-12-08T05:56:53Z" level=debug msg="Received Kubernetes event kind *v1.Secret"
time="2018-12-08T05:56:53Z" level=warning msg="Endpoints not available for kube-system/traefik-web-ui"
time="2018-12-08T05:56:53Z" level=debug msg="Received Kubernetes event kind *v1.Secret"
time="2018-12-08T05:56:53Z" level=warning msg="Endpoints not available for kube-system/traefik-web-ui"
time="2018-12-08T05:56:53Z" level=debug msg="Skipping Kubernetes event kind *v1.Secret"
time="2018-12-08T05:56:53Z" level=debug msg="Configuration received from provider kubernetes: {\"backends\":{\"traefik-my-machine.my-domain.com/\":{\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"traefik-my-machine.my-domain.com/\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"traefik-my-machine.my-domain.com/\",\"routes\":{\"/\":{\"rule\":\"PathPrefix:/\"},\"traefik-my-machine.my-domain.com\":{\"rule\":\"Host:traefik-my-machine.my-domain.com\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":null}}}"
time="2018-12-08T05:56:53Z" level=debug msg="Received Kubernetes event kind *v1.Endpoints"
time="2018-12-08T05:56:53Z" level=debug msg="Received Kubernetes event kind *v1.Endpoints"
time="2018-12-08T05:56:53Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints"
time="2018-12-08T05:56:53Z" level=debug msg="Configuration received from provider kubernetes: {\"backends\":{\"traefik-my-machine.my-domain.com/\":{\"servers\":{\"traefik-ingress-controller-rt5kn\":{\"url\":\"http://10.1.83.5:8080\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"traefik-my-machine.my-domain.com/\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"traefik-my-machine.my-domain.com/\",\"routes\":{\"/\":{\"rule\":\"PathPrefix:/\"},\"traefik-my-machine.my-domain.com\":{\"rule\":\"Host:traefik-my-machine.my-domain.com\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":null}}}"
time="2018-12-08T05:56:54Z" level=debug msg="Received Kubernetes event kind *v1.Endpoints"
time="2018-12-08T05:56:54Z" level=debug msg="Received Kubernetes event kind *v1.Endpoints"
time="2018-12-08T05:56:54Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints"
time="2018-12-08T05:56:54Z" level=debug msg="Configuration received from provider kubernetes: {\"backends\":{\"traefik-my-machine.my-domain.com/\":{\"servers\":{\"traefik-ingress-controller-rt5kn\":{\"url\":\"http://10.1.83.5:8080\",\"weight\":1},\"traefik-ingress-controller-tv5lg\":{\"url\":\"http://10.1.77.16:8080\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"traefik-my-machine.my-domain.com/\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"traefik-my-machine.my-domain.com/\",\"routes\":{\"/\":{\"rule\":\"PathPrefix:/\"},\"traefik-my-machine.my-domain.com\":{\"rule\":\"Host:traefik-my-machine.my-domain.com\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":null}}}"
time="2018-12-08T05:56:54Z" level=debug msg="Received Kubernetes event kind *v1.Endpoints"
time="2018-12-08T05:56:54Z" level=debug msg="Received Kubernetes event kind *v1.Endpoints"
time="2018-12-08T05:56:54Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints"
time="2018-12-08T05:56:54Z" level=debug msg="Configuration received from provider kubernetes: {\"backends\":{\"traefik-my-machine.my-domain.com/\":{\"servers\":{\"traefik-ingress-controller-bgc5p\":{\"url\":\"http://10.1.31.4:8080\",\"weight\":1},\"traefik-ingress-controller-rt5kn\":{\"url\":\"http://10.1.83.5:8080\",\"weight\":1},\"traefik-ingress-controller-tv5lg\":{\"url\":\"http://10.1.77.16:8080\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"traefik-my-machine.my-domain.com/\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"traefik-my-machine.my-domain.com/\",\"routes\":{\"/\":{\"rule\":\"PathPrefix:/\"},\"traefik-my-machine.my-domain.com\":{\"rule\":\"Host:traefik-my-machine.my-domain.com\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":null}}}"
time="2018-12-08T05:56:55Z" level=debug msg="Received Kubernetes event kind *v1.Endpoints"
time="2018-12-08T05:56:55Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints"
time="2018-12-08T05:56:55Z" level=debug msg="Received Kubernetes event kind *v1.Endpoints"
time="2018-12-08T05:56:55Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints"
time="2018-12-08T05:56:55Z" level=debug msg="Add certificate for domains *.my-domain.com"
time="2018-12-08T05:56:55Z" level=debug msg="Wiring frontend traefik-my-machine.my-domain.com/ to entryPoint http"
time="2018-12-08T05:56:55Z" level=debug msg="Creating backend traefik-my-machine.my-domain.com/"
time="2018-12-08T05:56:55Z" level=debug msg="Adding TLSClientHeaders middleware for frontend traefik-my-machine.my-domain.com/"
time="2018-12-08T05:56:55Z" level=debug msg="Creating load-balancer wrr"
time="2018-12-08T05:56:55Z" level=debug msg="Creating server traefik-ingress-controller-bgc5p at http://10.1.31.4:8080 with weight 1"
time="2018-12-08T05:56:55Z" level=debug msg="Creating server traefik-ingress-controller-rt5kn at http://10.1.83.5:8080 with weight 1"
time="2018-12-08T05:56:55Z" level=debug msg="Creating server traefik-ingress-controller-tv5lg at http://10.1.77.16:8080 with weight 1"
time="2018-12-08T05:56:55Z" level=debug msg="Creating route / PathPrefix:/"
time="2018-12-08T05:56:55Z" level=debug msg="Creating route traefik-my-machine.my-domain.com Host:traefik-my-machine.my-domain.com"
time="2018-12-08T05:56:55Z" level=debug msg="Wiring frontend traefik-my-machine.my-domain.com/ to entryPoint https"
time="2018-12-08T05:56:55Z" level=debug msg="Creating backend traefik-my-machine.my-domain.com/"
time="2018-12-08T05:56:55Z" level=debug msg="Adding TLSClientHeaders middleware for frontend traefik-my-machine.my-domain.com/"
time="2018-12-08T05:56:55Z" level=debug msg="Creating load-balancer wrr"
time="2018-12-08T05:56:55Z" level=debug msg="Creating server traefik-ingress-controller-rt5kn at http://10.1.83.5:8080 with weight 1"
time="2018-12-08T05:56:55Z" level=debug msg="Creating server traefik-ingress-controller-tv5lg at http://10.1.77.16:8080 with weight 1"
time="2018-12-08T05:56:55Z" level=debug msg="Creating server traefik-ingress-controller-bgc5p at http://10.1.31.4:8080 with weight 1"
time="2018-12-08T05:56:55Z" level=debug msg="Creating route / PathPrefix:/"
time="2018-12-08T05:56:55Z" level=debug msg="Creating route traefik-my-machine.my-domain.com Host:traefik-my-machine.my-domain.com"
time="2018-12-08T05:56:55Z" level=debug msg="No entryPoint is defined to add the certificate MIIGCzCCBPOgAwIBAgISA0CUiZQjCkQ0GhkaYpjFej8sMA0GCS, it will be added to the default entryPoints: http, https"
time="2018-12-08T05:56:55Z" level=debug msg="Add certificate for domains *.my-domain.com"
time="2018-12-08T05:56:55Z" level=debug msg="Add certificate for domains *.my-domain.com"
time="2018-12-08T05:56:55Z" level=info msg="Server configuration reloaded on :443"
time="2018-12-08T05:56:55Z" level=debug msg="Certificates not added to non-TLS entryPoint http."
time="2018-12-08T05:56:55Z" level=info msg="Server configuration reloaded on :80"
time="2018-12-08T05:56:57Z" level=debug msg="Received Kubernetes event kind *v1.Endpoints"
time="2018-12-08T05:56:57Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints"
time="2018-12-08T05:56:57Z" level=debug msg="Received Kubernetes event kind *v1.Endpoints"

@aug70
Author

aug70 commented Dec 18, 2018

More logs attached...
traefik-ingress.log

@dtomcej I tried with Opaque secret, result is same. level=error msg="Error configuring TLS for ingress kube-system/traefik-web-ui-ingress: secret kube-system/traefik-ui-tls-cert does not exist"

Name: traefik-ui-tls-cert
Namespace: kube-system
Creation Time: 2018-12-18T17:06 UTC
Type: Opaque

@dtomcej
Contributor

dtomcej commented Dec 20, 2018

I am reviewing these logs, and it appears that the certificate is found, and applied. The certificate is loaded asynchronously with the ingress, so there is a period of time that the secret will log as "not found" before the k8s api provides it. This issue is logged in: #3667.

time="2018-12-18T16:38:45Z" level=debug msg="Received Kubernetes event kind *v1beta1.Ingress"
time="2018-12-18T16:38:45Z" level=error msg="Error configuring TLS for ingress kube-system/traefik-web-ui-ingress: secret kube-system/traefik-ui-tls-cert does not exist"
time="2018-12-18T16:38:45Z" level=debug msg="Configuration received from provider kubernetes: {}"
time="2018-12-18T16:38:45Z" level=info msg="Server configuration reloaded on :80"
time="2018-12-18T16:38:45Z" level=info msg="Server configuration reloaded on :443"
time="2018-12-18T16:38:45Z" level=debug msg="Received Kubernetes event kind *v1.Secret"
<--------Secret is now loaded, and no more error log ---------->
time="2018-12-18T16:38:45Z" level=debug msg="Received Kubernetes event kind *v1.Secret"
time="2018-12-18T16:38:45Z" level=debug msg="Skipping Kubernetes event kind *v1.Secret"
<---------If Secret was not loaded, the error message would repeat here ----->
time="2018-12-18T16:38:45Z" level=debug msg="Configuration received from provider kubernetes: {\"backends\":{\"my.server.com\":{\"servers\":{\"traefik-ingress-controller-df74c\":{\"url\":\"http://172.17.0.8:8080\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"my.server.com\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"my.server.com\",\"routes\":{\"my.server.com\":{\"rule\":\"Host:my.server.com\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":null}}}"

The issue that you appear to be reporting is that the http -> https redirect does not work.

Can you provide us with the result of a curl -v http://my.server.com please?
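The distinction dtomcej draws above (the Ingress event is processed before the `*v1.Secret` event arrives, so one "does not exist" error is expected; an error that is still logged after the Secret event is a real lookup failure) can be checked mechanically over a log file. This is an added Go example, not part of the issue and not Traefik's code: `ClassifyTLSErrors` and the two sample logs are mine. `TransientLog` reuses the lines quoted above; `PersistentLog` is constructed to show the failing case.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Traefik v1.7 logfmt lines: level=<level> msg="<text with \" escapes>".
var lineRe = regexp.MustCompile(`level=(\w+) msg="((?:[^"\\]|\\.)*)"`)
var tlsErrRe = regexp.MustCompile(`Error configuring TLS for ingress (\S+): secret (\S+) does not exist`)

// ClassifyTLSErrors returns, per ingress, "transient" when the TLS error was only logged
// before the first *v1.Secret event, and "persistent" when it was logged again after a
// Secret event had been received (the secret is genuinely unreadable from the
// controller's point of view: wrong namespace, missing RBAC, wrong name).
func ClassifyTLSErrors(log string) map[string]string {
	seenSecretEvent := false
	errBefore := map[string]bool{}
	errAfter := map[string]bool{}
	for _, line := range strings.Split(log, "\n") {
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		level, msg := m[1], m[2]
		if strings.Contains(msg, "Received Kubernetes event kind *v1.Secret") {
			seenSecretEvent = true
			continue
		}
		if level != "error" {
			continue
		}
		if e := tlsErrRe.FindStringSubmatch(msg); e != nil {
			if seenSecretEvent {
				errAfter[e[1]] = true
			} else {
				errBefore[e[1]] = true
			}
		}
	}
	out := map[string]string{}
	for ing := range errBefore {
		out[ing] = "transient"
	}
	for ing := range errAfter {
		out[ing] = "persistent" // overrides "transient" for the same ingress
	}
	return out
}

// TransientLog is the sequence quoted in the comment above: one error, then the Secret
// event, then no repeat.
const TransientLog = `time="2018-12-18T16:38:45Z" level=debug msg="Received Kubernetes event kind *v1beta1.Ingress"
time="2018-12-18T16:38:45Z" level=error msg="Error configuring TLS for ingress kube-system/traefik-web-ui-ingress: secret kube-system/traefik-ui-tls-cert does not exist"
time="2018-12-18T16:38:45Z" level=debug msg="Received Kubernetes event kind *v1.Secret"
time="2018-12-18T16:38:45Z" level=debug msg="Skipping Kubernetes event kind *v1.Secret"`

// PersistentLog is constructed: the error recurs on a later Ingress event even though a
// Secret event has already been received.
const PersistentLog = `time="2019-02-01T21:12:16Z" level=debug msg="Received Kubernetes event kind *v1beta1.Ingress"
time="2019-02-01T21:12:16Z" level=error msg="Error configuring TLS for ingress default/ingress: secret default/traefik-ui-tls-cert does not exist"
time="2019-02-01T21:12:16Z" level=debug msg="Received Kubernetes event kind *v1.Secret"
time="2019-02-01T21:12:17Z" level=debug msg="Received Kubernetes event kind *v1beta1.Ingress"
time="2019-02-01T21:12:17Z" level=error msg="Error configuring TLS for ingress default/ingress: secret default/traefik-ui-tls-cert does not exist"`

func main() {
	fmt.Println("transient sample:", ClassifyTLSErrors(TransientLog))
	fmt.Println("persistent sample:", ClassifyTLSErrors(PersistentLog))
}
```

Feed it `kubectl logs` output from the controller pod with `--logLevel=DEBUG`; only the "persistent" results are worth chasing, and for those the first things to compare are the namespace in the error and the namespace the secret was actually created in.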

@dtomcej dtomcej changed the title TLS not working Http -> Https redirect not working via kubernetes ingress Dec 20, 2018
@aug70
Author

aug70 commented Dec 21, 2018

@dtomcej

The issue that you appear to be reporting is that the http -> https redirect does not work.

If your above statement is correct, then the following is a very confusing log message and must be corrected too... msg="Error configuring TLS for ingress kube-system/traefik-web-ui-ingress: secret kube-system/traefik-ui-tls-cert does not exist"

Here is the output you asked for.

Redirect works, so not sure why you think redirect doesn't work -> curl2.txt
Https doesn't work -> curl.txt

@dtomcej
Contributor

dtomcej commented Dec 27, 2018

Ah, sorry @aug70, I misread the issue. I thought the redirect was not working also.

I read your curl.txt file, and it shows that you connected with TLS 1.2 successfully...

The only issue that appears is the 502, but that is a completely different issue altogether.

Can you confirm that with curl you are able to connect to traefik on your certificate domains?

@dtomcej dtomcej added priority/P2 need to be fixed in the future contributor/waiting-for-feedback and removed priority/P1 need to be fixed in next release labels Dec 27, 2018
@aug70
Author

aug70 commented Jan 7, 2019

Yes, this is not a redirect issue. I can connect with curl and I see redirect working.

@aug70 aug70 changed the title Http -> Https redirect not working via kubernetes ingress TLS not working Jan 7, 2019
@aug70
Author

aug70 commented Jan 7, 2019

@dtomcej I'm not sure what you are waiting for from me. I have added all the log files that I could possibly add to this issue. This is not a redirect problem! It's a problem with TLS (https endpoint). You should focus on this error message:

time="2018-11-24T04:57:18Z" level=error msg="Error configuring TLS for ingress kube-system/traefik-web-ui: secret kube-system/traefik-ui-tls-cert does not exist"

Once this is resolved, there won't be any problems (neither redirect nor 502). This seems like primal functionality for traefik on kubernetes. I'm surprised that it doesn't work and also surprised that you reduced the priority to P2.

@dtomcej
Contributor

dtomcej commented Jan 8, 2019

Hello @aug70 .

From your results:

$ curl -v https://my.server.com/
*   Trying 10.225.192.55...
* TCP_NODELAY set
* Connected to my.server.com (10.225.192.55) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.server.com
*  start date: Dec  8 03:46:35 2018 GMT
*  expire date: Mar  8 03:46:35 2019 GMT
*  subjectAltName: host "my.server.com" matched cert's "*.server.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55ea1034e840)

At this point, your client is connected via TLS. There are no issues with TLS, or the certificate.

> GET / HTTP/2
> Host: my.server.com
> User-Agent: curl/7.58.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!

At this point, your client has sent a request to traefik successfully.

< HTTP/2 502
< content-type: text/plain; charset=utf-8
< content-length: 11
< date: Fri, 21 Dec 2018 05:23:44 GMT
<
* Connection #0 to host my.server.com left intact
Bad Gateway

This result means that your backend is not responding properly. Traefik cannot connect to the pods of the service defined in your ingress.

I would try curling your service and service port that you have defined in your ingress to see if it responds correctly.

@traefiker
Contributor

Thanks for opening this issue!

We need further information to better understand the problem you're facing 🤔

Could you please join us on our Slack workspace and reach out to us on the (#support channel)?

We're looking forward to talking to you there!

@aug70
Author

aug70 commented Jan 15, 2019

This is trying to connect to Traefik admin UI that runs on port 8080.

@yniknafs

This comment has been minimized.

@dtomcej
Contributor

dtomcej commented Feb 2, 2019

@yniknafs Your image shows that the secret kube-system/traefik-ui-tls-cert exists, not default/traefik-ui-tls-cert, as shown in your logs:

time="2019-02-01T21:12:16Z" level=error msg="Error configuring TLS for ingress default/ingress: secret default/traefik-ui-tls-cert does not exist"

Also of note, you have configured traefik to listen on port 443 for TLS via the config, but have not exposed this port as a containerport.

I am going to mark your comment as off-topic, so as not to confuse the OP in this issue.

@arcln

arcln commented Apr 3, 2019

I had the exact same problem. But it was not because of Traefik's configuration.
I solved it when I noticed that I had another reverse proxy before Traefik that was decrypting the TLS requests before they were sent to my cluster. This way, Traefik was receiving plain HTTP requests on port 443.

However, even if this is working now, I'm still having this error:

Error configuring TLS for ingress default/traefik-dashboard-ingress: secret default/traefik-ui-tls-cert does not exist

Might be related to #4711?

@haf

haf commented Apr 20, 2019

Trying to get this working with docker-for-desktop; same problem as above; https://stackoverflow.com/questions/55777815/traefik-not-finding-tls-secret

@cuneytcalishkan

Hello,
I have had the kubernetes ingress installed and running since January 2019 and it was all fine until today, when I had to renew the certificates and restarted the ingress controller pods. I followed the documentation on https://docs.traefik.io/user-guide/kubernetes/#add-a-tls-certificate-to-the-ingress back then and it all worked well.

Traefik version v1.7.14 built on 2019-08-14_09:46:58AM
GKE version 1.11.10-gke.5; thinking that it might be caused by an outdated GKE version, I have just upgraded to version 1.13.7-gke.24 and still have the same issue.

I have tried to see the output when the secret does not exist for real, and the output is completely different: secret-does-not-exist.txt.

For the case when the secret exists but the server is not started: secret-not-found.txt.

Any ideas are welcome.

P.S. I have already tried changing the order of the entry points property to defaultentrypoints=https,http but it didn't work for me.

@jmaerki

jmaerki commented Apr 27, 2020

Similar story here: got the "does not exist" after replacing the certs. I can get/describe the certs with --as system:serviceaccount:kube-system:traefik-ingress-controller. In my case, interestingly, the old certs are still being presented by Traefik, even though I've killed the pods multiple times and have even made changes to the traefik daemonset. This is rather confusing since traefik doesn't get any persistent storage anywhere in the configuration. I assume "--kubernetes" places them somewhere in k8s' etcd. I've tried 1.7.9 and 17.24.

@barrowkwan

@jmaerki I wonder if you have this issue resolved? We are facing the same issue where traefik keeps serving the old cert. Thanks.

@SantoDE SantoDE removed the kind/bug/possible a possible bug that needs analysis before it is confirmed or fixed. label Jun 3, 2020
@HoffiMuc

HoffiMuc commented Jun 10, 2020

After I changed the sequence/order in the traefik configMap of traefik.toml (having now the [entryPoints.https] section before the [entryPoints.http] section)

    [entryPoints]
      [entryPoints.https]
      address = ":443"
      compress = true
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"
      [entryPoints.http]
      address = ":80"
      compress = true
      [entryPoints.prometheus]
      address = ":9100"

and doing a

curl -v -L --cacert root.ca --key vault.key --cert vault.crt  https://vault.iac.local/v1/sys/seal-status

I see:

$  kubectl -n kube-system logs pod/traefik-...
{"level":"debug","msg":"Skipping status update on ingress vault/vault","time":"2020-06-10T18:03:56Z"}
{"level":"debug","msg":"Skipping Kubernetes event kind *v1.Endpoints","time":"2020-06-10T18:03:56Z"}
{"Request":"{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/v1/sys/seal-status\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.64.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"vault.iac.local\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.42.2.3:62985\",\"RequestURI\":\"/v1/sys/seal-status\",\"TLS\":null}","level":"debug","msg":"vulcand/oxy/roundrobin/rr: begin ServeHttp on request","time":"2020-06-10T18:03:58Z"}
{"ForwardURL":{"Scheme":"https","Opaque":"","User":null,"Host":"10.42.4.7:8200","Path":"","RawPath":"","ForceQuery":false,"RawQuery":"","Fragment":""},"Request":"{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/v1/sys/seal-status\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.64.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"vault.iac.local\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.42.2.3:62985\",\"RequestURI\":\"/v1/sys/seal-status\",\"TLS\":null}","level":"debug","msg":"vulcand/oxy/roundrobin/rr: Forwarding this request to URL","time":"2020-06-10T18:03:58Z"}
{"Request":"{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"10.42.4.7:8200\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.64.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"vault.iac.local\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.42.2.3:62985\",\"RequestURI\":\"/v1/sys/seal-status\",\"TLS\":null}","level":"debug","msg":"vulcand/oxy/forward: begin ServeHttp on request","time":"2020-06-10T18:03:58Z"}
{"Request":"{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"10.42.4.7:8200\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.64.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"vault.iac.local\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.42.2.3:62985\",\"RequestURI\":\"/v1/sys/seal-status\",\"TLS\":null}","level":"debug","msg":"vulcand/oxy/forward/http: begin ServeHttp on request","time":"2020-06-10T18:03:58Z"}
{"level":"debug","msg":"Upstream ResponseWriter of type *pipelining.writerWithoutCloseNotify does not implement http.CloseNotifier. Returning dummy channel.","time":"2020-06-10T18:03:58Z"}
{"level":"debug","msg":"'500 Internal Server Error' caused by: x509: certificate is valid for 127.0.0.1, not 10.42.4.7","time":"2020-06-10T18:03:58Z"}
{"level":"debug","msg":"vulcand/oxy/forward/http: Round trip: https://10.42.4.7:8200, code: 500, Length: 21, duration: 3.797741ms tls:version: 303, tls:resume:false, tls:csuite:c02f, tls:server:vault.iac.local","time":"2020-06-10T18:03:58Z"}
{"Request":"{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"10.42.4.7:8200\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.64.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"vault.iac.local\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.42.2.3:62985\",\"RequestURI\":\"/v1/sys/seal-status\",\"TLS\":null}","level":"debug","msg":"vulcand/oxy/forward/http: completed ServeHttp on request","time":"2020-06-10T18:03:58Z"}
{"Request":"{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"10.42.4.7:8200\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.64.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"vault.iac.local\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.42.2.3:62985\",\"RequestURI\":\"/v1/sys/seal-status\",\"TLS\":null}","level":"debug","msg":"vulcand/oxy/forward: completed ServeHttp on request","time":"2020-06-10T18:03:58Z"}
{"Request":"{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/v1/sys/seal-status\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.64.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"vault.iac.local\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.42.2.3:62985\",\"RequestURI\":\"/v1/sys/seal-status\",\"TLS\":null}","level":"debug","msg":"vulcand/oxy/roundrobin/rr: completed ServeHttp on request","time":"2020-06-10T18:03:58Z"}
{"level":"debug","msg":"Received Kubernetes event kind *v1.Endpoints","time":"2020-06-10T18:03:59Z"}
{"level":"debug","msg":"Skipping status update on ingress vault/vault","time":"2020-06-10T18:03:59Z"}
{

note in the middle:

{"level":"debug","msg":"Upstream ResponseWriter of type *pipelining.writerWithoutCloseNotify does not implement http.CloseNotifier. Returning dummy channel.","time":"2020-06-10T18:03:58Z"}
{"level":"debug","msg":"'500 Internal Server Error' caused by: x509: certificate is valid for 127.0.0.1, not 10.42.4.7","time":"2020-06-10T18:03:58Z"}

my self-signed cert is valid for DNS:vault, DNS:vault.vault, DNS:vault.vault.svc, DNS:vault.vault.svc.iac.local, DNS:localhost, DNS:vault.iac.local, IP Address:127.0.0.1

so it should be also valid for the host: vault.iac.local in my ingress definition:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: traefik
    meta.helm.sh/release-name: vault
    meta.helm.sh/release-namespace: vault
  name: vault
spec:
  rules:
  - host: vault.iac.local
    http:
      paths:
      - backend:
          serviceName: vault
          servicePort: 8200
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - vault.iac.local
    secretName: vault-tls-ingress
status:
  loadBalancer:
    ingress:
    - ip: 192.168.64.5

curl'ing the corresponding service directly using the same cert files (via a port-forward: kubectl -n vault port-forward service/vault 8200:8200 8201:8201) does work

$ curl -L --cacert localK3s_root.ca --key vault.key --cert vault.crt  https://localhost:8200/v1/sys/seal-status
Handling connection for 8200
{"type":"shamir","initialized":true,"sealed":true,"t":1,"n":1,"progress":0,"nonce":"","version":"1.4.2","migration":false,"recovery_seal":false,"storage_type":"file"}

but via ingress:

$ curl -v -L --cacert root.ca --key vault.key --cert vault.crt  https://vault.iac.local/v1/sys/seal-status
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=vault.vault.svc
*  start date: Jun 10 13:18:17 2020 GMT
*  expire date: Jun 10 13:18:17 2021 GMT
*  subjectAltName: host "vault.iac.local" matched cert's "vault.iac.local"
*  issuer: CN=k3s-server-ca@1591795223
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7ff9cf00d600)
> GET /v1/sys/seal-status HTTP/2
> Host: vault.iac.local
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 500
< vary: Accept-Encoding
< content-type: text/plain; charset=utf-8
< content-length: 21
< date: Wed, 10 Jun 2020 18:15:57 GMT
<
* Connection #0 to host vault.iac.local left intact
Internal Server Error* Closing connection 0

gives me the 500 Internal Server Error, and the traefik ingress logs the x509 error "certificate is valid for 127.0.0.1, not 10.42.4.7" mentioned above.

I don't understand:

  • why, for my ingress, the controller falls back to the default cert
  • why it uses the traefik ingress controller IP as the host

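The failing log line above ("x509: certificate is valid for 127.0.0.1, not 10.42.4.7") is Go's certificate verifier checking the backend's certificate against the address the proxy dialled (the pod endpoint IP) rather than against the ingress host. The following is an added example, not Traefik's or Vault's code, that reproduces that behaviour with a constructed self-signed certificate carrying the DNS SANs listed in the comment and a loopback TLS listener standing in for the pod; the IP 10.42.4.7 is reused from the comment purely as a placeholder SAN. It shows the three client-side outcomes that matter: verifying against the dialled IP fails, verifying against the ingress host name (sent as SNI via `ServerName`) succeeds, and verifying against a name outside the SAN list fails again. The defender-side conclusion is that the fix is either to put the endpoint address in the SAN list or to have the proxy verify against the service name, not to turn verification off.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newServerCert builds a constructed self-signed serving certificate. The SAN
// list mirrors the one quoted in the comment; 127.0.0.1 is deliberately left
// out so that the loopback listener below is an address the cert does not cover.
func newServerCert(dnsNames []string, ips []net.IP) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "vault.vault.svc"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own trust anchor
		DNSNames:              dnsNames,
		IPAddresses:           ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// dialVerify performs a real TLS handshake to addr (an ip:port, as a proxy
// dialling a pod endpoint would) and returns the verification error, if any.
// With serverName == "" crypto/tls verifies the certificate against the dialled
// address; otherwise against serverName, which is also sent as SNI.
func dialVerify(addr string, roots *x509.CertPool, serverName string) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		RootCAs:    roots,
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

// isHostnameMismatch reports whether err is the x509 "certificate is valid for X, not Y" class.
func isHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

// Result holds the handshake outcome for each of the three client behaviours.
type Result struct {
	ByIP, ByIngressHost, ByWrongHost error
}

// runScenario starts a loopback TLS listener with the constructed cert and
// dials it by IP three times, varying only what the client verifies against.
func runScenario() (Result, error) {
	cert, roots, err := newServerCert(
		[]string{"vault", "vault.vault", "vault.vault.svc", "vault.vault.svc.iac.local", "localhost", "vault.iac.local"},
		[]net.IP{net.ParseIP("10.42.4.7")}, // placeholder pod IP from the comment, not the address we dial
	)
	if err != nil {
		return Result{}, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	if err != nil {
		return Result{}, err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake() // a client-side verification failure surfaces here as an alert
				}
				c.Close()
			}(c)
		}
	}()
	addr := ln.Addr().String() // "127.0.0.1:<port>", playing the role of the pod endpoint
	return Result{
		ByIP:          dialVerify(addr, roots, ""),
		ByIngressHost: dialVerify(addr, roots, "vault.iac.local"),
		ByWrongHost:   dialVerify(addr, roots, "vault.example.invalid"),
	}, nil
}

func main() {
	res, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("dial by IP, verify against IP:          ", res.ByIP)
	fmt.Println("dial by IP, verify against ingress host:", res.ByIngressHost)
	fmt.Println("dial by IP, verify against wrong host:  ", res.ByWrongHost)
}
```

Running it prints a hostname-mismatch error for the first and third dials and `<nil>` for the second; the first error text has the same shape as the one in the Traefik log, with the loopback address in place of the pod IP.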
@nmengin
Contributor

nmengin commented Nov 28, 2023

This issue targets Traefik v1, which is not maintained anymore.
I close it, please open a new one if you experience the same issue with a more recent version.

@nmengin nmengin closed this as completed Nov 28, 2023
@traefik traefik locked and limited conversation to collaborators Dec 29, 2023