traefik doesn't detect/load changed certificates #3272

Closed
RonnyMaas opened this issue May 6, 2018 · 2 comments
Labels
area/tls kind/bug/confirmed a confirmed bug (reproducible). priority/P2 need to be fixed in the future status/5-frozen-due-to-age

Comments


RonnyMaas commented May 6, 2018

Do you want to request a feature or report a bug?

What did you do?

created a file backend with self-signed certificates

What did you expect to see?

That traefik detects and reloads new/changed certificates. (after touch of traefik.toml)

What did you see instead?

New/Changed certificates are not detected and are not getting loaded.

Output of traefik version: (What version of Traefik are you using?)

1.5.4 and 1.6.0

Version:      v1.6.0
Codename:     tetedemoine
Go version:   go1.10.1
Built:        2018-04-30_09:28:44PM
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

[file]
watch = true
logLevel = "DEBUG"
accessLogsFile = "/dev/stdout"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"

  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[backends]
  [backends.backend]
    [backends.backend1]
    url = "http://127.0.0.1:8080"
    weight = 2

[frontends]
  [frontends.frontend1]
  backend = "backend1"
  entrypoints = ["http", "https"]
    [frontends.frontend1.routes.test]

[[tls]]
  entryPoints = ["http", "https"]
  [tls.certificate]
    certFile = "/etc/traefik/frontend1.crt"
    keyFile = "/etc/traefik/frontend1.key"

If applicable, please paste the log output at DEBUG level (--logLevel=DEBUG switch)

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./frontend1.key -out ./frontend1.crt -subj '/C=US/ST=Oregon/L=Portland/CN=CERT2'

In logs:
level=info msg="Skipping same configuration for provider file"
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./frontend1.key -out ./frontend1.crt -subj '/C=US/ST=Oregon/L=Portland/CN=CERT1'

touch traefik.toml

May 06 05:20:38 traefik docker[3994]: time="2018-05-06T05:20:38Z" level=debug msg="Configuration received from provider file: {\"backends\":{\"backend\":{\"loadBalancer\":{\"method\":\"wrr\"}},\"backend1\":{\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"frontend1\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend1\",\"routes\":{\"test\":{}},\"priority\":0,\"basicAuth\":null}},\"tls\":[{\"EntryPoints\":[\"http\",\"https\"],\"Certificate\":{\"CertFile\":\"/etc/traefik/frontend1.crt\",\"KeyFile\":\"/etc/traefik/frontend1.key\"}}]}"
May 06 05:20:38 traefik docker[3994]: time="2018-05-06T05:20:38Z" level=info msg="Skipping same configuration for provider file"

Create new cert with different common name:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./frontend1.key -out ./frontend1.crt -subj '/C=US/ST=Oregon/L=Portland/CN=CERT2'

May 06 05:23:31 traefik docker[3994]: time="2018-05-06T05:23:31Z" level=debug msg="Configuration received from provider file: {\"backends\":{\"backend\":{\"loadBalancer\":{\"method\":\"wrr\"}},\"backend1\":{\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"frontend1\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend1\",\"routes\":{\"test\":{}},\"priority\":0,\"basicAuth\":null}},\"tls\":[{\"EntryPoints\":[\"http\",\"https\"],\"Certificate\":{\"CertFile\":\"/etc/traefik/frontend1.crt\",\"KeyFile\":\"/etc/traefik/frontend1.key\"}}]}"
May 06 05:23:31 traefik docker[3994]: time="2018-05-06T05:23:31Z" level=info msg="Skipping same configuration for provider file"

touch traefik.toml

May 06 05:26:07 traefik docker[3994]: time="2018-05-06T05:26:07Z" level=debug msg="Configuration received from provider file: {\"backends\":{\"backend\":{\"loadBalancer\":{\"method\":\"wrr\"}},\"backend1\":{\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"frontend1\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend1\",\"routes\":{\"test\":{}},\"priority\":0,\"basicAuth\":null}},\"tls\":[{\"EntryPoints\":[\"http\",\"https\"],\"Certificate\":{\"CertFile\":\"/etc/traefik/frontend1.crt\",\"KeyFile\":\"/etc/traefik/frontend1.key\"}}]}"
May 06 05:26:07 traefik docker[3994]: time="2018-05-06T05:26:07Z" level=info msg="Skipping same configuration for provider file"

But if I change the name of the certificate in the traefik.toml file, the change is detected and loaded.

cp frontend1.crt frontend.crt
cp frontend1.key frontend.key

May 06 05:46:39 traefik docker[3994]: time="2018-05-06T05:46:39Z" level=info msg="Skipping same configuration for provider file"

sed -i 's/\/frontend1/\/frontend/g' traefik.toml

# As shown below renaming cert in traefik.toml makes traefik detect and load copied certs.

May 06 05:47:56 traefik docker[3994]: time="2018-05-06T05:47:56Z" level=debug msg="Configuration received from provider file: {\"backends\":{\"backend\":{\"loadBalancer\":{\"method\":\"wrr\"}},\"backend1\":{\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"frontend1\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend1\",\"routes\":{\"test\":{}},\"priority\":0,\"basicAuth\":null}},\"tls\":[{\"EntryPoints\":[\"http\",\"https\"],\"Certificate\":{\"CertFile\":\"/etc/traefik/frontend.crt\",\"KeyFile\":\"/etc/traefik/frontend.key\"}}]}"
May 06 05:47:56 traefik docker[3994]: time="2018-05-06T05:47:56Z" level=debug msg="Creating frontend frontend1"
May 06 05:47:56 traefik docker[3994]: time="2018-05-06T05:47:56Z" level=debug msg="Wiring frontend frontend1 to entryPoint http"
May 06 05:47:56 traefik docker[3994]: time="2018-05-06T05:47:56Z" level=error msg="Error creating route for frontend frontend1: error parsing rule: empty rule"
May 06 05:47:56 traefik docker[3994]: time="2018-05-06T05:47:56Z" level=error msg="Skipping frontend frontend1..."
May 06 05:47:56 traefik docker[3994]: time="2018-05-06T05:47:56Z" level=debug msg="Add certificate for domains CERT2"
May 06 05:47:56 traefik docker[3994]: time="2018-05-06T05:47:56Z" level=debug msg="Validation of load balancer method for backend backend failed: invalid load-balancing method ''. Using default method wrr."
May 06 05:47:56 traefik docker[3994]: time="2018-05-06T05:47:56Z" level=debug msg="Validation of load balancer method for backend backend1 failed: invalid load-balancing method ''. Using default method wrr."
May 06 05:47:56 traefik docker[3994]: time="2018-05-06T05:47:56Z" level=debug msg="Configuration received from provider file: {\"backends\":{\"backend\":{\"loadBalancer\":{\"method\":\"wrr\"}},\"backend1\":{\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"frontend1\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend1\",\"routes\":{\"test\":{}},\"priority\":0,\"basicAuth\":null}},\"tls\":[{\"EntryPoints\":[\"http\",\"https\"],\"Certificate\":{\"CertFile\":\"/etc/traefik/frontend.crt\",\"KeyFile\":\"/etc/traefik/frontend.key\"}}]}"
May 06 05:47:56 traefik docker[3994]: time="2018-05-06T05:47:56Z" level=debug msg="Add certificate for domains CERT2"
May 06 05:47:56 traefik docker[3994]: time="2018-05-06T05:47:56Z" level=info msg="Server configuration reloaded on :8080"
May 06 05:47:56 traefik docker[3994]: time="2018-05-06T05:47:56Z" level=debug msg="Certificates not added to non-TLS entryPoint http."
May 06 05:47:56 traefik docker[3994]: time="2018-05-06T05:47:56Z" level=info msg="Server configuration reloaded on :80"
May 06 05:47:56 traefik docker[3994]: time="2018-05-06T05:47:56Z" level=info msg="Server configuration reloaded on :443"
May 06 05:47:58 traefik docker[3994]: time="2018-05-06T05:47:58Z" level=debug msg="Creating frontend frontend1"
May 06 05:47:58 traefik docker[3994]: time="2018-05-06T05:47:58Z" level=debug msg="Wiring frontend frontend1 to entryPoint http"
May 06 05:47:58 traefik docker[3994]: time="2018-05-06T05:47:58Z" level=error msg="Error creating route for frontend frontend1: error parsing rule: empty rule"
May 06 05:47:58 traefik docker[3994]: time="2018-05-06T05:47:58Z" level=error msg="Skipping frontend frontend1..."
May 06 05:47:58 traefik docker[3994]: time="2018-05-06T05:47:58Z" level=debug msg="Add certificate for domains CERT2"
May 06 05:47:58 traefik docker[3994]: time="2018-05-06T05:47:58Z" level=info msg="Server configuration reloaded on :8080"
May 06 05:47:58 traefik docker[3994]: time="2018-05-06T05:47:58Z" level=debug msg="Certificates not added to non-TLS entryPoint http."
May 06 05:47:58 traefik docker[3994]: time="2018-05-06T05:47:58Z" level=info msg="Server configuration reloaded on :80"
May 06 05:47:58 traefik docker[3994]: time="2018-05-06T05:47:58Z" level=info msg="Server configuration reloaded on :443"
@RonnyMaas changed the title from "traefik doesn't detect/load hanged certificates" to "traefik doesn't detect/load changed certificates" May 6, 2018
@juliens juliens added kind/bug/confirmed a confirmed bug (reproducible). priority/P2 need to be fixed in the future and removed status/0-needs-triage labels May 7, 2018
@ldez ldez added the area/tls label May 7, 2018
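
The debug lines in the report show that the configuration received from the file provider carries only the certFile/keyFile paths, so regenerating the files in place yields an identical configuration and the reload is skipped. The Go example below is added here; it is not Traefik's code and not the change made in #4022. The names `tlsEntry`, `pathKey`, `contentKey` and `rotateInPlace` are hypothetical, and the file bytes are constructed stand-ins rather than real PEM. It contrasts a comparison key built from paths with one that also hashes the file contents.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
)

// tlsEntry mirrors one [[tls]] certificate entry from the report's traefik.toml.
type tlsEntry struct{ CertFile, KeyFile string }

// pathKey sees only the file names, as the logged provider configuration does.
func pathKey(e tlsEntry) string { return e.CertFile + "|" + e.KeyFile }

// contentKey also hashes both files' bytes, so an in-place replacement changes it.
func contentKey(e tlsEntry) (string, error) {
	h := sha256.New()
	for _, p := range []string{e.CertFile, e.KeyFile} {
		b, err := os.ReadFile(p)
		if err != nil {
			return "", err
		}
		fmt.Fprintf(h, "%s\x00%d\x00", p, len(b)) // length prefix keeps file boundaries unambiguous
		h.Write(b)
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// rotateInPlace overwrites a cert/key pair at fixed paths with constructed stand-in bytes.
func rotateInPlace(dir string) (pathChanged, contentChanged bool, err error) {
	e := tlsEntry{filepath.Join(dir, "frontend1.crt"), filepath.Join(dir, "frontend1.key")}
	var pk, ck [2]string
	for i, cn := range []string{"CERT1", "CERT2"} {
		for _, f := range []string{e.CertFile, e.KeyFile} {
			if err = os.WriteFile(f, []byte("constructed stand-in for "+cn), 0o600); err != nil {
				return
			}
		}
		pk[i] = pathKey(e)
		if ck[i], err = contentKey(e); err != nil {
			return
		}
	}
	return pk[0] != pk[1], ck[0] != ck[1], nil
}

func main() { fmt.Println(rotateInPlace(os.TempDir())) }
```

After the rotation the path-based key is unchanged while the content-based key differs, which is the condition a certificate-renewal job needs to be visible to whatever decides to reload.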
@Starfox64

#4022 fixes this

@ldez
Member

ldez commented Feb 16, 2019

Closed by #4022

@ldez ldez closed this as completed Feb 16, 2019
@traefik traefik locked and limited conversation to collaborators Sep 1, 2019