
Traefik 1.7 does not serve provided TLS certificate when combined with LetsEncrypt and cluster mode #3939

Closed
JamesGuthrie opened this issue Sep 27, 2018 · 5 comments

Comments

@JamesGuthrie

JamesGuthrie commented Sep 27, 2018

Do you want to request a feature or report a bug?

Bug

What did you do?

I configured traefik with a provided certificate for mydomain.com, and to issue a wildcard cert for *.mydomain.com with LetsEncrypt.

What did you expect to see?

I expect to receive the provided certificate when I navigate to mydomain.com, and the LetsEncrypt cert when I navigate to foo.mydomain.com.

What did you see instead?

When I navigate to mydomain.com I receive an SSL error; when I navigate to foo.mydomain.com I get the LetsEncrypt wildcard cert. When I configure traefik without LetsEncrypt, it works.

Output of traefik version: (What version of Traefik are you using?)

    Version:      v1.7.0
    Codename:     maroilles
    Go version:   go1.11
    Built:        2018-09-24_09:57:21AM
    OS/Arch:      linux/amd64

Configuration

Using cluster mode with etcd, docker swarm config is as follows:

    - "storeconfig"
    - "--accesslog=true"
    - "--accessLog.format=json"
    - "--traefikLog=true"
    - "--traefikLog.format=json"
    - "--defaultentrypoints=http,https"
    - "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https"
    - "--entrypoints=Name:https Address::443 TLS:/run/secrets/mydomain.cert.pem,/run/secrets/mydomain.key.pem TLS.MinVersion:VersionTLS11 TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
    - "--api"
    - "--docker"
    - "--docker.swarmmode=true"
    - "--docker.domain=mydomain.com"
    - "--docker.watch=true"
    - "--acme=true"
    - "--acme.acmelogging=true"
    - "--acme.email=admin@mydomain.com"
    - "--acme.entrypoint=https"
    - "--acme.storage=/traefik/acme/account"
    - "--acme.dnschallenge=true"
    - "--acme.httpchallenge=false"
    - "--acme.dnschallenge.provider=route53"
    - "--acme.domains=*.mydomain.com"
    - "--acme.onhostrule=true"
    - "--etcd"
    - "--etcd.endpoint=etcd:2379"
    - "--etcd.watch=true"
    - "--etcd.prefix=/traefik"
    - "--etcd.useAPIV3=true"

Additional debugging information

I was able to track this down in the code and come up with two potential fixes, but I'm not sure if either is the "correct" fix.

Fix 1:
Comment out this line of code. Apparently the TLSConfig is captured during CreateClusterConfig here and here. When the Certificates array is later accessed here, it's empty.

Fix 2:
Apply the following change:

diff --git a/acme/acme.go b/acme/acme.go
index d9c90137..c3f98f95 100644
--- a/acme/acme.go
+++ b/acme/acme.go
@@ -131,6 +131,7 @@ func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tl
 
 	tlsConfig.GetCertificate = a.getCertificate
 	a.TLSConfig = tlsConfig
+	a.TLSConfig.BuildNameToCertificate()
 
 	listener := func(object cluster.Object) error {
 		account := object.(*Account)
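Review bot: the added `a.TLSConfig.BuildNameToCertificate()` call needs a code comment at that line explaining why it is there, since the reason (the `Certificates` slice is emptied later while `NameToCertificate` keeps its entries, so `getCertificate` can still find the provided certificates) is stated only in the issue text; without it a later reader will see an apparently redundant call and remove it. Note also that this is a workaround rather than a fix for whatever empties `Certificates`, so it only holds as long as `a.getCertificate` never falls back to reading `tlsConfig.Certificates` directly.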

This way, when the Certificates entry of the TLSConfig is emptied, the NameToCertificate entry is still populated.
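An added Go example, not traefik's code and not from the issue author, that reproduces the crypto/tls behaviour fix 2 relies on: BuildNameToCertificate copies pointers into NameToCertificate, so an SNI lookup still resolves the provided certificate after Certificates has been emptied. The self-signed certificate and the map-only lookup are constructed stand-ins for the provided mydomain.com certificate and for traefik's getCertificate fallback.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed cert for name (constructed test data, standing in for the provided mydomain.com certificate).
func selfSigned(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ProvidedCertSurvivesClear reproduces the fix-2 reasoning: optionally build
// NameToCertificate, then empty Certificates as the cluster code path does,
// and report whether an SNI lookup for the provided name still succeeds.
func ProvidedCertSurvivesClear(withBuild bool) (bool, error) {
	cert, err := selfSigned("mydomain.com")
	if err != nil {
		return false, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}}
	if withBuild {
		cfg.BuildNameToCertificate() // name -> *Certificate map, built from the slice
	}
	cfg.Certificates = nil // the slice is emptied later; the map keeps its pointers
	_, found := cfg.NameToCertificate["mydomain.com"] // a map-only GetCertificate hook
	return found, nil
}
```

Running it with withBuild=false shows the 1.7.0 symptom from the report: the provided certificate is unreachable once the slice is cleared.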

JamesGuthrie added a commit to JamesGuthrie/traefik that referenced this issue Sep 27, 2018
When the Certificates entry of the TLSConfig is cleared, the
NameToCertificate entry remains, ensuring that acme getCertificate can
retrieve the configured certificates.

Fixes traefik#3939
@ldez ldez added the labels priority/P0 (needs hot fix), area/acme, kind/bug/possible (a possible bug that needs analysis before it is confirmed or fixed) and area/tls, and removed status/0-needs-triage, Sep 27, 2018
@juliens
Member

juliens commented Sep 27, 2018

Thanks for reporting this issue.

Could you provide us with your logs in debug mode and your entire configuration? (Do you use cluster mode?)

@JamesGuthrie
Author

@juliens I've updated the issue with our config (yes, I'm using cluster mode with etcd and docker swarm providers). I can/could provide a subset of the logs, is there anything that you would like to see in particular? I did not find the debug logs particularly helpful in determining the underlying issue, so I instrumented the code with additional logs in order to try and get to the bottom of the issue.

@stoinov
Contributor

stoinov commented Sep 27, 2018

I can confirm the same issue manifests in a very basic configuration without swarm setup. Here is the relevant part of my config:

    [[entryPoints.https.tls.certificates]]
      certFile = "tls/cert.pem"
      keyFile = "tls/key.pem"
    [acme]
    email = "user@domain.com"
    storage = "tls/acme.json"
    entryPoint = "https"
    acmeLogging = true

This used to work before the 1.7 update. DEBUG logs do not return any error messages - just normal initialization.

@loopway

loopway commented Sep 27, 2018

I have a similar cluster config and can confirm that traefik 1.7.0 does not even serve the default self-signed certificate if SNI does not match the letsencrypt configured domains. Works with v1.6.6.

@ldez ldez added the label kind/bug/confirmed (a confirmed bug, reproducible) and removed kind/bug/possible (a possible bug that needs analysis before it is confirmed or fixed), Sep 28, 2018
@juliens juliens changed the title Traefik 1.7 does not serve provided TLS certificate when combined with LetsEncrypt Traefik 1.7 does not serve provided TLS certificate when combined with LetsEncrypt and cluster mode Sep 28, 2018
@traefiker
Contributor

Closed by #3946.

@traefiker traefiker added this to the 1.7 milestone Sep 28, 2018
@traefik traefik locked and limited conversation to collaborators Sep 1, 2019