
Traefik serving default certificate on secondary TLS entrypoint instead of ACME certificate #4660

Closed
sandrinr opened this issue Mar 24, 2019 · 1 comment

Comments

@sandrinr

Do you want to request a feature or report a bug?

Bug

What did you do?

I am trying to run a Traefik instance with three entrypoints: an http, an https, and an additional TLS entrypoint which requires client TLS authentication. The instance shall use Let's Encrypt to generate valid certificates for the two TLS-enabled entrypoints.

Note: The issue is not related to the TLS client auth part. The same also happens when just configuring two TLS entrypoints.

What did you expect to see?

The Let's Encrypt issued certificate when connecting to the "https" and "clientAuth" entrypoints, both through the same domain on different ports.

What did you see instead?

The "https" entrypoint is serving the correct certificate. The "clientAuth" entrypoint is serving the "TRAEFIK DEFAULT CERT".

Output of traefik version: (What version of Traefik are you using?)

Version:      v1.7.9
Codename:     maroilles
Go version:   go1.11.5
Built:        2019-02-11_11:36:32AM
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

debug = false

logLevel = "ERROR"
defaultEntryPoints = ["https","http"]

[entryPoints.http]
address = ":80"
compress = true
[entryPoints.http.redirect]
entryPoint = "https"

[entryPoints.https]
address = ":443"
compress = true
[entryPoints.https.tls]

[entryPoints.clientAuth]
address = ":8001"
compress = true
[entryPoints.clientAuth.tls]
[entryPoints.clientAuth.tls.ClientCA]
files = ["/data/caclientauth.pem"]
optional = false

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
watch = true
exposedByDefault = false

[acme]
email = "xxxxx@xxxxxxx"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"

Traefik is running in a Docker container. The backend and frontend configuration is done via Docker labels on the backend services.

If applicable, please paste the log output in DEBUG level (--logLevel=DEBUG switch)

time="2019-03-24T17:45:39Z" level=info msg="Using TOML configuration file /traefik.toml"
time="2019-03-24T17:45:39Z" level=info msg="Traefik version v1.7.9 built on 2019-02-11_11:36:32AM"
time="2019-03-24T17:45:39Z" level=debug msg="Global configuration loaded {\"LifeCycle\":{\"RequestAcceptGraceTimeout\":0,\"GraceTimeOut\":10000000000},\"GraceTimeOut\":0,\"Debug\":false,\"CheckNewVersion\":true,\"SendAnonymousUsage\":false,\"AccessLogsFile\":\"\",\"AccessLog\":null,\"TraefikLogsFile\":\"\",\"TraefikLog\":null,\"Tracing\":null,\"LogLevel\":\"DEBUG\",\"EntryPoints\":{\"clientAuth\":{\"Address\":\":8001\",\"TLS\":{\"MinVersion\":\"\",\"CipherSuites\":null,\"Certificates\":null,\"ClientCAFiles\":null,\"ClientCA\":{\"Files\":[\"/data/caclientauth.pem\"],\"Optional\":false},\"DefaultCertificate\":null,\"SniStrict\":false},\"Redirect\":null,\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":true,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}},\"http\":{\"Address\":\":80\",\"TLS\":null,\"Redirect\":{\"entryPoint\":\"https\"},\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":true,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}},\"https\":{\"Address\":\":443\",\"TLS\":{\"MinVersion\":\"\",\"CipherSuites\":null,\"Certificates\":null,\"ClientCAFiles\":null,\"ClientCA\":{\"Files\":null,\"Optional\":false},\"DefaultCertificate\":null,\"SniStrict\":false},\"Redirect\":null,\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":true,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}}},\"Cluster\":null,\"Constraints\":[],\"ACME\":{\"Email\":\"xxxxxxx@xxxxxxxx\",\"Domains\":null,\"Storage\":\"acme.json\",\"StorageFile\":\"\",\"OnDemand\":false,\"OnHostRule\":true,\"CAServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"EntryPoint\":\"https\",\"KeyType\":\"\",\"DNSChallenge\":null,\"HTTPChallenge\":{\"EntryPoint\":\"http\"},\"TLSChallenge\":null,\"DNSProvider\":\"\",\"DelayDontCheckDNS\":0,\"ACMELogging\":false,\"OverrideCertificates\":false,\"TLSConfig\":null},\"DefaultEntryPoints\":[\"https\",\"http\"],\"ProvidersThrottleDuration\":2000000000,\"MaxIdleConnsPerHost\":200,\"IdleTimeout\":0,\"InsecureSkipVerify\":false,\"RootCAs\":null,\"Retry\":{\"Attempts\":0},\"HealthCheck\":{\"Interval\":30000000000},\"RespondingTimeouts\":null,\"ForwardingTimeouts\":null,\"AllowMinWeightZero\":false,\"KeepTrailingSlash\":false,\"Web\":null,\"Docker\":{\"Watch\":true,\"Filename\":\"\",\"Constraints\":null,\"Trace\":false,\"TemplateVersion\":2,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"unix:///var/run/docker.sock\",\"Domain\":\"\",\"TLS\":null,\"ExposedByDefault\":false,\"UseBindPortIP\":false,\"SwarmMode\":false,\"Network\":\"\",\"SwarmModeRefreshSeconds\":15},\"File\":null,\"Marathon\":null,\"Consul\":null,\"ConsulCatalog\":null,\"Etcd\":null,\"Zookeeper\":null,\"Boltdb\":null,\"Kubernetes\":null,\"Mesos\":null,\"Eureka\":null,\"ECS\":null,\"Rancher\":null,\"DynamoDB\":null,\"ServiceFabric\":null,\"Rest\":null,\"API\":null,\"Metrics\":null,\"Ping\":null,\"HostResolver\":null}"
time="2019-03-24T17:45:39Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n"
time="2019-03-24T17:45:39Z" level=debug msg="Setting Acme Certificate store from Entrypoint: https"
time="2019-03-24T17:45:39Z" level=info msg="Preparing server https &{Address::443 TLS:0xc000164a20 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:true ProxyProtocol:<nil> ForwardedHeaders:0xc000497fe0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2019-03-24T17:45:40Z" level=info msg="Preparing server clientAuth &{Address::8001 TLS:0xc000164b40 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:true ProxyProtocol:<nil> ForwardedHeaders:0xc000526020} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2019-03-24T17:45:40Z" level=info msg="Starting server on :443"
time="2019-03-24T17:45:40Z" level=debug msg="Creating entry point redirect http -> https"
time="2019-03-24T17:45:40Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:0xc000373640 Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:true ProxyProtocol:<nil> ForwardedHeaders:0xc000497fc0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2019-03-24T17:45:40Z" level=info msg="Starting provider configuration.ProviderAggregator {}"
time="2019-03-24T17:45:40Z" level=info msg="Starting server on :8001"
time="2019-03-24T17:45:40Z" level=info msg="Starting server on :80"
time="2019-03-24T17:45:40Z" level=info msg="Starting provider *docker.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":null,\"Trace\":false,\"TemplateVersion\":2,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"unix:///var/run/docker.sock\",\"Domain\":\"\",\"TLS\":null,\"ExposedByDefault\":false,\"UseBindPortIP\":false,\"SwarmMode\":false,\"Network\":\"\",\"SwarmModeRefreshSeconds\":15}"
time="2019-03-24T17:45:40Z" level=info msg="Starting provider *acme.Provider {\"Email\":\"xxxxxxx@xxxxxxx\",\"ACMELogging\":false,\"CAServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"Storage\":\"acme.json\",\"EntryPoint\":\"https\",\"KeyType\":\"\",\"OnHostRule\":true,\"OnDemand\":false,\"DNSChallenge\":null,\"HTTPChallenge\":{\"EntryPoint\":\"http\"},\"TLSChallenge\":null,\"Domains\":null,\"Store\":{}}"
time="2019-03-24T17:45:40Z" level=info msg="Testing certificate renew..."
time="2019-03-24T17:45:40Z" level=debug msg="Configuration received from provider ACME: {}"
time="2019-03-24T17:45:40Z" level=debug msg="Provider connection established with docker 18.09.3 (API 1.39)"
time="2019-03-24T17:45:40Z" level=debug msg="Filtering disabled container /traefik"
time="2019-03-24T17:45:40Z" level=debug msg="originLabelsmap[traefik.frontend.rule:Host:example.domain.tld;PathPrefix:/app/ traefik.port:8001 com.docker.compose.config-hash:3b4bc6f476cbffc3184aca0162ec38ca91117ec87b8369be3b0a87bafc21eb49 com.docker.compose.oneoff:False com.docker.compose.project:apixxxxxxxxxx com.docker.compose.service:app traefik.docker.network:web com.docker.compose.container-number:1 com.docker.compose.version:1.23.2 traefik.enable:true traefik.frontend.entryPoints:clientAuth traefik.protocol:http]"
time="2019-03-24T17:45:40Z" level=debug msg="allLabelsmap[:map[traefik.enable:true traefik.frontend.entryPoints:clientAuth traefik.protocol:http traefik.docker.network:web traefik.frontend.rule:Host:example.domain.tld;PathPrefix:/app/ traefik.port:8001]]"
time="2019-03-24T17:45:40Z" level=debug msg="Filtering disabled container /ibgateway_ibgw_1"
time="2019-03-24T17:45:40Z" level=debug msg="Filtering disabled container /watchtower"
time="2019-03-24T17:45:40Z" level=debug msg="Filtering disabled container /postgres11"
time="2019-03-24T17:45:40Z" level=debug msg="originLabelsmap[com.docker.compose.service:app traefik.docker.network:web traefik.frontend.rule:Host:example.domain.tld;PathPrefix:/app/ traefik.port:8001 com.docker.compose.config-hash:3b4bc6f476cbffc3184aca0162ec38ca91117ec87b8369be3b0a87bafc21eb49 com.docker.compose.oneoff:False com.docker.compose.project:apixxxxxxxxxx traefik.frontend.entryPoints:clientAuth traefik.protocol:http com.docker.compose.container-number:1 com.docker.compose.version:1.23.2 traefik.enable:true]"
time="2019-03-24T17:45:40Z" level=debug msg="allLabelsmap[:map[traefik.docker.network:web traefik.frontend.rule:Host:example.domain.tld;PathPrefix:/app/ traefik.port:8001 traefik.enable:true traefik.frontend.entryPoints:clientAuth traefik.protocol:http]]"
time="2019-03-24T17:45:40Z" level=debug msg="Backend backend-app-apixxxxxxxxxx: no load-balancer defined, fallback to 'wrr' method"
time="2019-03-24T17:45:40Z" level=debug msg="Configuration received from provider docker: {\"backends\":{\"backend-app-apixxxxxxxxxx\":{\"servers\":{\"server-apixxxxxxxxxx-app-1-0f28ed37a2f50c41d8719ab92d0e89d1\":{\"url\":\"http://172.18.0.3:8001\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"frontend-Host-example.domain.tld-PathPrefix-app-0\":{\"entryPoints\":[\"clientAuth\"],\"backend\":\"backend-app-apixxxxxxxxxx\",\"routes\":{\"route-frontend-Host-example.domain.tld-PathPrefix-app-0\":{\"rule\":\"Host:example.domain.tld;PathPrefix:/app/\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":null}}}"
time="2019-03-24T17:45:41Z" level=debug msg="Add certificate for domains example.domain.tld"
time="2019-03-24T17:45:41Z" level=info msg="Server configuration reloaded on :443"
time="2019-03-24T17:45:41Z" level=info msg="Server configuration reloaded on :8001"
time="2019-03-24T17:45:41Z" level=info msg="Server configuration reloaded on :80"
time="2019-03-24T17:45:41Z" level=debug msg="Wiring frontend frontend-Host-example.domain.tld-PathPrefix-app-0 to entryPoint clientAuth"
time="2019-03-24T17:45:41Z" level=debug msg="Creating backend backend-app-apixxxxxxxxxx"
time="2019-03-24T17:45:41Z" level=debug msg="Adding TLSClientHeaders middleware for frontend frontend-Host-example.domain.tld-PathPrefix-app-0"
time="2019-03-24T17:45:41Z" level=debug msg="Creating load-balancer wrr"
time="2019-03-24T17:45:41Z" level=debug msg="Creating server server-apixxxxxxxxxx-app-1-0f28ed37a2f50c41d8719ab92d0e89d1 at http://172.18.0.3:8001 with weight 1"
time="2019-03-24T17:45:41Z" level=debug msg="Creating retries max attempts 1"
time="2019-03-24T17:45:41Z" level=debug msg="Creating route route-frontend-Host-example.domain.tld-PathPrefix-app-0 Host:example.domain.tld;PathPrefix:/app/"
time="2019-03-24T17:45:41Z" level=debug msg="Add certificate for domains example.domain.tld"
time="2019-03-24T17:45:41Z" level=info msg="Server configuration reloaded on :80"
time="2019-03-24T17:45:41Z" level=info msg="Server configuration reloaded on :443"
time="2019-03-24T17:45:41Z" level=info msg="Server configuration reloaded on :8001"
time="2019-03-24T17:46:08Z" level=debug msg="Serving default cert for request: \"example.domain.tld\""
time="2019-03-24T17:46:08Z" level=debug msg="http: TLS handshake error from 194.230.194.29:64640: EOF"
time="2019-03-24T17:46:08Z" level=debug msg="Serving default cert for request: \"example.domain.tld\""
time="2019-03-24T17:46:13Z" level=debug msg="http2: server: error reading preface from client 194.230.194.29:64641: read tcp 172.18.0.2:8001->194.230.194.29:64641: read: connection reset by peer"
time="2019-03-24T17:46:16Z" level=debug msg="Serving default cert for request: \"example.domain.tld\""
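The configuration and the debug log above show the two facts that matter: the ACME certificate store is attached only to the entrypoint named in `[acme] entryPoint` ("Setting Acme Certificate store from Entrypoint: https"), and the second TLS entrypoint then answers with the default certificate ("Serving default cert for request"). The following script is an added example written for this page, not code from Traefik or from the reporter. It is a small audit that a practitioner can run against a Traefik v1 `traefik.toml` and its debug log before deploying: it lists every entrypoint that has a `[entryPoints.<name>.tls]` table, treats the one named in `[acme] entryPoint` as covered by ACME (the behaviour this report shows), and flags any other TLS entrypoint that has neither a `[[entryPoints.<name>.tls.certificates]]` table nor a `[entryPoints.<name>.tls.defaultCertificate]` table, since such an entrypoint will fall back to the built-in default certificate. It also counts "Serving default cert" events per requested hostname from log lines. The TOML walker is deliberately minimal (table headers and `key = value` lines only, which is all a Traefik v1 file needs here); the sample config and log lines are constructed from the report, with the client IP replaced by a documentation address.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set

# Constructed sample: the reporter's traefik.toml, trimmed to the relevant tables.
SAMPLE_TOML = """
defaultEntryPoints = ["https","http"]

[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"

[entryPoints.https]
address = ":443"
[entryPoints.https.tls]

[entryPoints.clientAuth]
address = ":8001"
[entryPoints.clientAuth.tls]
[entryPoints.clientAuth.tls.ClientCA]
files = ["/data/caclientauth.pem"]
optional = false

[acme]
storage = "acme.json"
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
"""

# Constructed sample log lines in the shape Traefik v1.7 writes at DEBUG level.
SAMPLE_LOG = [
    'time="2019-03-24T17:45:39Z" level=debug msg="Setting Acme Certificate store from Entrypoint: https"',
    'time="2019-03-24T17:46:08Z" level=debug msg="Serving default cert for request: \\"example.domain.tld\\""',
    'time="2019-03-24T17:46:08Z" level=debug msg="http: TLS handshake error from 198.51.100.7:64640: EOF"',
    'time="2019-03-24T17:46:16Z" level=debug msg="Serving default cert for request: \\"example.domain.tld\\""',
]

_TABLE_RE = re.compile(r'^\[\[?\s*([^\]]+?)\s*\]\]?$')   # [a.b] or [[a.b]]
_KV_RE = re.compile(r'^([A-Za-z0-9_.-]+)\s*=\s*(.+)$')   # key = value
_DEFAULT_CERT_RE = re.compile(r'Serving default cert for request: \\"([^"\\]+)\\"')


def parse_tables(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal TOML walker: {table path as written: {lower-cased key: value}}.
    Handles only table headers and single-line key = value pairs; not a full parser."""
    tables: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _TABLE_RE.match(line)
        if m:
            current = m.group(1)
            tables.setdefault(current, {})
            continue
        m = _KV_RE.match(line)
        if m:
            tables[current][m.group(1).lower()] = m.group(2).strip().strip('"')
    return tables


def tls_entrypoints(tables: Dict[str, Dict[str, str]]) -> Set[str]:
    """Entrypoints that declare [entryPoints.<name>.tls] or any sub-table of it."""
    names: Set[str] = set()
    for path in tables:
        parts = path.split(".")
        if len(parts) >= 3 and parts[0].lower() == "entrypoints" and parts[2].lower() == "tls":
            names.add(parts[1])
    return names


def acme_entrypoint(tables: Dict[str, Dict[str, str]]) -> Optional[str]:
    """The entrypoint ACME certificates are attached to ([acme] entryPoint), if any."""
    for path, keys in tables.items():
        if path.lower() == "acme":
            return keys.get("entrypoint")
    return None


def has_static_cert(tables: Dict[str, Dict[str, str]], name: str) -> bool:
    """True if the entrypoint carries its own certificates or defaultCertificate table."""
    prefix = f"entrypoints.{name.lower()}.tls."
    for path in tables:
        low = path.lower()
        if low.startswith(prefix) and low[len(prefix):].split(".")[0] in ("certificates", "defaultcertificate"):
            return True
    return False


def audit(text: str) -> List[str]:
    """TLS entrypoints that will serve the built-in default certificate:
    every TLS entrypoint except the ACME one, unless it has a static certificate."""
    tables = parse_tables(text)
    acme_ep = acme_entrypoint(tables)
    flagged = []
    for name in sorted(tls_entrypoints(tables)):
        if acme_ep is not None and name.lower() == acme_ep.lower():
            continue
        if not has_static_cert(tables, name):
            flagged.append(name)
    return flagged


def default_cert_hosts(lines) -> Counter:
    """Count 'Serving default cert' events per requested SNI host in debug log lines."""
    hits: Counter = Counter()
    for line in lines:
        m = _DEFAULT_CERT_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


if __name__ == "__main__":
    print("TLS entrypoints without a certificate:", audit(SAMPLE_TOML))
    print("Default-cert events per host:", dict(default_cert_hosts(SAMPLE_LOG)))
```

Run against the reporter's config the audit returns `['clientAuth']`, matching what the log shows on port 8001; adding a `[[entryPoints.clientAuth.tls.certificates]]` table with `certFile`/`keyFile` for that entrypoint makes the list empty. The log counter is useful in production as a cheap alarm: any non-zero count for a hostname you expect to be covered by ACME means clients on that port are being offered the default certificate.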
@ldez (Member)

ldez commented Mar 24, 2019

Duplicate of #2710

@ldez ldez marked this as a duplicate of #2710 Mar 24, 2019
@traefik traefik locked and limited conversation to collaborators Sep 1, 2019