Add parameter to configure TLS entrypoints with ca-bundle file #984

Closed

nmengin opened this issue Dec 21, 2016 · 3 comments
Labels
kind/proposal a proposal that needs to be discussed. status/5-frozen-due-to-age

Comments

@nmengin
Contributor

nmengin commented Dec 21, 2016

Environment & configuration

Traefik version : 1.1.1

Environment : Docker 1.10.3 with swarm cluster (not swarm mode), Traefik in a container (from custom centos:7 image)

Configuration

  • Traefik.toml

traefikLogsFile = "/var/log/traefik/traefik.log"
accessLogsFile = "/var/log/traefik/access.log"
logLevel = "INFO"
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
        CertFile = "/certs/traefik/cert.pem"
        KeyFile = "/certs/traefik/key.pem"

[web]
address = ":8080"
  • Command line :

--docker=true --docker.endpoint="tcp://xxxx:3376" --docker.exposedbydefault=false --docker.domain="foo.io" --docker.tls=true --docker.tls.ca=/certs/docker/ca.pem --docker.tls.cert=/certs/docker/cert.pem --docker.tls.key=/certs/docker/key.pem

What I would like to do

I would like to use a CA-bundle file and a certificate file, as I currently do with my Apache server.

Apache configuration :

SSLCertificateFile /etc/pki/tls/certs/foo.crt
SSLCertificateKeyFile /etc/pki/tls/private/foo.key
SSLCertificateChainFile /etc/pki/tls/certs/foo.ca-bundle

The SSLCertificateChainFile argument does not exist in the Traefik TLS configuration.

Apache actually concatenates SSLCertificateChainFile and SSLCertificateFile, as we have to do manually for Traefik.

Proposal

I suggest adding a new argument to the Traefik TLS entrypoint configuration to allow users to submit a CA-bundle file, as below.

[[entryPoints.https.tls.certificates]]
  CaBundleFile = "/certs/traefik/ca-bundle.pem"
  CertFile = "/certs/traefik/cert.pem"
  KeyFile = "/certs/traefik/key.pem"

The CertFile and CaBundleFile files could be concatenated before being processed by the crypto library.

@emilevauge emilevauge added the kind/proposal a proposal that needs to be discussed. label Dec 21, 2016
@emilevauge
Member

Ping @dtomcej

@dtomcej
Contributor

dtomcej commented Dec 21, 2016

My opinion is that if a CA bundle is required, it should be appended to the user certificate (as you would for intermediate certificates). I think that having a separate section for CAs would be more confusing, since they would have to be tracked separately, but served with the user certificate.

I think that it is not an unfair expectation for users to concatenate the user, intermediate and CA certs if required into a single PEM.

@nmengin
Contributor Author

nmengin commented Dec 23, 2016

I solved the problem with a little script run when the container is started.
It detects if there is a CA file and cert files and concatenates them.
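The concatenation that dtomcej describes (user certificate, then intermediates, then CA, in one PEM) and that the startup script above performs can be checked against the Go crypto/tls stack that Traefik's TLS entrypoints are built on. The example below is added here and is not Traefik's code or the script from the thread. It constructs a throwaway CA and a leaf certificate for the hypothetical host "foo.io" in memory (newTestPKI, buildChainPEM and loadServedChain are names made up for this example, and the PKI stands in for /certs/traefik/*.pem), joins the leaf and the CA bundle in the order the script must use, leaf first, and loads the result the way a Go TLS server does. The same file with the CA block first fails to load, because the private key is matched against whichever certificate comes first, and a bundle that contains a private key is refused before it can be written into a file that is served to every client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newTestPKI is a constructed, in-memory stand-in for /certs/traefik/*.pem: a
// throwaway CA, a leaf for the hypothetical host "foo.io" signed by it, and the
// leaf's private key, each PEM-encoded. Nothing is read from or written to disk.
func newTestPKI() (leafPEM, keyPEM, caPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "foo.io"},
		DNSNames:     []string{"foo.io"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(leafKey)
	if err != nil {
		return nil, nil, nil, err
	}
	encode := func(typ string, der []byte) []byte {
		return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der})
	}
	return encode("CERTIFICATE", leafDER), encode("EC PRIVATE KEY", keyDER), encode("CERTIFICATE", caDER), nil
}

// buildChainPEM is the concatenation step the startup script performs: leaf
// first, then the CA bundle. Any non-CERTIFICATE block in the bundle (a
// misplaced private key, say) is refused so it never ends up in a served file.
func buildChainPEM(leafPEM, bundlePEM []byte) ([]byte, error) {
	for blk, r := pem.Decode(bundlePEM); blk != nil; blk, r = pem.Decode(r) {
		if blk.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("refusing to put a %q block into a served chain", blk.Type)
		}
	}
	out := append([]byte{}, leafPEM...)
	if len(out) > 0 && out[len(out)-1] != '\n' {
		out = append(out, '\n') // a leaf file with no trailing newline would glue the two PEM blocks together
	}
	return append(out, bundlePEM...), nil
}

// loadServedChain loads the concatenated PEM the way a Go TLS server does and
// reports how many certificates would be sent to clients and which subject sits
// in the leaf position. The key is checked against the first certificate in the
// file, whatever it is, so a CA-first file fails here instead of at handshake time.
func loadServedChain(chainPEM, keyPEM []byte) (int, string, error) {
	cert, err := tls.X509KeyPair(chainPEM, keyPEM)
	if err != nil {
		return 0, "", err
	}
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return 0, "", err
	}
	return len(cert.Certificate), leaf.Subject.CommonName, nil
}
```

Two practical points follow from this. Go keeps only the CERTIFICATE blocks of the chain file and presents every one of them in the handshake, so a root that clients already trust is just extra bytes on every connection; the bundle normally needs the intermediates only. And because the key is matched against the first certificate, a script that concatenates in the wrong order produces a file that looks complete but will not load at all, which is a much friendlier failure than a chain that loads but is rejected by browsers.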

@nmengin nmengin closed this as completed Dec 23, 2016
@traefik traefik locked and limited conversation to collaborators Sep 1, 2019