
I'm creating the following ingress resource in a K3s cluster which uses Traefik 2.6.2 as its ingress controller.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app-ing
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  tls:
  - hosts:
    - "my-app.mydomain.com"
    secretName: mydomain-cert
  rules:
  - host: "my-app.mydomain.com"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app-service
            port:
              name: http

And the secret mydomain-cert is created and present in the same namespace (default in this case).

kubectl describe secret mydomain-cert
Name:         mydomain-cert
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  5603 bytes
tls.key:  1704 bytes

The certificate is valid through the end of the year and signed by Let's Encrypt. I also see the route created and healthy in Traefik's dashboard. However, when I hit the endpoint through the browser (https://my-app.mydomain.com), I get an invalid certificate error. The certificate being used is not the one referenced through the ingress resource, but Traefik's default auto-generated cert.

This wasn't a problem till recently. I had to rebuild my K3s cluster after which I started seeing this issue. I wonder if that meant getting a new version of Traefik and thus a change in how I should configure the ingress.

Amir Keibi

1 Answer

Facing the same issue, I could solve it by generating another certificate with the right CN.

Traefik seems to only use a certificate that matches your hostname. In my case, the (valid) certificate I had did not match mine.

So generating a new one that matches your hostname "my-app.mydomain.com" should solve the issue.

Source: last note of https://doc.traefik.io/traefik/v1.7/user-guide/kubernetes/#add-a-tls-certificate-to-the-ingress that says:

The field hosts in the TLS configuration is ignored. Instead, the domains provided by the certificate are used for this purpose. It is recommended to not use wildcard certificates as they will match globally.

NB: the link above also provides a handy command line to generate a self-signed certificate with the hostname of your choice as CN.

Mossroy
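The check the answer describes, as an added example that is not code from the question, the answer, or Traefik itself: Traefik ignores `spec.tls.hosts` and picks a certificate by comparing the Ingress host against the names inside the certificate, so the useful diagnostic is to decode `tls.crt` from the secret and compare its Subject Alternative Names (falling back to the CN) with the host in the Ingress rule. The script below generates three constructed self-signed certificates (one matching `my-app.mydomain.com`, one for another host, one wildcard) in place of the real Let's Encrypt certificate, and reports which of them Traefik would serve for that host. It assumes `openssl` 1.1.1 or newer is installed; the helper names `make_cert`, `cert_hostnames` and `cert_covers_host` are this example's own. Against a live cluster you would feed `cert_covers_host` the output of `kubectl get secret mydomain-cert -o jsonpath='{.data.tls\.crt}' | base64 -d` instead of a generated file.

```shell
#!/bin/sh
# Added example: does the certificate in a kubernetes.io/tls secret cover the
# Ingress host? Assumes openssl >= 1.1.1. Certificates below are constructed
# stand-ins for the secret's tls.crt; helper names are this example's own.
set -e

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Generate a self-signed certificate with the given hostname in both CN and SAN.
make_cert() {
  # $1 = output prefix, $2 = hostname
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1.key" -out "$1.crt" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

# Print the DNS names a certificate is valid for: SAN entries first, and only
# if the certificate carries no SAN, the CN (the legacy fallback).
cert_hostnames() {
  # $1 = PEM certificate file
  names=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p')
  if [ -z "$names" ]; then
    names=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
      | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  fi
  printf '%s\n' "$names"
}

# Return 0 if the certificate covers the hostname, 1 otherwise.
# A wildcard (*.mydomain.com) matches exactly one label, as browsers do.
cert_covers_host() {
  # $1 = PEM certificate file, $2 = host from the Ingress rule
  for name in $(cert_hostnames "$1"); do
    case "$name" in
      "$2") return 0 ;;
      \*.*)
        suffix=${name#\*}          # ".mydomain.com"
        label=${2%"$suffix"}       # "my-app" when the host ends with the suffix
        if [ "$label" != "$2" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ]; then
          return 0
        fi ;;
    esac
  done
  return 1
}

INGRESS_HOST="my-app.mydomain.com"
make_cert "$WORKDIR/good"     "my-app.mydomain.com"   # matches the Ingress host
make_cert "$WORKDIR/bad"      "other.mydomain.com"    # valid cert, wrong name
make_cert "$WORKDIR/wildcard" "*.mydomain.com"        # matches, but globally

for c in good bad wildcard; do
  if cert_covers_host "$WORKDIR/$c.crt" "$INGRESS_HOST"; then
    echo "$c.crt covers $INGRESS_HOST: Traefik would serve it"
  else
    echo "$c.crt does not cover $INGRESS_HOST: Traefik would fall back to its default certificate"
  fi
done
```

The wildcard case illustrates the caveat quoted in the answer: `*.mydomain.com` satisfies `my-app.mydomain.com` here, but Traefik would also offer it for every other single-label host under `mydomain.com`, which is why the documentation recommends per-host certificates.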