
I apologize in advance if this issue has already been answered, but I could not find anything about it.

I use traefik version 2.2.1.

I have 2 routes safe.example.com and example.com each pointing to a different service: the first one is supposed to require a client certificate while the other does not.

I also want to use Let's Encrypt to obtain a certificate valid for both routes: CN: example.com, SAN: example.com, safe.example.com.

Traefik has two entrypoints: web (http) and websecure (https). The web entrypoint just redirects all the requests to websecure.

I would expect the safe route to require a client certificate (safe TLS option) without compromising the certificate resolver (default TLS option): when I set the TLS option field at the router level, from what I read in the documentation https://docs.traefik.io/v2.2/routing/entrypoints/#tls the default configuration (applied at the entrypoint level) will not be applied at all. Am I right?

I did not want to mess up my configuration so before trying to apply this I wanted to be extra sure. Thanks in advance.

Here's my configuration:

  • static

```toml
[providers]
  [providers.file]
    directory = "/etc/traefik/dynamic/"
    watch = true

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections]
      [entryPoints.web.http.redirections.entryPoint]
        to = "websecure"

  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.http.tls]
      options = "default"
      certResolver = "letsenc"
      [[entryPoints.websecure.http.tls.domains]]
        main = "example.com"
        sans = ["safe.example.com"]

[api]
  insecure = false
  dashboard = true
  debug = false

[certificatesResolvers]
  [certificatesResolvers.letsenc]
    [certificatesResolvers.letsenc.acme]
      email = "admin@example.com"
      storage = "/etc/traefik/acme.json"
      [certificatesResolvers.letsenc.acme.httpChallenge]
        entryPoint = "web"
```

  • dynamic

```toml
[http.routers]
  [http.routers.app]
    rule = "Host(`example.com`)"
    service = "app"
    entryPoints = ["websecure"]

  [http.routers.safe]
    rule = "Host(`safe.example.com`)"
    service = "safe"
    entryPoints = ["websecure"]
    [http.routers.safe.tls]
      options = "safe"

[http.services]
  [http.services.app.loadBalancer]
    [[http.services.app.loadBalancer.servers]]
      url = "http://app:3000"

  [http.services.safe.loadBalancer]
    [[http.services.safe.loadBalancer.servers]]
      url = "http://safe:3000"

[tls.options]
  [tls.options.default]
    minVersion = "VersionTLS12"
    sniStrict = true
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    ]

  [tls.options.safe]
    minVersion = "VersionTLS12"
    sniStrict = true
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    ]
    [tls.options.safe.clientAuth]
      caFiles = ["/etc/traefik/certs/ca.cert.pem"]
      clientAuthType = "RequireAndVerifyClientCert"
```


pidario
  • I think this is not going to work. You can't have client certificates for Letsencrypt. At least not in a way to use them for `clientAuth`. See https://community.letsencrypt.org/t/can-i-create-client-certificates-for-a-received-letsencrypt-certificate/78627/2 – dmaixner Aug 21 '20 at 09:17
  • That's not what I asked, I'm already aware of that. My problem is that I'd like to have a server certificate valid for both routes, while only one route is protected by my self-signed certificate. Basically, I'm asking this because I want to keep my configuration as DRY as possible. – pidario Aug 21 '20 at 09:48
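The following is an added example, not code from the question or from Traefik: a small Python check that reads a static and a dynamic TOML configuration (constructed inline to mirror the configuration above, trimmed to the TLS-relevant parts) and reports, per `Host()` in a router rule, which named TLS option Traefik would apply and whether a client certificate is required. It assumes the behaviour the linked documentation describes for `options`: the name on the router selects one whole `[tls.options.<name>]` block in place of the entrypoint's, and the entrypoint's name is used only by routers that set none; named blocks are never merged with each other. The `certResolver` part of the question is not modelled. `SPARSE_SAFE_TOML` is a constructed variant in which the `safe` block carries only `clientAuth`, to show what "replaced, not merged" means in practice: `minVersion` and `sniStrict` from the `default` block do not carry over, which is why the question's configuration repeats them.

```python
"""Resolve the effective TLS option per Traefik router (added example, not Traefik code)."""
import re

try:
    import tomllib  # Python 3.11+
except ImportError:
    import tomli as tomllib  # type: ignore  # pip install tomli on older Pythons

# Constructed inputs mirroring the question's configuration, not files read from a host.
STATIC_TOML = """
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
options = "default"
certResolver = "letsenc"
"""

DYNAMIC_TOML = """
[http.routers.app]
rule = "Host(`example.com`)"
entryPoints = ["websecure"]
[http.routers.safe]
rule = "Host(`safe.example.com`)"
entryPoints = ["websecure"]
[http.routers.safe.tls]
options = "safe"
[tls.options.default]
minVersion = "VersionTLS12"
sniStrict = true
[tls.options.safe]
minVersion = "VersionTLS12"
sniStrict = true
[tls.options.safe.clientAuth]
caFiles = ["/etc/traefik/certs/ca.cert.pem"]
clientAuthType = "RequireAndVerifyClientCert"
"""

# Constructed variant: "safe" carries only clientAuth, nothing else is inherited.
SPARSE_SAFE_TOML = """
[http.routers.safe]
rule = "Host(`safe.example.com`)"
entryPoints = ["websecure"]
[http.routers.safe.tls]
options = "safe"
[tls.options.default]
minVersion = "VersionTLS12"
sniStrict = true
[tls.options.safe.clientAuth]
caFiles = ["/etc/traefik/certs/ca.cert.pem"]
clientAuthType = "RequireAndVerifyClientCert"
"""

HOST_RE = re.compile(r"Host\(`([^`]+)`\)")


def effective_tls(static_toml: str, dynamic_toml: str) -> dict:
    """Map each Host() in a router rule to the TLS option block that would apply to it."""
    static = tomllib.loads(static_toml)
    dynamic = tomllib.loads(dynamic_toml)
    entrypoints = static.get("entryPoints", {})
    # Option name configured under [entryPoints.<name>.http.tls], if any.
    ep_option = {n: ep.get("http", {}).get("tls", {}).get("options") for n, ep in entrypoints.items()}
    ep_has_tls = {n: "tls" in ep.get("http", {}) for n, ep in entrypoints.items()}
    defined = dynamic.get("tls", {}).get("options", {})
    summary = {}
    for rname, router in dynamic.get("http", {}).get("routers", {}).items():
        router_tls = router.get("tls")
        for ep in router.get("entryPoints", []):
            hosts = HOST_RE.findall(router.get("rule", ""))
            if router_tls is None and not ep_has_tls.get(ep, False):
                # Neither side enables TLS: the router is served in plain HTTP on this entrypoint.
                for host in hosts:
                    summary[host] = {"router": rname, "entrypoint": ep, "tls": False}
                continue
            # Assumption (see lead-in): router name wins outright, else the entrypoint's,
            # else Traefik's fallback name "default" (built-in settings if not defined).
            name = (router_tls or {}).get("options") or ep_option.get(ep) or "default"
            opt = defined.get(name, {})
            auth = opt.get("clientAuth", {})
            for host in hosts:
                summary[host] = {
                    "router": rname, "entrypoint": ep, "tls": True,
                    "option": name, "defined": name in defined,
                    "min_version": opt.get("minVersion"),
                    "sni_strict": opt.get("sniStrict", False),
                    "client_cert_required": auth.get("clientAuthType") == "RequireAndVerifyClientCert",
                    "ca_files": auth.get("caFiles", []),
                }
    return summary


def lint(summary: dict) -> list:
    """Flag per-host settings a reviewer would question before deploying."""
    problems = []
    for host, s in summary.items():
        if not s["tls"]:
            problems.append(f"{host}: served without TLS on entrypoint {s['entrypoint']}")
            continue
        if not s["defined"] and s["option"] != "default":
            problems.append(f"{host}: option '{s['option']}' is referenced but never defined")
        if s["client_cert_required"] and not s["ca_files"]:
            problems.append(f"{host}: client certs required but no caFiles to verify them against")
        if s["min_version"] is None:
            problems.append(f"{host}: option '{s['option']}' sets no minVersion; the built-in default applies, not the 'default' block")
    return problems


if __name__ == "__main__":
    for label, dyn in (("question config", DYNAMIC_TOML), ("sparse safe block", SPARSE_SAFE_TOML)):
        summary = effective_tls(STATIC_TOML, dyn)
        print(label, summary, lint(summary), sep="\n  ")
```

Run as a script it prints both summaries; on the question's configuration `lint` returns nothing, while the sparse variant is flagged because its `safe` block has no `minVersion` of its own.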

0 Answers