Comments (9)
Hi @Daniel-dev22, thanks for your contribution :). This is an interesting proposal, let's see what the community thinks about it, and depending on the feedback, we might implement an enhancement in the future.
from traefik.
Everything works fine for me with v2.11. You probably have the certificate set incorrectly and need to set it to the intermediate CA that issued the client certificate.
from traefik.
> Everything works fine for me with v2.11. You probably have the certificate set incorrectly and need to set it to the intermediate CA that issued the client certificate.

Can you share your mTLS configuration? Are you requiring and verifying the certificate?
mTLS works for me but doesn't prompt in the browser. I have Traefik communicating to another host running Traefik and passing mTLS, and it works. But if I try to go to that endpoint in the browser, it doesn't prompt, so I get the certificate verify failed error in the browser.
from traefik.
> Can you share your mTLS configuration? Are you requiring and verifying the certificate?
>
> mTLS works for me but doesn't prompt in the browser. I have Traefik communicating to another host running Traefik and passing mTLS, and it works. But if I try to go to that endpoint in the browser, it doesn't prompt, so I get the certificate verify failed error in the browser.

This part of the configuration looks like this:
```yaml
# Dynamic configuration (file provider): TLS options.
tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
    cert:
      minVersion: VersionTLS12
      sniStrict: true
      clientAuth:
        clientAuthType: RequireAndVerifyClientCert
        # PEM file with the CA that issued the client certificates (the intermediate here).
        caFiles:
          - /etc/traefik/cert/device.ca.crt
# Static configuration: entry points (lives in a separate file from the dynamic part).
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
    http:
      tls:
        options: cert          # selects the "cert" TLS option above, so client certificates are required
        certResolver: letsencrypt
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
      middlewares:
        - gzip
# Dynamic configuration: routers and services.
http:
  routers:
    foo:
      rule: Host(`example.com`)
      entryPoints:
        - https
      service: foo
  services:
    foo:
      loadBalancer:
        servers:
          - url: "http://server-foo:80"
```

It works fine on Chrome and other mobile browsers.
from traefik.
Not sure how I could have it set up incorrectly. This works where one Traefik instance successfully communicates to the server side over mTLS, so I would assume that if that works but the browser doesn't prompt, it's set up partially correctly? What does your ca.crt look like? Is there a difference between that and a ca.pem? I have the CA certificate inside the ca.pem and that's it. My server side has:
```yaml
tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: le
        domain:
          main: domain.net
  options:
    mtls-tunnel:
      clientAuth:
        # in PEM format. each file can contain multiple CAs.
        caFiles:
          - /etc/traefik/mtls/ca.pem
        clientAuthType: RequireAndVerifyClientCert
```

Client side has:

```yaml
http:
  # serversTransports level restored here; the original snippet omitted it. This is where
  # Traefik v2 keeps the client certificate it presents to a backend.
  serversTransports:
    mtls:
      certificates:
        - certFile: /etc/traefik/mtls/client.pem
          keyFile: /etc/traefik/mtls/client-key.pem
```
from traefik.
> What does your ca.crt look like? Is there a difference between that and a ca.pem? I have the CA certificate inside the ca.pem and that's it.

Certificate chain:

```
root.ca --- signed --> device.ca --- signed --> client.crt
```

device.ca.crt looks like this:

```
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----
```
from traefik.
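The following Go program is an added example written for this page; it is not Traefik code and was not posted in the thread. It rebuilds the chain described above (root.ca signs device.ca, which signs the client certificate) with in-memory Ed25519 certificates and runs a `crypto/tls` server whose `ClientAuth` and `ClientCAs` fields are what Traefik's `clientAuthType: RequireAndVerifyClientCert` and `clientAuth.caFiles` map onto. It then tries four handshakes over loopback TCP, going beyond the single case in the thread: only device.ca trusted and the leaf presented alone (Scribing's recommendation); only root.ca trusted with the leaf alone; only root.ca trusted while the client also presents device.ca; and a client with no certificate at all, which is what a browser with nothing installed does. The names root.ca, device.ca, client and example.com and the functions `issue`, `check` and `scenario` are the example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// check aborts on demo setup errors; handshake verdicts are returned by scenario, never panicked.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates an Ed25519 key and a certificate for cn signed by parent (self-signed when
// parent is nil). ca selects a CA profile; eku is the extended key usage the certificate permits.
func issue(cn string, ca bool, eku x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // hostname SAN only on end-entity certificates
	}
	signerCert, signerKey := tmpl, interface{}(key)
	if parent != nil {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, key.Public(), signerKey)
	check(err)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// The thread's chain with constructed names: root.ca signs device.ca, which signs client; server is self-signed.
var (
	rootCA   = issue("root.ca", true, x509.ExtKeyUsageClientAuth, nil)
	deviceCA = issue("device.ca", true, x509.ExtKeyUsageClientAuth, &rootCA)
	client   = issue("client", false, x509.ExtKeyUsageClientAuth, &deviceCA)
	server   = issue("example.com", false, x509.ExtKeyUsageServerAuth, nil)
	// Same key as client, but the presented chain also carries device.ca.
	clientWithIntermediate = tls.Certificate{Certificate: [][]byte{client.Leaf.Raw, deviceCA.Leaf.Raw}, PrivateKey: client.PrivateKey}
)

// scenario runs one handshake over loopback TCP against a server configured like Traefik's
// clientAuthType: RequireAndVerifyClientCert with caFiles = trusted. clientCert is what the client
// has available (nil = nothing). A nil result means the server accepted the client.
func scenario(clientCert *tls.Certificate, trusted ...tls.Certificate) error {
	clientCAs := x509.NewCertPool()
	for _, ca := range trusted {
		clientCAs.AddCert(ca.Leaf)
	}
	srvConf := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
	cliConf := &tls.Config{RootCAs: x509.NewCertPool(), ServerName: "example.com"}
	cliConf.RootCAs.AddCert(server.Leaf)
	if clientCert != nil {
		cliConf.Certificates = []tls.Certificate{*clientCert}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() { // server side: handshake, then write "ok" so the client can observe acceptance
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			conn := tls.Server(raw, srvConf)
			if err = conn.Handshake(); err == nil {
				_, err = conn.Write([]byte("ok"))
			}
		}
		verdict <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	check(err)
	defer raw.Close()
	if cli := tls.Client(raw, cliConf); cli.Handshake() == nil {
		cli.Read(make([]byte, 2)) // "ok", or the bad_certificate alert the server sends on rejection
	}
	return <-verdict
}

func main() {
	fmt.Println("caFiles=device.ca, client has leaf only:       ", scenario(&client, deviceCA))
	fmt.Println("caFiles=root.ca,   client has leaf only:       ", scenario(&client, rootCA))
	fmt.Println("caFiles=root.ca,   client has leaf + device.ca:", scenario(&clientWithIntermediate, rootCA))
	fmt.Println("caFiles=device.ca, client has nothing:         ", scenario(nil, deviceCA))
}
```

Only the first and third handshakes succeed. The second case shows the mechanism behind the advice to put the issuing intermediate in `caFiles`: the server advertises the subjects of its `ClientCAs` in the CertificateRequest, and Go's client, like a browser deciding whether to show a prompt, offers a certificate only if something in its chain was issued by an advertised CA. With only root.ca advertised and a leaf issued by device.ca, nothing is offered and the server reports that no certificate was provided, the same verdict as the fourth case. The third case is the alternative fix: keep root.ca in `caFiles` but make the client present device.ca alongside its own certificate. Either way the leaf needs the clientAuth extended key usage, since the server verifies with that usage.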
> Certificate chain:
>
> root.ca --- signed --> device.ca --- signed --> client.crt

I think that's probably the difference. I don't have a device.ca, I just have client.crt. Is the device.ca something you added to the Traefik config, or to the actual client certificate store?
Curious why this works for me with Cloudflare, and I never added anything to the device certificate store other than the client certificate.
Edit...
I think the reason I'm not getting prompted is because I didn't do exactly that: I didn't add the Traefik client cert to my device certificate store. Going to convert it to a p12 for Android and try that.
from traefik.
Yep, that was it. Just added the client key and client cert into a p12 and installed it on the client, and it works now. I'm getting a prompt. Thank you for the sanity check @Scribing, this can be closed now.
from traefik.
> Just added the client key and client cert into a p12 and installed it on the client, and it works now.

👏
from traefik.