Charts: [stable/traefik] Unable to get acme to work

Created on 5 Apr 2017 · 2 Comments · Source: helm/charts

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cheese
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: stilton.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: stilton
          servicePort: http
---
apiVersion: v1
kind: Service
metadata:
  name: stilton
spec:
  ports:
  - name: http
    targetPort: 80
    port: 80
  - name: https
    targetPort: 80
    port: 443
  selector:
    app: cheese
    task: stilton
```

and acme

```yaml
acme:
  enabled: true
  email: [email protected]
  staging: true
  # Save ACME certs to a persistent volume. WARNING: If you do not do this, you will re-request
  # certs every time a pod (re-)starts and you WILL be rate limited!
  persistence:
    enabled: true
    ## If defined, volume.beta.kubernetes.io/storage-class: <storageClass>
    ## Default: volume.alpha.kubernetes.io/storage-class: default
    ##
    # storageClass:
    accessMode: ReadWriteOnce
    size: 1Gi
```

However, I can't get https to work. http is fine though.

Can anyone help me check to see what I did wrong here?

Thank you in advance.

All 2 comments

There's an unavoidable chicken and egg (sort of) problem that I've been bitten by a time or two before. It may be affecting you as well.

First, refer to the installation steps in this chart's readme: https://github.com/kubernetes/charts/blob/master/stable/traefik/README.md#installing-the-chart

> After installing the chart, create DNS records for applicable domains to direct inbound traffic to the load balancer.

The doc goes on to describe how to obtain the load balancer's IP or resolvable DNS name. You probably have already gone on to create the necessary DNS record(s). _However..._

Note the doc also says this:

> If ACME support is enabled, it is only after this step is complete that Traefik will be able to successfully use the ACME protocol to obtain certificates from Let's Encrypt.

To elaborate on that...

The specific type of ACME challenge that Traefik (as configured by this chart) uses to obtain a cert involves (roughly) Traefik serving a token at some particular URL relative to the domain(s) in question. When Traefik attempts to get a cert from Let's Encrypt, it basically says "if you can hit this URL on this domain and get back token x, then that's your proof that I own that domain." That process cannot succeed until you've created the relevant DNS record(s). Therein lies the problem...

You needed to install the chart to procure a load balancer with a public IP in front of Traefik. And only then were you able to create records in DNS. Upon installing the chart, however, Traefik started _immediately_ (i.e. _before_ you created the records) and the first (several?) attempts at verifying domain ownership would therefore have failed. I'm really not sure how Traefik deals with this. Does it make continued attempts to reconcile this? I'm not sure, but it certainly does not seem so.

My best advice is to delete the Traefik pod and allow the deployment to create a replacement for it. If what I have described _is_ the source of your problem, then I would expect that effective restart to square everything away.

Note that Traefik added support just recently for another sort of ACME challenge that involves Traefik placing a token in a TXT record in DNS and Let's Encrypt verifying domain ownership by merely querying DNS. (To do this, obviously, Traefik needs to be configured with credentials that permit it to add records to applicable hosted zone(s) at your DNS provider. Support for a dozen or so common DNS providers is built in). I've already opened an issue with the intention of adding support for this to the chart, as it would alleviate the whole chicken and egg problem I described above. See https://github.com/kubernetes/charts/issues/281
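As an added illustration of the two challenge types described in the comment above (this is not code from the issue, the chart, or Traefik), the following Python models the validation that the CA performs. It uses in-memory tables in place of real DNS and HTTP, and the host, load balancer IP, account key and token are constructed values. The key-authorization and TXT-digest computations follow RFC 8555 and RFC 7638; the point of the scenario is that HTTP-01 fails while the A record is missing and passes once it exists, whereas DNS-01 depends only on a TXT record.

```python
import base64
import hashlib
import json

# Constructed stand-ins; none of these are real keys, tokens or addresses.
HOST = "stilton.example.com"          # host from the Ingress in the issue
LB_IP = "203.0.113.10"                # constructed load balancer address
ACCOUNT_JWK = {                       # constructed EC JWK; x/y are not real coordinates
    "kty": "EC", "crv": "P-256",
    "x": "CONSTRUCTED-X", "y": "CONSTRUCTED-Y",
}


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses for tokens and digests (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON of the key's required members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: binds the challenge token to the ACME account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(key_auth: str) -> str:
    """DNS-01 publishes base64url(SHA-256(key authorization)) in a TXT record."""
    return b64url(hashlib.sha256(key_auth.encode("utf-8")).digest())


def validate_http01(host, token, jwk, dns_a, web):
    """CA-side HTTP-01 check. dns_a maps host -> IP; web maps IP -> {path: body}."""
    ip = dns_a.get(host)
    if ip is None:
        return False, "dns: no A record for host, nothing to connect to"
    path = f"/.well-known/acme-challenge/{token}"
    body = web.get(ip, {}).get(path)
    if body is None:
        return False, f"http: {ip} does not serve {path}"
    if body != key_authorization(token, jwk):
        return False, "http: body does not match key authorization"
    return True, "ok"


def validate_dns01(host, token, jwk, dns_txt):
    """CA-side DNS-01 check. dns_txt maps record name -> list of TXT values."""
    name = f"_acme-challenge.{host}"
    expected = dns01_txt_value(key_authorization(token, jwk))
    if expected in dns_txt.get(name, []):
        return True, "ok"
    return False, f"dns: no TXT record at {name} with the expected digest"


def run_scenario():
    token = "Z2NvbnN0cnVjdGVkLXRva2Vu"  # constructed token
    key_auth = key_authorization(token, ACCOUNT_JWK)
    # Traefik is already up behind the load balancer and serves the challenge response ...
    web = {LB_IP: {f"/.well-known/acme-challenge/{token}": key_auth}}
    # ... but the DNS record has not been created yet, so the first attempt fails on DNS.
    dns_a = {}
    before = validate_http01(HOST, token, ACCOUNT_JWK, dns_a, web)
    # Once the A record exists (and Traefik retries), the same challenge passes.
    dns_a[HOST] = LB_IP
    after = validate_http01(HOST, token, ACCOUNT_JWK, dns_a, web)
    # DNS-01 only needs the TXT record, so it does not depend on inbound traffic at all.
    dns_txt = {f"_acme-challenge.{HOST}": [dns01_txt_value(key_auth)]}
    dns01 = validate_dns01(HOST, token, ACCOUNT_JWK, dns_txt)
    return {"before_dns": before, "after_dns": after, "dns01": dns01}


if __name__ == "__main__":
    for step, (ok, why) in run_scenario().items():
        print(f"{step:10s} {'PASS' if ok else 'FAIL'}  {why}")
```

Running it prints one FAIL for the pre-DNS HTTP-01 attempt and PASS for the two others, which is exactly the ordering dependency the comment describes: the A record must exist before the CA can reach the challenge URL, and restarting the pod only helps because it triggers a fresh attempt after the record is in place.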

@krancour thanks. I haven't got the chance to try the above as I switched to nginx-ingress.

Maybe I should close this for now.
