I am trying to configure mTLS using Kubernetes behind a load balancer and need some understanding of whether the syntax/semantics are correct.
Configuration looks like below:
Load balancer - k8s deployment (with Caddy running on port 8443 and HTTPS). Trying to connect with the load balancer fails. I didn't notice any issues when client_auth is commented out. Can you please let me know if the config file looks correct and if the port (:8443) can be used in place of a hostname and accessed using the load balancer URL?
2. Error messages and/or full log output:
I receive no response for the command below.
curl -vvv --cert app-certificate.crt --key app-private.key --cacert [issuing-ca.pem|RootCA_G1.cer] https://rotterdam-caddyurl.com
The app certs and keys are generated through certificate manager for the load balancer URL.
3. Caddy version:
2.9.1
4. How I installed and ran Caddy:
Through Docker by adding certificate paths for TLS and MTLS
a. System environment:
Default alpine linux provided from caddy 2.9.1 docker image.
b. Command:
caddy run --config Caddyfile --adapter caddyfile
c. Service/unit/compose file:
d. My complete Caddy config:
{
	servers {
		strict_sni_host insecure_off
	}
	log {
		format json
		level DEBUG
	}
	# Sets the log level to DEBUG
	debug
}

:8443 {
	tls /etc/caddy/certs/tls.crt /etc/caddy/certs/tls.key {
		protocols tls1.2 tls1.3
		client_auth {
			mode require_and_verify
			trust_pool file /etc/image_certs/issuing-ca.pem /etc/image_certs/RootCA_G1.cer # CA that signed the client's certificate
		}
	}
	respond "I am m---------tls"
}
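Caddy is built on Go's crypto/tls, so the client_auth block above can be reproduced on that stack directly: mode require_and_verify is tls.RequireAndVerifyClientCert and trust_pool is the ClientCAs pool. The example below is added here and is not code from the original post or from Caddy; it constructs a throwaway PKI (a server CA, an issuing CA standing in for issuing-ca.pem, the hostname caddy.test and the function names mint, handshake, ChainsToPool and Verdicts are all assumptions of this example) and runs three client scenarios against such a server: no client certificate at all, a certificate issued by a CA that is not in the trust pool, and one issued by the pooled CA. It also runs the same x509 verification offline, which is the check worth doing before suspecting the server: does the app certificate chain to the CA listed in trust_pool, and does it carry the clientAuth extended key usage?

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint creates a constructed test certificate (nothing here is a real certificate):
// a self-signed CA when parent is nil, otherwise a leaf signed by that parent.
func mint(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, eku x509.ExtKeyUsage) (*x509.Certificate, tls.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
		DNSNames: []string{"caddy.test"}, // constructed name the demo client dials
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed CA
		signer, signerKey = tmpl, key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, key
}

// handshake reproduces the Caddyfile's client_auth block on Go's TLS stack, which Caddy itself
// runs on. It returns the server-side handshake error, or nil when the client was accepted.
func handshake(server tls.Certificate, trustPool, clientRoots *x509.CertPool, client *tls.Certificate) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // client_auth { mode require_and_verify }
		ClientCAs:    trustPool,                      // client_auth { trust_pool file ... }
		MinVersion:   tls.VersionTLS12,               // protocols tls1.2 tls1.3
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = conn.(*tls.Conn).Handshake() // e.g. "tls: client didn't provide a certificate"
		}
		verdict <- err
	}()
	cfg := &tls.Config{RootCAs: clientRoots, ServerName: "caddy.test"} // curl --cacert
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client} // curl --cert / --key
	}
	// Note: Go's client withholds a cert whose issuer is not in the CA list the server
	// advertises, so the wrong-CA case surfaces as "didn't provide a certificate" here;
	// curl (OpenSSL) sends the cert anyway and gets a verification failure instead.
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cfg); err == nil {
		conn.Read(make([]byte, 1)) // under TLS 1.3 the server's verdict arrives only after the client's handshake
		conn.Close()
	}
	return <-verdict
}

// ChainsToPool is the offline check (what openssl verify -CAfile would tell you): does the
// client leaf chain to a CA in the pool and carry the clientAuth extended key usage?
func ChainsToPool(client tls.Certificate, trustPool *x509.CertPool) error {
	leaf, err := x509.ParseCertificate(client.Certificate[0])
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: trustPool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Verdicts runs the constructed scenarios and reports "accepted" or the error text for each.
func Verdicts() map[string]string {
	serverCA, _, serverCAKey := mint("constructed server CA", nil, nil, x509.ExtKeyUsageAny)
	issuingCA, _, issuingCAKey := mint("constructed issuing CA", nil, nil, x509.ExtKeyUsageAny) // what trust_pool lists
	_, server, _ := mint("caddy.test", serverCA, serverCAKey, x509.ExtKeyUsageServerAuth)
	_, good, _ := mint("app", issuingCA, issuingCAKey, x509.ExtKeyUsageClientAuth)
	_, bad, _ := mint("app", serverCA, serverCAKey, x509.ExtKeyUsageClientAuth) // issuer not in trust_pool
	trustPool, clientRoots := x509.NewCertPool(), x509.NewCertPool()
	trustPool.AddCert(issuingCA)  // trust_pool file issuing-ca.pem
	clientRoots.AddCert(serverCA) // curl --cacert
	out := map[string]string{}
	report := func(name string, err error) {
		out[name] = "accepted"
		if err != nil {
			out[name] = err.Error()
		}
	}
	report("no-cert", handshake(server, trustPool, clientRoots, nil))
	report("wrong-ca", handshake(server, trustPool, clientRoots, &bad))
	report("trusted-ca", handshake(server, trustPool, clientRoots, &good))
	report("offline-check-wrong-ca", ChainsToPool(bad, trustPool))
	report("offline-check-trusted-ca", ChainsToPool(good, trustPool))
	return out
}

func main() {
	for name, v := range Verdicts() {
		fmt.Printf("%-25s %s\n", name, v)
	}
}
```

Only the trusted-ca scenario is accepted; the other two fail on the server side, which is what require_and_verify means: the client must present a certificate and it must chain to something in trust_pool. If the offline check fails for the real app certificate against issuing-ca.pem, the handshake will fail for the same reason, independent of the load balancer in front.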
I’m confused. You said you have Caddy running on ports 8443 and 443 (HTTPS)? Can you list your compose.yaml file or the command used to run Caddy on Docker?
I’ve never had 443 traffic forwarded to 8443, but it should be able to be done. Caddy’s documentation on valid addresses doesn’t specifically list :8443 as an option, but it does say that you could change the https_port default from 443. So you’d just add https_port 8443 to your global options, which should allow it to act like :443 in the valid address list.
I am using a Kubernetes deployment with a load balancer service. The LB sends traffic from 443 to the Caddy container that runs on 8443. Right now, I am able to hit the load balancer URL and get a response when client_auth mode is set to request, but when the mode is require_and_verify, I cannot curl to the load balancer as it throws the error below
Did some researching myself. I believe that error is when Caddy is expecting and validating client certificates, but there’s some kind of problem in that process.
I’m not quite sure, and I’m having a hard time figuring out a specific cause. I’d double check those certificates. I’m not sure if you have to add something to the Caddyfile within PKI.