FQDNs with trailing period/dot resulting in SSL Error #9157
Comments
Hi @firstdorsal Thanks for using Traefik and opening the issue here. We have discussed that topic internally and it seems that it works as expected. As you have already noticed, there is a warning in the log file saying that the trailing dot in the Host matching rule should be removed. Once the dot is removed, Traefik will automatically obtain a valid certificate for the given domain and present it accordingly. In your case, because there is no certificate for the given domain, Traefik presented the default certificate - this is also expected behavior.
As said here (#4622 (comment)), it should be possible (according to the RFC) to use an absolute domain name. This works fine with nginx but not with Traefik :/ It had been fixed (#4763) but is now not working anymore.
Thanks for your comment, we will have to look at that issue and consider how we can address that aspect.
Hello @firstdorsal,
The certificate lookup (during the client hello) is based on the TLS SNI and not the Host header.
The host matcher is able to match against a trailing dot FQDN.
This debug log indicates that the FQDN form is not allowed, which means that the certificate resolver will not resolve a certificate for the domain with the trailing dot. This is why no certificate in the TLS store is matching.
Just to be sure, did you experience a change in the behavior of the host matcher? And if so, between which versions of Traefik? In any case, I was wrong in my previous message: In your case, the correct command should be: And here is the explanation why: after taking a closer look, it is not possible to use an FQDN as the server name during a TLS handshake, as mentioned in RFC6066:
And as this is enforced in the golang stdlib, which Traefik relies on to establish a TLS connection, this kind of failure during the TLS handshake is to be expected if an FQDN server name is used. But, to conclude, FQDNs are therefore not possible to use with TLS.
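The handshake behaviour the maintainer describes, as an added Go example (not Traefik's code): Go's TLS client drops the trailing dot before it puts the name into the SNI extension (RFC 6066), so the server-side certificate lookup (GetCertificate here) only ever sees "ico.y.gy", and a store entry keyed on "ico.y.gy." cannot match; CertKey is the normalisation such a store needs. The self-signed certificate and the in-memory net.Pipe handshake are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"strings"
	"time"
)

// CertKey is the form a certificate store must be keyed on: RFC 6066 forbids a
// trailing dot in the SNI host_name, so an entry for "ico.y.gy." can never match.
func CertKey(host string) string { return strings.ToLower(strings.TrimSuffix(host, ".")) }
// selfSigned builds a throwaway Ed25519 certificate for name (constructed test data).
func selfSigned(name string) (tls.Certificate, *x509.Certificate) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if rand.Reader does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, leaf
}
// ObservedSNI handshakes in memory with ServerName=serverName; returns the SNI the server's lookup received.
func ObservedSNI(serverName string) (string, error) {
	cert, leaf := selfSigned(CertKey(serverName))
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	cConn, sConn := net.Pipe()
	defer cConn.Close()
	got := make(chan string, 1)
	go func() {
		defer sConn.Close()
		tls.Server(sConn, &tls.Config{SessionTicketsDisabled: true, // one write per flight over net.Pipe
			GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
				got <- h.ServerName // what the Go client really put on the wire
				return &cert, nil
			}}).Handshake()
	}()
	if err := tls.Client(cConn, &tls.Config{ServerName: serverName, RootCAs: pool}).Handshake(); err != nil {
		return "", err
	}
	return <-got, nil
}
```

The client still verifies the certificate against "ico.y.gy.", because Go's x509 hostname matching also ignores the trailing dot; only the wire form is dot-less.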
Welcome!
What did you do?
I tried setting up a router with a rule matching a trailing dot/period:
What did you see instead?
What version of Traefik are you using?
traefik:v2.7.0
What is your environment & configuration?
See: #4622 and #4011
I know that it is possible to set another default cert but I suppose this should also just work by hostname matching.
If applicable, please paste the log output in DEBUG level
time="2022-07-02T16:28:24Z" level=warning msg="FQDN detected, please remove the trailing dot: ico.y.gy." routerName=shields@docker rule="Host(`ico.y.gy.`)" providerName=default.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"