Traefik v2 TLSStore not used and no error messages in the logs


Environment

  • Traefik-Version: 2.10.5
  • Kubernetes-Version: 1.27.4

Given configurations

  1. Secret: ingress-controller-traefik-cluster-cert
    apiVersion: v1
    kind: Secret
    metadata:
      name: ingress-controller-traefik-cluster-cert
      namespace: kube-system
    type: kubernetes.io/tls
    data:
      tls.crt: LS0t # ... snip
      tls.key: LS0t # ... snip
    
  2. TLSStore ingress-controller-traefik-default
    apiVersion: traefik.io/v1alpha1
    kind: TLSStore
    metadata:
      name: ingress-controller-traefik-default
      namespace: kube-system
    spec:
      defaultCertificate:
        secretName: ingress-controller-traefik-cluster-cert
      certificates:
        - secretName: ingress-controller-traefik-cluster-cert
    
  3. IngressRoute my-app-https
    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
    metadata:
      name: my-app-https
      certificates:
        - secretName: ingress-controller-traefik-cluster-cert
    
  4. IngressRoute my-app-https
    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
    metadata:
      name: my-app-https
      namespace: my-namespace
      namespace: kube-system
    spec:
      entryPoints:
        - https
      routes:
        - kind: Rule
          match: Host(`my-domain.com`) && PathPrefix(`/my-app`)
          services:
            - name: my-app
              port: 80
      tls:
        store:
          name: ingress-controller-traefik-default
    

Test scenario

  1. Insecure

    • Command:
      curl --insecure https://my-domain.com/my-app
      
    • Actual result:
      {"status":200,"ok":true}
      
  2. Regular

    • Command:

      curl https://my-domain.com/my-app
      
    • Actual result:

      curl: (60) schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - [..]
      More details here: https://curl.se/docs/sslcerts.html
      
      curl failed to verify the legitimacy of the server and therefore could not
      establish a secure connection to it. To learn more about this situation and
      how to fix it, please visit the web page mentioned above.
      
    • Issuer: TRAEFIK DEFAULT CERT

My question

The target certificate is not picked up from the secret ingress-controller-traefik-cluster-cert and I do not see any meaningful message in the logs of Traefik. Even log level debug does not give me a hint so far. I only see:

time="2023-11-19T21:56:25Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=kube-system-ingress-controller-traefik-default

What am I doing wrong?

Thanks already in advance.
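Added example, not part of the original question and not Traefik's own code: a Python triage script that scans Traefik debug output for the fallback message quoted in the question and counts it per tlsStoreName, so a store that silently ends up on the generated certificate is visible without a client-side curl test. Only the first sample log line comes from the question; the others, and the names `parse_logfmt` and `fallback_stores`, are constructed for illustration.

```python
import re
from collections import Counter

# Message copied from the log line quoted in the question.
FALLBACK_MSG = "No default certificate, fallback to the internal generated certificate"

# logfmt pair: key=bare or key="quoted, with \" escapes"
_PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

# First line is the one from the question; the rest are constructed samples.
SAMPLE_LOG = '''\
time="2023-11-19T21:56:25Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=kube-system-ingress-controller-traefik-default
time="2023-11-19T21:56:26Z" level=debug msg="constructed unrelated line" note="has \\"quotes\\" and key=value inside"
time="2023-11-19T21:57:25Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=kube-system-ingress-controller-traefik-default
time="2023-11-19T21:57:26Z" level=info msg="constructed line without a store"
'''


def parse_logfmt(line):
    """Return the key/value fields of one logfmt line as a dict."""
    fields = {}
    for key, quoted, bare in _PAIR.findall(line):
        # Quoted values are unescaped; an empty quoted value falls back to "".
        fields[key] = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
    return fields


def fallback_stores(lines):
    """Count fallback-to-generated-certificate events per tlsStoreName."""
    hits = Counter()
    for line in lines:
        fields = parse_logfmt(line)
        if fields.get("msg") == FALLBACK_MSG:
            hits[fields.get("tlsStoreName", "<unknown>")] += 1
    return hits


if __name__ == "__main__":
    for store, count in fallback_stores(SAMPLE_LOG.splitlines()).items():
        print(f"{store}: fell back to the generated certificate ({count} log hits)")
```

The store name in the log is the TLSStore's namespace and name joined with a hyphen, which is how the hit maps back to the manifest in `kube-system` shown in the question.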