maxlerebourg / crowdsec-bouncer-traefik-plugin

Traefik plugin for Crowdsec - WAF and IP protection

[BUG] Regression on TLS auth to Crowdsec

mathieuHa opened this issue · comments

Describe the bug 🐛
Version 1.1.13 of the plugin could use TLS auth for the bouncer to the LAPI using the example tls-auth.
Version 1.3.0 returns an error validating the certificate of the LAPI:

traefik  | DEBUG: CrowdsecBouncerTraefikPlugin: 2024/05/01 17:06:27 ServeHTTP:handleNoStreamCache ip:172.22.0.1 isBanned:t crowdsecQuery url:https://crowdsec:8080/v1/decisions?ip=172.22.0.1&banned=true Get "https://crowdsec:8080/v1/decisions?ip=172.22.0.1&banned=true": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "CrowdSec Test CA Intermediate")

Expected behavior 👀
The plugin is still able to validate the LAPI certificate.

Context 🔎

Version (please complete the following information):

  • OS: [All]
  • Traefik version: [ 3.0.0]
  • Plugin version: [>1.1.13-1.3.0]

To Reproduce
make run_tls

make run_tls
docker compose -f examples/tls-auth/docker-compose.yml exec -it crowdsec bash
cscli bouncer list

Expected result:
[screenshot]

It was due to a "race".
Traefik only loads the plugin configuration on startup, and the certificate is generated at that time.
If the certificate is changed after Traefik is started, another restart is necessary.
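The root cause described above can be shown in a few lines of Go, the language Traefik plugins are written in. The following is an added example, not code from the plugin or from CrowdSec: it builds a throwaway CA and server certificate in memory, captures a trust pool once (standing in for the configuration Traefik reads at startup), then regenerates the CA and shows that a leaf issued by the new CA fails against the frozen pool with exactly the x509 "unknown authority" error from the log line in this issue. The host name "crowdsec" and the CA names are constructed for the example; no files or network are touched.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey; a nil parent makes it self-signed.
// Keys and certificates are constructed on the fly for this example only.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func leafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// Fingerprint is the SHA-256 of the DER bytes: log it at startup and compare it
// with the CA file on disk to spot a stale trust pool before restarting.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// IsUnknownAuthority reports whether err is the "certificate signed by unknown
// authority" failure that the issue's DEBUG line shows.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// RaceResult records both verifications plus the two CA fingerprints.
type RaceResult struct {
	BeforeRotation error  // leaf issued by the CA loaded at startup
	AfterRotation  error  // leaf issued by the CA regenerated afterwards
	TrustedCA      string // fingerprint of the CA in the frozen pool
	PresentedCA    string // fingerprint of the CA the server now chains to
}

// SimulateRace freezes a trust pool once, then regenerates the CA, mirroring a
// plugin that reads its TLS configuration only at startup.
func SimulateRace(host string) (RaceResult, error) {
	var r RaceResult
	caOld, keyOld, err := issue(caTemplate("Test CA at startup (constructed)"), nil, nil)
	if err != nil {
		return r, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caOld) // captured once; never refreshed, like startup config
	leafOld, _, err := issue(leafTemplate(host), caOld, keyOld)
	if err != nil {
		return r, err
	}
	_, r.BeforeRotation = leafOld.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})

	caNew, keyNew, err := issue(caTemplate("Test CA regenerated (constructed)"), nil, nil)
	if err != nil {
		return r, err
	}
	leafNew, _, err := issue(leafTemplate(host), caNew, keyNew)
	if err != nil {
		return r, err
	}
	_, r.AfterRotation = leafNew.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	r.TrustedCA, r.PresentedCA = Fingerprint(caOld), Fingerprint(caNew)
	return r, nil
}

func main() {
	r, err := SimulateRace("crowdsec")
	if err != nil {
		panic(err)
	}
	fmt.Println("before CA regeneration:", r.BeforeRotation)
	fmt.Println("after CA regeneration: ", r.AfterRotation)
	fmt.Println("trusted", r.TrustedCA[:16], "presented", r.PresentedCA[:16], "unknown authority:", IsUnknownAuthority(r.AfterRotation))
}
```

The practical check this suggests: whenever the example's `make run_tls` (or any script) regenerates the CA, compare the fingerprint of the CA the bouncer loaded at startup with the fingerprint of the file now on disk; a mismatch means the pool is stale and Traefik must be restarted, which is the fix the comment above describes.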