# Traefik Certificate Fix for drone.aipice.local

The error indicates that Traefik is serving its default certificate instead of a proper certificate for `drone.aipice.local`.

## 🔍 Root Cause

```
x509: certificate is valid for a7b8f3b8fd415b0fbd62e803b96eec90.d8282a75d7bf97aa2eb0bd7c2d927f85.traefik.default, not drone.aipice.local
```

This means:

- Traefik is using a default/fallback certificate
- No proper certificate is configured for `drone.aipice.local`
- The domain doesn't match the certificate

## 🚀 Solutions

### Solution 1: Create Proper IngressRoute for Drone

Create a proper Traefik IngressRoute for your Drone CI:

```yaml
---
# drone-ingressroute.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: drone-ci
  namespace: drone  # Adjust to your Drone namespace
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`drone.aipice.local`)
      kind: Rule
      services:
        - name: drone-server  # Your Drone service name
          port: 80
  tls:
    certResolver: letsencrypt
    domains:
      - main: drone.aipice.local
---
# If you need a wildcard certificate for *.aipice.local
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-aipice-local
  namespace: drone
spec:
  secretName: wildcard-aipice-local-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  commonName: "*.aipice.local"
  dnsNames:
    - "aipice.local"
    - "*.aipice.local"
```

### Solution 2: Update Drone Helm Values (if using Helm)

If you're using Helm to deploy Drone:

```yaml
# drone-values.yaml
ingress:
  enabled: true
  className: traefik
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    cert-manager.io/cluster-issuer: letsencrypt
  hosts:
    - host: drone.aipice.local
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: drone-aipice-local-tls
      hosts:
        - drone.aipice.local
```

### Solution 3: Manual Certificate Creation

Create a certificate manually for `drone.aipice.local`:

```yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: drone-aipice-local-cert
  namespace: drone
spec:
  secretName: drone-tls-secret
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  commonName: drone.aipice.local
  dnsNames:
    - drone.aipice.local
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: drone-secure
  namespace: drone
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`drone.aipice.local`)
      kind: Rule
      services:
        - name: drone-server
          port: 80
  tls:
    secretName: drone-tls-secret
```

## 🔧 Quick Fix Commands

```bash
# 1. Check current Drone IngressRoute
kubectl get ingressroute -A | grep drone

# 2. Check current certificates
kubectl get certificates -A | grep drone

# 3. Check Traefik logs for certificate issues
kubectl logs -n traefik deployment/traefik | grep drone

# 4. Apply the fixed IngressRoute
kubectl apply -f drone-ingressroute.yaml

# 5. Wait for the certificate to be issued
kubectl get certificate -n drone -w
```

## 🕵️ Debugging Steps

### Check Current Drone Service

```bash
# Find your Drone service
kubectl get svc -A | grep drone

# Check the service details
kubectl describe svc drone-server -n drone
```

### Check Traefik Configuration

```bash
# Check the Traefik dashboard for routing
kubectl port-forward -n traefik svc/traefik 8080:8080
# Visit http://localhost:8080 to see routes

# Check IngressRoutes
kubectl get ingressroute -A -o yaml | grep -A 20 drone
```

### Verify Certificate Status

```bash
# Check certificate status
kubectl describe certificate -n drone

# Check the certificate secret
kubectl get secret -n drone | grep tls

# Test the certificate with openssl
openssl s_client -connect drone.aipice.local:443 -servername drone.aipice.local
```

## 🛠️ Alternative: Disable Certificate Verification

If you can't fix the certificate immediately, you can configure your Git service to skip certificate verification:

### For Gitea

```ini
# In Gitea app.ini
[webhook]
SKIP_TLS_VERIFY = true
ALLOWED_HOST_LIST = private
```

### For GitLab

```ruby
# In gitlab.rb
gitlab_rails['webhook_timeout'] = 30
gitlab_rails['outbound_requests_whitelist'] = ['192.168.100.0/24']
gitlab_rails['webhook_ssl_verification'] = false
```

### For GitHub (if self-hosted)

In the webhook configuration:

- ☐ Enable SSL verification (uncheck this)

## 🎯 Complete Working Example

Here's a complete working configuration:

```yaml
---
# Complete Drone CI IngressRoute with proper TLS
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: drone-aipice-local
  namespace: drone
  labels:
    app: drone-server
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`drone.aipice.local`)
      kind: Rule
      services:
        - name: drone-server
          port: 80
      middlewares:
        - name: drone-headers
  tls:
    certResolver: letsencrypt
    domains:
      - main: drone.aipice.local
---
# Optional: Add security headers
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: drone-headers
  namespace: drone
spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: https
    customResponseHeaders:
      X-Frame-Options: DENY
      X-Content-Type-Options: nosniff
```

Apply this configuration and your webhooks should work properly with valid TLS certificates!
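The `openssl s_client` check in "Verify Certificate Status" shows the served certificate but leaves you to read the SAN list by eye. The following Go program, an added example that is not part of the original page or of Traefik, Drone or cert-manager, automates that check: it connects with SNI set to the requested host, takes the leaf certificate the server presents, and classifies it as covering the host, as Traefik's `.traefik.default` fallback (the case in the error above), or as some other mismatch. Hostname matching is delegated to the standard library's `VerifyHostname`, which ignores the legacy CN and accepts a wildcard only as the whole leftmost label, so it also shows why `*.aipice.local` does not cover `aipice.local` unless that name is listed separately, as the wildcard `Certificate` in Solution 1 does. The verdict names and the `SelfSignedCert` helper (which mints constructed certificates so the classifier can be exercised offline) are this example's own; `drone.aipice.local` is the host from the page. Whichever solution you apply, run this against the live endpoint afterwards: a public ACME issuer such as Let's Encrypt will not issue for a `.local` name, so with an internal issuer the names actually present in the served certificate are worth confirming.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"log"
	"math/big"
	"net"
	"strings"
	"time"
)

// Verdict classifies the leaf certificate an endpoint presented for the requested name.
type Verdict string

const (
	VerdictOK             Verdict = "ok"              // certificate covers the host
	VerdictTraefikDefault Verdict = "traefik-default" // Traefik's generated fallback certificate
	VerdictMismatch       Verdict = "mismatch"        // another certificate that does not cover the host
)

// CertNames returns the SAN DNS names, or the subject CN only if there is no SAN at all.
func CertNames(cert *x509.Certificate) []string {
	if len(cert.DNSNames) > 0 {
		return cert.DNSNames
	}
	if cert.Subject.CommonName != "" {
		return []string{cert.Subject.CommonName}
	}
	return nil
}

// IsTraefikDefault matches Traefik's built-in fallback, whose name ends in ".traefik.default".
func IsTraefikDefault(cert *x509.Certificate) bool {
	for _, n := range CertNames(cert) {
		if strings.HasSuffix(strings.ToLower(n), ".traefik.default") {
			return true
		}
	}
	return false
}

// Classify decides whether cert covers host using the standard library's RFC 6125
// matching: SAN entries only, and a wildcard only as the whole leftmost label.
func Classify(cert *x509.Certificate, host string) Verdict {
	if err := cert.VerifyHostname(host); err == nil {
		return VerdictOK
	}
	if IsTraefikDefault(cert) {
		return VerdictTraefikDefault
	}
	return VerdictMismatch
}

// FetchLeaf connects with SNI set to host and returns the leaf certificate the server
// presented. Verification is off on purpose: the certificate is inspected, never trusted.
func FetchLeaf(host string, port int, timeout time.Duration) (*x509.Certificate, error) {
	addr := net.JoinHostPort(host, fmt.Sprint(port))
	cfg := &tls.Config{ServerName: host, InsecureSkipVerify: true} // inspection only
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", addr, cfg)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("%s: server presented no certificate", host)
	}
	return certs[0], nil
}

// SelfSignedCert mints a throwaway certificate with the given CN and SANs so the
// classifier can be exercised offline (constructed test data, not a real issuer).
func SelfSignedCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	tmpl.Subject.CommonName = cn
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	host := "drone.aipice.local" // the host from the page
	leaf, err := FetchLeaf(host, 443, 5*time.Second)
	if err != nil {
		log.Fatalln("connect:", err)
	}
	fmt.Printf("%s: %s (names in certificate: %s)\n", host, Classify(leaf, host), strings.Join(CertNames(leaf), ", "))
}
```

A `traefik-default` verdict after applying one of the solutions means Traefik never loaded a certificate for that host (no matching IngressRoute `tls` block, or the cert-manager `Certificate` is still pending), while `mismatch` means a certificate was loaded but its SAN list does not include the name clients ask for.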