Maison/arti-api/auth-service/pipeline/TRAEFIK-DRONE-TLS-FIX.md
2026-02-10 12:12:11 +01:00


# Traefik Certificate Fix for drone.aipice.local

The error indicates that Traefik is serving its self-generated default certificate instead of a proper certificate for drone.aipice.local.

## 🔍 Root Cause

```text
x509: certificate is valid for a7b8f3b8fd415b0fbd62e803b96eec90.d8282a75d7bf97aa2eb0bd7c2d927f85.traefik.default, not drone.aipice.local
```

This means:

  • Traefik found no certificate whose name matches the requested SNI, so it fell back to the default certificate it generates at startup (the `*.traefik.default` name in the error)
  • No proper certificate is configured for drone.aipice.local
  • The domain does not match the certificate, so the webhook client correctly rejects the connection

One caveat before the solutions below: `aipice.local` is not a public DNS zone, so Let's Encrypt (or any other public ACME CA) cannot validate it. The `letsencrypt` resolver/issuer referenced in the manifests therefore has to be backed by an internal CA (for example a cert-manager CA or SelfSigned issuer whose root your Git server trusts); otherwise the Certificate never becomes Ready and Traefik keeps serving the default certificate.

## 🚀 Solutions

### Solution 1: Create Proper IngressRoute for Drone

Create a Traefik IngressRoute for your Drone CI. The IngressRoute below lets Traefik's own ACME `certResolver` obtain the certificate; the cert-manager `Certificate` that follows is the alternative for a wildcard issued via cert-manager, in which case the IngressRoute should reference the resulting secret (`tls.secretName`, as in Solution 3) instead of a `certResolver`:

```yaml
---
# drone-ingressroute.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: drone-ci
  namespace: drone  # Adjust to your Drone namespace
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`drone.aipice.local`)
    kind: Rule
    services:
    - name: drone-server  # Your Drone service name
      port: 80
  tls:
    certResolver: letsencrypt
    domains:
    - main: drone.aipice.local
---
# If you need a wildcard certificate for *.aipice.local
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-aipice-local
  namespace: drone
spec:
  secretName: wildcard-aipice-local-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  commonName: "*.aipice.local"
  dnsNames:
  - "aipice.local"
  - "*.aipice.local"
```

### Solution 2: Update Drone Helm Values (if using Helm)

If you're using Helm to deploy Drone:

```yaml
# drone-values.yaml
ingress:
  enabled: true
  className: traefik
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    cert-manager.io/cluster-issuer: letsencrypt
  hosts:
    - host: drone.aipice.local
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: drone-aipice-local-tls
      hosts:
        - drone.aipice.local
```

### Solution 3: Manual Certificate Creation

Create a certificate manually for drone.aipice.local and point the IngressRoute at the resulting secret:

```yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: drone-aipice-local-cert
  namespace: drone
spec:
  secretName: drone-tls-secret
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  commonName: drone.aipice.local
  dnsNames:
  - drone.aipice.local
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: drone-secure
  namespace: drone
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`drone.aipice.local`)
    kind: Rule
    services:
    - name: drone-server
      port: 80
  tls:
    secretName: drone-tls-secret
```

## 🔧 Quick Fix Commands

```sh
# 1. Check current Drone IngressRoute
kubectl get ingressroute -A | grep drone

# 2. Check current certificates
kubectl get certificates -A | grep drone

# 3. Check Traefik logs for certificate issues
kubectl logs -n traefik deployment/traefik | grep drone

# 4. Apply the fixed IngressRoute
kubectl apply -f drone-ingressroute.yaml

# 5. Wait for certificate to be issued
kubectl get certificate -n drone -w
```

## 🕵️ Debugging Steps

### Check Current Drone Service

```sh
# Find your Drone service
kubectl get svc -A | grep drone

# Check the service details
kubectl describe svc drone-server -n drone
```

### Check Traefik Configuration

```sh
# Check Traefik dashboard for routing
kubectl port-forward -n traefik svc/traefik 8080:8080
# Visit http://localhost:8080 to see routes

# Check IngressRoutes
kubectl get ingressroute -A -o yaml | grep -A 20 drone
```

### Verify Certificate Status

```sh
# Check certificate status
kubectl describe certificate -n drone

# Check certificate secret
kubectl get secret -n drone | grep tls

# Test certificate with openssl (</dev/null makes s_client exit after the handshake;
# the x509 step prints the names the served certificate actually covers)
openssl s_client -connect drone.aipice.local:443 -servername drone.aipice.local </dev/null 2>/dev/null \
  | openssl x509 -noout -subject -ext subjectAltName
```
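The openssl check above still leaves you reading SANs by eye. The script below is an added example (not part of the original document) that performs the same handshake, parses the served SANs and classifies the outcome, so you can tell a `traefik.default` fallback apart from a certificate that merely covers the wrong names. It assumes only openssl 1.1.1 or later (for `x509 -ext`), sed and tr; the host name is the one from the page, and the optional address argument is an assumption for workstations where `drone.aipice.local` does not resolve but the ingress IP is known.

```sh
#!/bin/sh
# Added example: verify that the certificate Traefik serves for a host actually covers it.
# Not from the original document; assumes only openssl (>= 1.1.1), sed and tr.

# san_matches HOST NAME: succeed if NAME (exact or single-level wildcard) covers HOST.
san_matches() {
  host=$1
  name=$2
  case "$name" in
    "*."*)
      # A wildcard covers exactly one left-most label, so *.aipice.local
      # covers drone.aipice.local but not a.b.aipice.local or aipice.local.
      label=${host%%.*}
      rest=${host#*.}
      [ -n "$label" ] && [ "$rest" != "$host" ] && [ "$rest" = "${name#\*.}" ]
      ;;
    *)
      [ "$host" = "$name" ]
      ;;
  esac
}

# parse_sans: read `openssl x509 -ext subjectAltName` output on stdin,
# print one DNS name per line (other SAN types such as IP: are ignored).
parse_sans() {
  tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# cert_covers_host HOST: read SAN names from stdin (one per line),
# succeed if any of them covers HOST. Reading lines avoids word-splitting
# and glob expansion of names like *.aipice.local.
cert_covers_host() {
  host=$1
  while IFS= read -r name; do
    [ -n "$name" ] && san_matches "$host" "$name" && return 0
  done
  return 1
}

# served_sans HOST [ADDR]: fetch the certificate served for HOST (via SNI)
# from ADDR (default HOST:443) and print its DNS SANs.
served_sans() {
  host=$1
  addr=${2:-$host:443}
  openssl s_client -connect "$addr" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null \
    | parse_sans
}

# check_host HOST [ADDR]: print a verdict; exit 0 only when the served cert covers HOST,
# 1 when it covers other names, 2 when no certificate/SAN could be read.
check_host() {
  host=$1
  sans=$(served_sans "$host" "$2")
  if [ -z "$sans" ]; then
    echo "no certificate or no DNS SAN returned for $host"
    return 2
  fi
  if printf '%s\n' "$sans" | cert_covers_host "$host"; then
    echo "OK: certificate covers $host"
    return 0
  fi
  case "$sans" in
    *traefik.default*)
      # This is the fallback certificate Traefik generates when no configured
      # certificate matches the SNI name, i.e. the situation behind the x509 error.
      echo "Traefik is serving its generated default certificate for $host" ;;
    *)
      echo "certificate for $host covers only: $(printf '%s' "$sans" | tr '\n' ' ')" ;;
  esac
  return 1
}

# Usage:
#   check_host drone.aipice.local
#   check_host drone.aipice.local 192.168.100.10:443   # ADDR override is an assumption
```

`check_host` exits non-zero whenever the name is not covered, so it drops straight into a CI smoke test or a `kubectl get certificate -w` loop: once the Certificate is Ready and the IngressRoute references the right secret, the verdict flips from the `traefik.default` message to `OK`.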

## 🛠️ Alternative: Disable Certificate Verification

If you can't fix the certificate immediately, you can configure your Git service to skip certificate verification. This makes the webhook accept any certificate presented for drone.aipice.local, so it only hides the error; keep it as a stopgap until the certificate is fixed:

### For Gitea

```ini
# In Gitea app.ini
[webhook]
SKIP_TLS_VERIFY = true
ALLOWED_HOST_LIST = private
```

### For GitLab

```ruby
# In gitlab.rb
gitlab_rails['webhook_timeout'] = 30
gitlab_rails['outbound_requests_whitelist'] = ['192.168.100.0/24']
gitlab_rails['webhook_ssl_verification'] = false
```

### For GitHub (if self-hosted)

In the webhook configuration:

  • Uncheck ☐ "Enable SSL verification"

## 🎯 Complete Working Example

Here's a complete working configuration:

```yaml
---
# Complete Drone CI IngressRoute with proper TLS
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: drone-aipice-local
  namespace: drone
  labels:
    app: drone-server
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`drone.aipice.local`)
    kind: Rule
    services:
    - name: drone-server
      port: 80
    middlewares:
    - name: drone-headers
  tls:
    certResolver: letsencrypt
    domains:
    - main: drone.aipice.local
---
# Optional: Add security headers
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: drone-headers
  namespace: drone
spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: https
    customResponseHeaders:
      X-Frame-Options: DENY
      X-Content-Type-Options: nosniff
```

Apply this configuration and your webhooks should work properly with valid TLS certificates!