HTTP/3 not working #10686

Open
2 tasks done
kaaax0815 opened this issue May 3, 2024 · 1 comment

Labels
area/http3, kind/bug/possible (a possible bug that needs analysis before it is confirmed or fixed)

Comments

@kaaax0815

Welcome!

  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you do?

Upgrade to v3.

What did you see instead?

// curl 8.7.1
curl --http3 -vvvv https://wireguard.redacted
* Host wireguard.redacted:443 was resolved.
* IPv6: redacted::1
* IPv4:redacted
*   Trying [redacted::1]:443...
* QUIC cipher selection: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256
*   Tryingredacted:443...
* QUIC cipher selection: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256
*   Trying [redacted::1]:443...
* Connected to wireguard.redacted (redacted::1) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* ngtcp2_conn_handle_expiry returned error: ERR_HANDSHAKE_TIMEOUT
* ngtcp2_conn_handle_expiry returned error: ERR_HANDSHAKE_TIMEOUT
* Failed to connect to wireguard.redacted port 443 after 10219 ms: Failed sending data to the peer
* Closing connection
curl: (55) SSL certificate problem: unable to get local issuer certificate

What version of Traefik are you using?

Version: 3.0.0
Codename: beaufort
Go version: go1.22.2
Built: 2024-04-29T14:25:59Z
OS/Arch: linux/amd64

What is your environment & configuration?

services:
  traefik:
    image: traefik:3.0
    container_name: traefik
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443/tcp"
      - "443:443/udp"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /docker/traefik/data/traefik.yml:/traefik.yml:ro
      - /docker/traefik/data/traefik_dynamic.yml:/traefik_dynamic.yml:ro
      - /docker/traefik/data/acme.json:/acme.json
    env_file:
      - traefik.env
    networks:
      - traefik

networks:
  traefik:
    external: true

log:
  level: INFO

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      middlewares:
        - compress@file
        - hsts@file
      tls:
        certresolver: letsencrypt
    http3: {}
  traefik:
    address: ":8080"

api:
  dashboard: true

certificatesResolvers:
  letsencrypt:
    acme:
      email: redacted
      storage: acme.json
      dnsChallenge:
        provider: cloudflare

providers:
  docker:
    watch: true
    network: traefik
    exposedByDefault: false
  file:
    filename: traefik_dynamic.yml

serversTransport:
  insecureSkipVerify: true

metrics:
  prometheus: {}

http:
  middlewares:
    services:
      basicAuth:
        users:
          - "redacted"
    minecraft:
      basicAuth:
        users:
          - "redacted"
    compress:
      compress: {}
    hsts:
      headers:
        stsSeconds: 2592000
    towebsite:
      redirectRegex:
        regex: .*
        replacement: https://redacted
        permanent: false
  routers:
    api:
      rule: Host(`traefik.redacted`)
      entrypoints:
        - websecure
      middlewares:
        - services
      service: api@internal
      tls:
        certresolver: letsencrypt
    catchall:
      rule: HostRegexp(`^(?:.+\.)?redacted$`)
      entrypoints:
        - websecure
      middlewares:
        - towebsite
      service: noop@internal
      priority: 1
      tls:
        certresolver: letsencrypt
        domains:
          - main: "redacted"
            sans:
              - "*.redacted"

tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      sniStrict: true

If applicable, please paste the log output in DEBUG level

No response

jspdown added the kind/bug/possible (a possible bug that needs analysis before it is confirmed or fixed) and area/http3 labels and removed the status/0-needs-triage label on May 6, 2024

@bschnei

bschnei commented May 6, 2024

I'm experiencing the same issue with similar configuration: https://community.traefik.io/t/http-falls-back-to-http-2-even-though-http-3-is-enabled/22526
