server.cert does not include the certificate for the service #400

Closed
javacruft opened this issue Sep 13, 2024 · 1 comment · Fixed by canonical/observability-libs#109

@javacruft

Bug Description

The server.cert file in traefik units contains the certificate chain, but not the certificate for the service.

This results in the following symptoms from any client:

$ curl -L https://10.246.167.166
curl: (35) error:0A000458:SSL routines::tlsv1 unrecognized name

Signed cert provided to the manual-tls-certificates charm:

$ openssl x509 -in cert.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:7b:98:64:c9:5b:7a:0f:dd:3a:f3:7d:09:70:1a:76:af:68:4e:93
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = State, L = City, O = Organization, CN = www.example.com
        Validity
            Not Before: Sep 13 08:39:53 2024 GMT
            Not After : Sep 23 08:39:53 2024 GMT
        Subject: CN = 10.246.167.166, x500UniqueIdentifier = 1f12bb03-2fe5-4c1e-bc74-ed26d79526fd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ec:62:da:7b:19:ac:41:91:f8:12:e6:78:95:7f:
                    7d:c9:28:42:5b:a1:59:04:78:98:41:ca:2e:a1:ce:
                    9c:d6:0e:a8:1d:3a:b8:69:2c:72:2e:82:18:b5:3a:
                    1e:ec:0f:51:b5:27:79:fa:50:56:65:d3:26:4c:c8:
                    d0:61:8f:40:f6:dd:0e:99:0b:ce:03:c0:2b:82:e5:
                    58:3a:7a:e5:2a:96:b4:4b:82:5a:ce:71:f8:52:ca:
                    13:07:71:36:94:17:45:1f:c6:09:59:c3:be:a8:c1:
                    48:ca:36:83:66:46:97:f9:f0:39:7a:18:2d:5b:6d:
                    e3:7d:9b:c4:87:8b:cc:42:a4:d5:1a:ae:2f:cc:43:
                    f1:51:01:b5:6f:56:90:64:b1:72:19:11:1f:56:65:
                    b1:a5:3f:55:a4:66:ce:18:54:80:a9:9c:8a:be:de:
                    32:0b:38:db:f5:43:79:e8:5c:88:46:72:27:00:7c:
                    c9:63:0f:9c:e8:ef:67:d4:c1:26:75:1c:9a:a6:97:
                    ae:8f:b6:65:38:55:37:52:6e:eb:bc:3a:cd:fa:ef:
                    ca:82:8f:40:15:60:29:8e:e4:76:05:6f:d5:f2:5f:
                    01:e6:ca:71:af:39:77:12:a9:c1:52:92:88:be:b7:
                    77:7e:be:d8:5c:a7:e0:1e:b2:a2:3d:8a:86:86:f1:
                    24:81
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                IP Address:10.246.167.166
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        5a:20:29:13:a2:95:32:0c:e9:bf:af:e4:b0:ac:96:60:24:ef:
        f1:d8:e0:c6:36:b0:7d:19:28:97:f8:e3:4f:8b:a1:b6:9b:e1:
        bd:71:81:b6:5a:27:48:9f:68:f7:df:1f:aa:aa:83:7f:f4:45:
        37:22:16:72:ee:10:7e:85:85:f2:a9:fe:f2:12:30:15:b1:4a:
        79:a5:f2:12:d9:a2:21:63:45:72:00:bd:8e:76:5a:5f:21:2d:
        05:e1:03:1f:10:ad:4b:04:fa:21:a4:43:0b:e6:e0:47:b2:10:
        d7:7e:f8:b0:f2:c8:22:07:0f:95:2f:d1:12:6f:11:c1:86:f5:
        ed:d8:c1:7f:27:9c:eb:cd:02:e2:1d:af:98:43:49:f0:d5:25:
        1b:df:e7:71:5c:c9:9b:f7:37:a4:34:a8:b6:0f:a4:b7:95:0b:
        40:72:d1:4f:d4:d3:59:7e:38:38:6b:47:bf:98:21:9a:3b:30:
        72:91:51:09:0b:66:7b:27:88:f1:8f:bc:39:f1:92:5d:7f:70:
        bc:f6:f4:a9:75:b7:9f:e9:3c:2b:96:d8:fa:c7:7f:1b:d9:da:
        41:5f:4f:c4:32:c3:f9:68:23:17:5c:08:ae:af:25:8b:15:9a:
        1a:1c:77:e9:a2:47:c7:6c:b8:0e:93:44:99:66:3c:a3:2f:88:
        11:1f:92:df
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

This is presented to the traefik units from the manual-tls-certificates operator; however, it's not written to the server.cert file (only the cert chain is).

To Reproduce

https://microstack.run/docs

Single node install
Enable TLS feature

Environment

sunbeam deployment from 2024.1/beta
traefik-k8s - latest/beta
manual-tls-certificates (latest/stable) charm to generate signing requests and then inject certificates

Relevant log output

Nothing relevant in log data.

Additional context

No response

michaeldmitry commented Sep 13, 2024

The issue is that the traefik charm uses the entire chain for the server cert to accommodate intermediates (see more).
In the case of self-signed certificates, for example, it guarantees that the server cert is part of the chain.
In the case of manual-tls-certificates, it seems to take whatever is provided in the ca.crt file, which, very likely, only includes the CA chain without the server certificate.
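As an added illustration (not code from this issue, the traefik charm, or observability-libs), the following Python script shows the check behind both the report and the reply above: whether the end-entity certificate handed over by manual-tls-certificates actually appears in the bundle written to server.cert, and how to assemble that file so the leaf comes first, followed by the CA chain, without duplicating a self-signed cert that is already its own chain. The PEM blocks are constructed placeholders with arbitrary base64 bodies, not real certificates; the comparison works on the decoded DER bytes and does not validate signatures, so no key material is needed. Function names (`bundle_contains`, `build_server_cert`) are my own.

```python
import base64
import re
import ssl

# Constructed sample data for this example: the base64 bodies are arbitrary
# bytes, not real X.509 certificates. The checks below only split a PEM bundle
# and compare DER contents; they never parse or validate the certificates.
def _fake_pem(tag: bytes) -> str:
    body = base64.encodebytes(tag * 24).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

LEAF_PEM = _fake_pem(b"leaf-10.246.167.166-")   # stands in for the signed server cert
INTERMEDIATE_PEM = _fake_pem(b"intermediate-ca-")
ROOT_PEM = _fake_pem(b"root-ca-")
# What a ca.crt from manual-tls-certificates would look like: CA chain only, no leaf.
CA_CHAIN_PEM = INTERMEDIATE_PEM + ROOT_PEM

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(bundle: str) -> list[str]:
    """Return each PEM certificate block found in `bundle`, in file order."""
    return [m.group(0) + "\n" for m in _PEM_BLOCK.finditer(bundle)]


def to_der(pem: str) -> bytes:
    """Decode one PEM block to DER bytes so certificates can be compared
    independently of line wrapping or trailing whitespace."""
    return ssl.PEM_cert_to_DER_cert(pem.strip())


def bundle_contains(leaf_pem: str, bundle: str) -> bool:
    """True if the given end-entity certificate appears anywhere in `bundle`.

    This is the condition that held for self-signed certs (leaf == chain) but
    not for a ca.crt that carries only the CA chain.
    """
    leaf = to_der(leaf_pem)
    return any(to_der(block) == leaf for block in split_pem_bundle(bundle))


def build_server_cert(leaf_pem: str, chain_pem: str) -> str:
    """Assemble server.cert contents: the leaf first, then the chain, with
    duplicates removed so a self-signed cert is not written twice."""
    ordered = [leaf_pem] + split_pem_bundle(chain_pem)
    seen: set[bytes] = set()
    out: list[str] = []
    for block in ordered:
        der = to_der(block)
        if der in seen:
            continue
        seen.add(der)
        out.append(block.strip() + "\n")
    return "".join(out)


if __name__ == "__main__":
    # The broken state from the report: server.cert holds only the chain.
    print("leaf present in chain-only bundle:", bundle_contains(LEAF_PEM, CA_CHAIN_PEM))
    fixed = build_server_cert(LEAF_PEM, CA_CHAIN_PEM)
    print("leaf present after rebuild:", bundle_contains(LEAF_PEM, fixed))
    print("certificates in rebuilt server.cert:", len(split_pem_bundle(fixed)))
```

Running `bundle_contains` against the file a unit actually serves is the quickest way to confirm this bug class before reaching for curl: a `tlsv1 unrecognized name` alert from the client tells you the server had no certificate matching the requested name, but it does not tell you whether the leaf was missing from the file or simply had the wrong SAN, and the file check separates the two.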
