Client Authentication (mTLS) with enforcement is not working

We are working on mTLS with Traefik, and we are facing an issue with client certificate enforcement.
We are using "clientAuthType" as "RequireAndVerifyClientCert".
The problem statement is: "without giving the client certificate, it still authenticates the client".
Traefik version: 2.3.1

dynamic.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: dynamic
data:
  dynamic.yaml: |
    tls:
      options:
        default:
          clientAuth:
            caFiles:
              - /client/client-certificates.crt
            clientAuthType: RequireAndVerifyClientCert

values.yaml

additionalArguments:
  - "--log.level=DEBUG"
  - "--providers.kubernetescrd"
  - "--entrypoints.websecure.http.tls=true"
  - "--entrypoints.websecure.http.tls.certresolver=default"
  - "--entrypoints.websecure.http.tls.domains[0].main=DOMAIN.com"
  - "--entrypoints.websecure.http.tls.domains[0].sans=*.DOMAIN.com"
  - "--certificatesresolvers.default.acme.httpchallenge.entrypoint=web"
  - "--certificatesresolvers.default.acme.dnschallenge.provider=route53"
  - "--certificatesresolvers.default.acme.storage=/data/acme.json"
  - "--certificatesresolvers.default.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
  - "--providers.file.filename=/config/dynamic.yaml"

Is there any specific configuration that needs to be enabled on the Traefik side, or anything we are missing?

Hi @tonymat,

Could you share your Traefik logs from the beginning so we can check the configuration taken into account?

Hi @jbd,
I got the solution. I used the CRD for the TLSOption
instead of the file provider, which was indeed a bit painful in a K8s env. I just followed the docs on mTLS, and
tada, it worked for me.

Thanks.
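For readers landing on this thread with the same symptom, here is the Kubernetes CRD form of the poster's file-provider `dynamic.yaml`, written as an added example rather than taken from the thread or from the Traefik project. The namespace `apps`, the secret name `client-ca`, the service `whoami` and the host are assumed; the CA bundle value is a placeholder you replace with your own base64-encoded PEM. Unlike the entrypoint flags in `values.yaml`, which only turn TLS on, the client-auth setting is a TLS option that a router must select (or it must be the option named `default`), so the IngressRoute references it explicitly under `tls.options`.

```yaml
# Added example, not from the original thread: TLSOption / IngressRoute
# equivalent of the file-provider dynamic.yaml above. Namespace "apps",
# secret "client-ca", service "whoami" and the host are assumed names.
apiVersion: v1
kind: Secret
metadata:
  name: client-ca
  namespace: apps
type: Opaque
data:
  # Traefik reads the client CA bundle from the "tls.ca" key. Use a CA
  # dedicated to issuing client certificates, not the server's issuing CA.
  tls.ca: <base64-encoded PEM CA bundle, placeholder>
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: mtls
  namespace: apps
spec:
  minVersion: VersionTLS12
  clientAuth:
    # Same semantics as caFiles + clientAuthType in the file provider:
    # the handshake fails unless the client presents a certificate
    # chaining to one of these CAs.
    secretNames:
      - client-ca
    clientAuthType: RequireAndVerifyClientCert
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
  namespace: apps
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`whoami.DOMAIN.com`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  tls:
    certResolver: default
    # Select the option by name; without this the router falls back to
    # the option named "default", which may not require a client cert.
    options:
      name: mtls
      namespace: apps
```

To confirm enforcement rather than trusting the config, test the route twice from outside the cluster: once with `curl --cert client.crt --key client.key https://whoami.DOMAIN.com`, which should return the backend response, and once with plain `curl https://whoami.DOMAIN.com`, which must fail during the TLS handshake (curl reports a TLS alert from the server, not an HTTP status). If the second call succeeds, the router is not using the option you think it is; the DEBUG logs asked for earlier in this thread show which TLS options Traefik actually loaded and any errors building them.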

I am glad to see you found a solution. :+1:
