I'm trying to configure an IngressRoute that requires mTLS with Traefik 2.4.8. In the IngressRoute, I reference the following TLSOptions:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: mtls
  namespace: traefik
spec:
  minVersion: VersionTLS12
  cipherSuites:
    - TLS_RSA_WITH_AES_256_GCM_SHA384
    - TLS_RSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  clientAuth:
    # the CA certificate is extracted from key `tls.ca` of the given secrets.
    secretNames:
      - tls-ca
    clientAuthType: RequireAndVerifyClientCert
```
However, when I test the service using curl, Traefik does not reject the request if a client certificate is not presented. I've used tcpdump and can see that Traefik never requests the client certificate during the TLS handshake.
Any ideas on what could be going wrong or suggestions on how to debug? I wonder if it might be something with the secret used to store the CA cert. The only documentation I could find is the comment in the TLSOptions example that says the CA cert must be in key "tls.ca". I created a generic secret using that key and the public CA cert base64 encoded. Not sure if that's correct.
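As an added check that is not part of this post or of Traefik itself: the following standard-library Python classifies the base64 string stored under the `tls.ca` key of a Secret's `data:` map, telling a proper PEM bundle apart from a file that was base64-encoded before being handed to kubectl (which encodes it again, so the consumer sees base64 text rather than certificates) and from a bare DER certificate. That Traefik expects PEM under `tls.ca` is an assumption here, and the sample values are constructed fakes, not real certificates.

```python
import base64
import binascii
import re

# One CERTIFICATE block of a PEM bundle; the capture is its base64 body.
PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def _b64decode(value):
    """Strict base64 decode of whitespace-free input; None if it is not base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def _body_is_der(body: bytes) -> bool:
    """A PEM body must decode to DER: SEQUENCE tag 0x30 with a 2-byte length (0x82)."""
    der = _b64decode(b"".join(body.split()))
    return bool(der) and der[:2] == b"\x30\x82"

def check_tls_ca(data_value: str) -> dict:
    """Classify the base64 string stored under `tls.ca` in a Secret's `data:` map.

    "pem": a PEM bundle (assumed to be what Traefik expects under this key);
    "double-encoded": the PEM file was base64-encoded before kubectl encoded it
    again, so Traefik would read base64 text rather than certificates;
    "der": a bare binary certificate; "invalid": anything else.
    """
    raw = _b64decode("".join(data_value.split()))
    if raw is None:
        return {"status": "invalid", "certificates": 0}
    blocks = PEM_BLOCK.findall(raw)
    if blocks:
        if all(_body_is_der(b) for b in blocks):
            return {"status": "pem", "certificates": len(blocks)}
        return {"status": "invalid", "certificates": 0}
    if raw[:2] == b"\x30\x82":
        return {"status": "der", "certificates": 1}
    inner = _b64decode(b"".join(raw.split()))
    if inner is not None and PEM_BLOCK.search(inner):
        return {"status": "double-encoded", "certificates": len(PEM_BLOCK.findall(inner))}
    return {"status": "invalid", "certificates": 0}

# Constructed samples (not real certificates): a fake DER body wrapped as PEM.
FAKE_DER = b"\x30\x82\x00\x10" + b"\x00" * 16
FAKE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(FAKE_DER) + b"-----END CERTIFICATE-----\n"
SECRET_OK = base64.b64encode(FAKE_PEM).decode()                         # kubectl --from-file=tls.ca=ca.pem
SECRET_BUNDLE = base64.b64encode(FAKE_PEM * 2).decode()                 # two CA certs in one file
SECRET_DOUBLE = base64.b64encode(base64.b64encode(FAKE_PEM)).decode()   # file base64-encoded beforehand
SECRET_DER = base64.b64encode(FAKE_DER).decode()                        # DER file instead of PEM
```

Feed it the `data.tls.ca` value from `kubectl get secret tls-ca -o yaml`; only the "pem" result means the CA is stored in a form a PEM-reading consumer can parse.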