Configuring mTLS

I am new to Traefik and I am attempting to configure mTLS. I will post what I think is enough of my configuration but if I need to post more please just ask. My issue is I get no errors with my deployment but I also am never prompted to provide a client certificate when browsing to the dashboard. It seems as if I have an association problem between my TLS configuration and applying it properly? I am running Traefik in Docker Swarm by mounting the traefik.yml and I am successfully retrieving certificates from Let's Encrypt.

  • traefik.yml
global:
  checkNewVersion: true
  sendAnonymousUsage: true
providers:
  docker:
    swarmMode: true
    exposedByDefault: false
metrics:
  prometheus:
    addEntryPointsLabels: true
    addRoutersLabels: true
    addServicesLabels: true
    entryPoint: metrics
    buckets:
    - 0.1
    - 0.3
    - 1.2
    - 5.0
certificatesResolvers:
  myresolver:
    acme:
      email: name@domain.com
      storage: acme.json
      tlsChallenge: {}
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
    http:
      tls:
        options: mtls

api:
  dashboard: true

accessLog:
  bufferingSize: 100

http:
  routers:
    dash:
      tls:
        options: default
tls:
  options:
    mtls:
      clientAuth:
        caFiles:
          - /ca.crt
        clientAuthType: RequireAndVerifyClientCert
      curvePreferences:
        - CurveP521
        - CurveP384
      sniStrict: true

  • Docker Swarm stack file
version: "3.3"
services:
  traefik:
    image: traefik:v2.5
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./acme.json:/acme.json
    configs:
      - source: traefik_v7
        target: /etc/traefik/traefik.yml
      - source: ca_crt
        target: /ca.crt
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.routers.dash.rule=Host(`my.domain.com`)
        - traefik.http.routers.dash.entrypoints=websecure
        - traefik.http.routers.dash.tls.certresolver=myresolver
        - traefik.http.routers.dash.service=api@internal
        - traefik.http.services.dash.loadbalancer.server.port=80
      placement:
        constraints:
          - node.role==manager
          - node.labels.traefik==true

My mTLS config looks like this and it works, although I'm not too familiar with using the configs label in docker compose. I just volume mount the certs from host:/etc/certs

tls:
  options:
    default:
      clientAuth:
        # in PEM format. each file can contain multiple CAs.
        caFiles:
          - /etc/certs/ca.crt
        clientAuthType: RequireAndVerifyClientCert
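
Traefik v2 takes the `http`, `tcp`, `udp` and `tls` sections only from a dynamic provider, so TLS options written into the static traefik.yml are not applied to an entry point. The check below is an added example, not code from either post; `key_paths`, `audit_static_config` and the trimmed `SAMPLE` are constructed for illustration, and it assumes plain block-style YAML mappings.

```python
import re

# Root sections Traefik v2 takes only from a dynamic provider (file, Docker labels).
DYNAMIC_ROOTS = {"http", "tcp", "udp", "tls"}
KEY = re.compile(r"^(\s*)([A-Za-z_][\w-]*):\s*(.*)$")

def key_paths(text):
    """Yield (path, scalar value) for each mapping key in block-style YAML."""
    stack = []  # (indent, key) pairs from the root down to the current line
    for line in text.splitlines():
        m = KEY.match(line)
        if not m:
            continue
        indent = len(m.group(1))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, m.group(2)))
        yield tuple(k for _, k in stack), m.group(3).strip()

def audit_static_config(text):
    """Report dynamic sections, and entry points that rely on them, in a static file."""
    misplaced, defined, referenced = [], set(), {}
    for path, value in key_paths(text):
        if len(path) == 1 and path[0] in DYNAMIC_ROOTS:
            misplaced.append(path[0])
        if len(path) == 3 and path[:2] == ("tls", "options"):
            defined.add(path[2])
        if path[0] == "entryPoints" and path[-2:] == ("tls", "options") and value:
            referenced[path[1]] = value
    findings = [f"root '{k}' is dynamic configuration, not static" for k in misplaced]
    for entry_point, name in referenced.items():
        if name in defined:
            findings.append(f"entryPoint '{entry_point}' uses misplaced TLS options '{name}'")
    return findings

# Constructed sample: a trimmed copy of the traefik.yml from the question.
SAMPLE = """\
entryPoints:
  websecure:
    http:
      tls:
        options: mtls
tls:
  options:
    mtls:
      clientAuth:
        clientAuthType: RequireAndVerifyClientCert
"""
print("\n".join(audit_static_config(SAMPLE)))
```

An empty result means the static file carries no dynamic sections; it does not confirm that a provider actually defines the referenced options.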