Letsencrypt with TCP router and non-SNI traffic

Dear all,

I was hoping I can use Traefik to encrypt my OpenLDAP traffic. I know that LDAP clients do not support SNI, but as this is the only service running on the machine, I hoped that using HostSNI(*) and sniStrict = false would do the trick. Letsencrypt issues the certificates right, but Traefik presents the default self-signed certificate to all clients instead of the letsencrypt one.

Here is my config:


  level = "DEBUG"

    address = ":636"
    address = ":80"

email = "haXXX"
storage = "/root/storage.json"
    entryPoint = "web"

     filename = "./dynamic.toml"


    sniStrict = false

    rule = "HostSNI(`*`)"
    entryPoints = ["ldapsecure"]
    service = "ldapservice"
    options = "default"
    certResolver = "le"
      main = "ldap.mydomain..."

    address = ""

After googling for hours, I found no further hint what else to try, so I hope someone has a clue here.

The log has:

DEBU[2020-10-08T15:00:31+02:00] Handling connection from XX.XX.XX.XX:52302
DEBU[2020-10-08T15:00:31+02:00] Serving default certificate for request: ""

Thanks for any hint!

HostSNI is for unencrypted TCP only.

I believe that TLS for ldap is another protocol that enables TLS via STARTTLS command after the connection is established.

To use a TCP router with TLS, TLS must be the underlying protocol and support SNI.