Hello @daniel.tomcej :
Thanks for your quick response.
I added this config to Traefik following your advice, but it does not work:
defaultEntryPoints = ["http"]
[entryPoints]
  [entryPoints.http]
  # port for http entrypoint that traefik listens on
  address = ":80"
  [entryPoints.https]
  # the log below shows this entrypoint listening on :443
  address = ":443"
  [entryPoints.https.tls]
  sniStrict = true
  MinVersion = "VersionTLS12"
  # https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table
  # https://cipherli.st/
  CipherSuites = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
  ]
I obtained the same result again:
openssl s_client -connect <public_ip>:443 | openssl x509 -noout -text
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
da:5f:8b:de:f9:47:aa:54:ea:7d:25:7f:d8:4f:fc:6b
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = TRAEFIK DEFAULT CERT
Validity
Not Before: Aug 27 22:36:22 2019 GMT
Not After : Aug 26 22:36:22 2020 GMT
Subject: CN = TRAEFIK DEFAULT CERT
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bd:3a:0a:a2:14:93:49:63:75:4f:ae:d6:b5:65:
bf:dc:dc:32:80:c1:9b:fc:41:76:42:04:07:90:a3:
f0:c8:04:24:2f:25:4b:44:b3:91:10:e8:98:de:ee:
ef:5f:11:87:2c:de:43:4f:13:6f:00:ca:30:6b:f0:
6f:d3:7b:b8:5d:6f:51:1a:31:7a:65:83:fa:5c:91:
06:fe:fb:7d:ae:f5:c1:d3:ec:99:ae:1a:c8:27:58:
72:89:2f:d4:b9:e5:7a:18:7a:5a:b1:01:b9:2c:9c:
7b:75:ab:7c:47:53:2d:14:83:75:e3:3e:df:78:17:
c5:0e:de:dc:0b:68:fc:76:dc:d5:73:1d:f7:3b:f6:
c0:e9:77:df:9d:12:9a:a1:06:53:80:07:43:60:f1:
02:7b:cf:12:97:d8:cd:f9:00:0a:b2:41:18:db:d9:
a9:f1:1f:6e:0e:2d:21:6b:bc:d2:2b:ec:78:b0:c8:
57:76:1a:d8:98:2f:09:29:4c:02:6d:be:9c:cd:4f:
d6:74:fd:de:67:60:6e:6e:8b:ef:7b:e6:ec:d6:e0:
c3:04:7c:d4:0e:01:52:ed:45:1a:9f:b7:1f:1a:aa:
b2:d5:f9:d6:7c:4a:ee:80:9a:ec:11:3a:a8:0e:5d:
b5:99:25:73:0b:e2:f5:67:b2:78:5c:40:58:fb:98:
5a:d9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Alternative Name:
DNS:031d441e860e2d124b4c9a7fc8c4ada5.33df6386621b82389d72106d84587c79.traefik.default
Signature Algorithm: sha256WithRSAEncryption
a9:b2:d1:73:75:0d:c1:b7:41:7c:42:d1:50:64:bf:a0:98:d1:
31:62:05:dd:e0:82:e2:06:a7:30:65:23:99:f9:6e:6e:d9:e9:
ba:6e:db:f6:4b:ac:7b:ed:8f:98:e9:5d:e0:c1:47:e5:7e:fc:
b5:59:f4:2f:1f:3e:16:2b:cf:19:bb:32:69:9b:04:8d:e2:d8:
21:66:1e:0e:3f:d2:80:40:2d:74:b1:3c:ce:2e:4b:c6:cf:26:
ab:a9:63:a7:1f:98:f3:b6:e2:8f:0e:4c:da:42:22:d7:78:e3:
4d:0d:33:59:cc:c8:3e:08:07:c9:d5:a1:78:27:1d:3a:d2:e2:
a7:be:6b:ee:0e:1d:b8:de:cd:24:17:2a:bd:5b:00:f1:05:ef:
8d:6e:19:bb:e2:9f:17:9c:08:b8:b2:5d:f3:87:a4:6a:05:39:
00:a3:0f:b5:04:29:5a:b1:99:fb:b0:b1:0a:25:57:1b:dc:c2:
0b:81:2e:db:d4:92:86:4d:94:e1:14:96:62:0f:22:44:6d:7d:
7b:10:e4:19:c1:c4:05:10:3b:93:ff:4d:1c:bc:43:9a:6a:74:
89:d3:0b:e9:85:fc:7a:30:38:ad:3a:4c:70:2c:e5:98:ee:69:
05:68:77:d2:34:ff:c8:39:d3:13:3e:fe:dc:8e:4e:55:a1:84:
c3:4f:27:49
This is the log from the beginning:
time="2019-08-27T22:34:23Z" level=info msg="Using TOML configuration file /config/traefik.toml"
time="2019-08-27T22:34:23Z" level=info msg="Traefik version v1.7.14 built on 2019-08-14_09:46:58AM"
time="2019-08-27T22:34:23Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n"
time="2019-08-27T22:34:23Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc0003044a0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2019-08-27T22:34:23Z" level=info msg="Preparing server https &{Address::443 TLS:0xc00060c2d0 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc000304560} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2019-08-27T22:34:23Z" level=info msg="Starting server on :80"
time="2019-08-27T22:34:23Z" level=info msg="Preparing server traefik &{Address::8080 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc000304800} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2019-08-27T22:34:23Z" level=info msg="Starting server on :443"
time="2019-08-27T22:34:23Z" level=info msg="Starting server on :8080"
time="2019-08-27T22:34:23Z" level=info msg="Starting provider configuration.ProviderAggregator {}"
time="2019-08-27T22:34:23Z" level=info msg="Starting provider *kubernetes.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":[],\"Trace\":false,\"TemplateVersion\":0,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"\",\"Token\":\"\",\"CertAuthFilePath\":\"\",\"DisablePassHostHeaders\":false,\"EnablePassTLSCert\":false,\"Namespaces\":null,\"LabelSelector\":\"\",\"IngressClass\":\"\",\"IngressEndpoint\":null}"
time="2019-08-27T22:34:23Z" level=info msg="Starting provider *acme.Provider {\"Email\":\"<myEmail>\",\"ACMELogging\":true,\"CAServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"Storage\":\"acme.json\",\"EntryPoint\":\"https\",\"KeyType\":\"\",\"OnHostRule\":true,\"OnDemand\":false,\"DNSChallenge\":{\"Provider\":\"route53\",\"DelayBeforeCheck\":0,\"Resolvers\":null,\"DisablePropagationCheck\":false},\"HTTPChallenge\":null,\"TLSChallenge\":null,\"Domains\":[{\"Main\":\"<publicURL>\",\"SANs\":[\"*.<publicURL>\"]}],\"Store\":{}}"
time="2019-08-27T22:34:23Z" level=info msg="Testing certificate renew..."
time="2019-08-27T22:34:23Z" level=info msg="ingress label selector is: \"\""
time="2019-08-27T22:34:23Z" level=info msg="Creating in-cluster Provider client"
time="2019-08-27T22:34:23Z" level=info msg="The key type is empty. Use default key type 4096."
time="2019-08-27T22:34:24Z" level=info msg="Server configuration reloaded on :80"
time="2019-08-27T22:34:24Z" level=info msg="Server configuration reloaded on :443"
time="2019-08-27T22:34:24Z" level=info msg="Server configuration reloaded on :8080"
time="2019-08-27T22:34:24Z" level=info msg="Server configuration reloaded on :80"
time="2019-08-27T22:34:24Z" level=info msg="Server configuration reloaded on :443"
time="2019-08-27T22:34:24Z" level=info msg="Server configuration reloaded on :8080"
time="2019-08-27T22:34:26Z" level=info msg=Register...
time="2019-08-27T22:34:26Z" level=info msg="legolog: [INFO] acme: Registering account for <myEmail>"
time="2019-08-27T22:34:26Z" level=info msg="legolog: [INFO] [<publicURL>, *.<publicURL>] acme: Obtaining bundled SAN certificate"
time="2019-08-27T22:34:27Z" level=info msg="legolog: [INFO] [*.<publicURL>] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/83148831"
time="2019-08-27T22:34:27Z" level=info msg="legolog: [INFO] [<publicURL>] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/83148832"
time="2019-08-27T22:34:27Z" level=info msg="legolog: [INFO] [*.<publicURL>] acme: use dns-01 solver"
time="2019-08-27T22:34:27Z" level=info msg="legolog: [INFO] [<publicURL>] acme: Could not find solver for: tls-alpn-01"
time="2019-08-27T22:34:27Z" level=info msg="legolog: [INFO] [<publicURL>] acme: Could not find solver for: http-01"
time="2019-08-27T22:34:27Z" level=info msg="legolog: [INFO] [<publicURL>] acme: use dns-01 solver"
time="2019-08-27T22:34:27Z" level=info msg="legolog: [INFO] [*.<publicURL>] acme: Preparing to solve DNS-01"
time="2019-08-27T22:34:27Z" level=info msg="legolog: [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]"
time="2019-08-27T22:35:04Z" level=info msg="legolog: [INFO] [<publicURL>] acme: Preparing to solve DNS-01"
time="2019-08-27T22:35:04Z" level=info msg="legolog: [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]"
time="2019-08-27T22:35:24Z" level=error msg="vulcand/oxy/forward/websocket: Error when copying from client to backend: websocket: close 1006 (abnormal closure): unexpected EOF"
100.96.2.0 - - [27/Aug/2019:22:34:24 +0000] "GET /xmpp-websocket HTTP/1.1" 0 0 "-" "-" 1 "http-https_uc.<publicURL>/xmpp-websocket" "http://100.96.1.157:5280" 59969ms
time="2019-08-27T22:35:38Z" level=info msg="legolog: [INFO] [*.<publicURL>] acme: Trying to solve DNS-01"
time="2019-08-27T22:35:38Z" level=info msg="legolog: [INFO] [*.<publicURL>] acme: Checking DNS record propagation using [100.64.0.10:53]"
time="2019-08-27T22:35:38Z" level=info msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 4s]"
time="2019-08-27T22:35:42Z" level=info msg="legolog: [INFO] [*.<publicURL>] The server validated our request"
time="2019-08-27T22:35:42Z" level=info msg="legolog: [INFO] [<publicURL>] acme: Trying to solve DNS-01"
time="2019-08-27T22:35:42Z" level=info msg="legolog: [INFO] [<publicURL>] acme: Checking DNS record propagation using [100.64.0.10:53]"
time="2019-08-27T22:35:42Z" level=info msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 4s]"
time="2019-08-27T22:35:42Z" level=info msg="legolog: [INFO] [<publicURL>] The server validated our request"
time="2019-08-27T22:35:42Z" level=info msg="legolog: [INFO] [*.<publicURL>] acme: Cleaning DNS-01 challenge"
time="2019-08-27T22:35:43Z" level=info msg="legolog: [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]"
time="2019-08-27T22:36:16Z" level=info msg="legolog: [INFO] [<publicURL>] acme: Cleaning DNS-01 challenge"
time="2019-08-27T22:36:16Z" level=info msg="legolog: [INFO] [<publicURL>, *.<publicURL>] acme: Validations succeeded; requesting certificates"
time="2019-08-27T22:36:22Z" level=info msg="legolog: [INFO] [<publicURL>] Server responded with a certificate."
time="2019-08-27T22:36:22Z" level=info msg="Server configuration reloaded on :80"
time="2019-08-27T22:36:22Z" level=info msg="Server configuration reloaded on :443"
time="2019-08-27T22:36:22Z" level=info msg="Server configuration reloaded on :8080"
Regards and thanks for the support.
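The openssl command in the post above connects by IP and sends no SNI (`-servername` is missing), so a proxy that selects certificates per hostname has nothing to match on and falls back to its default certificate. The script below is an added example, not code from the forum post or from the Traefik project: it fetches the leaf certificate with SNI set, tells a self-signed "TRAEFIK DEFAULT CERT" placeholder apart from a CA-issued certificate, and checks whether the SAN list actually covers the hostname you care about. The sample certificate texts are constructed (the first one trimmed from the openssl output quoted in the post, the second with an invented "Example CA" issuer), and `203.0.113.10` / `app.example.net` in the usage line are placeholder values.

```shell
#!/bin/sh
# Added example (not from the original post or from Traefik): check which
# certificate a TLS endpoint serves for a given hostname, sending SNI.

# Fetch the leaf certificate of HOST (sent as SNI) from ADDR:PORT as x509 text.
# Only standard openssl s_client / x509 flags are used.
fetch_cert_text() {
  addr="$1"; host="$2"; port="${3:-443}"
  openssl s_client -connect "$addr:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null
}

# First "<label>: value" line of x509 text on stdin, value only.
x509_field() {
  sed -n "s/^[[:space:]]*$1: *//p" | head -n 1
}

# The Subject Alternative Name value, i.e. the line after the SAN header.
x509_sans() {
  awk '/Subject Alternative Name/ { getline; sub(/^[[:space:]]+/, ""); print; exit }'
}

# Classify x509 text read from stdin. Prints one of:
#   traefik-default  self-signed placeholder: CN "TRAEFIK DEFAULT CERT" or a
#                    SAN under .traefik.default (what the post's output shows)
#   self-signed      any other certificate whose issuer equals its subject
#   ca-issued        issuer differs from subject (e.g. an ACME-issued cert)
classify_cert() {
  text=$(cat)
  subject=$(printf '%s\n' "$text" | x509_field Subject)
  issuer=$(printf '%s\n' "$text" | x509_field Issuer)
  sans=$(printf '%s\n' "$text" | x509_sans)
  if [ "$subject" != "$issuer" ]; then
    echo ca-issued
  elif [ "$subject" = "CN = TRAEFIK DEFAULT CERT" ] \
       || printf '%s' "$sans" | grep -q '\.traefik\.default$'; then
    echo traefik-default
  else
    echo self-signed
  fi
}

# Does a SAN list ("DNS:a.example, DNS:*.b.example") cover HOST?
# A wildcard matches exactly one label, as browsers apply RFC 6125.
san_covers() {
  host="$2"
  for name in $(printf '%s' "$1" | tr ',' ' ' | sed 's/DNS://g'); do
    case "$name" in
      \*.*)
        suffix="${name#\*.}"
        case "$host" in
          *.$suffix)
            label="${host%.$suffix}"
            case "$label" in *.*) ;; *) return 0 ;; esac ;;
        esac ;;
      *) [ "$name" = "$host" ] && return 0 ;;
    esac
  done
  return 1
}

# Constructed sample: trimmed from the openssl output quoted in the post.
SAMPLE_DEFAULT_CERT=$(cat <<'EOF'
Certificate:
    Data:
        Issuer: CN = TRAEFIK DEFAULT CERT
        Subject: CN = TRAEFIK DEFAULT CERT
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:031d441e860e2d124b4c9a7fc8c4ada5.33df6386621b82389d72106d84587c79.traefik.default
EOF
)

# Constructed sample of what a CA-issued wildcard certificate looks like
# (issuer name and domain are invented placeholders).
SAMPLE_ACME_CERT=$(cat <<'EOF'
Certificate:
    Data:
        Issuer: C = US, O = Example CA, CN = Example CA X1
        Subject: CN = example.net
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.net, DNS:*.example.net
EOF
)

# Usage against a live endpoint (placeholder address and hostname):
#   fetch_cert_text 203.0.113.10 app.example.net | classify_cert
#   san_covers "$(fetch_cert_text 203.0.113.10 app.example.net | x509_sans)" app.example.net
```

If `classify_cert` still prints `traefik-default` with `-servername` set to a name the ACME certificate should cover, the proxy never loaded the issued certificate for that host; if it prints `ca-issued` but `san_covers` fails, the certificate was loaded but was issued for different names.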