TCP router gets F, http router gets A

I have a service that has these labels:

labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.${STACK}-app.rule=Host(`${STACK}.${DOMAIN}`)"
      - "traefik.http.routers.${STACK}-app.entrypoints=websecure"
      - "traefik.http.routers.${STACK}-app.tls.certresolver=myresolver"
      - "traefik.http.services.${STACK}-app.loadbalancer.server.port=3000"

When I start this stack, if I use SSL Server Test (Powered by Qualys SSL Labs) to validate, I get a big fat A.

I now wanted to add a TCP port in the same server (express) for certain command/control.

So I added these labels (to the same container):

      - "traefik.tcp.routers.${STACK}-app.rule=HostSNI(`${STACK}-socket.${DOMAIN}`)"
      - "traefik.tcp.routers.${STACK}-app.entrypoints=websecure"
      - "traefik.tcp.routers.${STACK}-app.tls.certresolver=myresolver"
      - "traefik.tcp.services.${STACK}-app.loadbalancer.server.port=42000"

So the idea is that I'd get 2 hosts: stack.domain and stack-socket.domain.

System starts, service starts. However, if I visit the SSL site again, I now get a big fat F for the stack-socket.domain host.

Confused why HTTPS is A while TCP is F.

Any insights would be most welcome

You should use different router/service names in the labels for the different targets, not the same ${STACK}-app.

Is the F a result of the reverse proxy and TLS or might that be connected to the target service?

Thanks. Have updated the service/router names to be unique for the target.

Same result though.

However, I did notice this

which may imply that if I

a) turn off TLS1.2
b) remove the weak ciphers

may fix the problem

I think a) is achievable using the minTls setting.
Will have to look into b).

Both can be configured in a dynamic config file, loaded in static config via providers.file.

Every now and then you see it in the posts here.
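
The dynamic-file setup the last reply refers to, written out as an added example that is not part of the original thread. The file path, the option-set name `modern` and the router/service name `${STACK}-socket` are assumptions; the thread does not say which names the poster ended up using.

```yaml
# --- static config (traefik.yml): load the dynamic file via providers.file ---
providers:
  file:
    filename: /etc/traefik/dynamic/tls.yml   # assumed path
    watch: true
---
# --- dynamic config (/etc/traefik/dynamic/tls.yml, assumed path) ---
tls:
  options:
    # "modern" is an assumed name. Naming the set "default" instead applies it
    # to every router that does not set tls.options itself.
    modern:
      # Lowest protocol version accepted. VersionTLS13 also turns TLS 1.2 off.
      minVersion: VersionTLS12
      # Only consulted for TLS 1.2 and below; TLS 1.3 suites are not configurable.
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
---
# --- compose labels: TCP router with its own name, pointing at the option set ---
labels:
  - "traefik.tcp.routers.${STACK}-socket.rule=HostSNI(`${STACK}-socket.${DOMAIN}`)"
  - "traefik.tcp.routers.${STACK}-socket.entrypoints=websecure"
  - "traefik.tcp.routers.${STACK}-socket.tls.certresolver=myresolver"
  # <name>@file refers to an option set defined by the file provider
  - "traefik.tcp.routers.${STACK}-socket.tls.options=modern@file"
  - "traefik.tcp.services.${STACK}-socket.loadbalancer.server.port=42000"
```

The HTTP router can reference the same set with `traefik.http.routers.${STACK}-app.tls.options=modern@file`, so both hostnames are scanned against identical protocol and cipher settings.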