Traefik delivers two certificates and uses TLS 1.0
I have got two identically configured Traefik reverse proxies, running on the identical Debian 10 platform.
But testing with SSL Labs SSL Server Test gives different results:
SSL Labs tests SNI and Non-SNI connection attempts to your server.
By default, if a non-SNI request is sent to Traefik, and it cannot find a matching certificate (with an IP SAN), it will return the default certificate, which is usually self-signed.
If you are required to pass this sort of SSL test, you may need to either:
Thanks. I also found this discussion and tried to set up identical tls.options. But I will double check.
By the way: my options are defined in separate files in a directory where all dynamic definitions are sitting. Are they also reread when changes occur?
It should be, as the TLS options are part of the "dynamic configuration" of Traefik. The first condition is that the watch directive of the file provider must be enabled (ref. https://docs.traefik.io/v2.0/providers/file/#watch).
As I mentioned: identical setup only for two different domains (I generated the configuration files from one source using sed). Even with strict SNI checking. For one of the domains Traefik delivers two certificates and also provides TLS 1.0. For the other I only get one certificate and no TLS 1.0.
Using the dashboard I can't explore the active SNI settings. Is there another possibility to find the differences in effective setup?
Now I've got the debug output for both setups ... and really cannot find any difference
I dare to include both (rather long) log files. The first one "domain1.log" covers more routers as this is a production site. SSL-Labs test (also included) is only done with "server.domain1.de" i.e.
"Adding route for server.domain1.de with TLS options withsni" entryPointName=websecure
As expected with identical configuration files the debug log - as far as I see - doesn't show differences. But: Even with sniStrict = true the first setup:
Can you try to set it with the tls option default as well please? It looks like you defined a tls option block named nosni, so it is not the default behavior if a request is not caught by a router... which certainly happens when SSL Labs tries things.
Not sure why this would work on one server, but not on the other, but worth it to try.
As middlewares have to be defined on a router, I would suggest the following strategy: define a "fallback" router which will take care of the behavior when no router matches your requests.
To do this, build a default http (and eventually a 2nd as http+tls) router associated to Traefik itself, like in https://blog.containo.us/traefik-2-0-docker-101-fc2893944b9d#49a5 (but in your file configuration here), then enable http to https redirect on the HTTP default router, and enable HSTS on all routers, including the default.
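A Traefik v2 dynamic file-provider configuration (YAML) that puts the thread's two suggestions together: a `default` TLS option with `sniStrict` and a TLS 1.2 minimum, so non-SNI probes and unmatched hosts never fall back to permissive settings, plus a lowest-priority fallback router pair with HTTPS redirect and HSTS. This is an added example, not configuration from the thread; the entrypoint names, certificate paths and the fallback service URL are placeholders.

```yaml
# Added example (not from the thread): Traefik v2 dynamic configuration for the
# file provider. Entrypoints "web" (:80) and "websecure" (:443) and the paths
# below are assumptions; adjust them to your static configuration.
tls:
  options:
    # "default" applies to every TLS handshake that no router's tls.options
    # overrides, including the non-SNI probes SSL Labs sends.
    default:
      minVersion: VersionTLS12   # refuses TLS 1.0 and 1.1 handshakes
      sniStrict: true            # missing/unknown SNI closes the handshake
  stores:
    default:
      # Served when no certificate matches the SNI and sniStrict is false;
      # with sniStrict: true above, such handshakes are closed instead.
      defaultCertificate:
        certFile: /etc/traefik/certs/server.domain1.de.crt
        keyFile: /etc/traefik/certs/server.domain1.de.key

http:
  middlewares:
    to-https:
      redirectScheme:
        scheme: https
        permanent: true
    hsts:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        forceSTSHeader: true
  routers:
    # priority 1 is the lowest, so these only match hosts no other router claims
    fallback-http:
      entryPoints: [web]
      rule: "HostRegexp(`{host:.+}`)"
      priority: 1
      middlewares: [to-https]
      service: fallback
    fallback-https:
      entryPoints: [websecure]
      rule: "HostRegexp(`{host:.+}`)"
      priority: 1
      middlewares: [hsts]
      service: fallback
      tls:
        options: default
  services:
    fallback:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8081"   # placeholder "no such site" page
```

After the file provider reloads, `openssl s_client -connect server.domain1.de:443 -noservername` should fail the handshake instead of presenting a certificate, and `openssl s_client -connect server.domain1.de:443 -tls1` should be refused.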