Traefik-v2 alpha8 - TLS configuration : Options & default cert not applied?

Hi all,

I'm having trouble configuring tls on traefik:v2.0.0-alpha8-alpine.

I'm using docker-compose, and I defined the following in my dynamic config:

[tls]
  [[tls.certificates]]
    certFile = "/etc/pki/clients/client.pem"
    keyFile = "/etc/pki/clients/client-key.pem"
    stores = ["default"]

  [tls.stores]
    [tls.stores.default]
      [tls.stores.default.defaultCertificate]
        certFile = "/etc/pki/clients/client.pem"
        keyFile = "/etc/pki/clients/client-key.pem"

  [tls.options]
    [tls.options.mintls13]
      minVersion = "VersionTLS13"

and used the following labels on my container:

- "traefik.enable=true"
- "traefik.http.routers.whoami.entrypoints=https"
- "traefik.http.routers.whoami.tls=true"
- "traefik.http.routers.whoami.rule=Host(`calvin.benefice.io`)"
- "traefik.http.routers.whoami.tls.options=mintls13@file"

But it seems that I receive nothing from the file provider (as shown in the logs below), and I get the error "unknown TLS options: mintls13@file" when I display the config via /api/rawdata.

logs from provider:

level=debug msg="Configuration received from provider file: {\"http\":{\"middlewares\":{\"redirect-to-https\":{\"redirectScheme\":{\"scheme\":\"https\"}}}},\"tcp\":{},\"tls\":{}}" providerName=file

which gives :

{
  "http": {},
  "tcp": {},
  "tls": {} # why is this empty?
}

I have a complete example available here : https://github.com/pbenefice/wip_traefik_tls

The certificate itself is working, but not the Options nor the default cert...

Any help would be greatly appreciated.

Thanks in advance.
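A pre-deployment check for the "unknown TLS options: mintls13@file" error in the post above, added here as an example (it is not Traefik's code and not part of the original thread). It parses the dynamic TOML the way the file provider names its objects (`<name>@file`), extracts each router's `tls.options` reference from the Docker labels, and reports any reference that does not resolve, plus any `minVersion`/`maxVersion` value that is not one of the Go `crypto/tls` names Traefik accepts. The TOML text and label list are constructed from the thread; the helper names (`load_tls_options`, `router_tls_refs`, `check_tls_refs`) are assumptions, not Traefik APIs. One rule it encodes from the Traefik v2 provider-namespace convention: a reference without an `@provider` suffix is looked up in the router's own provider (here `docker`), which is why the label must say `mintls13@file`.

```python
"""Resolve Traefik v2 router tls.options references against a dynamic-config
TOML file.  Added example for this thread, not Traefik's own code.  The TOML
text and labels are constructed from the thread; the helper names are
assumptions, not Traefik APIs.
"""
import re

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Go crypto/tls version names Traefik accepts for minVersion / maxVersion.
TLS_VERSIONS = {"VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"}

# Constructed from the thread: the [tls.options] part of the dynamic config.
DYNAMIC_TOML = """\
[tls]
  [tls.options]
    [tls.options.mintls13]
      minVersion = "VersionTLS13"
"""

# Constructed from the thread: the Docker labels on the whoami container.
LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.whoami.entrypoints=https",
    "traefik.http.routers.whoami.tls=true",
    "traefik.http.routers.whoami.rule=Host(`calvin.benefice.io`)",
    "traefik.http.routers.whoami.tls.options=mintls13@file",
]

LABEL_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.tls\.options=(.+)$")


def load_tls_options(toml_text, provider="file"):
    """Return {"<name>@<provider>": table} for every [tls.options.<name>] table."""
    cfg = tomllib.loads(toml_text)
    options = cfg.get("tls", {}).get("options", {})
    return {f"{name}@{provider}": body for name, body in options.items()}


def router_tls_refs(labels, provider="docker"):
    """Map router name -> fully qualified tls.options reference from labels.

    A reference without an @provider suffix is resolved in the router's own
    provider, which is what Traefik does (assumed: labels come from docker).
    """
    refs = {}
    for label in labels:
        m = LABEL_RE.match(label)
        if m:
            router, ref = m.groups()
            refs[router] = ref if "@" in ref else f"{ref}@{provider}"
    return refs


def check_tls_refs(toml_text, labels):
    """Return a list of problems: dangling references or bad version names."""
    options = load_tls_options(toml_text)
    problems = []
    for router, ref in router_tls_refs(labels).items():
        if ref not in options:
            problems.append(f"router {router}: unknown TLS options: {ref}")
            continue
        for key in ("minVersion", "maxVersion"):
            value = options[ref].get(key)
            if value is not None and value not in TLS_VERSIONS:
                problems.append(f"{ref}: invalid {key} {value!r}")
    return problems


if __name__ == "__main__":
    report = check_tls_refs(DYNAMIC_TOML, LABELS)
    for line in report or ["ok: all TLS option references resolve"]:
        print(line)
```

This only checks that the references line up on paper; it cannot see the provider bug discussed later in the thread, where the file provider delivers an empty tls block. To confirm the policy on the wire after deployment, open a connection with `openssl s_client -connect <host>:443 -tls1_2` and check that the handshake is refused while `-tls1_3` succeeds.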

The TLS block in alpha8 cannot be serialized to JSON because the tls block can contain private keys.

Ok, thanks for the info, so this is not the source of the problem...

But I don't understand why I get the unknown TLS options: mintls13@file error on the router...

I don't know what I'm missing.

I created a small sample:

version: '3'

services:
  reverse_proxy:
    image: traefik:v2.0.0-alpha8
    command:
      - --api
      - --log.level=DEBUG
      - --entrypoints.secure.address=:443
      - --providers.docker.exposedbydefault=false
      - --providers.file.filename=dyn.toml
      - --global.sendAnonymousUsage=false

    ports:
      - "80:80"
      - "443:443"
      - "8000:8000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./dyn.toml:/dyn.toml

  whoami:
    image: containous/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.entrypoints=secure"
      - "traefik.http.routers.whoami.rule=Host(`something.docker.localhost`)"
      - "traefik.http.routers.whoami.tls.options=mintls13@file"

dyn.toml:

[tls]
  # [[tls.certificates]]
  #   certFile = "/etc/pki/clients/client.pem"
  #   keyFile = "/etc/pki/clients/client-key.pem"
  #   stores = ["default"]
  #
  # [tls.stores]
  #   [tls.stores.default]
  #     [tls.stores.default.defaultCertificate]
  #       certFile = "/etc/pki/clients/client.pem"
  #       keyFile = "/etc/pki/clients/client-key.pem"

  [tls.options]
    [tls.options.mintls13]
      minVersion = "VersionTLS13"

And I don't have any error:

{
  "routers":{
    "whoami@docker":{
      "entryPoints":[
        "secure"
      ],
      "service":"whoami_tem",
      "rule":"Host(`something.docker.localhost`)",
      "tls":{
        "options":"mintls13@file"
      }
    }
  },
  "services":{
    "whoami_tem@docker":{
      "loadBalancer":{
        "servers":[
          {
            "url":"http://172.21.0.3:80"
          }
        ],
        "passHostHeader":true
      },
      "usedBy":[
        "whoami@docker"
      ],
      "serverStatus":{
        "http://172.21.0.3:80":"UP"
      }
    }
  }
}

Hi again @ldez, thank you for spending some time digging into this.

Your sample is working on my side too (except the exposed port that I changed to 8080).
I'll try to compare this to what I did, I will eventually find what's going wrong...

I'll keep you posted.

Hi again @ldez,

I think I managed to break your example :sweat_smile: :

If you use directory, instead of filename, in the file provider configuration, it does not work:

version: '3'

services:
  reverse_proxy:
    image: traefik:v2.0.0-alpha8
    command:
      - --api
      - --log.level=DEBUG
      - --entrypoints.secure.address=:443
      - --providers.docker.exposedbydefault=false
      #- --providers.file.filename=dyn.toml
      - --providers.file.directory=/config
      - --global.sendAnonymousUsage=false

    ports:
      - "80:80"
      - "443:443"
      - "8000:8000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      #- ./dyn.toml:/dyn.toml
      - ./dyn.toml:/config/dyn.toml

  whoami:
    image: containous/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.entrypoints=secure"
      - "traefik.http.routers.whoami.rule=Host(`something.docker.localhost`)"
      - "traefik.http.routers.whoami.tls.options=mintls13@file"

I don't know if this is a bug, or if I made a mistake, but this is what solved the issue on my side.
Do you want me to open an issue on GitHub?

In any case, thanks for your support!

Pierre.

Yes, I confirm it's a bug and I created a fix https://github.com/containous/traefik/pull/5118

:+1: Very nice, I can't help with the review, but thank you :smiley: