Traefik v3 appears to be offering self-signed together with letsencrypt

Hi everyone,

I got something strange in my setup. I've deployed dozens of Traefik servers and never experienced this before, albeit all previous ones had specific certificates; this is the first one with Let's Encrypt.

When visiting an endpoint, I see the certificate is trusted. I check the certificate from the browser, and the Let's Encrypt-generated certificate is used, so all good there, right?

Now, when I test it with SSL Labs, I get an A+ score, so that's also good, but I also get an error that TRAEFIK DEFAULT CERT is offered.

This is my static config:

certificatesResolvers:
  resolver:
    acme:
      email: email@domain.com
      storage: /etc/traefik/acme.json
      tlsChallenge: {}

entryPoints:
  web:
    address: ":80"
  websecure:
    http2:
      maxConcurrentStreams: 250
    address: ":443"

global:
  checkNewVersion: false
  sendAnonymousUsage: false

log:
  level: INFO

providers:
  file:
    filename: /etc/traefik/dynamic.yaml
    watch: true

This is my dynamic.yaml

http:
  routers:
    router-secure:
      rule: "Host(`server.domain.com`)"
      service: "application-app"
      entryPoints:
        - websecure
      middlewares:
        - hsts-header
      tls:
        certResolver: resolver

    router-insecure:
      rule: "Host(`server.domain.com`)"
      service: "application-app"
      entryPoints:
        - web
      middlewares:
        - redirect-to-https
        - hsts-header

  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: "https"
    hsts-header:
      headers:
        browserXSSFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        frameDeny: true

  services:
    application-app:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8000/"
        passHostHeader: true

  serversTransports:
    insecureTransport:
      insecureSkipVerify: true

tls:
  options:
    default:
      minVersion: "VersionTLS12"
      cipherSuites:
        - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"

I also cannot see that self-signed cert being offered when running an openssl s_client -connect test.
It's kind of strange what is going on. Is there something I've missed?

How does SSL Labs test? You do get the Traefik default cert when you request just the IP, without using the domain name.

Note that you can simplify your setup by placing the HTTP-to-HTTPS redirect on the entrypoint. Check the simple Traefik example.
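
The reply above explains why SSL Labs reports the Traefik default certificate while a browser and a plain `openssl s_client -connect server.domain.com:443` show the Let's Encrypt one: OpenSSL 1.1.1 and later send SNI by default, so connecting by hostname matches the router, whereas a scanner that connects by IP address (or deliberately without SNI) matches no router and gets Traefik's built-in self-signed fallback. The script below is an added example, not code from this thread or from the Traefik project; it assumes OpenSSL 1.1.1+ (for `-noservername`) and that the fallback certificate's subject is `CN = TRAEFIK DEFAULT CERT`, which is the name SSL Labs shows.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce what SSL Labs sees by
# connecting to the same host with and without SNI. With no server name in
# the ClientHello, Traefik has no router to match and serves its built-in
# self-signed certificate, whose subject is CN = TRAEFIK DEFAULT CERT (assumed).

# Read `openssl s_client` output on stdin and print the leaf subject line
# (the text after "subject="), stopping at the first match.
extract_subject() {
    sed -n '/^subject=/{s/^subject=//p;q;}'
}

# Return 0 if the given subject line is Traefik's fallback certificate.
is_traefik_default() {
    case "$1" in
        *"TRAEFIK DEFAULT CERT"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the subject presented for a given SNI name. An empty name means
# "send no SNI", which is what a scanner connecting by IP address does.
# (-noservername needs OpenSSL 1.1.1 or later.)
subject_for_sni() {
    host=$1; port=$2; sni=$3
    if [ -n "$sni" ]; then
        set -- -servername "$sni"
    else
        set -- -noservername
    fi
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>/dev/null | extract_subject
}

# Compare the certificate served with SNI against the one served without.
compare_sni() {
    host=$1; port=${2:-443}
    with=$(subject_for_sni "$host" "$port" "$host")
    without=$(subject_for_sni "$host" "$port" "")
    printf 'with SNI %s: %s\n' "$host" "$with"
    printf 'without SNI:  %s\n' "$without"
    if is_traefik_default "$without"; then
        echo "no-SNI fallback is the Traefik default certificate (this is what SSL Labs reports)"
    fi
}

# Only run the live check when a hostname is given on the command line,
# e.g.:  sh sni-check.sh server.domain.com 443
if [ "$#" -ge 1 ]; then
    compare_sni "$@"
fi
```

The second line of output is the one a scanner or anyone hitting the bare IP will see. Traefik's documentation covers two config-side answers that are outside this example: the entrypoint-level `http.redirections` the reply refers to, and the dynamic `tls.stores.default` options (`defaultCertificate`, or `defaultGeneratedCert` with a resolver) that replace the self-signed fallback with a certificate you control.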

SSL Labs tests A+ but also displays an error for the Traefik default cert.
I understand that it happens when I request just the IP, but it doesn't happen on other servers. It's rather strange.

But nevermind, i revamped the config. If i run into this again, I'll check back.
Thanks.