Unable to force VersionTLS12

After many, many attempts to get an A+ rating on ssllabs, and going through all topics that seemed related, I've come to the point where I need help. I'm using the following configuration to have multiple containers use at least TLS 1.2.

traefik.yaml

    global:
      checkNewVersion: false

    providers:
      docker:
        endpoint: "unix:///var/run/docker.sock"
        exposedByDefault: false
        network: proxy
      file:
        filename: /etc/traefik/traefikfile.yaml

    entryPoints:
      http:
        address: ":80"

      https:
        address: ":443"

    tls:
      options:
        default:
          minVersion: "VersionTLS12"
          cipherSuites:
            - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
            - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
            - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
            - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
          sniStrict: true

    certificatesResolvers:
      default:
        acme:
          email: some@email.com
          storage: /etc/traefik/acme/acmev2.json
          keyType: EC384
          httpChallenge:
            entryPoint: http

    api:
      dashboard: true

and the labels of a single container

    labels:
      - traefik.enable=true
      - traefik.http.routers.servicename.rule=Host(`some.domain.com`)
      - traefik.http.routers.servicename.tls=true
      - traefik.http.routers.servicename.tls.options=default
      - traefik.http.routers.servicename.tls.certresolver=default

I've also tried without the tls.options label, as that would make sense, but neither gave the result I was looking for.

There is currently also no mention of any TLS options being set in the DEBUG log.

Can anyone tell me what I'm doing wrong?

Anyone? A "this does work for me" would also help :slight_smile:

The `tls: options: default:` section should be in a dynamic file, not in the static one (not with the entrypoints).
See "Set TLS default option with .toml file" for more information.

Moved it to /etc/traefik/traefikfile.yaml and poof, it works. Thank you so very much!

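A pre-deployment check for the mistake resolved in this thread, as an added example that is not part of the original posts or of Traefik itself: it scans a static configuration file for root sections that belong in the dynamic configuration. The function name `misplaced_dynamic_sections` is hypothetical, the key set (`http`, `tcp`, `udp`, `tls`) is assumed from Traefik v2's dynamic configuration layout, and the sample is an abridged copy of the question's `traefik.yaml`.

```python
import re

# Root sections of Traefik's dynamic (routing) configuration. They are read
# from a provider such as the file provider, not from the static file.
DYNAMIC_ROOT_KEYS = {"http", "tcp", "udp", "tls"}

# A root key is an unindented, optionally quoted name followed by a colon.
ROOT_KEY = re.compile(r"""^["']?([A-Za-z][\w-]*)["']?\s*:""")


def misplaced_dynamic_sections(static_yaml: str):
    """Return [(line_number, key)] for dynamic root sections found at the
    top level of a static configuration file (block-style YAML)."""
    findings = []
    for number, line in enumerate(static_yaml.splitlines(), start=1):
        if not line or line[0] in " \t#-":
            continue  # nested content, comment, list item or blank line
        match = ROOT_KEY.match(line)
        if match and match.group(1) in DYNAMIC_ROOT_KEYS:
            findings.append((number, match.group(1)))
    return findings


# Constructed sample: abridged copy of the traefik.yaml from the question.
# The entry points named "http" and "https" are nested, so they are not flagged.
STATIC_SAMPLE = """\
providers:
  docker:
    exposedByDefault: false
  file:
    filename: /etc/traefik/traefikfile.yaml

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

tls:
  options:
    default:
      minVersion: "VersionTLS12"
      sniStrict: true
"""

if __name__ == "__main__":
    for number, key in misplaced_dynamic_sections(STATIC_SAMPLE):
        print(f"line {number}: '{key}:' is dynamic configuration; "
              "move it to the file provider's file")
```

Running it on the sample reports the `tls:` section, which is the block that had to move to `/etc/traefik/traefikfile.yaml`.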