TLSOptions don't get applied - Traefik v2 #4792

Closed
1 of 2 tasks
markhaehnel opened this issue Apr 17, 2019 · 3 comments
Labels
area/provider/k8s/crd area/provider/k8s kind/bug/possible a possible bug that needs analysis before it is confirmed or fixed. status/5-frozen-due-to-age

Comments

@markhaehnel

Do you want to request a feature or report a bug?

Bug

Did you try using a 1.7.x configuration for the version 2.0?

  • Yes
  • No

What did you do?

What did you expect to see?

I set tlsOptions.default with minVersion = "VersionTLS12" in my traefik.toml in a KubernetesCRD environment and expected Traefik to serve only protocols newer than or equal to TLS 1.2.

What did you see instead?

Still all cipher suites are supported.

Output of traefik version: (What version of Traefik are you using?)

Docker image: traefik:v2.0.0-alpha3
Traefik version 2.0.0-alpha3 built on 2019-03-29T17:53:25Z

What is your environment & configuration (arguments, toml, provider, platform, ...)?

[Global]
  Debug = false
  CheckNewVersion = false
  SendAnonymousUsage = false

[Log]
  LogLevel = "debug"

[Providers.KubernetesCRD]

[EntryPoints]
  [EntryPoints.http]
    Address = ":8000"
  [EntryPoints.https]
    Address = ":4443"

[ACME]
  Email = "redacted@gmail.com"
  ACMELogging = true
  CAServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  Storage = "acme.json"
  EntryPoint = "https"
  OnHostRule = false
  [ACME.DNSChallenge]
    Provider = "cloudflare"

  [[ACME.Domains]]
    Main = "*.ezhub.de"
    SANs = ["ezhub.de"]

If applicable, please paste the log output in DEBUG level (--log.level=DEBUG switch)

time="2019-04-17T17:58:22Z" level=info msg="Using TOML configuration file /config/traefik.toml" 
time="2019-04-17T17:58:22Z" level=info msg="Traefik version 2.0.0-alpha3 built on 2019-03-29T17:53:25Z"
time="2019-04-17T17:58:22Z" level=debug msg="Static configuration loaded {\"Global\":{\"Debug\":false,\"CheckNewVersion\":false,\"SendAnonymousUsage\":false},\"ServersTransport\":{\"InsecureSkipVerify\":false,\"RootCAs\":null,\"MaxIdleConnsPerHost\":200,\"ForwardingTimeouts\":null},\"EntryPoints\":{\"http\":{\"Address\":\":8000\",\"Transport\":{\"LifeCycle\"
:{\"RequestAcceptGraceTimeout\":0,\"GraceTimeOut\":10000000000},\"RespondingTimeouts\":{\"ReadTimeout\":0,\"WriteTimeout\":0,\"IdleTimeout\":180000000000}},\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":false,\"TrustedIPs\":null}},\"https\":{\"Address\":\":4443\",\"Transport\":{\"LifeCycle\":{\"RequestAcceptGraceTimeout\":0,\"GraceTimeOut\":100000
00000},\"RespondingTimeouts\":{\"ReadTimeout\":0,\"WriteTimeout\":0,\"IdleTimeout\":180000000000}},\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":false,\"TrustedIPs\":null}}},\"Providers\":{\"ProvidersThrottleDuration\":2000000000,\"Docker\":null,\"File\":null,\"Marathon\":null,\"Kubernetes\":null,\"KubernetesCRD\":{\"Endpoint\":\"\",\"Token\":\"\
",\"CertAuthFilePath\":\"\",\"DisablePassHostHeaders\":false,\"Namespaces\":null,\"LabelSelector\":\"\",\"IngressClass\":\"\"},\"Rest\":null},\"API\":null,\"Metrics\":null,\"Ping\":null,\"Log\":{\"LogLevel\":\"debug\",\"format\":\"common\"},\"AccessLog\":null,\"Tracing\":null,\"HostResolver\":null,\"ACME\":{\"Email\":\"redacted@gmail.com\",\"ACMELogg
ing\":true,\"CAServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"Storage\":\"acme.json\",\"EntryPoint\":\"https\",\"KeyType\":\"\",\"OnHostRule\":false,\"DNSChallenge\":{\"Provider\":\"cloudflare\",\"DelayBeforeCheck\":0,\"Resolvers\":null,\"DisablePropagationCheck\":false},\"HTTPChallenge\":null,\"TLSChallenge\":null,\"Domains\":[{\"Main
\":\"*.ezhub.de\",\"SANs\":[\"ezhub.de\"]}]}}"
time="2019-04-17T17:58:22Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n"
time="2019-04-17T17:58:22Z" level=debug msg="No default certificate, generate one"
time="2019-04-17T17:58:22Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
time="2019-04-17T17:58:22Z" level=debug msg="Start TCP Server" entryPointName=https
time="2019-04-17T17:58:22Z" level=debug msg="Start TCP Server" entryPointName=http
time="2019-04-17T17:58:22Z" level=info msg="Starting provider *acme.Provider {\"Email\":\"redacted@gmail.com\",\"ACMELogging\":true,\"CAServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"Storage\":\"acme.json\",\"EntryPoint\":\"https\",\"KeyType\":\"\",\"OnHostRule\":false,\"DNSChallenge\":{\"Provider\":\"cloudflare\",\"DelayBefore
Check\":0,\"Resolvers\":null,\"DisablePropagationCheck\":false},\"HTTPChallenge\":null,\"TLSChallenge\":null,\"Domains\":[{\"Main\":\"*.ezhub.de\",\"SANs\":[\"ezhub.de\"]}],\"Store\":{}}"
time="2019-04-17T17:58:22Z" level=info msg="Testing certificate renew..." providerName=acme
time="2019-04-17T17:58:22Z" level=info msg="Starting provider *crd.Provider {\"Endpoint\":\"\",\"Token\":\"\",\"CertAuthFilePath\":\"\",\"DisablePassHostHeaders\":false,\"Namespaces\":null,\"LabelSelector\":\"\",\"IngressClass\":\"\"}"
time="2019-04-17T17:58:22Z" level=debug msg="Using label selector: \"\"" providerName=kubernetescrd
time="2019-04-17T17:58:22Z" level=info msg="label selector is: \"\"" providerName=kubernetescrd
time="2019-04-17T17:58:22Z" level=info msg="Creating in-cluster Provider client" providerName=kubernetescrd
time="2019-04-17T17:58:22Z" level=debug msg="Configuration received from provider ACME: {\"HTTP\":{},\"TCP\":null,\"TLSOptions\":null,\"TLSStores\":null}" providerName=ACME
time="2019-04-17T17:58:22Z" level=debug msg="Looking for provided certificate(s) to validate [\"*.ezhub.de\" \"ezhub.de\"]..." providerName=acme
time="2019-04-17T17:58:22Z" level=debug msg="Domains [\"*.ezhub.de\" \"ezhub.de\"] need ACME certificates generation for domains \"*.ezhub.de,ezhub.de\"." providerName=acme
time="2019-04-17T17:58:22Z" level=debug msg="Loading ACME certificates [*.ezhub.de ezhub.de]..." providerName=acme
time="2019-04-17T17:58:22Z" level=info msg="The key type is empty. Use default key type 4096." providerName=acme
time="2019-04-17T17:58:22Z" level=debug msg="No default certificate, generate one"
time="2019-04-17T17:58:23Z" level=debug msg="Configuration received from provider kubernetescrd: {\"HTTP\":{},\"TCP\":{},\"TLSOptions\":null,\"TLSStores\":null}" providerName=kubernetescrd
time="2019-04-17T17:58:23Z" level=debug msg="No default certificate, generate one"
time="2019-04-17T17:58:32Z" level=debug msg="Building ACME client..." providerName=acme
time="2019-04-17T17:58:32Z" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=acme
time="2019-04-17T17:58:32Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetescrd
time="2019-04-17T17:58:32Z" level=info msg=Register... providerName=acme
time="2019-04-17T17:58:32Z" level=info msg="legolog: [INFO] acme: Registering account for redacted@gmail.com" providerName=acme
time="2019-04-17T17:58:32Z" level=debug msg="Using DNS Challenge provider: cloudflare" providerName=acme
time="2019-04-17T17:58:32Z" level=info msg="legolog: [INFO] [*.ezhub.de, ezhub.de] acme: Obtaining bundled SAN certificate" providerName=acme
time="2019-04-17T17:58:33Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetescrd
time="2019-04-17T17:58:33Z" level=info msg="legolog: [INFO] [*.ezhub.de] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/x4idJLdcVVsFV0n_T3QAAgQ9ea70pbv8IQ1Up0wYvu8" providerName=acme
time="2019-04-17T17:58:33Z" level=info msg="legolog: [INFO] [ezhub.de] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/DpPN1WsnUrozFkRQly3aGwa65mxJn7VXv8cfmTWwUqk" providerName=acme
time="2019-04-17T17:58:33Z" level=info msg="legolog: [INFO] [*.ezhub.de] acme: use dns-01 solver" providerName=acme
time="2019-04-17T17:58:33Z" level=info msg="legolog: [INFO] [ezhub.de] acme: Could not find solver for: tls-alpn-01" providerName=acme
time="2019-04-17T17:58:33Z" level=info msg="legolog: [INFO] [ezhub.de] acme: Could not find solver for: http-01" providerName=acme
time="2019-04-17T17:58:33Z" level=info msg="legolog: [INFO] [ezhub.de] acme: use dns-01 solver" providerName=acme
time="2019-04-17T17:58:33Z" level=info msg="legolog: [INFO] [*.ezhub.de] acme: Preparing to solve DNS-01" providerName=acme
time="2019-04-17T17:58:34Z" level=info msg="legolog: [INFO] cloudflare: new record for ezhub.de, ID 56be82e440676a0ef65ed8b9e5cf1777" providerName=acme
time="2019-04-17T17:58:34Z" level=info msg="legolog: [INFO] [ezhub.de] acme: Preparing to solve DNS-01" providerName=acme
time="2019-04-17T17:58:34Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetescrd
time="2019-04-17T17:58:35Z" level=info msg="legolog: [INFO] cloudflare: new record for ezhub.de, ID a7cf5dfe3266b98573aec0323659f489" providerName=acme
time="2019-04-17T17:58:35Z" level=info msg="legolog: [INFO] [*.ezhub.de] acme: Trying to solve DNS-01" providerName=acme
time="2019-04-17T17:58:35Z" level=info msg="legolog: [INFO] [*.ezhub.de] acme: Checking DNS record propagation using [10.245.0.10:53]" providerName=acme
time="2019-04-17T17:58:35Z" level=info msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]" providerName=acme
time="2019-04-17T17:58:35Z" level=info msg="legolog: [INFO] [*.ezhub.de] acme: Waiting for DNS record propagation." providerName=acme
time="2019-04-17T17:58:37Z" level=info msg="legolog: [INFO] [*.ezhub.de] acme: Waiting for DNS record propagation." providerName=acme
time="2019-04-17T17:58:45Z" level=info msg="legolog: [INFO] [*.ezhub.de] The server validated our request" providerName=acme
time="2019-04-17T17:58:45Z" level=info msg="legolog: [INFO] [ezhub.de] acme: Trying to solve DNS-01" providerName=acme
time="2019-04-17T17:58:45Z" level=info msg="legolog: [INFO] [ezhub.de] acme: Checking DNS record propagation using [10.245.0.10:53]" providerName=acme
time="2019-04-17T17:58:45Z" level=info msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]" providerName=acme
time="2019-04-17T17:58:46Z" level=info msg="legolog: [INFO] [ezhub.de] The server validated our request" providerName=acme
time="2019-04-17T17:58:46Z" level=info msg="legolog: [INFO] [*.ezhub.de] acme: Cleaning DNS-01 challenge" providerName=acme
time="2019-04-17T17:58:46Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetescrd
time="2019-04-17T17:58:47Z" level=info msg="legolog: [INFO] [ezhub.de] acme: Cleaning DNS-01 challenge" providerName=acme
time="2019-04-17T17:58:47Z" level=debug msg="Skipping Kubernetes event kind *v1.Endpoints" providerName=kubernetescrd
time="2019-04-17T17:58:47Z" level=info msg="legolog: [INFO] [*.ezhub.de, ezhub.de] acme: Validations succeeded; requesting certificates" providerName=acme
time="2019-04-17T17:58:58Z" level=info msg="legolog: [INFO] [*.ezhub.de] Server responded with a certificate." providerName=acme
time="2019-04-17T17:58:58Z" level=debug msg="Certificates obtained for domains [*.ezhub.de ezhub.de]" providerName=acme
time="2019-04-17T17:58:58Z" level=debug msg="Configuration received from provider ACME: {\"HTTP\":{},\"TCP\":null,\"TLSOptions\":null,\"TLSStores\":null}" providerName=ACME
time="2019-04-17T17:58:58Z" level=debug msg="No store is defined to add the certificate MIIGNjCCBR6gAwIBAgITAPqmH6euZLgO92nh+Ij8b9UQGDANBg, it will be added to the default store."
time="2019-04-17T17:58:58Z" level=debug msg="Add certificate for domains *.ezhub.de,ezhub.de"
time="2019-04-17T17:58:58Z" level=debug msg="No default certificate, generate one"
@ldez ldez added area/provider/k8s/crd area/provider/k8s kind/bug/possible a possible bug that needs analysis before it is confirmed or fixed. and removed status/0-needs-triage labels Apr 19, 2019
@ldez ldez added this to To do in v2 via automation Apr 19, 2019

Reamer commented May 30, 2019

I have the same problem with docker-provider.

[tlsOptions]
  [tlsOptions.default]
    minVersion = "VersionTLS12"
    sniStrict = true

@ldez ldez moved this from To do to In progress in v2 Jun 12, 2019
@traefiker traefiker added this to the 2.0 milestone Jun 21, 2019
@traefiker
Contributor

Closed by #4973.

v2 automation moved this from In progress to Done Jun 21, 2019

Reamer commented Jun 26, 2019

@qm78 and @leonardobsjr:
I saw your thumbs up. I created a new issue for the docker provider: #5032

@traefik traefik locked and limited conversation to collaborators Sep 1, 2019
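
A client-side check for the behaviour the reporter expected (nothing older than TLS 1.2 accepted), added here as an example and not code from this issue or from Traefik: it offers exactly one protocol version per handshake and reports which ones the endpoint accepts. The loopback server `startLocal` is a constructed stand-in for the proxy entry point, and all function names are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Protocol versions to probe, oldest first.
var versions = []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13}

// Accepts reports whether addr completes a handshake when the client offers exactly one version.
func Accepts(addr string, version uint16) bool {
	// Probe only: protocol negotiation is tested here, not certificate trust.
	cfg := &tls.Config{MinVersion: version, MaxVersion: version, InsecureSkipVerify: true}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return false
	}
	defer conn.Close()
	return conn.ConnectionState().Version == version
}

// LowestAccepted returns the oldest version addr accepts, or 0 if none.
func LowestAccepted(addr string) uint16 {
	for _, v := range versions {
		if Accepts(addr, v) {
			return v
		}
	}
	return 0
}

// startLocal starts a loopback TLS listener (constructed stand-in) enforcing minVer.
func startLocal(minVer uint16) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{MinVersion: minVer}
	srv.StartTLS()
	return srv
}

func main() {
	srv := startLocal(tls.VersionTLS12)
	defer srv.Close()
	fmt.Printf("lowest accepted: 0x%04x\n", LowestAccepted(srv.Listener.Addr().String()))
}
```

Pointing `LowestAccepted` at the address of an entry point, such as the `:4443` listener in the configuration above, shows whether `minVersion` took effect: a result below `0x0303` (TLS 1.2) means the option is not being enforced.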