Setting up Traefik to require client side certificates with Let's Encrypt using CLI only

Traefik Traefik v1
1

I am trying to setup Traefik to do SSL client certificates much like how I used to do it with Apache. But I can't seem to get it working correctly. I'm using Docker as well, here's the command parameters

    command:
      - --defaultEntryPoints=http,https
      - --insecureSkipVerify
      - "--entryPoints=Name:http Address::80 Compress:true Redirect.entryPoint:https"
      # This one works with no authentication
      - "--entryPoints=Name:https Address::443 Compress:true TLS"

      # These don't seem to do anything
      - "--entryPoints=Name:https Address::443 Compress:true TLS CA.Optional:false CA:/run/secrets/CA"
      - --ping
      - --docker
      - --docker.endpoint=tcp://daemon:2375
      - --docker.exposedByDefault=false
      - --docker.swarmMode
      - --docker.watch
      - --acme
      - --acme.email=REDACTED@trajano.net
      - --acme.onhostrule
      - --acme.entrypoint=https
      - --acme.httpchallenge
      - --acme.httpchallenge.entrypoint=http
      - --zookeeper.endpoint=zookeeper:2181
      - --zookeeper.prefix=traefik
      - --acme.storage=traefik/acme/acme.json
2

I can't seem to find the ClientCA in https://docs.traefik.io/configuration/entrypoints/#all-available-options either.

3

Actually it was CA.Optional and CA after all. I was using Firefox which auto-selected the certificate and when I was using Chrome, it was using the cached content. So when I cleared the browser cache things started working.

Note this approach only validates that the Client cert was signed by the CA, but does not perform any extra checks like what is the subject being used. That's a limitation of Traefik 1.7 at the moment from what I understand.