TLS settings ignored wholesale

I am trying to migrate to v2. On my v1 setup I have used the origin server certificates from Cloudflare for TLS, but this doesn't work in v2, since Traefik serves the default certificate instead.

As you can see in the log below, the TLS part of the traefik.yaml isn't listed when the static configuration is loaded. Unless this is specifically redacted, I have to believe that Traefik doesn't read that part at all.
I have already tested that it can read the file and have checked that other settings in fact do change.

traefik.log:

time="2019-10-10T20:40:27Z" level=info msg="Traefik version 2.0.2 built on 2019-10-09T19:26:05Z"
time="2019-10-10T20:40:27Z" level=debug msg="Static configuration loaded {\"global\":{},\"serversTransport\":{\"insecureSkipVerify\":true,\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"https\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}}},\"providers\":{\"providersThrottleDuration\":2000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"useBindPortIP\":false,\"network\":\"proxy\",\"swarmModeRefreshSeconds\":15000000000}},\"api\":{\"insecure\":true,\"dashboard\":true,\"debug\":true},\"log\":{\"level\":\"DEBUG\",\"filePath\":\"/var/log/traefik.log\",\"format\":\"common\"},\"accessLog\":{\"filePath\":\"/var/log/access.log\",\"format\":\"common\",\"filters\":{},\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"drop\"}},\"bufferingSize\":100}}"
time="2019-10-10T20:40:27Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/v2.0/contributing/data-collection/\n"
time="2019-10-10T20:40:27Z" level=debug msg="No default certificate, generating one"
time="2019-10-10T20:40:28Z" level=debug msg="Start TCP Server" entryPointName=traefik
time="2019-10-10T20:40:28Z" level=debug msg="Start TCP Server" entryPointName=https
time="2019-10-10T20:40:28Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
time="2019-10-10T20:40:28Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"useBindPortIP\":false,\"network\":\"proxy\",\"swarmModeRefreshSeconds\":15000000000}"
time="2019-10-10T20:40:28Z" level=debug msg="Provider connection established with docker 18.09.4 (API 1.39)" providerName=docker
time="2019-10-10T20:40:28Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"nginx\":{\"entryPoints\":[\"https\"],\"service\":\"nginx-tyjuji\",\"rule\":\"Host(`XXXXXXX.com`)\",\"tls\":{\"options\":\"default\"}},\"portainer\":{\"entryPoints\":[\"https\"],\"service\":\"portainer-tyjuji\",\"rule\":\"Host(`admin.XXXXXXX.com`)\",\"tls\":{\"options\":\"default\"}},\"traefik\":{\"entryPoints\":[\"https\"],\"service\":\"traefik\",\"rule\":\"Host(`api.XXXXXXX.com`)\",\"tls\":{\"options\":\"default\"}}},\"services\":{\"nginx-tyjuji\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.25.0.3:80\"}],\"passHostHeader\":true}},\"portainer-tyjuji\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.25.0.2:9000\"}],\"passHostHeader\":true}},\"traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.25.0.4:8080\"}],\"passHostHeader\":true}}}},\"tcp\":{}}" providerName=docker
time="2019-10-10T20:40:28Z" level=debug msg="Creating middleware" entryPointName=https routerName=portainer@docker serviceName=portainer-tyjuji middlewareType=Pipelining middlewareName=pipelining
time="2019-10-10T20:40:28Z" level=debug msg="Creating load-balancer" entryPointName=https routerName=portainer@docker serviceName=portainer-tyjuji
time="2019-10-10T20:40:28Z" level=debug msg="Creating server 0 http://172.25.0.2:9000" serviceName=portainer-tyjuji entryPointName=https routerName=portainer@docker serverName=0
time="2019-10-10T20:40:28Z" level=debug msg="Added outgoing tracing middleware portainer-tyjuji" middlewareType=TracingForwarder entryPointName=https routerName=portainer@docker middlewareName=tracing
time="2019-10-10T20:40:28Z" level=debug msg="Creating middleware" entryPointName=https routerName=traefik@docker serviceName=traefik middlewareName=pipelining middlewareType=Pipelining
time="2019-10-10T20:40:28Z" level=debug msg="Creating load-balancer" routerName=traefik@docker serviceName=traefik entryPointName=https
time="2019-10-10T20:40:28Z" level=debug msg="Creating server 0 http://172.25.0.4:8080" routerName=traefik@docker serverName=0 serviceName=traefik entryPointName=https
time="2019-10-10T20:40:28Z" level=debug msg="Added outgoing tracing middleware traefik" middlewareType=TracingForwarder entryPointName=https routerName=traefik@docker middlewareName=tracing
time="2019-10-10T20:40:28Z" level=debug msg="Creating middleware" serviceName=nginx-tyjuji middlewareName=pipelining middlewareType=Pipelining entryPointName=https routerName=nginx@docker
time="2019-10-10T20:40:28Z" level=debug msg="Creating load-balancer" entryPointName=https routerName=nginx@docker serviceName=nginx-tyjuji
time="2019-10-10T20:40:28Z" level=debug msg="Creating server 0 http://172.25.0.3:80" routerName=nginx@docker serviceName=nginx-tyjuji serverName=0 entryPointName=https
time="2019-10-10T20:40:28Z" level=debug msg="Added outgoing tracing middleware nginx-tyjuji" middlewareName=tracing entryPointName=https routerName=nginx@docker middlewareType=TracingForwarder
time="2019-10-10T20:40:28Z" level=debug msg="Creating middleware" entryPointName=https middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2019-10-10T20:40:28Z" level=debug msg="No default certificate, generating one"

docker-compose.yml:

version: "3.5"

networks:
  internal:
    name: internal
    internal: true
  proxy:
    name: proxy

services: # Keep alphabetical for clarity
  nginx:
    container_name: nginx
    image: nginx
    restart: always
    volumes:
      - ${BASE_PATH}/${CONFIGS}/nginx:/usr/share/nginx/html:ro
    environment:
      - NGINX_HOST=${DOMAIN_NAME}
      - NGINX_PORT=80
    labels:
      - com.centurylinklabs.watchtower.enable=true
      - traefik.enable=true
      - "traefik.http.routers.nginx.rule=Host(`${DOMAIN_NAME}`)"
      - "traefik.http.routers.nginx.entrypoints=https"
      - "traefik.http.routers.nginx.tls=true"
      - "traefik.http.routers.nginx.tls.options=default"
    networks:
      - internal
      - proxy

  portainer:
    container_name: portainer
    image: portainer/portainer
    restart: always
    command: -H unix:///var/run/docker.sock --no-auth
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${BASE_PATH}/${CONFIGS}/portainer:/data
    labels:
      - com.centurylinklabs.watchtower.enable=true
      - traefik.enable=true
      - "traefik.http.routers.portainer.rule=Host(`admin.${DOMAIN_NAME}`)"
      - "traefik.http.routers.portainer.entrypoints=https"
      - "traefik.http.routers.portainer.tls=true"
      - "traefik.http.routers.portainer.tls.options=default"
    networks:
      - internal
      - proxy

  traefik:
    container_name: traefik
    image: traefik
    command: --providers.docker
    ports:
      # The HTTP ports
      #- "80:80"
      - "443:443"
      # # The Web UI (enabled by --api.insecure=true)
      #- "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${BASE_PATH}/${CONFIGS}/traefik/traefik.yaml:/traefik.yaml
      - ${BASE_PATH}/${CONFIGS}/traefik/log:/var/log
      - ${BASE_PATH}/${CONFIGS}/${CERTS}:/certs
    labels:
      - com.centurylinklabs.watchtower.enable=true
      - traefik.enable=true
      - "traefik.http.routers.traefik.rule=Host(`api.${DOMAIN_NAME}`)"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.options=default"
      - traefik.http.services.traefik.loadbalancer.server.port=8080
    networks:
      - internal
      - proxy

traefik.yaml:

global:
  checkNewVersion: false
  sendAnonymousUsage: false
serversTransport:
  insecureSkipVerify: true

providers:
  docker:
    useBindPortIP: false
    exposedByDefault: false
    network: proxy
    watch: true

tls:
  certificates:
    - certFile: /certs/XXXXXXX.com.pem
      keyFile: /certs/XXXXXXX.com.key

  stores:
    default:
      defaultCertificate:
        certFile: /certs/XXXXXXX.com.pem
        keyFile: /certs/XXXXXXX.com.key

  options:
    default:
      minVersion: VersionTLS13

entryPoints:
  https:
    address: :443

api:
  insecure: true
  dashboard: true
  debug: true

log:
  level: DEBUG
  filePath: /var/log/traefik.log

accessLog:
  filePath: /var/log/access.log
  bufferingSize: 100

Never mind. I realized that the TLS portion must be defined in a separate FILE provider and not the static FILE as it was in v1.

The documentation could do a better job of distinguishing these two concepts, especially in the example code boxes. It might also be a good idea to have a debug message if people put the wrong options in the wrong file.
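
The split described in the resolution above, as an added example that is not part of the original post: the `tls` block moves out of the static traefik.yaml into a file read by the file provider. The file name `dynamic.yaml`, its mount path `/dynamic.yaml` and the extra compose volume are assumptions; the certificate paths and TLS settings are the ones from the post.

```yaml
# --- traefik.yaml: static configuration, read once at startup ---
# No tls: section here. The other static settings from the post
# (global, serversTransport, api, accessLog) stay as they are.
providers:
  docker:
    useBindPortIP: false
    exposedByDefault: false
    network: proxy
    watch: true
  file:
    filename: /dynamic.yaml   # assumed path inside the container
    watch: true               # reload when the file changes

entryPoints:
  https:
    address: ":443"

log:
  level: DEBUG
  filePath: /var/log/traefik.log
---
# --- /dynamic.yaml: dynamic configuration, loaded by the file provider ---
tls:
  certificates:
    - certFile: /certs/XXXXXXX.com.pem
      keyFile: /certs/XXXXXXX.com.key

  stores:
    default:
      defaultCertificate:
        certFile: /certs/XXXXXXX.com.pem
        keyFile: /certs/XXXXXXX.com.key

  options:
    default:
      minVersion: VersionTLS13
---
# --- docker-compose.yml, traefik service: mount the new file (assumed name) ---
services:
  traefik:
    volumes:
      - ${BASE_PATH}/${CONFIGS}/traefik/dynamic.yaml:/dynamic.yaml
```

Checking the certificate presented on port 443 with `openssl s_client -connect <host>:443 -servername <host>` shows whether the origin certificate or the generated default is being served.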