@mmisztal1980
Created July 17, 2019 20:23
openssl s_client -connect traefik.k8s.cloud-technologies.net:443
CONNECTED(00000003)
4663060076:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1563394829
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
kubectl -n ingress logs traefik-744b9bfb5b-rmhqv
time="2019-07-17T20:16:15Z" level=info msg="Using TOML configuration file /config/traefik.toml"
time="2019-07-17T20:16:15Z" level=info msg="No tls.defaultCertificate given for https: using the first item in tls.certificates as a fallback."
time="2019-07-17T20:16:15Z" level=info msg="Traefik version v1.7.12 built on 2019-05-29_07:35:02PM"
time="2019-07-17T20:16:15Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n"
time="2019-07-17T20:16:15Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:0xc000642a80 Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:true ProxyProtocol:<nil> ForwardedHeaders:0xc000691480} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2019-07-17T20:16:15Z" level=info msg="Preparing server https &{Address::443 TLS:0xc00016a7e0 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:true ProxyProtocol:<nil> ForwardedHeaders:0xc0006914a0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2019-07-17T20:16:15Z" level=info msg="Starting server on :80"
time="2019-07-17T20:16:15Z" level=info msg="Preparing server traefik &{Address::8080 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc0006914c0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2019-07-17T20:16:15Z" level=info msg="Starting server on :443"
time="2019-07-17T20:16:15Z" level=info msg="Starting server on :8080"
time="2019-07-17T20:16:15Z" level=info msg="Starting provider configuration.ProviderAggregator {}"
time="2019-07-17T20:16:15Z" level=info msg="Starting provider *kubernetes.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":[],\"Trace\":false,\"TemplateVersion\":0,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"\",\"Token\":\"\",\"CertAuthFilePath\":\"\",\"DisablePassHostHeaders\":false,\"EnablePassTLSCert\":false,\"Namespaces\":null,\"LabelSelector\":\"\",\"IngressClass\":\"\",\"IngressEndpoint\":null}"
time="2019-07-17T20:16:15Z" level=info msg="ingress label selector is: \"\""
time="2019-07-17T20:16:15Z" level=info msg="Creating in-cluster Provider client"
time="2019-07-17T20:16:15Z" level=info msg="Starting provider *acme.Provider {\"Email\":\"maciej.misztal@cloud-technologies.net\",\"ACMELogging\":true,\"CAServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"Storage\":\"/acme/acme.json\",\"EntryPoint\":\"https\",\"KeyType\":\"\",\"OnHostRule\":true,\"OnDemand\":false,\"DNSChallenge\":{\"Provider\":\"digitalocean\",\"DelayBeforeCheck\":0,\"Resolvers\":null,\"DisablePropagationCheck\":false},\"HTTPChallenge\":null,\"TLSChallenge\":null,\"Domains\":null,\"Store\":{}}"
time="2019-07-17T20:16:15Z" level=info msg="Testing certificate renew..."
time="2019-07-17T20:16:15Z" level=info msg="Server configuration reloaded on :80"
time="2019-07-17T20:16:15Z" level=info msg="Server configuration reloaded on :443"
time="2019-07-17T20:16:15Z" level=info msg="Server configuration reloaded on :8080"
time="2019-07-17T20:16:16Z" level=info msg="Server configuration reloaded on :80"
time="2019-07-17T20:16:16Z" level=info msg="Server configuration reloaded on :443"
time="2019-07-17T20:16:16Z" level=info msg="Server configuration reloaded on :8080"
time="2019-07-17T20:16:16Z" level=info msg="The key type is empty. Use default key type 4096."
time="2019-07-17T20:16:28Z" level=info msg="Server configuration reloaded on :80"
time="2019-07-17T20:16:28Z" level=info msg="Server configuration reloaded on :443"
time="2019-07-17T20:16:28Z" level=info msg="Server configuration reloaded on :8080"
time="2019-07-17T20:16:37Z" level=info msg=Register...
time="2019-07-17T20:16:37Z" level=info msg="legolog: [INFO] acme: Registering account for maciej.misztal@cloud-technologies.net"
time="2019-07-17T20:16:37Z" level=info msg="legolog: [INFO] [traefik.k8s.cloud-technologies.net] acme: Obtaining bundled SAN certificate"
time="2019-07-17T20:16:38Z" level=info msg="legolog: [INFO] [traefik.k8s.cloud-technologies.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/Ck-QOFZqlNrFJg5vEFKGe84BRFyg-laayxC7wkegR7g"
time="2019-07-17T20:16:38Z" level=info msg="legolog: [INFO] [traefik.k8s.cloud-technologies.net] acme: Could not find solver for: tls-alpn-01"
time="2019-07-17T20:16:38Z" level=info msg="legolog: [INFO] [traefik.k8s.cloud-technologies.net] acme: Could not find solver for: http-01"
time="2019-07-17T20:16:38Z" level=info msg="legolog: [INFO] [traefik.k8s.cloud-technologies.net] acme: use dns-01 solver"
time="2019-07-17T20:16:38Z" level=info msg="legolog: [INFO] [traefik.k8s.cloud-technologies.net] acme: Preparing to solve DNS-01"
time="2019-07-17T20:16:39Z" level=info msg="legolog: [INFO] [traefik.k8s.cloud-technologies.net] acme: Trying to solve DNS-01"
time="2019-07-17T20:16:39Z" level=info msg="legolog: [INFO] [traefik.k8s.cloud-technologies.net] acme: Checking DNS record propagation using [10.245.0.10:53]"
time="2019-07-17T20:16:39Z" level=info msg="legolog: [INFO] Wait for propagation [timeout: 1m0s, interval: 5s]"
time="2019-07-17T20:16:42Z" level=info msg="legolog: [INFO] [traefik.k8s.cloud-technologies.net] The server validated our request"
time="2019-07-17T20:16:42Z" level=info msg="legolog: [INFO] [traefik.k8s.cloud-technologies.net] acme: Cleaning DNS-01 challenge"
time="2019-07-17T20:16:43Z" level=info msg="legolog: [INFO] [traefik.k8s.cloud-technologies.net] acme: Validations succeeded; requesting certificates"
time="2019-07-17T20:17:44Z" level=info msg="legolog: [INFO] [traefik.k8s.cloud-technologies.net] Server responded with a certificate."
time="2019-07-17T20:17:44Z" level=info msg="Server configuration reloaded on :443"
time="2019-07-17T20:17:44Z" level=info msg="Server configuration reloaded on :8080"
time="2019-07-17T20:17:44Z" level=info msg="Server configuration reloaded on :80"
debug:
  enabled: false
rbac:
  enabled: true
dashboard:
  enabled: true
  domain: traefik.k8s.cloud-technologies.net
serviceType: NodePort
service:
  nodeports:
    http: 30080
    https: 30443
ssl:
  enabled: true
  enforced: true
  permanentRedirect: true
acme:
  enabled: true
  staging: false
  logging: true
  email: "maciej.misztal@cloud-technologies.net"
  challengeType: "dns-01"
  domains:
    enabled: true
    domainList:
      - main: "*.k8s.cloud-technologies.net"
      - sans:
        - "k8s.cloud-technologies.net"
  dnsProvider:
    name: digitalocean
    digitalocean:
      DO_AUTH_TOKEN: "{token}"
@mmisztal1980
Author

FYI the ingress is configured in nodePort mode, there's a load balancer in front of the cluster, which is routing:

  • 80 -> 30080
  • 443 -> 30443
