ACME dnsChallenge - multiple domains hosted on different cloudflare accounts

First of all, I would like to apologize for the incorrect appearance of the links/domains; I am a new user and I am not able to publish a post containing more than 4 links.

I'm having trouble running (and probably understanding the documentation for) two independent domains hosted on two independent Cloudflare accounts.
I am working on version 2.11, I have the example_me domain running and traefik correctly generates wildcard certificates for me (dnsChallenge using 'foo' account) - I use both public domains (configured on cloudflare) and local domains (configured on my local DNS) - everything works fine. I need to expand the existing configuration with a completely new public aaa.example_com domain, which is also hosted on Cloudflare, but on a separate account 'bar'. According to the information in the documentation, I am not able to use two different API keys, but the solution to my problem should be the CNAME method.
Quoting the documentation, in my case it should look like this:

Multiple DNS challenge provider are not supported with Traefik, but you can use CNAME to handle that. For example, if you have example_me (account foo) and example_com (account bar) you can create a CNAME on example_me called _acme-challenge.example_me pointing to challenge.example_com. This way, you can obtain certificates for example_com with the foo account.

I made this configuration on the account 'foo':

Type: CNAME
Name: _acme-challenge
Content: challenge.example_com
Proxy status: DNS only

On the 'bar' account side, the only configuration I did was the A entry for aaa.example_com domain pointing to the public IP of my traefik.

Adding the above CNAME and implementing the configuration in docker-compose.yml, the static traefik.yml file and the dynamic aaaexamplecom.yml causes traefik to completely stop generating certificates (even for the example_me domain, which was working fine):

time="2024-05-08T03:11:37+02:00" level=debug msg="legolog: [INFO] Found CNAME entry for "_acme-challenge.example_me.": "challenge.example_com.""
time="2024-05-08T03:11:39+02:00" level=debug msg="legolog: [INFO] Found CNAME entry for "_acme-challenge.example_me.": "challenge.example_com.""
time="2024-05-08T03:11:39+02:00" level=debug msg="legolog: [INFO] Found CNAME entry for "_acme-challenge.example_me.": "challenge.example_com.""
time="2024-05-08T03:11:40+02:00" level=debug msg="legolog: [WARN] [.example_me] acme: cleaning up failed: cloudflare: failed to find zone example_com.: zone could not be found "
time="2024-05-08T03:11:40+02:00" level=debug msg="legolog: [INFO] Found CNAME entry for "_acme-challenge.example_me.": "challenge.example_com.""
time="2024-05-08T03:11:41+02:00" level=debug msg="legolog: [WARN] [example_me] acme: cleaning up failed: cloudflare: failed to find zone example_com.: zone could not be found "
time="2024-05-08T03:11:42+02:00" level=error msg="Unable to obtain ACME certificate for domains "example_me,.example_me"" rule="Host(example_me)" error="unable to generate a certificate for the domains [example_me .example_me]: error: one or more domains had a problem:\n[.example_me] [*.example_me] acme: error presenting token: cloudflare: failed to find zone example_com.: zone could not be found\n[example_me] [example_me] acme: error presenting token: cloudflare: failed to find zone example_com.: zone could not be found\n" providerName=cf_api.acme ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" routerName=nginx-secure@docker

To be honest, the error is understandable to me - there is no zone configured for example_com on the 'foo' account, this zone is on the 'bar' account. I cannot find additional information in the documentation or on the Internet to understand how it would work and I would like to ask for help/explanation on this topic.

docker-compose.yml:

secrets:
  cf_dns_api_token_exampleme:
    file: "./secrets/cf_dns_api_token_example_me.secret"

services:
  traefik:
    image: traefik:latest
    container_name: traefik-pub
    user: 1000:994
    networks:
      - traefik_pub
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    secrets:
      - "cf_dns_api_token_exampleme"
    environment:
      - "CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token_exampleme"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
      - ./etc/traefik.yml:/etc/traefik/traefik.yml:ro
      - ./etc/conf/:/etc/traefik/conf/
      - ./etc/certs/:/etc/traefik/certs/
      - ./log:/var/log/traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefikdash.example_me`)"
      - "traefik.http.routers.traefik-secure.middlewares=secure-whitelist@file"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  traefik_pub:
    external: true

traefik.yml:

global:
  checkNewVersion: true
  sendAnonymousUsage: false

log:
  level: DEBUG
  format: common
  filePath: /var/log/traefik/traefik.log

accesslog:
  format: common
  filePath: /var/log/traefik/access.log

api:
  dashboard: true
  insecure: false
  debug: false

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443

certificatesResolvers:
  cf_api:
    acme:
      email: asdf@gmail_com
      storage: /etc/traefik/certs/acme_exampleme.json
      caServer: "##STAGING_SERVER"
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: false
      curvePreferences:
        - CurveP521
        - CurveP384
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  stores:
    default:
      defaultGeneratedCert:
        resolver: cf_api
        domains:
          - main: 'example_me'
            sans: 
              - '*.example_me'
          - main: 'example_com'
            sans: 
              - '*.example_com'

serversTransport:
  insecureSkipVerify: true

providers:
  docker:
    exposedByDefault: false
    endpoint: 'unix:///var/run/docker.sock'
    watch: true
    swarmMode: false
  file:
    directory: /etc/traefik/conf
    watch: true

dynamic configuration aaaexamplecom.yml:

http:
  routers:
    dummyname:
      entryPoints:
        - websecure
      rule: "Host(`aaa.example_com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: dummyname
  
  services:
    dummyname:
      loadBalancer:
        servers:
          - url: "https://10.10.10.10:66666"
        passHostHeader: true
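
Added example (not part of the original post and not Traefik or lego code): an offline model of what the log above shows, where the ACME client follows the `_acme-challenge` CNAME and then looks for the target's zone in the account of the single configured token. The reversed CNAME and the name `challenge.example_me` are assumptions made for the illustration; the zone data is constructed.

```python
# Constructed model of the setup in the post; no real DNS or Cloudflare calls.
TOKEN_ZONES = {"example_me"}  # zones the one configured token (account 'foo') can edit
DOMAINS = ["example_me", "*.example_me", "example_com", "*.example_com"]

# CNAME as created in the post, on the 'foo' zone.
AS_POSTED = {"_acme-challenge.example_me": "challenge.example_com"}
# Assumption: CNAME created on the 'bar' zone instead, pointing into the 'foo' zone.
REVERSED = {"_acme-challenge.example_com": "challenge.example_me"}


def challenge_name(domain):
    """DNS-01 validation name; a wildcard shares the name of its base domain."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base


def txt_location(domain, cnames, max_hops=8):
    """Follow CNAMEs from the validation name to where the TXT record is written."""
    name = challenge_name(domain)
    for _ in range(max_hops):
        if name not in cnames:
            return name
        name = cnames[name]
    raise ValueError("CNAME chain too long or looping for " + domain)


def owning_zone(fqdn, zones):
    """Return the longest zone in `zones` that contains fqdn, or None."""
    labels = fqdn.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def check(domains, cnames, token_zones=TOKEN_ZONES):
    """Map each domain to (TXT record name, zone the token can edit or None)."""
    out = {}
    for d in domains:
        target = txt_location(d, cnames)
        out[d] = (target, owning_zone(target, token_zones))
    return out


if __name__ == "__main__":
    for label, cnames in (("as posted", AS_POSTED), ("reversed", REVERSED)):
        for d, (target, zone) in check(DOMAINS, cnames).items():
            print(label, d, "->", target, "OK" if zone else "zone could not be found")
```

With the CNAME as posted, every domain resolves to a TXT location outside the token's zones, which matches the failure for `example_me` itself; with the CNAME placed on the zone the token cannot edit, all four locations fall inside `example_me`.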