Automatic subdomain letsencrypt certificates with wildcard fallback for non-SNI

I currently have a handful of services working with Traefik on a docker host. It is configured to automatically generate and renew certificates for each subdomain configured through labels in the docker-compose files. This is working great, but I would like to increase my security and compatibility.

I have recently been testing on ssllabs and noticed that in some circumstances the "Traefik default" cert is used. I would like to have a wildcard cert on my domain that can be used in place of the default cert in these circumstances. The twist? I want Traefik to handle the renewal of this cert as well and only serve it as a backup to the specific subdomain certs.

I have tried searching, but I can't seem to find the right terms.

Does anyone know how I can achieve this?

Nevermind, got it sorted.

Hello @phirestalker

thanks for asking the question and glad that you have found the solution. Would you please share with the community how did you solve it?

Thank you,

I'm not sure how well it will come out because I am copying from a terminal, but here goes.

First, I set up a wildcard cert for my domain with a few labels in my Traefik docker-compose file.

      - "traefik.http.routers.wildcard-certs.rule=Host(`*`)"
      - "traefik.http.routers.wildcard-certs.tls.certresolver=myresolver"
      - "[0]"
      - "[0].sans=*"

Now, as we all know, this only adds the cert info to the infamous acme.json file. The default certificate setting for Traefik, however, only accepts certificate files. After some searching for a way to export these certs, I landed upon an interesting piece of software called traefik-certs-dumper. I used the default settings offered in the v2 example file and added this to the services section of my docker-compose file for Traefik.

    image: ldez/traefik-certs-dumper:latest
    entrypoint: sh -c '
      apk add jq
      ; while ! [ -e /data/acme.json ]
      || ! [ `jq ".[] | .Certificates | length" /data/acme.json` != 0 ]; do
      sleep 1
      ; done
      && traefik-certs-dumper file --version v2 --watch --domain-subdir=true
      --source /data/acme.json --dest /data/certs'
      - ./letsencrypt:/data

The bind mount is the same directory that my Traefik docker container uses to store acme.json
Then, I added the config to use the exported certificate as the default certificate in my Traefik dynamic configuration as follows.

        certFile = "/letsencrypt/certs/"
        keyFile = "/letsencrypt/certs/"

And now, SSL Labs reports that my site works with non-SNI clients. Also, no more self-signed Traefik default cert.

I know I could have just used a wildcard cert for all of my docker containers, but I read somewhere that wildcard certs are incompatible with some advanced security settings (sorry I don't have the link).

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.