Automatic subdomain letsencrypt certificates with wildcard fallback for non-SNI

I currently have a handful of services working with Traefik on a docker host. It is configured to automatically generate and renew certificates for each subdomain configured through labels in the docker-compose files. This is working great, but I would like to increase my security and compatibility.

I have recently been testing on ssllabs and noticed that in some circumstances the "Traefik default" cert is used. I would like to have a wildcard cert on my domain that can be used in place of the default cert in these circumstances. The twist? I want Traefik to handle the renewal of this cert as well and only serve it as a backup to the specific subdomain certs.

I have tried searching, but I can't seem to find the right terms.

Does anyone know how I can achieve this?

Never mind, got it sorted.

Hello @phirestalker

Thanks for asking the question, and glad that you have found the solution. Would you please share with the community how you solved it?

Thank you,

I'm not sure how well it will come out because I am copying from a terminal, but here goes.

First, I set up a wildcard cert for my domain with a few labels in my Traefik docker-compose file.

      - "traefik.http.routers.wildcard-certs.rule=Host(`*.example.com`)"
      - "traefik.http.routers.wildcard-certs.tls.certresolver=myresolver"
      - "traefik.http.routers.wildcard-certs.tls.domains[0].main=example.com"
      - "traefik.http.routers.wildcard-certs.tls.domains[0].sans=*.example.com"

Now, as we all know, this only adds the cert info to the infamous acme.json file. The default certificate setting for Traefik, however, only accepts certificate files. After some searching for a way to export these certs, I landed upon an interesting piece of software called traefik-certs-dumper. I used the default settings offered in the v2 example file and added this to the services section of my docker-compose file for Traefik.

  traefik-certs-dumper:
    image: ldez/traefik-certs-dumper:latest
    entrypoint: sh -c '
      apk add jq
      ; while ! [ -e /data/acme.json ]
      || ! [ `jq ".[] | .Certificates | length" /data/acme.json` != 0 ]; do
      sleep 1
      ; done
      && traefik-certs-dumper file --version v2 --watch --domain-subdir=true
      --source /data/acme.json --dest /data/certs'
    volumes:
      - ./letsencrypt:/data

The bind mount is the same directory that my Traefik docker container uses to store acme.json.

Then, I added the config to use the exported certificate as the default certificate in my Traefik dynamic configuration as follows.

[tls]
  [tls.stores]
    [tls.stores.default]
      [tls.stores.default.defaultCertificate]
        certFile = "/letsencrypt/certs/example.com/certificate.crt"
        keyFile = "/letsencrypt/certs/example.com/privatekey.key"

And now, SSL Labs reports that my site works with non-SNI clients. Also, no more self-signed Traefik default cert.

I know I could have just used a wildcard cert for all of my docker containers, but I read somewhere that wildcard certs are incompatible with some advanced security settings (sorry I don't have the link).
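To make the acme.json step concrete, here is a small Python script, added as an example for this thread and not part of traefik-certs-dumper or the original post, that does the two things the dumper's entrypoint and the dumper itself do: wait until the store holds at least one certificate (the jq check, but tolerant of a null "Certificates" list and of several resolvers), then decode the wildcard certificate and key out of the v2 acme.json layout into the certificate.crt / privatekey.key files the defaultCertificate setting points at. The sample acme.json and the PEM bodies are constructed placeholders; the resolver name myresolver and the file names follow the thread.

```python
import base64
import json
import os
import stat

# Constructed sample in the Traefik v2 acme.json layout: one resolver
# ("myresolver", as in the thread) holding one wildcard certificate. The
# PEM bodies are placeholders, not real key material; Traefik stores the
# PEM text base64-encoded, which is why they are encoded here.
FAKE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
FAKE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"

SAMPLE_ACME_JSON = json.dumps({
    "myresolver": {
        "Account": {"Email": "admin@example.com", "KeyType": "4096"},
        "Certificates": [{
            "domain": {"main": "example.com", "sans": ["*.example.com"]},
            "certificate": base64.b64encode(FAKE_CERT_PEM.encode()).decode(),
            "key": base64.b64encode(FAKE_KEY_PEM.encode()).decode(),
            "Store": "default",
        }],
    }
})

# What acme.json looks like right after Traefik starts and before the first
# issuance completes: the account exists but "Certificates" is still null.
EMPTY_ACME_JSON = json.dumps({"myresolver": {"Account": {}, "Certificates": None}})


def certificate_count(acme_json_text):
    """Number of issued certificates across all resolvers.

    Same readiness test as the entrypoint's jq ".[] | .Certificates | length",
    but summed over every resolver and with a null list counted as zero, so a
    freshly created acme.json reads as 0 instead of breaking the comparison.
    """
    data = json.loads(acme_json_text)
    return sum(len(resolver.get("Certificates") or []) for resolver in data.values())


def find_certificate(acme_json_text, domain):
    """Return the acme.json entry whose main domain is `domain`, or None."""
    data = json.loads(acme_json_text)
    for resolver in data.values():
        for entry in resolver.get("Certificates") or []:
            if entry["domain"]["main"] == domain:
                return entry
    return None


def covers_wildcard(acme_json_text, domain):
    """True when the stored certificate for `domain` also carries *.<domain>
    as a SAN, i.e. it can stand in for any subdomain when a client sends no SNI."""
    entry = find_certificate(acme_json_text, domain)
    return entry is not None and "*." + domain in entry["domain"].get("sans", [])


def decode_pem(acme_json_text, domain):
    """Return (certificate_pem, key_pem) for `domain`, base64-decoded.

    Raises KeyError when no resolver holds the domain and ValueError when the
    decoded blob is not PEM, so a corrupt store is noticed before a bad file
    is handed to Traefik.
    """
    entry = find_certificate(acme_json_text, domain)
    if entry is None:
        raise KeyError(domain)
    cert = base64.b64decode(entry["certificate"]).decode()
    key = base64.b64decode(entry["key"]).decode()
    if not cert.startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("certificate for %s is not PEM" % domain)
    if "PRIVATE KEY-----" not in key:
        raise ValueError("key for %s is not PEM" % domain)
    return cert, key


def write_default_certificate(acme_json_text, domain, dest):
    """Write <dest>/<domain>/certificate.crt and privatekey.key, the layout
    the thread's defaultCertificate config points at. The key is created with
    mode 0600 because the destination is a bind mount shared with the Traefik
    container and should not be readable by other users on the host."""
    cert, key = decode_pem(acme_json_text, domain)
    target = os.path.join(dest, domain)
    os.makedirs(target, exist_ok=True)
    cert_path = os.path.join(target, "certificate.crt")
    key_path = os.path.join(target, "privatekey.key")
    with open(cert_path, "w") as f:
        f.write(cert)
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key)
    os.chmod(key_path, stat.S_IRUSR | stat.S_IWUSR)  # also fixes a pre-existing file
    return cert_path, key_path


if __name__ == "__main__":
    import sys
    import tempfile
    # Stand-alone run: pass the path of a real acme.json, otherwise the
    # constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACME_JSON
    print("certificates in store:", certificate_count(text))
    print("wildcard fallback ok:", covers_wildcard(text, "example.com"))
    print("written:", write_default_certificate(text, "example.com", tempfile.mkdtemp()))
```

The wildcard entry only shows up in acme.json after the first issuance succeeds, which is why the readiness loop exists at all; after a renewal the dumper's `--watch` mode re-exports the files, and Traefik's file provider reloads the dynamic configuration when its watch option is on. To confirm the result without SSL Labs, compare the subject of the certificate returned with and without SNI, e.g. `openssl s_client -connect example.com:443 -noservername` versus `-servername sub.example.com`, piped into `openssl x509 -noout -subject`.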
