Hello,
what's the right approach for acme wildcard certificates on traefik 2.0.0-beta1? In my docker-stack.yml example below I have two docker containers with ...tls.domains = domain.tld, *.domain.tld labels on my http routes. ldez mentioned in this thread Multiple Sites / Domains that domains are optional and that certificates are created based on the host rule.
In my example it seems that certifcates are only created based on containers' host rule and tls.domains label seems to be completely ignored....
It'll be grateful if someone could tell how to fix configuration to get wildcard certificates generation working. Thanks a lot in advance!
docker-stack.yml
version: '3.7'
services:
traefik:
image: traefik:2.0-alpine
environment:
- AWS_REGION=eu-central-1
- AWS_ACCESS_KEY_ID=xxx
- AWS_SECRET_ACCESS_KEY=xxx
- AWS_HOSTED_ZONE_ID=xxx
deploy:
replicas: 1
restart_policy:
delay: 5s
max_attempts: 3
placement:
constraints:
- node.role == manager
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik_http.rule=Host(`traefik.domain.tld`)"
- "traefik.http.routers.traefik_http.entrypoints=http"
- "traefik.http.routers.traefik_http.middlewares=http-chain@file"
- "traefik.http.routers.traefik_https.rule=Host(`traefik.domain.tld`)"
- "traefik.http.routers.traefik_https.entrypoints=https"
- "traefik.http.routers.traefik_https.middlewares=https-basicauth-chain@file"
- "traefik.http.routers.traefik_https.tls=true"
- "traefik.http.routers.traefik_https.tls.certresolver=letsencrypt"
- "traefik.http.routers.traefik_https.tls.domains=domain.tld, *.domain.tld"
- "traefik.http.routers.traefik_https.service=traefik_https"
- "traefik.http.services.traefik_https.loadbalancer.server.port=8080"
- "traefik.http.services.traefik_https.loadbalancer.server.scheme=http"
ports:
- 80:80
- 443:443
- 25:25
- 465:465
- 587:587
- 110:110
- 995:995
- 143:143
- 993:993
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /opt/docker.swarm/traefik/traefik.toml:/traefik.toml:ro
- /opt/docker.swarm/traefik/etc/:/etc/traefik/:ro
- /opt/docker.swarm/traefik/acme.json:/acme.json
- /var/log/:/var/log/
whoami:
image: containous/whoami
deploy:
replicas: 1
restart_policy:
delay: 5s
max_attempts: 3
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami_http.rule=Host(`whoami.domain.tld`)"
- "traefik.http.routers.whoami_http.entrypoints=http"
- "traefik.http.routers.whoami_http.middlewares=http-chain@file"
- "traefik.http.routers.whoami_https.rule=Host(`whoami.domain.tld`)"
- "traefik.http.routers.whoami_https.entrypoints=https"
- "traefik.http.routers.whoami_https.middlewares=https-chain@file"
- "traefik.http.routers.whoami_https.tls=true"
- "traefik.http.routers.whoami_https.tls.certresolver=letsencrypt"
- "traefik.http.routers.whoami_https.tls.domains=domain.tld, *.domain.tld"
- "traefik.http.routers.whoami_https.service=whoami_https"
- "traefik.http.services.whoami_https.loadbalancer.server.port=80"
- "traefik.http.services.whoami_https.loadbalancer.server.scheme=http"
networks:
default:
external: true
name: traefik
traefik.toml
[global]
checkNewVersion = false
sendAnonymousUsage = false
[entrypoints]
[entrypoints.http]
address = ":80"
[entrypoints.https]
address = ":443"
[entrypoints.smtp-relay]
address = ":25"
[entrypoints.smtp-ssl]
address = ":465"
[entrypoints.smtp]
address = ":587"
[entrypoints.pop3]
address = ":110"
[entrypoints.pop3-ssl]
Address = ":995"
[entrypoints.imap]
address = ":143"
[entrypoints.imap-ssl]
address = ":993"
[log]
level = "DEBUG"
# filePath = "/var/log/traefik.log"
#[accessLog]
# filePath = "/var/log/traefik.access.log"
# format = "common"
[accessLog.filters]
statusCodes = ["200", "300-302"]
retryAttempts = true
minDuration = "10ms"
[accessLog.fields]
defaultmode = "keep"
[accessLog.fields.names]
"clientUsername" = "drop"
[accessLog.fields.headers]
defaultMode = "keep"
[accessLog.fields.headers.names]
"User-Agent" = "redact"
"Authorization" = "drop"
"Content-Type" = "keep"
[api]
[ping]
[providers]
[providers.file]
directory = "/etc/traefik/conf.d"
[providers.docker]
network = "traefik"
defaultRule = "Host(`{{ normalize .Name }}.domain.tld`)"
exposedByDefault = false
swarmMode = true
[certificatesResolvers.letsencrypt.acme]
email = "admin@domain.tld"
storage = "acme.json"
[certificatesResolvers.letsencrypt.acme.dnsChallenge]
provider = "route53"
middlewares.toml
[http.middlewares.http-chain.chain]
middlewares = ["redirect-https"]
[http.middlewares.https-chain.chain]
middlewares = ["headers-sts", "compress"]
[http.middlewares.https-basicauth-chain.chain]
middlewares = ["headers-sts", "compress", "test-auth"]
[http.middlewares.redirect-https.redirectScheme]
scheme = "https"
permanent = true
[http.middlewares.headers-sts.headers]
STSSeconds = 315360000
STSIncludeSubdomains = true
STSPreload = true
forceSTSHeader = true
[http.middlewares.compress.compress]
[http.middlewares.test-auth.basicauth]
users = [
"admin:$apr1$JVZBrHHX$xbqhKQPVmR1O6b7v3aG4g0"
]
tls.toml
[tls]
[tls.options]
[tls.options.default]
sniStrict = true
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", # TLS 1.2
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", # TLS 1.2
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_FALLBACK_SCSV"
]