Catchall https with letsencrypt still possible?

with 1.7 and docker I do this:

        -l traefik.frontend.rule=HostRegexp:{catchall:.*} 
        -l traefik.frontend.entryPoints=https 
        -l traefik.backend={{discourse_shortname}} 
        -l traefik.port=80 

And when a request for discourse.newhost.com hits the server, it gets a new cert for let's encrypt, directs the traffic to the multisite container and life is good.

It appears that with traefik:v2.10 I am going to have to crank up a new container with new labels every time the hosts change. Is that right? This seems much, much less desirable than the old way.

Am I missing something?

Traefik v2 creates LE certs up front. You could use a wildcard cert for sub-domains, that needs dnsChallenge.

That's what I was afraid of. Thanks for confirming. This is just so different from how traefik 1.7 works.

So every time I add a new client on a multisite instance I have to spin up a new traefik container with updated labels, or switch to something other than docker for configuration, right?

I guess the solution would be to switch to something like consul to manage both storing the certs as well as telling traefik which container to proxy for?

I would assume that you can add a label to a container, you can at least add a label to a Docker service.

Traefik EE supports clustered LetsEncrypt, I think they use consul for it.

You could also use a container behind Traefik for LE cert creation and to provide the certs, either as file or via http (proof of concept) or via consul.

Oh! So I could have traefik pass https traffic straight through to a Discourse container that did its own certificate management? That could solve my problems. I'd also need it to pass port 80 straight through and not do that redirect so that the challenge could get to Discourse/acme.

For plain TCP passthrough, you need to use a TCP router and not enable TLS in Traefik. But it has the disadvantage that you can only use HostSNI(`*`) and therefore only have a single service on a TLS port.

The usual option is to let Traefik handle and terminate TLS and forward unencrypted.

Another option is to let Traefik handle and terminate TLS and forward encrypted using insecureSkipVerify to a target service with an unknown cert (non LE verified).

Right. That's why I hadn't thought that would work.

I guess what I need to do for the domains that I can't use DNS challenges for (i.e., client sites that are CNAMEs to a domain that I do control) is to have my Ansible tooling change (or even just test) the DNS before launching a container that depends on DNS to be in place. A test would at least keep me from spinning up a container that would get me immediately rate limited.

Thanks for your help

Hello,

you can also use CNAMEs and DNS challenge: Onboarding Your Customers with Let's Encrypt and ACME - Let's Encrypt

It's supported by default in Traefik.


Finally! This is sounding like my solution. I thought that the DNS challenge should be able to work, but on my first reading of the process it looked like there was another record that was at play. Turns out there is, but it will Just Work if there's a CNAME for the other record too.

So my customer creates `_acme-challenge.forum.customer-hostname.com` that points to `forum.customer-hostname.com.validationserver.my-domain.com` as well as `forum.customer-hostname.com` that points to `mytraefikserver.my-hostname.com`. And then when I create the client's discourse image with

        -l traefik.http.services.clientname.loadbalancer.server.port=80
        -l traefik.http.routers.clientname.rule=Host(`forum.customer-hostname.com`)
        -l traefik.http.routers.clientname.tls=true 
        -l traefik.http.routers.clientname.tls.certResolver=leDoDns

and traefik is configured like this:

      - "--certificatesResolvers.leDoDns=true"
      - "--certificatesResolvers.leDoDns.acme.email=jay@example.com"
      - "--certificatesResolvers.leDoDns.acme.storage=acme-do-dns.json"
      - "--certificatesResolvers.leDoDns.acme.dnsChallenge=true"
      - "--certificatesResolvers.leDoDns.acme.dnsChallenge.provider=digitalocean"
      - "--certificatesResolvers.leDoDns.acme.dnsChallenge.delayBeforeCheck=2"

and somewhere, somehow, I RTFM and put my DigitalOcean key in the Right Place (I think I can!).

Is that all I need to do? (A pet peeve is when someone asks "do I just do x" and my thought is, "why don't you try and find out?" and now I'm understanding that for me "trying it out" is 3 minutes' work, but for them, it might be an hour or more, and I've pretty much just finished moving everyone to traefik2 with http challenges).

Thanks so very much

EDIT: I'll take the :heart: as a yes. I'll give it a shot and report back. Thanks again!

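The earlier post wanted a DNS pre-flight test so a client container is never launched against records that are not in place yet, and the post above spells out the two CNAMEs the CNAME-delegated DNS-01 setup needs. The following is an added example, not code from this thread or from Traefik: it walks the CNAME chain the CA's resolver follows for `_acme-challenge.<customer host>`, confirms the chain ends inside the validation zone whose DNS API key Traefik holds, and confirms the customer host itself ends at the Traefik server. The zone contents, the `validationserver.my-domain.com` zone name and the `fake_lookup` resolver are constructed assumptions; in real use the lookup callable would wrap a resolver such as dnspython.

```python
"""Pre-flight check for CNAME-delegated ACME DNS-01 (constructed example).

Runs offline against FAKE_ZONE; swap `fake_lookup` for a real resolver
(e.g. a wrapper around dnspython's dns.resolver.resolve) in production.
"""
from typing import Callable, Dict, List, Tuple

# Constructed DNS answers standing in for real records (assumption).
# Keys are (owner name, record type); values are the rdata strings.
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("_acme-challenge.forum.customer-hostname.com", "CNAME"):
        ["forum.customer-hostname.com.validationserver.my-domain.com"],
    ("forum.customer-hostname.com", "CNAME"):
        ["mytraefikserver.my-hostname.com"],
    ("mytraefikserver.my-hostname.com", "A"): ["203.0.113.10"],
    # A customer who created the site CNAME but forgot _acme-challenge:
    ("forum.other-customer.com", "CNAME"): ["mytraefikserver.my-hostname.com"],
}

Lookup = Callable[[str, str], List[str]]


def _norm(name: str) -> str:
    """Canonicalise a DNS name: strip trailing dot, lower-case."""
    return name.rstrip(".").lower()


def fake_lookup(name: str, rtype: str) -> List[str]:
    """Offline stand-in for a resolver query (constructed data only)."""
    return FAKE_ZONE.get((_norm(name), rtype), [])


def follow_cnames(name: str, lookup: Lookup, max_hops: int = 8) -> List[str]:
    """Return the names a resolver visits starting at `name`.

    The last element is the canonical name (the first owner with no CNAME).
    Loops and over-long chains raise, since a CA would reject them too.
    """
    chain = [_norm(name)]
    seen = set(chain)
    while len(chain) <= max_hops:
        targets = lookup(chain[-1], "CNAME")
        if not targets:
            return chain
        nxt = _norm(targets[0])
        if nxt in seen:
            raise ValueError(f"CNAME loop at {nxt}")
        chain.append(nxt)
        seen.add(nxt)
    raise ValueError(f"CNAME chain longer than {max_hops} hops")


def in_zone(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies beneath it."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def check_delegation(host: str, validation_zone: str, traefik_host: str,
                     lookup: Lookup = fake_lookup) -> List[str]:
    """Return a list of problems; an empty list means it is safe to launch.

    Checks both records from the thread: the _acme-challenge CNAME must land
    in the zone Traefik can write TXT records into, and the site name must
    resolve (via CNAME) to the Traefik host, which needs an A record.
    """
    problems: List[str] = []
    host = _norm(host)

    challenge_chain = follow_cnames(f"_acme-challenge.{host}", lookup)
    if len(challenge_chain) == 1:
        problems.append(
            f"no CNAME for {challenge_chain[0]}; DNS-01 would need write "
            "access to the customer's own zone")
    elif not in_zone(challenge_chain[-1], validation_zone):
        problems.append(
            f"_acme-challenge delegates to {challenge_chain[-1]}, which is "
            f"outside {validation_zone}")

    site_chain = follow_cnames(host, lookup)
    if site_chain[-1] != _norm(traefik_host):
        problems.append(f"{host} ends at {site_chain[-1]}, not {traefik_host}")
    elif not lookup(site_chain[-1], "A"):
        problems.append(f"{site_chain[-1]} has no A record")
    return problems


if __name__ == "__main__":
    for site in ("forum.customer-hostname.com", "forum.other-customer.com"):
        issues = check_delegation(site, "validationserver.my-domain.com",
                                  "mytraefikserver.my-hostname.com")
        print(site, "OK" if not issues else issues)
```

Wire `check_delegation` into the Ansible play (or whatever launches the container) as a fail-fast step: a non-empty result means the ACME order would fail and count against Let's Encrypt's failed-validation rate limit, so the container should not be started yet.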
