Cert Resolver using private wildcard cert

Hello All,

I'm a very, very new Traefik and even Docker user. I inherited a POC dev system that was set up using a Let's Encrypt certificate resolver, but between handoffs the internet access was removed from the Docker server, so Let's Encrypt is not able to self-renew now. I was instead given a wildcard cert to use.

So my question is: can I have Traefik utilize and automatically hand out this wildcard cert for the containers it controls vs. using the Let's Encrypt certificate resolver? And can it be done by just editing the Traefik container itself, or do I need to change the Traefik tag "traefik.http.routers.<name>.tls.certresolver=le" that's on all of them?


There is a pretty good section in the documentation on the topic of user-defined certificates: Overview - Traefik

Long-story-short: Mount the certificate and key to your Traefik container and configure it in your dynamic configuration. You don't need any cert resolvers anymore.

Thanks for that. It did help me sort out a few things I didn't quite have right, but it's still not quite working. So for a first step I'm trying to just get the Traefik container to use the named certs. I tried putting the cert file names just into the existing traefik.yml file that it was already using (commented out below), but that didn't work. Right now I'm trying to set up the dynamic route in the compose and config files, but still no luck. The container comes up, but it's using the default self-signed cert. I can look inside the container and there is a /data folder with the cert files in it; it just doesn't seem to be using them....

docker-compose.yml:

    version: '3'

    services:
      traefik:
        image: traefik:latest
        container_name: traefik
        restart: unless-stopped
        security_opt:
          - no-new-privileges:true
        networks:
          - proxy
        command:
          - "--log.level=DEBUG"
          - "--api=true"
          - "--metrics.prometheus=true"
          - "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0"
          - --providers.file.directory=/data/dynamic
        ports:
          - 80:80
          - 443:443
          - 8085:8080
        volumes:
          - /etc/localtime:/etc/localtime:ro
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - ./data/:/data/
          - ./data/traefik.yml:/traefik.yml:ro
          - ./data/dynamic/certs.yml:/data/dynamic/certs.yml
          - ./data/acme.json:/acme.json
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.traefik.entrypoints=http"
          - "traefik.http.routers.traefik.rule=Host(`<traefik dashboard URL>`)"
          # - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:"
          - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:"   # hash redacted in the post
          - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
          - "traefik.http.middlewares.keycloak-auth.forwardauth.address="
          - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
          - "traefik.http.routers.traefik-secure.entrypoints=https"
          - "traefik.http.routers.traefik-secure.rule=Host(`<traefik dashboard URL>`)"
          - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
          - "traefik.http.routers.traefik-secure.tls=true"
          # - "traefik.http.routers.traefik-secure.tls.certresolver=le"
          - "traefik.http.routers.traefik-secure.service=api@internal"

traefik.yml (static configuration, mounted at /traefik.yml):

    api:
      dashboard: true

    metrics:
      prometheus: {}

    entryPoints:
      http:
        address: ":80"
        http:
          middlewares:
            - redirect-http-to-https@internal
          redirections:
            entryPoint:
              to: https
              scheme: https
      https:
        address: ":443"
        # tls:
        #   certificates:
        #     - certFile: /data/.crt
        #       keyFile: /data/.key

    serversTransport:
      insecureSkipVerify: true   # disables verification of backend certificates

    providers:
      docker:
        endpoint: "unix:///var/run/docker.sock"
        exposedByDefault: false
        watch: true
      file:
        directory: /data/dynamic   # the directory certs.yml is mounted into by the compose file

    # certificatesResolvers:
    #   le:
    #     acme:
    #       email:
    #       storage: acme.json
    #       tlsChallenge: true

certs.yml (dynamic configuration, in /data/dynamic):

    tls:
      certificates:
        - certFile: /data/.crt
          keyFile: /data/.key

So I'm still trying to track this down. I was trying to follow the documentation and not having luck, so I spun up an entire standalone Docker server and deployed per the docs from scratch. At first that wasn't working either; however, I figured that out: it was because I was trying to use a sub.sub domain. So the cert is for *.domain.org and I was at first trying to use the URL sub1.sub2.domain.org. The logs showed it loading the cert, just not using it for that URL. I changed it to just sub1.domain.org and it started applying the wildcard cert. I'm assuming this is actually a bug in Traefik, but I'm not too concerned as I can work around it anyway.

So I went back to the existing install I'm trying to change, but still no luck. In the documentation it sets you up to load the container from "flags" (info msg="Configuration loaded from flags.") and just use the dynamic file to define the cert. In the install I'm trying to modify, it's loading via file (info msg="Configuration loaded from file: /traefik.yml"). I think this is from this line in the compose file: "- ./data/traefik.yml:/traefik.yml:ro". Anyway, when I add the configuration parts for the same dynamic file config, it just seems to ignore the dynamic file config part. You'd think it could just be fed in from the existing traefik.yml, but no good.....

Does anyone know if you can have the config loaded from file AND still use the dynamic file parts? Also, when loading from flags there's a ton of detail in "docker logs containerID", but when loading from the file above there's literally just the "loaded from file traefik.yml". When loading from file, does anyone know how or where the more detailed logs get stored???

Any help is greatly appreciated; this is pretty much all 100% new to me, but I feel like I might be getting closer now.
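As an added example (not configuration from the thread), here are the files the last post asks about: Traefik reads only one static configuration source, so once /traefik.yml is mounted the compose `command:` flags (including --log.level=DEBUG and --providers.file.directory) are ignored, which means the file provider and log level have to be declared in traefik.yml itself while the wildcard certificate goes in the dynamic file. The names wildcard.crt and wildcard.key are placeholders for the real certificate pair.

```yaml
# ./data/traefik.yml  (static configuration, mounted at /traefik.yml)
# Traefik uses a single static source: with this file present, the
# compose "command:" flags are ignored, so these settings live here.
log:
  level: DEBUG            # full detail now shows up in "docker logs traefik"
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: /data/dynamic   # the directory certs.yml is mounted into
    watch: true
# No certificatesResolvers section: ACME is no longer used.
---
# ./data/dynamic/certs.yml  (dynamic configuration, read by the file provider)
# wildcard.crt / wildcard.key are placeholder names for the real pair.
tls:
  certificates:
    - certFile: /data/wildcard.crt
      keyFile: /data/wildcard.key
  stores:
    default:
      # Served for any name the wildcard does not cover, replacing
      # Traefik's built-in self-signed default certificate.
      defaultCertificate:
        certFile: /data/wildcard.crt
        keyFile: /data/wildcard.key
---
# docker-compose.yml volumes excerpt: mount the key material read-only
# and leave acme.json out now that no resolver uses it.
volumes:
  - ./data/traefik.yml:/traefik.yml:ro
  - ./data/dynamic:/data/dynamic:ro
  - ./data/wildcard.crt:/data/wildcard.crt:ro
  - ./data/wildcard.key:/data/wildcard.key:ro
  - /var/run/docker.sock:/var/run/docker.sock:ro
```

A wildcard name covers exactly one DNS label (RFC 6125), so *.domain.org matches sub1.domain.org but not sub1.sub2.domain.org, which is why the certificate was loaded but never served for the deeper name. With no resolver defined, the traefik.http.routers.<name>.tls.certresolver=le labels on the other containers can simply be dropped, leaving tls=true.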