Configuring docker to generate wildcard certificate from yml file

Hey all,

I spent a decent amount of time fighting with this, so I thought I'd share.

I saw a video a while back where someone had used Docker labels to generate wildcard certificates through Let's Encrypt, but I wanted a way to control this from a yml file.

Cue many hours of digging...

Luckily, I did actually find a way to configure this.

Here's the traefik.yml file currently in use, and a link to my GitHub where I will update the files if these ever stop working.
Current version:

entryPoints:
  http:
    address: :80
    # -- (Optional) Redirect all HTTP to HTTPS
    # http:
    #   redirections:
    #     entryPoint:
    #       to: https      # must match the name of the HTTPS entryPoint defined below
    #       scheme: https
  https:
    address: :443
  # -- (Optional) Dashboard does this on its own. Leave it alone.
#  custom:
#    address: :8080

http:
  routers:
    dashboard:
      entryPoints:
        - https
      rule: Host(`traefik.local.domain.com`)
      service: api@internal
      tls:
        certResolver: production
        domains:
          - main: "publicdomain.com"
          - sans: "*.publicdomain.com"
          - sans: "local.domain.com"
          - sans: "*.local.domain.com"
      middlewares:
        - basic-auth
  middlewares:
    basic-auth:
      basicAuth:
        usersFile: /etc/traefik/users/users

And as a small note, I did have a slightly different format working for about a month, but I updated to the latest v2.10 version of Traefik and it broke... Not really sure why, but here's what that config looked like (as well as a link to the commit in git with this version):

entryPoints:
  http:
    address: :80
    # -- (Optional) Redirect all HTTP to HTTPS
    # http:
    #   redirections:
    #     entryPoint:
    #       to: https      # must match the name of the HTTPS entryPoint defined below
    #       scheme: https
  https:
    address: :443
  # -- (Optional) Dashboard does this on its own. Leave it alone.
#  custom:
#    address: :8080
http:
  routers:
    dashboard:
      entryPoints:
        - https
      rule: Host(`traefik.local.domain.com`)
      service: api@internal
      tls:
        certResolver: production

        ##### DO NOT LEAVE BOTH OF THE DOMAIN OPTIONS IN. PICK OPTION 1 OR 2 AND COMMENT OUT/DELETE THE OTHER #####

        # I have found two ways to describe this in the config file.
        # Option 1 if your two domains are different:
        domains[0]:
          - main: "publicdomain.com"
          - sans: "*.publicdomain.com"
        domains[1]:
          - main: "internaldomain.com"
          - sans: "*.internaldomain.com"
        # OR Option 2 if you just use a *.local.domain.com option. (This is what I use now)
        domains[0]:
          - main: "domain.com"
          - sans: "*.domain.com"
          - sans: "local.domain.com"
          - sans: "*.local.domain.com"
      middlewares:
        - basic-auth
  middlewares:
    basic-auth:
      basicAuth:
        usersFile: /etc/traefik/users/users
# -- Configure your CertificateResolver here...
certificatesResolvers:
  staging:
    acme:
      email: email@domain.com
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
  production:
    acme:
      email: email@domain.com
      storage: /etc/traefik/certs/acme-prod.json
      # Wildcard certificates can only be validated with the DNS challenge,
      # so the production resolver needs the same dnsChallenge block as staging.
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

Hopefully this helps others attempting to do this, and the SEO gods serve this to them. :stuck_out_tongue:


Thank you for sharing your config!! It was really helpful.


Usually static config does not have an http root element (doc); it should go into a dynamic config file, which is loaded via providers.file in static config.

The official LE main/sans notation looks different (doc):

tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: myresolver
        domain:
          main: example.org
          sans:
            - foo.example.org
            - bar.example.org
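To tie the two posts together, here is the same setup (wildcard certificates via the Cloudflare DNS challenge, dashboard router with basic auth) laid out the way the reply above describes: static settings in traefik.yml, and the router, middleware and per-router certificate domains in a dynamic file picked up by providers.file. This is an added example, not the original poster's config or anything from the Traefik project; the file paths /etc/traefik/traefik.yml and /etc/traefik/dynamic/dashboard.yml, the resolver name production and the domain names are assumptions carried over from the thread. The domains list uses the notation from the Traefik docs, where each list entry is one certificate request with one main name and a list of sans.

```yaml
# --- /etc/traefik/traefik.yml (static configuration; assumed path) ---
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https          # must name an entryPoint defined in this file
          scheme: https
  https:
    address: ":443"

api:
  dashboard: true            # backs the api@internal service used by the dashboard router

providers:
  file:
    directory: /etc/traefik/dynamic   # assumption: dynamic config files live here
    watch: true

certificatesResolvers:
  production:
    acme:
      email: email@domain.com                      # placeholder, as in the post
      storage: /etc/traefik/certs/acme-prod.json   # Traefik refuses to use this file unless it is mode 0600
      dnsChallenge:
        provider: cloudflare   # wildcard names require DNS-01; the token is read from CF_DNS_API_TOKEN
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

---
# --- /etc/traefik/dynamic/dashboard.yml (dynamic configuration; assumed path) ---
http:
  routers:
    dashboard:
      entryPoints:
        - https
      rule: Host(`traefik.local.domain.com`)
      service: api@internal
      middlewares:
        - basic-auth
      tls:
        certResolver: production
        domains:
          # one certificate covering publicdomain.com and *.publicdomain.com
          - main: "publicdomain.com"
            sans:
              - "*.publicdomain.com"
          # a second certificate covering local.domain.com and *.local.domain.com
          - main: "local.domain.com"
            sans:
              - "*.local.domain.com"
  middlewares:
    basic-auth:
      basicAuth:
        usersFile: /etc/traefik/users/users
```

Two points worth checking once this is deployed: the ACME storage file holds the account key and every issued private key, so keep it at mode 0600 and outside any shared volume; and the Cloudflare token handed to Traefik only needs Zone / DNS / Edit on the zones being validated, so scope it to those zones rather than using a global API key, which limits what a compromised Traefik container can change.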