Hey all,
I spent a decent amount of time fighting with this, so I thought I'd share.
I saw a video a while back where someone had used Docker labels to generate wildcard certificates through Let's Encrypt, but I wanted a way to control this from a yml file.
Cue many hours of digging...
Luckily, I did actually find a way to configure this.
Here's the traefik.yml file currently in use, and a link to my GitHub where I will update the files if these ever stop working.
Current version:
entryPoints:
  http:
    address: :80
    # -- (Optional) Redirect all HTTP to HTTPS
    # http:
    #   redirections:
    #     entryPoint:
    #       to: https      # the HTTPS entry point is named "https" in this file
    #       scheme: https
  https:
    address: :443
  # -- (Optional) Dashboard does this on its own. Leave it alone.
  # custom:
  #   address: :8080

http:
  routers:
    dashboard:
      entryPoints:
        - https
      rule: Host(`traefik.local.domain.com`)
      service: api@internal
      tls:
        certResolver: production
        # One certificate: "main" is the first name, "sans" is a list of the
        # extra names (Traefik's documented tls.domains format).
        domains:
          - main: "publicdomain.com"
            sans:
              - "*.publicdomain.com"
              - "local.domain.com"
              - "*.local.domain.com"
      middlewares:
        - basic-auth

  middlewares:
    basic-auth:
      basicAuth:
        usersFile: /etc/traefik/users/users
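Added example, not from the post above or from Traefik itself: a small Python check that each router's Host() is actually covered by the names under its tls.domains, applying the single-label wildcard rule (so "*.publicdomain.com" covers "x.publicdomain.com" but not "x.y.publicdomain.com", which is why the config above carries a second wildcard level). The SAMPLE_CONFIG dict is constructed to mirror the parsed traefik.yml; the router named "deep" is an assumed extra router added to show the failure case.

```python
# Added example, not from the original post or from Traefik: check that each
# router's Host() is covered by the names under its tls.domains (documented
# form: main + sans list). A wildcard matches exactly one DNS label, so
# "*.publicdomain.com" does not cover "app.internal.publicdomain.com".
import re

# Constructed sample, shaped like the parsed traefik.yml from the post.
SAMPLE_CONFIG = {"http": {"routers": {
    "dashboard": {
        "rule": "Host(`traefik.local.domain.com`)",
        "tls": {"certResolver": "production", "domains": [{
            "main": "publicdomain.com",
            "sans": ["*.publicdomain.com", "local.domain.com", "*.local.domain.com"],
        }]},
    },
    "deep": {  # assumed router two labels below the wildcard: not covered
        "rule": "Host(`app.internal.publicdomain.com`)",
        "tls": {"certResolver": "production", "domains": [{
            "main": "publicdomain.com", "sans": ["*.publicdomain.com"],
        }]},
    },
}}}

HOST_RE = re.compile(r"Host\(`([^`]+)`\)")

def covered(host: str, name: str) -> bool:
    """True if a certificate name (exact or single-label wildcard) covers host."""
    host, name = host.lower().rstrip("."), name.lower().rstrip(".")
    if name.startswith("*."):
        h, n = host.split("."), name.split(".")
        return len(h) == len(n) and h[1:] == n[1:]
    return host == name

def check_routers(cfg: dict) -> dict:
    """Map router name -> Host() names NOT covered by that router's tls.domains."""
    result = {}
    for rname, router in cfg.get("http", {}).get("routers", {}).items():
        hosts = HOST_RE.findall(router.get("rule", ""))
        names = []
        for dom in (router.get("tls") or {}).get("domains", []):
            sans = dom.get("sans", [])
            sans = [sans] if isinstance(sans, str) else list(sans)  # tolerate scalar form
            names += ([dom["main"]] if dom.get("main") else []) + sans
        result[rname] = [h for h in hosts if not any(covered(h, n) for n in names)]
    return result

if __name__ == "__main__":
    for rname, missing in check_routers(SAMPLE_CONFIG).items():
        print(rname, "ok" if not missing else f"not covered: {missing}")
```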
And as a small note, I did have a slightly different format working for about a month, but I updated to the latest v2.10 version of Traefik and it broke... Not really sure why, but here's what that config looked like (as well as a link to the commit in git with this version):
entryPoints:
  http:
    address: :80
    # -- (Optional) Redirect all HTTP to HTTPS
    # http:
    #   redirections:
    #     entryPoint:
    #       to: https      # the HTTPS entry point is named "https" in this file
    #       scheme: https
  https:
    address: :443
  # -- (Optional) Dashboard does this on its own. Leave it alone.
  # custom:
  #   address: :8080

http:
  routers:
    dashboard:
      entryPoints:
        - https
      rule: Host(`traefik.local.domain.com`)
      service: api@internal
      tls:
        certResolver: production
        ##### DO NOT LEAVE BOTH OF THE DOMAIN OPTIONS IN. PICK OPTION 1 OR 2 AND COMMENT OUT/DELETE THE OTHER #####
        # I have found two ways to describe this in the config file.
        # Option 1 if your two domains are different:
        domains[0]:
          - main: "publicdomain.com"
          - sans: "*.publicdomain.com"
        domains[1]:
          - main: "internaldomain.com"
          - sans: "*.internaldomain.com"
        # OR Option 2 if you just use a *.local.domain.com option. (This is what I use now)
        domains[0]:
          - main: "domain.com"
          - sans: "*.domain.com"
          - sans: "local.domain.com"
          - sans: "*.local.domain.com"
      middlewares:
        - basic-auth

  middlewares:
    basic-auth:
      basicAuth:
        usersFile: /etc/traefik/users/users

# -- Configure your CertificateResolver here...
certificatesResolvers:
  staging:
    acme:
      email: email@domain.com
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
  production:
    acme:
      email: email@domain.com
      storage: /etc/traefik/certs/acme-prod.json
      # Wildcard names need the DNS challenge here too; this mirrors the staging block above.
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
Hopefully this helps others attempting to do this, and the SEO gods serve this to them.