Default certificate from letsencrypt

Hello,

I'm using letsencrypt as the main certificate resolver, but Traefik generates a new default self-signed certificate every time.

How can I use "Default certificate" from letsencrypt?

Thank you.


Hello @aplsms

You should create a certificateResolver based on the examples in our documentation: Let's Encrypt - Traefik

If the certResolver is configured, the certificate should be generated automatically for your domain.

The certificate resolver for letsencrypt is working well. On every start, Traefik creates a self-signed "default" certificate. I'd like to use my wildcard letsencrypt certificate as the default.

So when I connect to https://123.45.56.78 (where 123.45.56.78 is my public IP) I'd like to get my letsencrypt certificate, not the self-signed one.

Traefik is not creating a self-signed certificate; it is already built into Traefik and is presented in case a valid certificate is not reachable.

Please verify your certificate resolver configuration. If it is set up correctly, Traefik will try to connect to the Let's Encrypt server and issue the certificate.

time="2021-09-08T15:30:35Z" level=debug msg="No default certificate, generating one" tlsStoreName=default

How can I use one of my letsencrypt certificates as this default?

You don't have to explicitly mention which certificate you are going to use.
If a valid configuration with a certResolver exists, Traefik will try to issue certificates from Let's Encrypt.
If the TLS certificate for domain 'mydomain.com' exists in the store, Traefik will pick it up and present it for your domain. If there is no certificate for the domain, Traefik will present the built-in default certificate. This is the general flow of how it works.

I would recommend reviewing the Let's Encrypt configuration following the examples provided on our website.
You can also share your static and dynamic configuration.

Thank you,

The letsencrypt certificate resolver is working well for any domain covered by the certificate.
I have a certificate from letsencrypt for "mydomain.com" + "*.mydomain.com". It is resolved correctly for any domain like myhost.mydomain.com.

In the case of connecting to the IP address (10.10.20.13) of Traefik, the certificate resolver is unable to resolve a certificate, and I get the self-signed certificate "TRAEFIK DEFAULT CERT".

echo ""| openssl s_client -connect 10.10.20.13:443
CONNECTED(00000003)
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=TRAEFIK DEFAULT CERT
   i:/CN=TRAEFIK DEFAULT CERT

I want to have here (for requests to the IP address) the certificate from letsencrypt for mydomain.com.

As far as I understand, you have no such functionality and there is no way to set up a "default certificate" that points to letsencrypt, and this hack "Letsencrypt as the Traefik default certificate" is the only way to do it. That way, I need to restart Traefik every time a certificate is updated.

I am not sure I understand what you are trying to achieve.

Are you going to set up the default certificate instead of the one that is built into Traefik?

Yes, exactly.
Some old clients don't support SNI.

Hello @aplsms

It seems that this is the feature you are looking for.

https://doc.traefik.io/traefik/https/tls/#default-certificate

Is it possible to point the default certificate not to a file but to the letsencrypt store?

Do you have any updates?

Hi @aplsms

If you add a TLS certificate manually to acme.json, it will not be presented as the default certificate. On the other hand, manually adding content to acme.json is not recommended, because at some point it might be wiped out, since Traefik manages that file.

I recommend using the TLS - Traefik feature that I suggested in my previous answer.

Thank you,

I don't need to add certificates manually to acme.json. The certificate is properly obtained from letsencrypt and stored by Traefik. I don't have any certificates other than the ones obtained from letsencrypt by Traefik. I need to point the default certificate to the certificate in acme.json, like:

tls:
  stores:
    default:
      defaultCertificate:
        certFile: path/to/acme.json:cert_name
        keyFile: path/to/acme.json:cert_name_key

I'm sorry, but I have a feeling that you can't say "no, we don't have such functionality", and because of that you are answering questions I'm not asking.

Please check the initial question: how can I use the "Default certificate" obtained by the letsencrypt certificate resolver?

Thank you.

Hey @aplsms; I am referring to the last question I asked.

The default certificate can only point to the mentioned TLS store, not to a certificate stored in acme.json. We can consider that as a feature request, so feel free to open an issue on our GitHub repo referring to this conversation.

Have a great weekend, Jakub

@aplsms do you have any update/workaround? I was searching for exactly the same thing...

I'm using Traefik to proxy DoT (TCP/TLS) requests, but when debugging with kdig it looks like it is not serving the correct certificate, so at least in my case forcing an entrypoint to use a certificate would also be okay...

As a workaround I was thinking of using something like GitHub - DanielHuisman/traefik-certificate-extractor: Tool to extract Let's Encrypt certificates from Traefik's ACME storage file. Traefik v2 support: to be able to use the defaultCertificate option...

EDIT:
OK, the workaround seems to be working...
I added a second service to the compose file, like in Store traefik let's encrypt certificates not as json - Stack Overflow

  traefik-certs-dumper:
    image: ldez/traefik-certs-dumper:latest
    container_name: traefik-certs-dumper
    entrypoint: sh -c '
      apk add jq
      ; while ! [ -e /data/acme.json ]
      || ! [ `jq ".Certificates | length" /data/acme.json` != 0 ]; do
      sleep 1
      ; done
      && traefik-certs-dumper file --watch --version v2 --source /data/acme.json'
    volumes:
      - ssl_certs:/data

and then used the defaultCertificate option (the ssl_certs volume is mounted under /certs on Traefik, and Traefik saves to /certs/acme.json)

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /certs/dump/certs/*.domain.crt
        keyFile: /certs/dump/private/*.domain.key

I'm using a similar solution; I just dump the certificates by cron.
I have a few more applications, routers and servers with their own certificate management, so I need to push the certs there by ssh.

This is a massive shortfall in terms of usability; I'm surprised this is the suggested solution. Having chosen Traefik, the last thing I want is to manually handle certificate files and keep them up to date. Is there really no better way?

A lot was discussed here, what do you mean exactly?

What's your setup? Docker, Docker Swarm, kubernetes?

A lot was discussed here, what do you mean exactly?

The part where people parse the certificate storage and dump certificates, using cron.

What's your setup? Docker, Docker Swarm, kubernetes?

Docker for now, but probably Swarm later on.