Default TLS store versus ACME certificate request

williamhargrove · October 20, 2023, 11:01am

I have a question on the precedence of the various TLS options.

I have a default tls certificate defined:

 stores:
   default:
     defaultCertificate:
       certFile: /etc/traefik/tls/my.dev.crt.pem
       keyFile: /etc/traefik/tls/my.dev.key.pem

This works fine and as expected for my various routers.

Now I have defined a router that I want to have a cert issued from via acme. I have a definition in traefik.yml as below:

certificatesResolvers:
  dev:
    acme:
[etc]

And in my router definition I have:

http:
  routers:
    mytest_router:
      service: mytest
      rule: Host(`mytesthost.my.dev`)
      priority: 10
      tls:
        certResolver: dev
[etc]

When I go to the url mytesthost.my.dev I get the certificate from the default store, rather than one being requested through the 'dev' ACME cert resolve.

This leads me to think that when we have a defaultCertificate set we cannot over-ride this with a specific certResolver. If I comment out the default cert store - I see the ACME call being made, so the config looks good. I wondered if it is possible to set some priority or ordering on this?

Has anyone come across this before or can suggest a way to work around it. Ideally I would like to keep the default cert in place and just have a few routers that are making an ACME call.

Thanks.

bluepuma77 · October 20, 2023, 2:12pm

The default cert usually is backup if other certs don’t match. I would expect that LE creates certs for Host() if the domain does not match any existing cert. That’s not the case?

williamhargrove · October 20, 2023, 2:29pm

Hi there and thanks for the reply. Rather stupidly I realise I have left out an important detail regarding the default cert - it is a wildcard cert. So I think it is matching on the default cert first, which is the wildcard and never geting to the ACME issued cert.

But what I would like to try and achieve (for business reasons) is to keep the default wildcard cert in place and have the ACME one used when the domain matches the HOST block in that router.

bluepuma77 · October 20, 2023, 3:05pm

You could try to define the TLS main directly on the router (doc).

Topic		Replies	Views
defaultCertificate + lets encrypt Traefik v2 (latest) letsencrypt-acme	1	380	September 28, 2019
2.9.4: ACME Default Certificate not working Traefik v2 (latest) docker-swarm , letsencrypt-acme	3	960	November 15, 2022
Certificate resolver Traefik v2 (latest) letsencrypt-acme	6	2520	July 12, 2021
Default TLS configuration for a Lets Encrypt wildcard certificate Traefik v2 (latest) file , letsencrypt-acme	1	566	October 20, 2023
ACME Default Certificate does not work Traefik v2 (latest) docker , letsencrypt-acme	1	116	February 8, 2024

Default TLS store versus ACME certificate request

Related Topics