Disable Let's Encrypt for some domain names

Hi everyone! First, thanks to the team for the great product! Second: could someone help please? I'm trying to handle the case where some subdomains should get a certificate from Let's Encrypt, and some should just pass through the traffic on port 80 (as I understand) for an internal win-acme bot. So, for example, I want to handle the certificate for subdomain.contoso.com for an RDP server on the Windows machine itself, so I'm setting it up like:

static config:

entryPoints:
  web:
    address: ":80" # HTTP entry point
  websecure:
    address: ":443" # HTTPS entry point
  rdp:
    address: ":3389" # RDP

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: "/etc/traefik/traefik_dynamic.yml"
    watch: true

certificatesResolvers:
  letsencrypt:
    acme:
      email: ######################
      storage: "/acme/acme.json"
      httpChallenge:
        entryPoint: web

log:
  level: DEBUG

dynamic config:

tcp:
  routers:
    rdp-router:
      rule: "HostSNI(`subdomain.contoso.com`)"
      entryPoints:
        - rdp
      tls:
        passthrough: true
      service: rdp-service

  services:
    rdp-service:
      loadBalancer:
        servers:
          - address: "someip:3389"

http:
  routers:
    acme-challenge-router-for-wacs:
      rule: "Host(`subdomain.contoso.com`)"
      entryPoints:
        - web
      service: acme-challenge-service-for-wacs

  services:
    acme-challenge-service-for-wacs:
      loadBalancer:
        servers:
          - url: "http://someip:80"

But it looks like Traefik is still trying to get a certificate for subdomain.contoso.com. How do I disable that and also pass through port 80 correctly? Also, when I played around with the settings and ran win-acme, I got this in the Traefik log:

Unable to split host and port. Fallback to request host. error="address subdomain.contoso.com: missing port in address" providerName=acme

And it looks like Traefik is intercepting the ACME request too? So I'm confused and stuck, please help. Thanks in advance.

You cannot use HostSNI(`domain`) if Traefik has no access to the cert, which according to you will be created by the target service. Traefik needs access to the cert to decrypt the HostSNI.

If you only have a single target service on the port, you can use HostSNI(`*`). But don't use any TLS options, as that might activate Traefik TLS and result in a custom cert. Passthrough is the default behavior for a TCP router without TLS.

Note that RDP usually also uses UDP, which makes matters even more complicated.


Thanks for answering! As I understand it, Traefik also supports UDP. If I want to handle a couple of RDP servers with self-managed ACME and forward traffic based on hostname, it's not possible then, because Traefik doesn't have access to the certificate, correct?...

You can only use a single service on a pure TCP port, without HostSNI.

If you want to use multiple, you need to provide the certs to Traefik or use different ports.

Note that UDP is a completely different beast than TCP, as it is not session oriented. When Traefik forwards a UDP packet, the sender IP will change. So unless the original IP is placed in the UDP packet content, or is communicated via TCP data, a return packet cannot be sent. Also, the server needs to tell the RDP client to use a different UDP target IP, the IP of the Traefik server.

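The layout the two replies describe (one target service per TCP port, HostSNI(`*`), no TLS options, a separate port per RDP host), written out as an added example that is not from this thread or from Traefik's own documentation. The entry point names `rdp1`/`rdp2`, the port `:3390` and the `10.0.0.x` addresses are placeholders; only the TCP side is shown, the HTTP router from the question is unchanged.

```yaml
# Added example: dynamic file-provider config for two RDP hosts that manage
# their own certificates (e.g. with win-acme). Traefik never terminates TLS
# here, so it has no reason to request a Let's Encrypt certificate for them.

# --- static config (traefik.yml) additions this example assumes ---
# entryPoints:
#   rdp1:
#     address: ":3389"   # first RDP host
#   rdp2:
#     address: ":3390"   # second RDP host on its own port (placeholder)

tcp:
  routers:
    rdp1-router:
      # HostSNI(`*`) as the reply recommends: no per-hostname matching,
      # one target service per port.
      rule: "HostSNI(`*`)"
      entryPoints:
        - rdp1
      service: rdp1-service
      # Deliberately no `tls:` block. The question's router used
      # `tls: { passthrough: true }`; the reply advises leaving TLS options
      # out entirely, since a TCP router without TLS already passes the
      # stream through untouched.
    rdp2-router:
      rule: "HostSNI(`*`)"
      entryPoints:
        - rdp2
      service: rdp2-service

  services:
    rdp1-service:
      loadBalancer:
        servers:
          - address: "10.0.0.11:3389"   # placeholder for the first Windows host
    rdp2-service:
      loadBalancer:
        servers:
          - address: "10.0.0.12:3389"   # placeholder for the second Windows host
```

A quick check after reloading: `openssl s_client -connect traefik-host:3389 -servername subdomain.contoso.com` should show the certificate issued on the Windows host, not one from Traefik's `acme.json`.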

Got it. So it looks like a bad idea :smiley: Thanks for helping.