DNS Name of generated certificate

Hi,

I am using the latest Traefik version with the following static and dynamic configuration:

defaultEntryPoints = ["https"]

[entryPoints]

[entryPoints.https]
address = ":5300"

[providers]

# Enable the file provider to define routers / middlewares / services in file
[providers.file]
filename = "config/rules.toml"
watch = true
[http]
##### ROUTERS ####
[http.routers]
[http.routers.MyService]
rule = "PathPrefix(`/myservice/`)"
service = "MyService"
middlewares = ["MyService"]
[http.routers.MyService.tls]
options = "CisServices"

##### SERVICES ####
[http.services]
[http.services.MyService.loadBalancer]
[[http.services.MyService.loadBalancer.servers]]
url = "http://mycomputer.domain.com:5337/"

##### MIDDLEWARES ####
[http.middlewares]
[http.middlewares.MyService.stripPrefix]
prefixes = ["/myservice"]

[tls.options]
[tls.options.CisServices]
minVersion = "VersionTLS12"

Traefik is running and just doing what it should, BUT the generated certificate is always insecure in all browsers (also when installed to the Trusted Root Store in Windows), because the certificate was generated for another domain name, like

c763d3b7e70495841efbb86be0ae2728.5330d5a6b1143262b899fd68e727a262.traefik.default

How can I force traefik to generate the self-signed certificate for "mycomputer.domain.com"?

Welcome @dhoerner2412

You are going to have to configure a certificate resolver for Let's Encrypt in your static configuration and then configure one of the domain definition options for your router.

https://docs.traefik.io/https/acme/

Hi @cakiwi,

I tried your solution but got the following error:

{"level":"error","msg":"Unable to obtain ACME certificate for domains \"COMPUTERNAME.DOMAIN.com\" : unable to generate a certificate for the domains [COMPUTERNAME.DOMAIN.com]: error: one or more domains had a problem:\n[COMPUTERNAME.DOMAIN.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for COMPUTERNAME.DOMAIN.com - check that a DNS record exists for this domain, url: \n","providerName":"CsiServices.acme","time":"2020-06-29T14:55:39+02:00"}

I don't want to register a Domain at Let's encrypt etc. I just want to automatically generate a Self-signed certificate for a Computername. I can do this with openssl but I thought that traefik can do this for me automatically?!

If you're wanting what I think you are, removing the LetsEncrypt resolver should give you a Traefik self-signed certificate with the correct FQDN, as long as a Host() rule or tls.domains option is present.

Hmm still no luck with this :frowning:
My static config is now the same as at the start of the thread.
My dynamic config now looks like the following:

[http]
##### ROUTERS ####
[http.routers]
[http.routers.MyService]
rule = "Host(`COMPUTER.DOMAIN.COM`) && PathPrefix(`/myservice/`)"
service = "MyService"
middlewares = ["MyService"]
[http.routers.MyService.tls]
options = "CisServices"

##### SERVICES ####
[http.services]
[http.services.MyService.loadBalancer]
[[http.services.MyService.loadBalancer.servers]]
url = "http://COMPUTER:5337/"

##### MIDDLEWARES ####
[http.middlewares]
[http.middlewares.MyService.stripPrefix]
prefixes = ["/myservice"]

[tls.options]
[tls.options.CisServices]
minVersion = "VersionTLS12"

When accessing https://COMPUTERNAME.DOMAIN.COM/myservice/ I still get an error in Firefox, and can see that the certificate's DNS Name is

DNS-Name
7724ff3642184f826fa8a9e06360f978.676cd7976b83dde6b80816a76d479296.traefik.default

Did you configure your DNS provider correctly? acme.dnsChallenge, that is?
Also, maybe try the http or tls challenge instead.
Those do not require any 3rd party provider configurations.

I just tried it also. The Traefik Default certificate subject is auto generated and not updated for routes.

As you need it 'trusted' in the browser, you only have a few options.

  • Register a domain and use it with LetsEncrypt
  • Self issued wildcard certificate for your domain. No automatic provisioning but a wildcard will cover hosts in a domain.
  • Provision a Certificate Authority that supports the ACME protocol and use that with the ACME provider.

If you self issue or roll your own CA then you still have the issues of certificate lifecycle with the additional overhead of a CA and you have to deploy the CA to the browsers so that the chain of trust is valid.

Ok thank you for your help. So I need to continue to generate my own self-signed cert with openssl. Maybe this feature can be available in one of the next releases of traefik.
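
Added example (not part of any post in this thread, and not Traefik's own code): the openssl route mentioned above. It generates a self-signed certificate whose subjectAltName is the host name clients use, checks the name match that the browser enforces, and prints the `[[tls.certificates]]` entry for the file provider's dynamic configuration. The function names, output directory and 365-day validity are assumptions; `mycomputer.domain.com` is the name from the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, paths and the
# 365-day validity are assumptions.

# make_cert NAME DIR: write DIR/NAME.key and DIR/NAME.crt (self-signed).
make_cert() {
    name="$1"; dir="$2"
    mkdir -p "$dir" || return 1
    # Browsers compare the requested host with subjectAltName, not the CN.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $name
[v3]
subjectAltName = DNS:$name
extendedKeyUsage = serverAuth
EOF
    # umask 077 keeps the unencrypted private key readable by the owner only.
    (umask 077; openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/req.cnf" -keyout "$dir/$name.key" -out "$dir/$name.crt")
}

# cert_matches CRT HOST: succeed only if the certificate covers HOST.
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# traefik_tls_toml CRT KEY: print the entry to add to the file provider's
# dynamic configuration (config/rules.toml in the thread).
traefik_tls_toml() {
    cat <<EOF
[[tls.certificates]]
  certFile = "$1"
  keyFile = "$2"
EOF
}

host=mycomputer.domain.com   # host name from the first post
out=$(mktemp -d)
make_cert "$host" "$out" &&
    cert_matches "$out/$host.crt" "$host" &&
    traefik_tls_toml "$out/$host.crt" "$out/$host.key"
```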

Do you need a trusted cert for a local machine strictly for development purposes?