dnsChallenge for "www.*.example.org"

Karol · October 31, 2021, 1:20pm

With the config below the issued certificate doesn't work for www.abc.example.org but it works for www.example.org and abc.example.org .

http:
  routers:
    web-router:
      rule: "Host(`example.org`) ||
       Host(`www.example.org`) ||
       HostRegexp(`{subdomain:[a-z-]+}.example.org`) ||
       HostRegexp(`www.{subdomain:[a-z-]+}.example.org`)"

      entryPoints:
        - web
      middlewares:
        - redirect
        - csrf
      service: django


    web-secure-router:
      rule: "Host(`example.org`) ||
       Host(`www.example.org`) ||
       HostRegexp(`{subdomain:[a-z-]+}.example.org`) ||
       HostRegexp(`www.{subdomain:[a-z-]+}.example.org`)"

      entryPoints:
        - web-secure
      middlewares:
        - csrf
      service: django
      tls:
        certResolver: letsencrypt
        domains:
          - main: "*.example.org"
            sans:
              - "example.org"

certificatesResolvers:
  letsencrypt:
    acme:
      email: "email@example.com"
      storage: /etc/traefik/acme/acme.json
      dnsChallenge:
        provider: route53
        delayBeforeCheck: 0

In the DNS I have A records for example.org and *.example.org .

Is it possible to get a certificate that works for www.*.example.org and *.example.org in the same time?

jakubhajek · November 9, 2021, 11:21pm

Hello @Karol

Based on my best knowledge the TLS certificates can be obtained only for the first level of your subdomain. I mean that you can obtain the certificate for .example.com but www..example is not correct.

According to the RFC2818

if more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., .a.com matches foo.a.com but not bar.foo.a.com. f.com matches foo.com but not bar.com.

Thank you,

Karol · December 3, 2021, 6:55pm

Yeah, thanks for the comment. I will just go with redirecting www to non-www instead of generating certs for 'www.*'

Topic		Replies	Views
Problem obtaining ACME certificate for domain Traefik v2 (latest) docker , letsencrypt-acme	0	1308	January 14, 2022
Route53 dnsChallenge with multiple domains Traefik v2 (latest) letsencrypt-acme	2	1202	July 9, 2020
Trouble getting ACME cert Traefik v2 (latest) docker , letsencrypt-acme	3	325	August 18, 2023
Lets encrypt dns challenge via traefik docker compose (problem only on arch) Traefik v2 (latest) letsencrypt-acme	6	1979	May 28, 2023
Traefik + letsencrypt using example fails to generate ceritifcate Traefik v2 (latest) docker , letsencrypt-acme	3	1047	June 5, 2021

dnsChallenge for "www.*.example.org"

Related Topics