Hello,
I'm currently using Traefik v2 in my Kubernetes cluster. I use it to route traffic to each pod and to manage HTTPS certificates using Let's Encrypt.
I've a root domain domain.dev that points to the web and websecure endpoints.
When deploying a new service, it will be available at the following URL: <SERVICE>.<BRANCH>.<PROJECT>.domain.dev.
Currently I'm using the following IngressRoute for each service:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: <SERVICE>-<BRANCH>-<PROJECT>
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`<SERVICE>.<BRANCH>.<PROJECT>.domain.dev`)
      services:
        - name: <SERVICE>
          port: 80
  tls:
    certResolver: le
This worked fine until I used very long names for <SERVICE>, <BRANCH> and <PROJECT>, where I got the following error:
time="2020-06-04T00:00:00Z" level=error msg="Unable to obtain ACME certificate for domains \"branch-xxxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxxx.project-xxxxxxxxx.domain.dev\": unable to generate a certificate for the domains [branch-xxxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxxx.project-xxxxxxxxx.domain.dev]: error: one or more domains had a problem:\n[branch-xxxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxxx.project-xxxxxxxxx.domain.dev] acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/finalize/12345678/1234567890 :: urn:ietf:params:acme:error:badCSR :: Error finalizing order :: CN was longer than 64 bytes, url: \n" providerName=le.acme rule="Host(`branch-xxxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxxx.project-xxxxxxxxx.domain.dev`)" routerName=service-branch-project@kubernetescrd
I've replaced real names with xxx but the length was not modified.
Multiple SERVICE might be defined on the same BRANCH-PROJECT, and multiple BRANCH might be defined on the same PROJECT as well. Everything is done dynamically based on a Git repo.
How could I set up my Traefik to issue certificates for each service, without having any issue like CN too long or maybe rate limit, etc.?
Thanks very much in advance,
Kevin
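
A pre-flight check for the situation described in the post, as an added example that is not part of the original post and not Traefik code: it validates a generated hostname against the 64-byte CN limit named in the error, and goes slightly further by also checking the standard DNS label (63 bytes) and name (253 bytes) limits. The function names and the sample service, branch and project values are assumptions.

```python
# Added example: names below are hypothetical, not taken from Traefik or the post.
CN_MAX = 64      # commonName limit reported in the ACME badCSR error above
LABEL_MAX = 63   # DNS limit per label (RFC 1035)
NAME_MAX = 253   # DNS limit for the whole name in text form

# Hostname copied from the log line in the post (already anonymised there).
LOG_HOST = ("branch-xxxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxxx"
            ".project-xxxxxxxxx.domain.dev")


def build_host(service, branch, project, root="domain.dev"):
    """Assemble <SERVICE>.<BRANCH>.<PROJECT>.<root> as the post describes."""
    return ".".join((service, branch, project, root)).lower()


def check_host(host):
    """Return a sorted list of problem codes; an empty list means the name fits."""
    problems = set()
    size = len(host.encode("utf-8"))
    if size > CN_MAX:
        problems.add("cn-too-long")      # would trigger the badCSR seen above
    if size > NAME_MAX:
        problems.add("name-too-long")
    for label in host.split("."):
        if not label:
            problems.add("empty-label")  # e.g. an empty branch name
        elif len(label.encode("utf-8")) > LABEL_MAX:
            problems.add("label-too-long")
    return sorted(problems)


def headroom(host):
    """Bytes left before the CN limit (negative when the name is over it)."""
    return CN_MAX - len(host.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values next to the hostname from the log.
    for h in (LOG_HOST, build_host("api", "main", "shop")):
        print(h, check_host(h) or "ok", headroom(h))
```

Run in the Git-driven pipeline before the IngressRoute is applied, this rejects an over-long name up front instead of letting it reach the ACME finalize call.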