I'm currently using Traefik v2 in my Kubernetes cluster. I use it to route traffic to each pod and to manage HTTPS certificates using Let's Encrypt.
I've a root domain domain.dev that points to the
When deploying a new service it will be available to the following URL :
Currently I'm using the following IngressRoute for each service:

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: <SERVICE>-<BRANCH>-<PROJECT>
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`<SERVICE>.<BRANCH>.<PROJECT>.domain.dev`)
      services:
        - name: <SERVICE>
          port: 80
  tls:
    certResolver: le
```
This works fine until I used very long names for <PROJECT>... Where I got the following error:
time="2020-06-04T00:00:00Z" level=error msg="Unable to obtain ACME certificate for domains \"branch-xxxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxxx.project-xxxxxxxxx.domain.dev\": unable to generate a certificate for the domains [branch-xxxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxxx.project-xxxxxxxxx.domain.dev]: error: one or more domains had a problem:\n[branch-xxxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxxx.project-xxxxxxxxx.domain.dev] acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/finalize/12345678/1234567890 :: urn:ietf:params:acme:error:badCSR :: Error finalizing order :: CN was longer than 64 bytes, url: \n" providerName=le.acme rule="Host(`branch-xxxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxxx.project-xxxxxxxxx.domain.dev`)" routerName=service-branch-project@kubernetescrd
I've replaced real names with xxx but length was not modified...
SERVICE might be defined on the same
BRANCH might be defined on the same
PROJECT as well. Everything is done dynamically based on a Git repo.
How could I set up my Traefik to issue certificates for each service, without having any issue like CN too long or maybe rate limit, etc...?
Thanks very much in advance,
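A pre-deployment check for the failure shown in the log above, as an added example that is not part of the original post: it builds the hostname from the Git-derived parts and reports names that would exceed the 64-byte CN limit before an IngressRoute is created. The function names `build_host`, `check_host` and `cn_overflow` are hypothetical, and the DNS label and name limits (63 and 253 bytes, RFC 1035) go beyond what the post mentions.

```python
"""Pre-flight check for generated hostnames (added example, not from the post)."""

CN_MAX_BYTES = 64      # limit named in the ACME badCSR error in the log
LABEL_MAX_BYTES = 63   # DNS limit per label (RFC 1035), assumption beyond the post
NAME_MAX_BYTES = 253   # DNS limit for a full name in text form, same assumption

# Hostname copied from the error log in the post (already masked with x).
SAMPLE = ("branch-xxxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxxx"
          ".project-xxxxxxxxx.domain.dev")


def build_host(service, branch, project, root="domain.dev"):
    """Join the parts as the Host() rule does; empty parts are skipped."""
    return ".".join(p for p in (service, branch, project, root) if p).lower()


def cn_overflow(host):
    """Number of bytes by which the name exceeds the CN limit (0 if it fits)."""
    return max(0, len(host.encode("utf-8")) - CN_MAX_BYTES)


def check_host(host):
    """Return a list of problems; an empty list means the name passes."""
    problems = []
    size = len(host.encode("utf-8"))
    if size > CN_MAX_BYTES:
        problems.append(f"cn-too-long: {size} bytes, limit {CN_MAX_BYTES}")
    if size > NAME_MAX_BYTES:
        problems.append(f"name-too-long: {size} bytes, limit {NAME_MAX_BYTES}")
    for label in host.split("."):
        if not label:
            problems.append("empty-label")
        elif len(label.encode("utf-8")) > LABEL_MAX_BYTES:
            problems.append(f"label-too-long: {label[:16]}...")
    return problems


if __name__ == "__main__":
    # Constructed short name next to the long one from the log.
    for host in (build_host("api", "main", "shop"), SAMPLE):
        issues = check_host(host)
        print(host, "->", issues or "ok")
```

Running this in the pipeline that generates the IngressRoute manifests lets a too-long name fail the build instead of failing later at certificate issuance.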