I can not get a subdomain working looks like my config might work but lets encrypt seems to be receiving the yaml.
LE Errors:
level=error msg="Unable to obtain ACME certificate for domains \"portainer.\": unable to generate a certificate for the domains [portainer]: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for \"portainer\": Domain name needs at least one dot, url: " providerName=letsencrypt.acme routerName=portainer@docker rule="Host(`portainer.`)"
level=error msg="Unable to obtain ACME certificate for domains \"portainer.\": unable to generate a certificate for the domains [portainer]: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for \"portainer\": Domain name needs at least one dot, url: " rule="Host(`portainer.`)" providerName=letsencrypt.acme routerName=portainer@docker
level=error msg="Unable to obtain ACME certificate for domains \"portainer.\": unable to generate a certificate for the domains [portainer]: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for \"portainer\": Domain name needs at least one dot, url: " providerName=letsencrypt.acme routerName=portainer@docker rule="Host(`portainer.`)"
Traefik yml:
version: '3.7'
services:
traefik:
image: traefik:chevrotin
container_name: traefik
ports:
- 80:80
- 443:443
command:
- --api=true
- --api.debug=true
- --providers.docker=true
- --providers.docker.network=reverse_proxy
- --providers.docker.exposedbydefault=false
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --certificatesresolvers.letsencrypt.acme.email=me@example.com
- --certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme/acme.json
- --certificatesresolvers.letsencrypt.acme.dnsChallenge.provider=cloudflare
- --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
#- --certificatesresolvers.letsencrypt.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
labels:
- traefik.enable=true
- traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_NAME}`)
- traefik.http.routers.traefik.entrypoints=websecure
- traefik.http.routers.traefik.service=api@internal
- traefik.http.routers.traefik.middlewares=admin
- traefik.http.routers.traefik.tls.certresolver=letsencrypt
- traefik.http.routers.traefik.tls.domains[0].main=example.com
- traefik.http.routers.traefik.tls.domains[0].sans=*.example.com
- traefik.http.middlewares.custom.headers.browserXSSFilter=true
- traefik.http.middlewares.custom.headers.contentTypeNosniff=true
- traefik.http.middlewares.custom.headers.forceSTSHeader=true
- traefik.http.middlewares.custom.headers.frameDeny=true
- traefik.http.middlewares.custom.headers.sslredirect=true
- traefik.http.middlewares.custom.headers.stsIncludeSubdomains=true
- traefik.http.middlewares.custom.headers.stsPreload=true
- traefik.http.middlewares.custom.headers.stsSeconds=315360000
- traefik.http.middlewares.admin.basicauth.usersfile=/etc/traefik/config/usersfile
networks:
- reverse_proxy
restart: unless-stopped
volumes:
- ./config:/etc/traefik/config:ro
- ./letsencrypt:/etc/traefik/acme:rw
- ./log:/etc/traefik/log:rw
- /var/run/docker.sock:/var/run/docker.sock:ro
- /etc/localtime:/etc/localtime:ro
secrets:
- cf_key
environment:
- CF_API_KEY=/run/secrets/cf_key
- CF_API_EMAIL=me@example.com
- DOMAIN_NAME=example.com
secrets:
cf_key:
external: true
networks:
default:
driver: bridge
reverse_proxy:
driver: overlay
Portainer yml (using as a test service):
version: "3"
services:
portainer:
container_name: portainer
environment:
- DOMAIN_NAME='example.com'
- TZ='US'
image: portainer/portainer:1.23.2
labels:
- traefik.enable=true
- traefik.http.middlewares.custom.headers.browserXSSFilter=true
- traefik.http.middlewares.custom.headers.contentTypeNosniff=true
- traefik.http.middlewares.custom.headers.forceSTSHeader=true
- traefik.http.middlewares.custom.headers.frameDeny=true
- traefik.http.middlewares.custom.headers.sslredirect=true
- traefik.http.middlewares.custom.headers.stsIncludeSubdomains=true
- traefik.http.middlewares.custom.headers.stsPreload=true
- traefik.http.middlewares.custom.headers.stsSeconds=315360000
- traefik.http.routers.portainer.entrypoints=websecure
- traefik.http.routers.portainer.rule=Host(`portainer.${DOMAIN_NAME}`)
- traefik.http.routers.portainer.tls.certresolver=letsencrypt
networks:
- traefik_reverse_proxy
restart: unless-stopped
volumes:
- /var/run/docker.sock:/var/run/docker.sock
#- ./data:/data
- /path/to/data
volumes:
data:
networks:
traefik_reverse_proxy:
external: true
acme.json
{
"letsencrypt": {
"Account": {
"Email": "me@example.com",
"Registration": {
"body": {
"status": "valid",
"contact": [
"mailto:me@example.com"
]
},
"uri": "https://acme-v02.api.letsencrypt.org/acme/acct/85460202"
},
"PrivateKey": "VALID KEY",
"KeyType": "4096"
},
"Certificates": [
{
"domain": {
"main": "example.com",
"sans": [
"*.example.com"
]
},
"certificate": "VALID CERT",
"key": "VALID KEY",
"Store": "default"
}
]
}
}