Generate subdomain certificate alongside wildcard certificate?

I am trying to figure out how to generate a subdomain certificate alongside my wildcard certificate. The use case for this is that I am utilizing the mailcow-dockerized email server, which uses a traefik cert-dumper to add certificates to emails sent over IMAPS. The problem is that it will not dump the wildcard cert; it wants the mail.mydomain.tld cert specifically. I do not want to use mailcow's built-in LE cert generator because it requires using the http auth, which doesn't work with my setup. I cannot for the life of me figure out how to generate BOTH mail.mydomain.tld AND *.mydomain.tld. Traefik seems to be refusing to generate any subdomains because the wildcard already exists. To add insult to injury, Traefik also seems to be refusing to generate any kind of staging cert. It will generate an acme.json, but will not actually generate anything in the "Certificate" section of acme.json, so trying to figure out how to do it on my own is becoming very confusing.

traefik.yml

global:
  checkNewVersion: false
  sendAnonymousUsage: false

log:
  level: DEBUG
  format: common
  filePath: /var/log/crowdsec/traefik.log

accesslog:
  format: common
  filePath: /var/log/crowdsec/traefikaccess.log

api:
  dashboard: true
  insecure: true

entryPoints:
  web:
    address: ":80/tcp"
    http:
      redirections:
        entryPoint:
          to: web-secure
          scheme: https
      middlewares:
        - securityHeaders@file
    transport:
      respondingTimeouts:
        readTimeout: 10m
        writeTimeout: 10m
        idleTimeout: 10m

  web-secure:
    address: ":443/tcp"
    http:
      tls:
        certResolver: production
        domains:
          - main: "mail.mydomain.tld"
            sans:
              - "imap.mydomain.tld"
              - "smtp.mydomain.tld"
          - main: "mydomain.tld"
            sans:
              - "*.mydomain.tld"
      middlewares:
        - securityHeaders@file
    transport:
      respondingTimeouts:
        readTimeout: 10m
        writeTimeout: 10m
        idleTimeout: 10m
        
  smtp:
    address: ":25/tcp"
  smtps:
    address: ":465/tcp"
  submission:
    address: ":587/tcp"
  imap:
    address: ":143/tcp"
  imaps:
    address: ":993/tcp"
  pop3:
    address: ":110/tcp"
  pop3s:
    address: ":995/tcp"
  managesieve:
    address: ":4190/tcp"

certificatesResolvers:
  staging: #THIS IS STAGING 
    acme:
      email: admin@mydomain.tld
      storage: /etc/traefik/certs/acme.json
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: desec
        resolvers:
          - "ns1.desec.io:53"
          - "ns2.desec.org:53"
          - "212.227.123.17:53"
          - "212.227.123.18:53"
  production:
    acme:
      email: admin@mydomain.tld
      storage: /etc/traefik/certs/acme.json
      dnsChallenge:
        provider: desec
        resolvers:
          - "ns1.desec.io:53"
          - "ns2.desec.org:53"
          - "212.227.123.17:53"
          - "212.227.123.18:53"

providers:
  file:
    directory: /etc/traefik
    watch: true

serversTransport:
  insecureSkipVerify: true

I have my dynamic config split up by type so if any of them are relevant I can also share those as well, just let me know. The files are

middleswares.yml, routers.yml, services.yml, tls.yml

Thank you so much in advance. If I figure out a solution on my own I will share it here

If a wildcard TLS cert for the sub-domain already exists, then no individual sub-domain will be created by Traefik.

You can generate TLS certs manually, for example with go-acme lego (library used by Traefik) or certbot.
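As an added example (not code from Traefik, mailcow, or the poster), the script below models the decision the reply describes: Traefik looks at the certificates already stored in acme.json and, if an existing certificate (wildcards included) covers every name in a `domains:` entry, it issues nothing, which is why an exact mail.mydomain.tld certificate never appears next to a *.mydomain.tld one. It also shows what a dumper keyed on the literal name finds in that situation. The acme.json layout (resolver name -> Account/Certificates with base64-encoded PEM) follows Traefik v2's storage file; the wildcard rule is a simplified model of Traefik's matching (one label only, so *.mydomain.tld covers mail.mydomain.tld but not mydomain.tld or a.b.mydomain.tld); the certificate and key contents are constructed placeholders, not real key material.

```python
import base64
import json


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample acme.json in Traefik v2 layout: only the wildcard cert has been issued.
# "certificate" and "key" are base64 of placeholder PEM text, not real keys.
SAMPLE_ACME_JSON = json.dumps({
    "production": {
        "Account": {"Email": "admin@mydomain.tld", "Registration": {}, "PrivateKey": "", "KeyType": "4096"},
        "Certificates": [
            {
                "domain": {"main": "mydomain.tld", "sans": ["*.mydomain.tld"]},
                "certificate": _b64("-----BEGIN CERTIFICATE-----\nWILDCARD-PLACEHOLDER\n-----END CERTIFICATE-----\n"),
                "key": _b64("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"),
                "Store": "default",
            }
        ],
    }
})

# The two `domains:` entries from the poster's web-secure entrypoint.
REQUESTED_ENTRIES = [
    {"main": "mail.mydomain.tld", "sans": ["imap.mydomain.tld", "smtp.mydomain.tld"]},
    {"main": "mydomain.tld", "sans": ["*.mydomain.tld"]},
]


def load_certs(acme_json_text: str, resolver: str) -> list:
    """Certificates stored under one certResolver name in acme.json."""
    return json.loads(acme_json_text).get(resolver, {}).get("Certificates") or []


def cert_names(cert: dict) -> list:
    return [cert["domain"]["main"], *cert["domain"].get("sans", [])]


def match_domain(name: str, pattern: str) -> bool:
    """Exact match, or a single-label wildcard: *.x covers a.x, not x itself or a.b.x."""
    if name == pattern:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".mydomain.tld"
        return name.endswith(suffix) and "." not in name[: -len(suffix)]
    return False


def covered_by(certs: list, wanted: str):
    """The stored cert whose names cover `wanted` (wildcards count), or None."""
    for cert in certs:
        if any(match_domain(wanted, n) for n in cert_names(cert)):
            return cert
    return None


def find_exact(certs: list, wanted: str):
    """What a dumper keyed on the literal hostname needs: a cert whose main name is exactly `wanted`."""
    for cert in certs:
        if cert["domain"]["main"] == wanted:
            return cert
    return None


def uncovered_domains(certs: list, entry: dict) -> list:
    """Names in a `domains:` entry that no stored cert covers, i.e. what would trigger issuance."""
    return [d for d in [entry["main"], *entry.get("sans", [])] if covered_by(certs, d) is None]


def issuance_plan(certs: list, entries: list) -> dict:
    """Map each entry's main name to the list of names still needing a certificate ([] = nothing to do)."""
    return {entry["main"]: uncovered_domains(certs, entry) for entry in entries}


def dump_pem(cert: dict):
    """Decode the base64 PEM blobs the way a cert-dumper would before writing them to disk."""
    return base64.b64decode(cert["certificate"]).decode(), base64.b64decode(cert["key"]).decode()


if __name__ == "__main__":
    certs = load_certs(SAMPLE_ACME_JSON, "production")
    print("issuance plan:", issuance_plan(certs, REQUESTED_ENTRIES))
    print("exact mail cert present:", find_exact(certs, "mail.mydomain.tld") is not None)
    print("mail covered by:", cert_names(covered_by(certs, "mail.mydomain.tld")))
```

Run as-is and the plan for the mail/imap/smtp entry comes back empty while no exact mail.mydomain.tld certificate exists: the wildcard satisfies Traefik's coverage check, so the dumper has nothing to pick up. To see the opposite case, add a second entry to `SAMPLE_ACME_JSON["production"]["Certificates"]` with `"main": "mail.mydomain.tld"` and `find_exact` returns it.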

If I were to temporarily set up my traefik in a way where I only have the mail cert generate, and then re-enable the wildcard cert, would traefik auto-renew both the mail and the wildcard or only the wildcard? I would ideally like to have traefik handle all of the cert stuff for me.

So I'm now trying to do what I stated in my previous comment, but now Traefik is just... not generating certificates at all. It won't even give me any information without debug logging turned on, and it's giving me a very vague message at that:

No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["mail.mydomain.tld","imap.mydomain.tld","smtp.mydomain.tld"] providerName=production.acme

I moved my acme.json to a separate directory to test this, so I am 99.9999% sure it is not picking up the previous wildcard cert, unless it is checking with LE to see if there is an active wildcard cert instead of checking the acme.json file.

I think it was discussed here recently that Traefik will not remove old "unused" certs, so your approach might work initially; I am not sure if it also refreshes the old certs.

Change certificatesDuration to be able to test quickly (doc).