I am trying to figure out how to generate a subdomain certificate alongside my wildcard certificate. The use case for this is that I am utilizing the mailcow-dockerized email server, which uses a traefik cert-dumper to add certificates to emails sent over IMAPS. The problem is that it will not dump the wildcard cert; it wants the mail.mydomain.tld cert specifically. I do not want to use mailcow's built-in LE cert generator because it requires using the HTTP challenge, which doesn't work with my setup. I cannot for the life of me figure out how to generate BOTH mail.mydomain.tld AND *.mydomain.tld. Traefik seems to be refusing to generate any subdomains because the wildcard already exists. To add insult to injury, Traefik also seems to be refusing to generate any kind of staging cert. It will generate an acme.json, but will not actually generate anything in the "Certificates" section of acme.json, so trying to figure out how to do it on my own is becoming very confusing.
traefik.yml

global:
  checkNewVersion: false
  sendAnonymousUsage: false
log:
  level: DEBUG
  format: common
  filePath: /var/log/crowdsec/traefik.log
accesslog:
  format: common
  filePath: /var/log/crowdsec/traefikaccess.log
api:
  dashboard: true
  insecure: true
entryPoints:
  web:
    address: ":80/tcp"
    http:
      redirections:
        entryPoint:
          to: web-secure
          scheme: https
      middlewares:
        - securityHeaders@file
    transport:
      respondingTimeouts:
        readTimeout: 10m
        writeTimeout: 10m
        idleTimeout: 10m
  web-secure:
    address: ":443/tcp"
    http:
      tls:
        certResolver: production
        domains:
          - main: "mail.mydomain.tld"
            sans:
              - "imap.mydomain.tld"
              - "smtp.mydomain.tld"
          - main: "mydomain.tld"
            sans:
              - "*.mydomain.tld"
      middlewares:
        - securityHeaders@file
    transport:
      respondingTimeouts:
        readTimeout: 10m
        writeTimeout: 10m
        idleTimeout: 10m
  smtp:
    address: ":25/tcp"
  smtps:
    address: ":465/tcp"
  submission:
    address: ":587/tcp"
  imap:
    address: ":143/tcp"
  imaps:
    address: ":993/tcp"
  pop3:
    address: ":110/tcp"
  pop3s:
    address: ":995/tcp"
  managesieve:
    address: ":4190/tcp"
certificatesResolvers:
  staging: # THIS IS STAGING
    acme:
      email: admin@mydomain.tld
      storage: /etc/traefik/certs/acme.json
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: desec
        resolvers:
          - "ns1.desec.io:53"
          - "ns2.desec.org:53"
          - "212.227.123.17:53"
          - "212.227.123.18:53"
  production:
    acme:
      email: admin@mydomain.tld
      storage: /etc/traefik/certs/acme.json
      dnsChallenge:
        provider: desec
        resolvers:
          - "ns1.desec.io:53"
          - "ns2.desec.org:53"
          - "212.227.123.17:53"
          - "212.227.123.18:53"
providers:
  file:
    directory: /etc/traefik
    watch: true
serversTransport:
  insecureSkipVerify: true
I have my dynamic config split up by type, so if any of them are relevant I can share those as well; just let me know. The files are
middleswares.yml, routers.yml, services.yml, tls.yml
Thank you so much in advance. If I figure out a solution on my own, I will share it here.
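When debugging a case like the one above (a wildcard has been issued, a per-host certificate has not, and the staging resolver's "Certificates" list stays empty), the first thing to check is what Traefik actually wrote to acme.json, per resolver. The script below is an added example, not code from the original post or from Traefik; it reads the v2 acme.json layout (resolver name at the top level, with "Account" and "Certificates" underneath, each certificate carrying a "domain" with "main" and "sans") and reports, for each hostname you care about, whether any issued certificate covers it and whether that certificate's main name is the host itself. The distinction matters here: `mail.mydomain.tld` is covered by `*.mydomain.tld` for TLS purposes, but a dumper that keys files on the certificate's main name will only find it when a certificate with `main: mail.mydomain.tld` exists. The acme.json content is a constructed sample; the certificate and key fields are placeholders.

```python
"""Inspect a Traefik v2 acme.json and report certificate coverage per resolver.

Added example (not from the original post or from Traefik). The sample
acme.json below is constructed in the layout Traefik v2 writes; "certificate"
and "key" values are placeholders, not real PEM data.
"""
import json

# Constructed sample: "production" holds only the apex + wildcard certificate,
# "staging" has an account but no certificates yet (Traefik writes null).
SAMPLE_ACME_JSON = json.dumps({
    "staging": {
        "Account": {
            "Email": "admin@mydomain.tld",
            "Registration": {"uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/0"},
        },
        "Certificates": None,
    },
    "production": {
        "Account": {
            "Email": "admin@mydomain.tld",
            "Registration": {"uri": "https://acme-v02.api.letsencrypt.org/acme/acct/0"},
        },
        "Certificates": [
            {
                "domain": {"main": "mydomain.tld", "sans": ["*.mydomain.tld"]},
                "certificate": "PLACEHOLDER-BASE64-PEM",
                "key": "PLACEHOLDER-BASE64-PEM",
                "Store": "default",
            }
        ],
    },
})


def host_matches(pattern: str, host: str) -> bool:
    """True if a certificate name covers host.

    A wildcard '*.example.tld' covers exactly one extra label
    (mail.example.tld), not the apex (example.tld) and not deeper names
    (a.b.example.tld); this is the rule TLS clients apply to SANs.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.tld"
        if not host.endswith(suffix):
            return False
        prefix = host[: -len(suffix)]
        return bool(prefix) and "." not in prefix
    return pattern == host


def cert_names(cert: dict) -> list:
    """All names a stored certificate entry claims: main followed by its SANs."""
    dom = cert.get("domain") or {}
    return [dom.get("main", "")] + list(dom.get("sans") or [])


def issued_count(acme_text: str) -> dict:
    """Number of certificates stored under each resolver (null counts as 0)."""
    store = json.loads(acme_text)
    return {name: len(data.get("Certificates") or []) for name, data in store.items()}


def coverage(acme_text: str, wanted: list) -> dict:
    """Map each wanted host to how it is covered, or None if nothing covers it.

    A hit is {"resolver": name, "main": main, "exact_main": bool}; a
    certificate whose main name equals the host wins over a wildcard/SAN hit,
    because per-domain dumpers look the certificate up by its main name.
    """
    store = json.loads(acme_text)
    result = {}
    for host in wanted:
        result[host] = None
        for resolver, data in store.items():
            for cert in data.get("Certificates") or []:
                if not any(host_matches(n, host) for n in cert_names(cert)):
                    continue
                main = cert["domain"]["main"]
                hit = {"resolver": resolver, "main": main,
                       "exact_main": main.lower() == host.lower()}
                if result[host] is None or hit["exact_main"]:
                    result[host] = hit
    return result


if __name__ == "__main__":
    # Point this at /etc/traefik/certs/acme.json on a real host instead.
    print("issued per resolver:", issued_count(SAMPLE_ACME_JSON))
    for host, hit in coverage(SAMPLE_ACME_JSON, ["mail.mydomain.tld", "mydomain.tld"]).items():
        if hit is None:
            print(f"{host}: NOT covered by any issued certificate")
        else:
            how = "own certificate" if hit["exact_main"] else f"SAN/wildcard of {hit['main']}"
            print(f"{host}: covered via {how} (resolver {hit['resolver']})")
```

Run against the sample, `mail.mydomain.tld` shows as covered only through the wildcard and with `exact_main` false, which is exactly the state the dumper complains about, while the staging resolver shows zero issued certificates. Replace `SAMPLE_ACME_JSON` with the contents of the real storage file to get the same report for a live Traefik instance.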