I cannot get a wildcard cert; I don't have access to the main domain.
I want Traefik to generate a Let's Encrypt cert every time a new subdomain name is used, without using a pre-defined list of domains.
I use these in the static config:
[certificatesResolvers]
  [certificatesResolvers.lets-encrypt]
    [certificatesResolvers.lets-encrypt.acme]
      email = "example"
      storage = "example"
      # entryPoint, onDemand and the domains table below are Traefik v1 ACME options;
      # in v2 the resolver only carries email/storage/challenge settings and
      # certificate domains are set per router (tls.domains) or taken from Host().
      entryPoint = "websecure"
      onDemand = true
      [certificatesResolvers.lets-encrypt.acme.domains]
        main = "mysub.example.org"
        sans = ["*.mysub.example.org"]
      [certificatesResolvers.lets-encrypt.acme.tlsChallenge]
And these in my docker-compose:
- traefik.http.routers.example-ui-https.rule=HostRegexp(`shtued.duckdns.org`,`{subhost:[a-zA-Z0-9-]+}.mysub.example.org`)
- traefik.http.routers.example-ui-https.tls.certResolver=lets-encrypt
- traefik.http.routers.example-ui-https.tls.domains[0].main=mysub.example.org
- traefik.http.routers.example-ui-https.tls.domains[0].sans=*.mysub.example.org
In the Traefik logs I see an error:
{"ACME CA":"https://acme-v02.api.letsencrypt.org/directory","error":"unable to generate a wildcard certificate in ACME provider for domain \"mysub.example.org,*.mysub.example.org\" : ACME needs a DNSChallenge","level":"error","msg":"Unable to obtain ACME certificate for domains \"mysub.example.org,*.mysub.example.org\"","providerName":"lets-encrypt.acme","routerName":"example-ui-https@docker","rule":"HostRegexp(`mysub.example.org`,`{subhost:[a-zA-Z0-9-]+}.mysub.example.org`)","time":"2023-01-27T14:19:21+03:00"}
So, how do I change it from making a wildcard to generating individual ones?
Traefik LetsEncrypt will automatically get a certificate for every .rule=Host() domain.

Simple docker-compose.yml example:
version: '3.9'
services:
  traefik:
    image: traefik:v2.9
    ports:
      - published: 80
        target: 80
        protocol: tcp
        mode: host
      - published: 443
        target: 443
        protocol: tcp
        mode: host
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /root/traefik-certificates:/traefik-certificates
    command:
      - --providers.docker=true
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entryPoints.web.address=:80
      - --entryPoints.web.http.redirections.entryPoint.to=websecure
      - --entryPoints.web.http.redirections.entryPoint.scheme=https
      - --entryPoints.websecure.address=:443
      - --entryPoints.websecure.http.tls=true
      # resolver attached to the entrypoint, so every router on it gets a cert for its Host() names
      - --entryPoints.websecure.http.tls.certResolver=myresolver
      - --api.debug=true
      - --api.dashboard=true
      - --log.level=DEBUG
      - --accesslog=true
      - --certificatesResolvers.myresolver.acme.email=mail@example.com
      - --certificatesResolvers.myresolver.acme.tlschallenge=true
      - --certificatesResolvers.myresolver.acme.storage=/traefik-certificates/acme.json
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.entrypoints=websecure
      - traefik.http.routers.mydashboard.rule=Host(`traefik.example.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      # "$" is doubled because docker-compose interpolates "$apr1" as a variable otherwise
      - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/

  whoami:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.entrypoints=websecure
      - traefik.http.routers.mywhoami.rule=Host(`example.com`) || Host(`www.example.com`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80

networks:
  proxy:
    name: proxy
This will automatically generate two certificates:
- traefik.example.com
- example.com and www.example.com
Summary:
- create a certresolver (without any domains)
- assign the certresolver to the entrypoint or to the router directly (without any TLS domain)
- use .rule=Host(`example.com`)
My issue is that it tries to make wildcard domains in many different situations where I don't want it to.
For example here:
Also, I would like to have a service on a domain specified by a regexp, with domain generation on demand.
Like, I accept all connections on *.vault.mydomain.org and generate a cert when I get a connection on fasfsdalf.vault.mydomain.org.
For a LetsEncrypt wildcard cert, you need to use DNSChallenge with your DNS provider.
If you have a defined set of sub-domains, then you can use Host() with the other challenges.
I have this setup and it tries to make a wildcard cert, as shown in my previous message.
Can you please read the docs and/or check the forum for a working example.
A wildcard can only be a subdomain and it only works with DNSChallenge, you have TLSChallenge in your config.
Yes, I have read the docs, and understand that.
The issue is that I want to make Traefik just generate every certificate separately instead of it trying to make a wildcard one and failing.
You can easily do that. Use one or multiple Host() for every router rule. Remove all the main and sans.
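An added example (not from this thread and not Traefik's own documentation) putting the two answers above together for the asker's domain: the resolver is attached to the entrypoint, the TLS-ALPN-01 challenge stays, there is no tls.domains on any router, and every name is spelled out with Host(). The service names, the subdomains a/b/c.mysub.example.org, the e-mail address and the acme.json path are assumptions; the whoami image is a stand-in for the real service.

```yaml
# Added example, not the thread's or Traefik's own code.
# Assumed: service names "vault"/"other", subdomains a/b/c.mysub.example.org,
# admin@example.org, ./acme.json. No wildcard anywhere: Let's Encrypt issues
# "*." names only through DNS-01, while tlschallenge (TLS-ALPN-01) validates
# each hostname on port 443 individually.
version: '3.9'
services:
  traefik:
    image: traefik:v2.9
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # acme.json holds the account and certificate private keys. Traefik
      # rejects it if the mode is wider than 600: create it with
      #   touch acme.json && chmod 600 acme.json
      - ./acme.json:/acme.json
    command:
      - --providers.docker=true
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entryPoints.web.address=:80
      - --entryPoints.web.http.redirections.entryPoint.to=websecure
      - --entryPoints.web.http.redirections.entryPoint.scheme=https
      - --entryPoints.websecure.address=:443
      - --entryPoints.websecure.http.tls=true
      # Resolver on the entrypoint: every router on it that has no explicit
      # tls.domains gets a certificate for exactly the names in its Host() rule.
      - --entryPoints.websecure.http.tls.certResolver=lets-encrypt
      - --certificatesResolvers.lets-encrypt.acme.email=admin@example.org
      - --certificatesResolvers.lets-encrypt.acme.storage=/acme.json
      # TLS-ALPN-01: port 443 must be reachable from the internet, no DNS API needed.
      - --certificatesResolvers.lets-encrypt.acme.tlschallenge=true

  vault:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.vault.entrypoints=websecure
      # One router with two names => ONE certificate carrying both as SANs.
      - traefik.http.routers.vault.rule=Host(`a.mysub.example.org`) || Host(`b.mysub.example.org`)
      - traefik.http.services.vault.loadbalancer.server.port=80
      # Deliberately no traefik.http.routers.vault.tls.domains[0].main / .sans:
      # with the resolver on the entrypoint they are unnecessary, and a
      # "*.mysub.example.org" SAN is what forced the wildcard order that failed
      # with "ACME needs a DNSChallenge".

  other:
    image: traefik/whoami:v1.8
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.other.entrypoints=websecure
      # Separate router => a SEPARATE certificate (its own ACME order).
      - traefik.http.routers.other.rule=Host(`c.mysub.example.org`)
      - traefik.http.services.other.loadbalancer.server.port=80

networks:
  proxy:
    name: proxy
```

Two caveats worth checking after `docker compose up`. First, a HostRegexp() rule gives Traefik no hostnames to put in an ACME order, so such a router only ever uses its tls.domains list; that is why the asker's wildcard SAN ended up in the order, and why this example uses Host() only. Second, verify what was actually issued rather than reading the log: `openssl s_client -connect a.mysub.example.org:443 -servername a.mysub.example.org </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName` should list a. and b. as SANs, and the same command against c.mysub.example.org should return a different certificate with only that name.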