How to force Traefik to combine domains in one single certificate

R-VdP · December 2, 2021, 10:31am

I am currently managing about a 100 servers, each having multiple websites hosted as containers behind Traefik.

I noticed that when we add a second domain to a website for which Traefik already has a certificate, Traefik will keep the certificate that it already had and generate a new one for the newly added domain, resulting in two certificates for that website.

I would however like for these domains to always be combined in a single certificate, and I would like for Traefik in this situation to generate a single new certificate containing both domain names, and to discard the old certificate which does not contain the new domain name.

Is there any way to do this?

jakubhajek · December 2, 2021, 1:06pm

Hello @R-VdP

Thank you for using Traefik.

Have you tried to use SANS feature according to that example?

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: blogtls
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`example.com`) && Path(`/blog`)
    kind: Rule
    services:
    - name: blog
      port: 8080
  tls:
    certResolver: myresolver
    domains:
    - main: example.org
      sans:
      - '*.example.org'

https://doc.traefik.io/traefik/https/acme/

R-VdP · December 2, 2021, 2:59pm

Thank you for your response, @jakubhajek !

I am using docker-compose, the labels on my containers look as follows:

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.my_router.rule=Host(`example.org`)"
  - "traefik.http.routers.my_router.tls.domains[0].main=example.org"
  - "traefik.http.routers.my_router.tls.domains[0].sans=subdomain.example.org"
  - "traefik.http.routers.my_router.tls.certresolver=letsencrypt_dns"

I do not have any particular configuration regarding TLS or ACME, besides the definition of the letsencrypt_dns resolver:

certificatesresolvers:
  letsencrypt_dns:
    acme:
      dnsChallenge:
        provider: XXX
        resolvers:
          - "9.9.9.9:53"
          - "8.8.8.8:53"
          - "1.1.1.1:53"
      email: foo@example.org
      keyType: EC256
      storage: "/letsencrypt/acme.json"

Topic		Replies	Views
How to force traefik to generate certificate for a domain? Traefik v2 (latest) docker , letsencrypt-acme , cli	4	566	September 20, 2023
Multiple letsencrypt wildcard certificates on a single Traefik instance using Cloudflare Traefik v2 (latest) letsencrypt-acme	2	1504	February 28, 2021
One Traefik for multiple domains and subdomains with different poviders possible? Traefik v2 (latest) letsencrypt-acme	2	638	April 7, 2023
2 Certificates for 2 Subdomains of Same Container, Traefik v2 (latest) letsencrypt-acme	2	541	November 8, 2021
Multiple wildcard certificates in a single Traefik container Traefik v2 (latest) docker , letsencrypt-acme	0	927	January 30, 2022

How to force Traefik to combine domains in one single certificate

Related Topics