How to force traefik to generate certificate for a domain?

I am intending to generate multiple wildcard certificates using cloudflare dnschallenge for multiple domains. For instance -

Certificate1 - example.com & *.example.com
Certificate2 - adguard.example.com & *.adguard.example.com

Pointing out the most relevant section from the docker compose

 - "--entrypoints.websecure.http.tls.domains[0].main=example.com"
 - "--entrypoints.websecure.http.tls.domains[0].sans=*.example.com"
 - "--entrypoints.websecure.http.tls.domains[1].main=adguard.example.com"
 - "--entrypoints.websecure.http.tls.domains[1].sans=*.adguard.example.com"

The first certificate is generated perfectly fine but the issue is that while generating the second certificate, it outputs the following in logs

Domain "adguard.example.com" is duplicated in the configuration or validated by the domain {example.com [*.example.com]}. It will be processed once

As a result of this, adguard.example.com is not processed in the second certificate and this cert only remains valid for *.adguard.example.com. Is there any way to force traefik to process this domain in spite of it being covered by an earlier certificate?

docker-compose - https://pastebin.com/raw/GGAAwXBj
Traefik version 3.0.0-beta3
Ubuntu 22.04

It seems Traefik and le-go are "smart" and won’t create overlapping certs.

Do you need sans=*.example.com? main=adguard.example.com would be covering it.

After further testing, it doesn't seem possible to create certificates that overlap with each other. The only way out I found was to create a single domain with sans covering everything required:

- "--entrypoints.websecure.http.tls.domains[0].main=example.com"
- "--entrypoints.websecure.http.tls.domains[0].sans=*.example.com,*.adguard.example.com"
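To see why the merged list works and the original two-entry list does not, it helps to check which hostnames each SAN set actually covers. The following is an added example, not code from the question or from Traefik; it is written in Go because Traefik itself is Go, and it uses the hostname-matching rule of the standard library's crypto/x509 (a wildcard matches exactly one label and never the apex). It is an assumption that Traefik's "validated by the domain" overlap check follows the same rule; the log line quoted above is consistent with it. The self-signed certificate is a throwaway built only so that VerifyHostname has something to match against; the domain names are the ones from the question.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed certificate whose SAN list is
// names. Only DNSNames matter for this check; the key and issuer are dummies
// (assumption: this cert is never presented to any client).
func selfSigned(names []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Covers reports, for each host, whether a certificate carrying exactly the
// given SANs would be accepted for it by Go's hostname matcher
// (crypto/x509: one label per wildcard, "*.example.com" does not match
// "example.com" and does not match "dns.adguard.example.com").
func Covers(sans []string, hosts []string) (map[string]bool, error) {
	cert, err := selfSigned(sans)
	if err != nil {
		return nil, err
	}
	out := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		out[h] = cert.VerifyHostname(h) == nil
	}
	return out, nil
}

func main() {
	// Hostnames a practitioner would care about for the setup in the question.
	hosts := []string{
		"example.com",
		"adguard.example.com",
		"dns.adguard.example.com",
		"a.b.adguard.example.com", // two labels below the wildcard: never covered
	}
	cases := []struct {
		label string
		sans  []string
	}{
		{"domains[0] from the question", []string{"example.com", "*.example.com"}},
		{"domains[1] as issued (main dropped as duplicate)", []string{"*.adguard.example.com"}},
		{"merged workaround", []string{"example.com", "*.example.com", "*.adguard.example.com"}},
	}
	for _, c := range cases {
		res, err := Covers(c.sans, hosts)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("%s: SANs %v\n", c.label, c.sans)
		for _, h := range hosts {
			fmt.Printf("  %-26s covered=%v\n", h, res[h])
		}
	}
}
```

Run it with `go run main.go`. The first case shows that adguard.example.com is already matched by *.example.com, which is what the "validated by the domain {example.com [*.example.com]}" message is saying; the second case shows that a certificate holding only *.adguard.example.com does not cover adguard.example.com at all, which is the gap the question describes; the merged case covers every name except the two-label-deep one, which no single wildcard can cover.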

If you want this really bad, you can of course create your own LE certificates outside of Traefik, for example with certbot.

Certbot needs to know about the domains; you can use existing or additional labels, get the data from the Traefik API, or read it directly from the Docker socket.

Then you need to run certbot and create the certs, and finally provide them to Traefik either as a file for providers.file or as a web service for providers.http.

I built a proof-of-concept to create a LE solution for clustered Traefik.
