How to serve a certificate for a subdomain (own certificate)

Hello,

I'm looking for a way to serve a certificate for my subdomains *.example.com.
I have my own certificate configured like this in a traefik-config.toml:


# Static wildcard certificate handed to Traefik through the file provider.
# Both paths are container paths: they have to line up with whatever volume
# is mounted at /certificates in the Traefik service.
tls.certificates = [
  { certFile = "/certificates/crt/wildcard.xxx-com.crt", keyFile = "/certificates/key/private.xxx.key" },
]

I tried adding these options to my Traefik configuration, but it doesn't work:

  # NOTE(review): in Traefik v2 the entrypoint `tls.domains` list is consumed by
  # ACME certificate resolvers; a certificate supplied through the file provider
  # is selected at handshake time by SNI match against its SANs, so these two
  # entries are not what picks the wildcard certificate — confirm against the
  # v2.4 entrypoint docs.
  - --entrypoints.https.http.tls.domains[0].main=example.com
  - --entrypoints.https.http.tls.domains[0].sans=*.example.com

Here is my full configuration:

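version: '3.8'

services:
  traefik:
    # Use the latest v2.4.x Traefik image available
    image: traefik:v2.4

    ports:
      # Mappings are quoted so a YAML 1.1 parser never reads "host:container"
      # as a sexagesimal number.
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - "80:80"
      # Listen on port 443, default for HTTPS
      - "443:443"
      # Listen on port 5672, default for Rabbit. Nothing in this file routes
      # on the matching "rabbit" entrypoint yet; other stacks are expected to.
      - "5672:5672"

    # https://docs.docker.com/compose/compose-file/compose-file-v3/#deploy
    deploy:
      replicas: 1
      placement:
        max_replicas_per_node: 1
        constraints:
          # Traefik must be on a manager node due to access to swarm api (socket proxy can bypass but for our use case it's useless)
          - node.role == manager
      update_config:
        order: start-first
        failure_action: rollback
        delay: 10s
      rollback_config:
        order: stop-first
      restart_policy:
        condition: any
        delay: 5s
        max_attempts: 3
        window: 120s
      labels:
        # Enable Traefik for this service, to make it available in the public network
        - traefik.enable=true
        # Use the traefik-public network (declared below); this is the real
        # network name, the same value the "networks" section resolves to
        - traefik.docker.network=${TRAEFIK_PUBLIC_NETWORK_NAME}
        # Use the custom label "traefik.constraint-label=traefik-public"
        # This public Traefik will only use services with this label
        # That way you can add other internal Traefik instances per stack if needed
        - traefik.constraint-label=traefik-public
        # admin-auth middleware with HTTP Basic auth
        # Using the environment variables USERNAME and HASHED_PASSWORD
        # (the "?Variable not set" guard makes deployment fail loudly instead
        # of silently configuring an empty credential)
        - traefik.http.middlewares.admin-auth.basicauth.users=${TRAEFIK_USERNAME?Variable not set}:${TRAEFIK_HASHED_PASSWORD?Variable not set}
        # https-redirect middleware to redirect HTTP to HTTPS
        # It can be re-used by other stacks in other Docker Compose files
        - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
        # traefik-http set up only to use the middleware to redirect to https
        # Uses the environment variable DOMAIN
        - traefik.http.routers.traefik-public-http.rule=Host(`${TRAEFIK_DOMAIN?Variable not set}`)
        - traefik.http.routers.traefik-public-http.entrypoints=http
        - traefik.http.routers.traefik-public-http.middlewares=https-redirect
        # traefik-https the actual router using HTTPS
        # Uses the environment variable DOMAIN. This router matches only that
        # exact host; routers for *.example.com services live in their own stacks.
        - traefik.http.routers.traefik-public-https.rule=Host(`${TRAEFIK_DOMAIN?Variable not set}`)
        - traefik.http.routers.traefik-public-https.entrypoints=https
        - traefik.http.routers.traefik-public-https.tls=true
        # Use the special Traefik service api@internal with the web UI/Dashboard
        - traefik.http.routers.traefik-public-https.service=api@internal
        # Enable HTTP Basic auth, using the middleware created above
        - traefik.http.routers.traefik-public-https.middlewares=admin-auth
        # Define the port inside of the Docker service to use
        - traefik.http.services.traefik-public.loadbalancer.server.port=8080

    volumes:
      # Add Docker as a mounted volume, so that Traefik can read the labels of other services.
      # Even read-only, the socket lets the container drive the engine on the
      # manager node, so the dashboard must stay behind admin-auth.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Mount the volume to store the certificates; the TOML file refers to
      # them as /certificates/..., i.e. relative to this mount point
      - /etc/ssl/d3t:/certificates:ro
      # Mount the wildcard certificates config. The bind source has to exist on
      # the manager node the task lands on, and the name must match the one
      # passed to --providers.file.filename below (the post calls the file
      # traefik-config.toml; here it is traefik.config.toml).
      - ./traefik.config.toml:/etc/traefik/traefik.config.toml:ro

    command:
      # Enable Docker in Traefik, so that it reads labels from Docker services
      - --providers.docker
      # Add a constraint to only use services with the label "traefik.constraint-label=traefik-public"
      - --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`)
      # Do not expose all Docker services, only the ones explicitly exposed
      - --providers.docker.exposedbydefault=false
      # Enable Docker Swarm mode
      - --providers.docker.swarmmode
      # Create an entrypoint "http" listening on port 80
      - --entrypoints.http.address=:80
      # Create an entrypoint "https" listening on port 443
      - --entrypoints.https.address=:443
      # Create an entrypoint "rabbit" listening on port 5672
      - --entrypoints.rabbit.address=:5672
      # Wildcard certificate config: the certificates listed in the TOML file are
      # loaded by the file provider and chosen at handshake time by SNI match
      # against their SANs, so no per-entrypoint domain list is needed for them.
      - --providers.file.filename=/etc/traefik/traefik.config.toml
      # Make TLS the default for routers on the "https" entrypoint. The former
      # `tls.domains[0].main/sans` entries were dropped: in Traefik v2 that list
      # is consumed by ACME certificate resolvers and does not select a
      # certificate supplied through the file provider (confirm against the
      # v2.4 entrypoint docs).
      - --entrypoints.https.http.tls=true
      # Watch changes on config
      - --providers.file.watch=true
      # Enable the access log, with HTTP requests
      - --accesslog
      # Enable the Traefik log, for configurations and errors.
      # DEBUG is verbose and records request details; lower it to INFO or WARN
      # once the certificate issue is sorted out.
      - --log.level=DEBUG
      # Enable the Dashboard and API. It is reachable only through the
      # admin-auth protected router above; do not add --api.insecure.
      - --api

    networks:
      # Use the public network created to be shared between Traefik and
      # any other service that needs to be publicly available with HTTPS.
      # This is the local key declared under "networks" below, not the real name.
      - traefik-public

networks:
  # Use the previously created public network "${TRAEFIK_PUBLIC_NETWORK_NAME}", shared with other
  # services that need to be publicly available via this Traefik.
  # Compose substitutes ${VAR} in values, not in mapping keys, so the network
  # gets a literal local key and its real name is set through "name".
  traefik-public:
    name: ${TRAEFIK_PUBLIC_NETWORK_NAME}
    external: true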

Thanks for your help.