Issue retrieving certs for multiple domain providers

I have multiple domain providers, in my case DuckDNS and Cloudflare. I would like to retrieve certificates for both. In trying to do this, I passed the following flags to my Traefik v2 container:

# DuckDNS
- --entrypoints.websecure.http.tls.certresolver=duckdns
- --entrypoints.websecure.http.tls.domains[0].main=${FQDN}
- --entrypoints.websecure.http.tls.domains[0].sans=*.${FQDN}
- --certificatesresolvers.duckdns.acme.email=${EMAIL}
- --certificatesresolvers.duckdns.acme.storage=/etc/traefik/acme/acme.json
- --certificatesresolvers.duckdns.acme.dnschallenge.provider=duckdns
- --certificatesresolvers.duckdns.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
- --certificatesresolvers.duckdns.acme.dnschallenge.delayBeforeCheck=90

# Cloudflare
- --entrypoints.websecure2.http.tls.certresolver=cloudflare
- --entrypoints.websecure2.http.tls.domains[0].main=${FQDN2}
- --entrypoints.websecure2.http.tls.domains[0].sans=*.${FQDN2}
- --certificatesresolvers.cloudflare.acme.email=${EMAIL}
- --certificatesresolvers.cloudflare.acme.storage=/etc/traefik/acme/acme.json
- --certificatesresolvers.cloudflare.acme.dnschallenge=true
- --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
- --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
- --certificatesresolvers.cloudflare.acme.dnschallenge.delayBeforeCheck=90

Then for environment variables, I set:

- DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
- CF_API_EMAIL=${CF_API_EMAIL}
- CF_API_KEY=${CF_API_KEY}

Now, when I run the container, the only certificate that is retrieved is for my DuckDNS domains, whereas the entries for Cloudflare just have null values.

Example of acme.json:

{
  "cloudflare": {
    "Account": null,
    "Certificates": null
  },
  "duckdns": {
    "Account": {
      "Email": "---REDACTED---",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:---REDACTED---"
          ]
        },
        "uri": "---REDACTED---"
      },
      "PrivateKey": "---REDACTED---",
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "---REDACTED---.duckdns.org",
          "sans": [
            "*.---REDACTED---.duckdns.org"
          ]
        },
        "certificate": "---REDACTED---",
        "key": "---REDACTED---",
        "Store": "default"
      }
    ]
  }
}

How can I retrieve certificates that are valid for multiple domain providers?

Not sure why it didn't work initially, as I can confirm this definitely works when trying to pull in certs for multiple domain providers...

# Entrypoints
- --entryPoints.web.address=:80 # http
- --entryPoints.websecure.address=:443 # https
# DuckDNS
- --entrypoints.websecure.http.tls.certresolver=duckdns # Comment out this line after first run of traefik to force the use of wildcard certs
- --entrypoints.websecure.http.tls.domains[0].main=${FQDN}
- --entrypoints.websecure.http.tls.domains[0].sans=*.${FQDN}
# DuckDNS (Certificate Resolvers)
- --certificatesresolvers.duckdns.acme.email=${EMAIL}
- --certificatesresolvers.duckdns.acme.storage=/etc/traefik/acme/acme.json
- --certificatesresolvers.duckdns.acme.dnschallenge.provider=duckdns
- --certificatesresolvers.duckdns.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
- --certificatesresolvers.duckdns.acme.dnschallenge.delayBeforeCheck=90
# Cloudflare (Comment out the below entries if only using one domain)
- --entrypoints.websecure2.http.tls.certresolver=cloudflare
- --entrypoints.websecure2.http.tls.domains[0].main=${FQDN2}
- --entrypoints.websecure2.http.tls.domains[0].sans=*.${FQDN2}
- --entrypoints.websecure2.http.tls.domains[1].main=${FQDN3}
- --entrypoints.websecure2.http.tls.domains[1].sans=*.${FQDN3}
# Cloudflare (Certificate Resolvers)
- --certificatesresolvers.cloudflare.acme.email=${EMAIL}
- --certificatesresolvers.cloudflare.acme.storage=/etc/traefik/acme/acme.json
- --certificatesresolvers.cloudflare.acme.dnschallenge=true
- --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
- --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
- --certificatesresolvers.cloudflare.acme.dnschallenge.delayBeforeCheck=90

It does leave me with an odd extra entrypoint (websecure2) that doesn't seem like it needs to be there, especially when you consider that even my Cloudflare domains need to route through websecure on port 443.

Can anyone explain if this can be done without creating an additional entrypoint? (see example below)

A Traefik entrypoint is usually associated with an external port. For httpChallenge you need to use port 80, for tlsChallenge you need to use port 443, otherwise it does not work. I think only for dnsChallenge can you use any port.

You should be able to attach a certresolver to a router and get a cert when challenge type and port match.

Further note: wildcard certs are only available through dnsChallenge. If you just want static domains, you can use .rule=Host(`one.example.com`) || Host(`two.example.com`).
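The per-router approach from the reply above, written out as a docker-compose fragment for the two-provider setup in the original question (an added example, not config from either poster): a single websecure entrypoint carries no certresolver itself, and each router picks its own resolver and wildcard domains through labels, so no websecure2 is needed. The service names app-duck and app-cf, the traefik/whoami image, the host ports and the ./acme volume are assumptions; the resolver flags, storage path and provider environment variables are taken from the thread.

```yaml
services:
  traefik:
    image: traefik:v2.10            # assumption: any Traefik v2 release works the same way
    command:
      - --providers.docker=true
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # No --entrypoints.websecure.http.tls.certresolver here: routers choose below.
      # Both resolvers share one acme.json; entries are keyed by resolver name.
      - --certificatesresolvers.duckdns.acme.email=${EMAIL}
      - --certificatesresolvers.duckdns.acme.storage=/etc/traefik/acme/acme.json
      - --certificatesresolvers.duckdns.acme.dnschallenge.provider=duckdns
      - --certificatesresolvers.duckdns.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesresolvers.duckdns.acme.dnschallenge.delayBeforeCheck=90
      - --certificatesresolvers.cloudflare.acme.email=${EMAIL}
      - --certificatesresolvers.cloudflare.acme.storage=/etc/traefik/acme/acme.json
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesresolvers.cloudflare.acme.dnschallenge.delayBeforeCheck=90
    environment:
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_API_KEY=${CF_API_KEY}
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro   # assumption: Docker provider in use
      - ./acme:/etc/traefik/acme                       # assumption: host path for acme.json

  app-duck:                       # hypothetical service published under the DuckDNS name
    image: traefik/whoami
    labels:
      - traefik.http.routers.app-duck.rule=Host(`app.${FQDN}`)
      - traefik.http.routers.app-duck.entrypoints=websecure
      - traefik.http.routers.app-duck.tls.certresolver=duckdns
      - traefik.http.routers.app-duck.tls.domains[0].main=${FQDN}
      - traefik.http.routers.app-duck.tls.domains[0].sans=*.${FQDN}

  app-cf:                         # hypothetical service published under the Cloudflare name
    image: traefik/whoami
    labels:
      - traefik.http.routers.app-cf.rule=Host(`app.${FQDN2}`)
      - traefik.http.routers.app-cf.entrypoints=websecure
      - traefik.http.routers.app-cf.tls.certresolver=cloudflare
      - traefik.http.routers.app-cf.tls.domains[0].main=${FQDN2}
      - traefik.http.routers.app-cf.tls.domains[0].sans=*.${FQDN2}
```

Because both resolvers use dnsChallenge, neither depends on a particular listening port, which is why they can share port 443; after the first run, a resolver whose account or certificate is still null in acme.json indicates that provider's credentials or DNS propagation (delayBeforeCheck) should be checked first.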
