Let's Encrypt for multiple subdomains

Please explain this to me, I'm so confused.
Here is my Traefik Docker Compose file:

version: "3.8"

services:

  traefik:
    image: "traefik:v3.0"
    container_name: "traefik"
    restart: always
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=proxynet"
      #- "--providers.file.directory=/etc/traefik/dynamic"
      - "--providers.file.watch=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--accesslog=true"
      - "--accesslog.filepath=/access.log"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entryPoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.certresolver=myresolver"
      - "--entrypoints.websecure.http.tls.domains[0].main=example.dev"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.example.dev"
      - "--certificatesresolvers.myresolver.acme.email=example@gmail.com"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"

    networks:
      - proxynet
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`traefik.example.dev`) || Host(`example.dev`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.tls.certresolver=myresolver"
      - "traefik.http.routers.api.entrypoints=websecure"

  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"
      - "traefik.http.routers.whoami.rule=Host(`work.mqhamdam.pro`) || Host(`whoami.example.dev`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
      # - "traefik.http.routers.whoami.tls=true"
    networks:
      - proxynet
    volumes:
      - "./whoami_letsencrypt:/letsencrypt"

networks:

  proxynet:
    external: true

I can access traefik.example.dev and example.dev, but when I go to whoami.example.dev I see

NET::ERR_CERT_AUTHORITY_INVALID
Subject: TRAEFIK DEFAULT CERT

Issuer: TRAEFIK DEFAULT CERT

Expires on: 2025. 3. 12.

Current date: 2024. 3. 12.

What is wrong? I thought Let's Encrypt would dynamically generate all certificates based on the route hostname.

is used when you want to use custom TLS certs loaded from dynamic config file, it’s not necessary for LetsEncrypt.

A certresolver can be assigned globally on an entrypoint or on each router; I prefer the first solution, see the simple Traefik example.

A regular certresolver using tlsChallenge will use the domains from Host(); no main/sans necessary. But all domains need to exist and point to your Traefik instance. Port 443 needs to be used for HTTPS.

If you want to create wildcards, then use main/sans and dnsChallenge, which usually requires some extra ENV configuration.

I recommend cleaning up your config, checking the domains in DNS for correct IPs (ping), and also checking the Traefik log for "error" and "acme".
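A cleaned-up Compose file that follows the advice in this answer, added here as an illustration; it is neither the answer's own "simple Traefik example" nor the original poster's config. It keeps the poster's domain names, resolver name and e-mail address, assigns the certresolver once on the websecure entrypoint, relies on tlsChallenge with the domains taken from each router's Host() rule, and leaves main/sans out. The commented-out wildcard section shows where dnsChallenge would go; the DNS provider name there is a placeholder, and the provider-specific ENV variables it needs are not shown. The insecure API on port 8080 is omitted; the dashboard is instead served through a normal HTTPS router that should still be protected by an auth middleware (not shown).

```yaml
services:
  traefik:
    image: "traefik:v3.0"
    container_name: "traefik"
    restart: always
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=proxynet"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      # One global certresolver: every router on websecure gets a Let's Encrypt
      # certificate for the domains in its Host() rule, no per-router label needed.
      - "--entrypoints.websecure.http.tls.certresolver=myresolver"
      - "--certificatesresolvers.myresolver.acme.email=example@gmail.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      # TLS-ALPN-01 challenge: port 443 must be reachable from the internet and
      # every Host() domain must already resolve to this server.
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      # Wildcard alternative (cannot be combined with tlschallenge for *.example.dev):
      # - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      # - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=<your-dns-provider>"  # placeholder
      # - "--entrypoints.websecure.http.tls.domains[0].main=example.dev"
      # - "--entrypoints.websecure.http.tls.domains[0].sans=*.example.dev"
      - "--api.dashboard=true"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
    networks:
      - proxynet
    labels:
      - "traefik.enable=true"
      # Dashboard over HTTPS instead of api.insecure on 8080; add an auth
      # middleware to this router before exposing it publicly.
      - "traefik.http.routers.api.rule=Host(`traefik.example.dev`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.entrypoints=websecure"

  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    restart: always
    labels:
      - "traefik.enable=true"
      # Only rule, entrypoint and port are needed; the entrypoint-level
      # certresolver issues the certificate for whoami.example.dev.
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.dev`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
    networks:
      - proxynet

networks:
  proxynet:
    external: true
```

Two practical notes: Traefik refuses to use an acme.json whose permissions are wider than 600, so create ./letsencrypt/acme.json with that mode before the first start; and a "TRAEFIK DEFAULT CERT" on a hostname, as in the question, means issuance for that hostname failed or was never attempted, so the "acme" lines in the Traefik log at DEBUG level are the first place to look.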

Thanks a lot!!!
I just copy-pasted your example and changed the domain names and ACME-related parameters.
It is working now; even adding new Docker containers doesn't cause any problem.

But... I really don't understand what the problem was. Was it because I had added tls=true?

No, that doesn’t cause problems, just makes config a bit more bloated.

You would need to look into your old logs, maybe because you used main/sans with a wildcard with tlsChallenge.

I don't think main/sans caused the problem. The problem was there even before I included them.
Anyway, thanks, you saved my time!
