Let's Encrypt Rate Limit with Wildcard Domains

Traefik Traefik v2
,
1

Hey traefik community,

Since I am not really sure whether this may a bug or a misunderstanding by me, I am posting my question here in the community:

I have a successful setup with acme-dns (since I host the dns server myself) and traefik to issue wildcard domains. Today, I wanted to change the key type to ECC. I backed my old certificate, changed the static config and restarted traefik. This lead to an acme rate limit error. According to the Let's Encrypt docs, I am allowed to have 5 renewals per week (that I did not use for sure). The traefik logs gave the rate limit error four times. As I have defined four routers with all the same wildcard domain under tls.domains, I believe that traefik asks Let's Encrypt for four certificates instead of one. Is this true and is this because of a misconfiguration by me?

Here is my dynamic configuration:

http:
    routers:
        traefik_router:
            entryPoints:
                - private
            middlewares:
                - redirect_to_tls
            service: traefik_router_50080
            rule: Host(`traefik.example.org`)
            

        traefik_router_tls:
            entryPoints:
                - private_tls
            service: traefik_router_50080
            rule: Host(`traefik.example.org`)
            tls:
                certResolver: lets_encrypt_resolver
                options: tls_options
                domains: 
                    - main: "*.example.org"

        acmedns_router:
            entryPoints:
                - private
            middlewares:
                - redirect_to_tls
            service: acmedns_router_58080
            rule: Host(`acme.example.org`)
            

        acmedns_router_tls:
            entryPoints:
                - private_tls
            service: acmedns_router_58080
            rule: Host(`acme.example.org`)
            tls:
                certResolver: lets_encrypt_resolver
                options: tls_options
                domains: 
                    - main: "*.example.org"

        influxdb_router:
            entryPoints:
                - private
            middlewares:
                - redirect_to_tls
            service: influxdb_router_57080
            rule: Host(`influx.example.org`)
            

        influxdb_router_tls:
            entryPoints:
                - private_tls
            service: influxdb_router_57080
            rule: Host(`influx.example.org`)
            tls:
                certResolver: lets_encrypt_resolver
                options: tls_options
                domains: 
                    - main: "*.example.org"

        web_helloworld_router:
            entryPoints:
                - public
            middlewares:
                - redirect_to_tls
            service: web_helloworld_router_56080
            rule: Host(`www.example.org`)

        web_helloworld_router_tls:
            entryPoints:
                - public_tls
            service: web_helloworld_router_56080
            rule: Host(`www.example.org`)
            tls:
                certResolver: lets_encrypt_resolver
                options: tls_options
                domains: 
                    - main: "*.example.org"


    services:
        traefik_router_50080:
            loadBalancer:
                servers:
                    - url: "http://1.2.3.4:50080"
        acmedns_router_58080:
            loadBalancer:
                servers:
                    - url: "http://1.2.3.4:58080"
        influxdb_router_57080:
            loadBalancer:
                servers:
                    - url: "http://1.2.3.4:57080"
        web_helloworld_router_56080:
            loadBalancer:
                servers:
                    - url: "http://1.2.3.4:56080"

    middlewares:
        redirect_to_tls:
            redirectScheme:
                scheme: "https"
                permanent: true

tls:
    options:
        tls_options:
            minVersion: "VersionTLS12"

Thank you so much for your help!

Best wishes,
Marc

2

I want to extend my question: unfortunately, when restricting the minimum TLS version and defining cipher suites for TLS 1.2 none of the options is applied. When I only define a minimum TLS version, this works absolutely fine:

tls:
    options:
        tls_options:
            minVersion: "VersionTLS12"
            cipherSuites:
                - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
                - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
                - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
3

Hi all!

Sorry for asking again: is there someone around who might help out?

Thanks,
Marc

4

Looks like it should work. How are you testing it ?

As all your routers appear to be using these TLS setting why not set them to default ?

5

Hi and sorry for my very, very late reply. Somehow, I did not receive an email notification. The issue seems to be related to the wildcard domain. A workaround for us was to define the certResolver key only for one router (when we wanted to use it with a wildcard domain) and define for all the other routers only the options and domains parts (when in the domains part an already used wildcard domain was defined)

Neither did I re-test if this was maybe fixed; nor did I try to restrict the cipherSuites when defining TLS 1.2 as minimum protocol version again.