Since Traefik v2, I can't figure out how to configure two routers using the same wildcard letsencrypt certificate with DNS challenge.
Resolver part of static configuration
[certificatesResolvers.le-dns.acme]
email = "me@example.com"
storage = "acme.json"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
[certificatesResolvers.le-dns.acme.dnschallenge]
provider= "linodev4"
Routers in dynamic configuration
[http.routers.gitsecure]
rule = "Host(`git.example.com`)"
service = "git"
entryPoints = ["websecure"]
[http.routers.gitsecure.tls]
certResolver = "le-dns"
[[http.routers.gitsecure.tls.domains]]
main = "example.com"
sans = ["*.example.com"]
[http.routers.dockerregistry]
rule = "Host(`registry.example.com`)"
service = "dockerregistry"
entryPoints = ["dockerregistry"]
[http.routers.dockerregistry.tls]
certResolver = "le-dns"
[[http.routers.dockerregistry.tls.domains]]
main = "example.com"
sans = ["*.example.com"]
Since Traefik v2, tls configuration is made at the router level. Configuring just one works flawlessly. The problem arises when we try to configure two or more, as in the above example.
What are we doing wrong? We tried sans parameter including only the router's subdomain instead of the asterisk. Another thing we tried is replicating both domains like this ["registry.example.com", "git.example.com"] in both of them. None of these configs has ended up making the website work in HTTPS. We end up having bad certificate errors in browsers.
Most of the time, we find of logs similar as these:
level=debug msg="No ACME certificate generation required for domains [\"example.com\" \"registry.example.com\" \"git.example.com\"]." providerName=le-dns.acme
level=debug msg="http: TLS handshake error from xx.xx.xx.xx:40616: remote error: tls: unknown certificate authority"
Can somebody help us configuring two routers with the same wildcard certificate issuded by one DNS challenge?
Thank you very much!