I put this on Reddit before realising there was an official community:
I'm trying to learn and understand Traefik but, I'm failing with TLS certs.
The question is - What is the correct way to simply have two separate wildcard certs assigned through Letsencrypt, registered on Traefik so that I can easily add minimal labels to new containers with the host and entrypoint and just get them to work?
For those interested, some background and what I have tried:
I have 2 subdomains and 2 wildcards as sans set: 1.foo. com, *.1.foo. com, 2.bar .com, *.2.bar.com
I set the following commands:
- "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare" - "--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0" - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
and I added the following labels to the Traefik compose file:
- "traefik.http.routers.traefik.tls=true" - "traefik.http.routers.traefik.tls.certresolver=myresolver" - "traefik.http.routers.traefik.tls.domains.main=1.foo.com" - "traefik.http.routers.traefik.tls.domains.sans=*.1.foo.com" - "traefik.http.routers.traefik.service=api@internal" - "traefik.http.routers.traefik.rule=Host(`traefik.1.foo.com`)" - "traefik.http.routers.traefik.entrypoints=web-secure"
Now, this appears to work - Traefik gets the wildcard certificate and binds it fine.
I can then create extra routers from my containers at will by adding a new named router as long as the host is on anything.1.foo .com and it appears to work fine.
Now, I decided I want to add bar.com.
I have tried multiple configurations, but, I just can't get it working... The latest and closest I have got is simply copying most of the above lines to a second router called traefik2 and simply change foo.com to bar.com - however, it doesn't seem to actually work... I enabled logging and it appears to fail at verifying the ACME response - when I go to Cloudflare, I see it has created two entries for _acme-challenge.1 - I can only assume that Cloudflare is serving in round robin and Letsencrypt isn't issuing.
This also makes me feel like I simply got lucky for foo.com and it shouldn't have worked either.
I have been trying on and off for days and I'm just not making progress, so, I thought it's time to ask others!
(domains purposely have a space in them as this forum wouldn't let me paste links as a new user)