I put this on Reddit before realising there was an official community:
I'm trying to learn and understand Traefik, but I'm failing with TLS certs.
The question is: what is the correct way to simply have two separate wildcard certs assigned through Let's Encrypt and registered on Traefik, so that I can easily add minimal labels to new containers with the host and entrypoint and just get them to work?
For those interested, some background and what I have tried:
I have 2 subdomains and 2 wildcards set as SANs: 1.foo. com, *.1.foo. com, 2.bar .com, *.2.bar.com
I set the following commands:
- "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
- "--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0"
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
and I added the following labels to the Traefik compose file:
- "traefik.http.routers.traefik.tls=true"
- "traefik.http.routers.traefik.tls.certresolver=myresolver"
- "traefik.http.routers.traefik.tls.domains[0].main=1.foo.com"
- "traefik.http.routers.traefik.tls.domains[0].sans=*.1.foo.com"
- "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.routers.traefik.rule=Host(`traefik.1.foo.com`)"
- "traefik.http.routers.traefik.entrypoints=web-secure"
Now, this appears to work: Traefik gets the wildcard certificate and binds it fine.
I can then create extra routers from my containers at will by adding a new named router, as long as the host is on anything.1.foo .com, and it appears to work fine.
Now, I decided I want to add bar.com.
I have tried multiple configurations, but I just can't get it working. The latest and closest I have got is simply copying most of the above lines to a second router called traefik2 and changing foo.com to bar.com; however, it doesn't seem to actually work. I enabled logging and it appears to fail at verifying the ACME response. When I go to Cloudflare, I see it has created two entries for _acme-challenge.1; I can only assume that Cloudflare is serving them round robin and Let's Encrypt isn't issuing.
This also makes me feel like I simply got lucky with foo.com and it shouldn't have worked either.
I have been trying on and off for days and I'm just not making progress, so I thought it was time to ask others!
(domains purposely have a space in them as this forum wouldn't let me paste links as a new user)
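As an added example (editor's, not the original poster's compose file) of the configuration the post describes, here is one layout that requests both wildcard certificates from a single resolver by listing both domain pairs as `tls.domains[0]` and `tls.domains[1]` on the same router, with a second container that only sets `tls=true` and is served the matching wildcard from Traefik's certificate store. Assumed and not taken from the post: Traefik v2, a Cloudflare API token supplied via the `CF_DNS_API_TOKEN` environment variable, entrypoint names `web` and `web-secure`, the `whoami` service, and the placeholder e-mail address. Whether this also clears the duplicate `_acme-challenge` records the poster saw is not established on this page.

```yaml
# Added example, not the poster's file. Assumes Traefik v2 and a Cloudflare
# API token (scoped to Zone:DNS:Edit for the two zones only) in CF_DNS_API_TOKEN.
services:
  traefik:
    image: traefik:v2.10
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web-secure.address=:443"
      - "--api.dashboard=true"
      # Placeholder e-mail (assumption); Traefik requires one for the ACME account.
      - "--certificatesresolvers.myresolver.acme.email=admin@example.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
      # While debugging, point at the staging CA so repeated failures do not
      # burn through production rate limits; remove this line once it works.
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
    environment:
      - "CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # acme.json holds the private keys; create it with mode 0600 or Traefik refuses it.
      - "./letsencrypt:/letsencrypt"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.1.foo.com`)"
      - "traefik.http.routers.traefik.entrypoints=web-secure"
      - "traefik.http.routers.traefik.service=api@internal"   # put an auth middleware in front of this in production
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
      # Both wildcard pairs on one router, one resolver:
      - "traefik.http.routers.traefik.tls.domains[0].main=1.foo.com"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.1.foo.com"
      - "traefik.http.routers.traefik.tls.domains[1].main=2.bar.com"
      - "traefik.http.routers.traefik.tls.domains[1].sans=*.2.bar.com"

  # Minimal labels on a new container: host, entrypoint, tls=true.
  # No certresolver here, so Traefik does not request a per-host cert and
  # instead serves the stored *.2.bar.com wildcard for this SNI.
  whoami:
    image: traefik/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.2.bar.com`)"
      - "traefik.http.routers.whoami.entrypoints=web-secure"
      - "traefik.http.routers.whoami.tls=true"
```

Two checks worth doing with this layout: confirm `ls -l letsencrypt/acme.json` shows mode 0600 before the first start, and confirm the Cloudflare token is restricted to DNS edit on the two zones rather than an account-wide key, since that token is what the DNS-01 challenge hands to the container.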