Multiple wildcard certs with traefik

Hello all

I want to use 2 wildcards with my traefik container. I have this config:

services:
  traefik:
    image: traefik:latest
    restart: unless-stopped
    container_name: traefik
    command: --api.insecure=false --api.dashboard=true
      --providers.docker.exposedByDefault=true
      --serversTransport.insecureSkipVerify=true
      --log.filePath="/etc/traefik/traefik.log"
      --accesslog.filepath=/etc/traefik/access.log
      --log.level="INFO"
      --providers.file.filename=/etc/traefik/dynamic.yaml
      --entryPoints.websecure.address=:443
      --entryPoints.web.address=:80
      --certificatesresolvers.myresolver.acme.email=${certMail}
      --certificatesresolvers.myresolver.acme.storage=/etc/traefik/acme/acme.json
      --certificatesresolvers.myresolver.acme.dnschallenge.provider=${certProvider}
      --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=${certResolver}
      --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
    labels:
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik.tls.domains[0].main=domain1.com"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.domain1.com"
      - "traefik.http.routers.traefik.tls.domains[1].main=domain2.com"
      - "traefik.http.routers.traefik.tls.domains[1].sans=*.domain2.com"
      - "traefik.http.routers.traefik.rule=Host(`traefik.domain2.com`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"
      - "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)"
      - "traefik.http.routers.http_catchall.entrypoints=web"
      - "traefik.http.routers.http_catchall.middlewares=https_redirect"
      - "traefik.http.middlewares.ipwhitelist.ipwhitelist.sourcerange=<some networks>"
      - "traefik.http.routers.traefik.middlewares=ipwhitelist"

domain1.com wildcards are working as expected. domain2.com, on the other hand, behaves strangely. I have both wildcard certs within acme.json, but also named certs for each container I want to use with domain2.com.

On the container I have these labels:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.container1.tls=true"
      - "traefik.http.routers.container1.entrypoints=websecure"
      - "traefik.http.routers.container1.rule=Host(`container1.domain2.com`)"
      - "traefik.http.routers.container1.tls.certresolver=myresolver"

I didn't find anything about this in the official documentation. I found only this Reddit thread, where someone had the same problem:

https://www.reddit.com/r/Traefik/comments/i61cy8/multiple_letsencrypt_wildcard_certificates_on_a/

This didn't work for me. Does someone have an idea what I am doing wrong?

Why don’t you place this on a container using the domain?

The clean way would probably be to place the wildcard certs on the entrypoint, see example:

--entrypoints.websecure.address=:443
--entrypoints.websecure.http.tls.options=foobar
--entrypoints.websecure.http.tls.certResolver=leresolver
--entrypoints.websecure.http.tls.domains[0].main=example.com
--entrypoints.websecure.http.tls.domains[0].sans=foo.example.com,bar.example.com
--entrypoints.websecure.http.tls.domains[1].main=test.com
--entrypoints.websecure.http.tls.domains[1].sans=foo.test.com,bar.test.com

Thank you for the fast reply :slight_smile:

I can't tell you why, probably seen it somewhere like that... Nevertheless, I have changed it like you suggested:

--entrypoints.websecure.http.tls.domains[0].main=example.com
--entrypoints.websecure.http.tls.domains[0].sans=*.example.com
--entrypoints.websecure.http.tls.domains[1].main=test.com
--entrypoints.websecure.http.tls.domains[1].sans=*.test.com

I deleted acme.json and recreated traefik, and it creates it like before. Do you have another idea?

Then you probably have to place the main/sans on every service label using its domain in Host().

Sorry, can you please explain that in a little more detail?

On every service you place a Host(), try to also place the matching TLS main/sans.

In your first example you had two services with Host() each, but placed 2 different wildcards (only one used) on the first service in labels, and none on the second.

I do have a Host() entry everywhere, for example:
"traefik.http.routers.container1.rule=Host(`container1.domain2.com`)"

If I understand you correctly, you propose to also set the following?

      - "traefik.http.routers.container1.tls.domains[0].main=domain2.com"
      - "traefik.http.routers.container1.tls.domains[0].sans=*.domain2.com"

I tried this with the same result. With domain1 I don't have this kind of problem :confused:
The easiest way to prevent this would probably be to create 2 VMs so I don't have to specify two wildcards.

The problem was certresolver. I have removed them and now it uses the wildcard. Unfortunately, I didn't understand the documentation correctly in the beginning:

If certResolver is defined, Traefik will try to generate certificates based on routers Host & HostSNI rules.

source: Traefik Routers Documentation - Traefik

Once more RTFM :slight_smile:
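The resolution above has a visible footprint in acme.json: when routers carry their own `tls.certresolver`, Traefik issues a named certificate per `Host()` rule even though a wildcard for that zone is already stored, so acme.json ends up holding both. The script below is an added example, not code from this thread or from the Traefik project. It reads the certificate list a resolver stores in acme.json and reports per-host certificates whose every name is already covered by a wildcard, and it shows which certificate would be served for a given server name. Assumptions: the acme.json layout `{"<resolver>": {"Certificates": [{"domain": {"main": ..., "sans": [...]}, ...}]}}` that Traefik writes, the constructed sample content embedded in `SAMPLE_ACME_JSON` (placeholder bodies, not real PEM), and the exact-name-before-wildcard selection order in `select_certificate`, which is this example's reading of how a certificate store picks a match, not Traefik's own code.

```python
"""Audit a Traefik acme.json for per-host certificates already covered by a wildcard.

Added example (not from the thread or the Traefik project). Assumed acme.json layout:
{"<resolver>": {"Certificates": [{"domain": {"main": ..., "sans": [...]}, ...}]}}
"""
import json
import sys
from typing import Dict, List, Optional

# Constructed sample acme.json: one wildcard per zone plus two per-host
# certificates for domain2.com, the situation described in the thread.
# Certificate and key bodies are placeholders, not real PEM data.
SAMPLE_ACME_JSON = json.dumps({
    "myresolver": {
        "Account": {"Email": "admin@example.invalid"},
        "Certificates": [
            {"domain": {"main": "domain1.com", "sans": ["*.domain1.com"]},
             "certificate": "PLACEHOLDER", "key": "PLACEHOLDER", "Store": "default"},
            {"domain": {"main": "domain2.com", "sans": ["*.domain2.com"]},
             "certificate": "PLACEHOLDER", "key": "PLACEHOLDER", "Store": "default"},
            {"domain": {"main": "container1.domain2.com"},
             "certificate": "PLACEHOLDER", "key": "PLACEHOLDER", "Store": "default"},
            {"domain": {"main": "container2.domain2.com"},
             "certificate": "PLACEHOLDER", "key": "PLACEHOLDER", "Store": "default"},
        ],
    }
})


def load_certificates(acme_json_text: str, resolver: str) -> List[dict]:
    """Return the certificate entries stored under one resolver (empty if none yet)."""
    data = json.loads(acme_json_text)
    return (data.get(resolver) or {}).get("Certificates") or []


def cert_names(entry: dict) -> List[str]:
    """All names a stored certificate covers: main first, then its SANs."""
    domain = entry["domain"]
    return [domain["main"]] + list(domain.get("sans") or [])


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: a wildcard covers exactly one left-most label.

    '*.domain2.com' covers 'container1.domain2.com' but neither 'domain2.com'
    nor 'a.b.domain2.com'. Comparison is case-insensitive; trailing dots ignored.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # ".domain2.com"
    if not hostname.endswith(suffix):
        return False
    prefix = hostname[: -len(suffix)]
    return bool(prefix) and "." not in prefix


def find_redundant(certs: List[dict]) -> Dict[str, List[str]]:
    """Map each per-host certificate (by main name) to the wildcards covering all its names."""
    wildcards = sorted({n for c in certs for n in cert_names(c) if n.startswith("*.")})
    redundant: Dict[str, List[str]] = {}
    for cert in certs:
        names = cert_names(cert)
        if any(n.startswith("*.") for n in names):
            continue  # the wildcard certificates themselves are the ones we want
        covering = [next((w for w in wildcards if name_matches(w, n)), None) for n in names]
        if all(covering):
            redundant[names[0]] = sorted(set(covering))
    return redundant


def select_certificate(certs: List[dict], server_name: str) -> Optional[dict]:
    """Pick the certificate for a TLS server name: an exact name wins over a wildcard.

    Assumption: exact-then-wildcard preference, as this example reads a
    certificate store's lookup; it is not Traefik's own implementation.
    """
    for cert in certs:
        if any(n.lower() == server_name.lower() for n in cert_names(cert)):
            return cert
    for cert in certs:
        if any(name_matches(n, server_name) for n in cert_names(cert)):
            return cert
    return None


def report(acme_json_text: str, resolver: str) -> List[str]:
    """Human-readable lines: one per stored certificate, then the redundancy findings."""
    certs = load_certificates(acme_json_text, resolver)
    lines = [f"{len(certs)} certificate(s) under resolver {resolver!r}"]
    for cert in certs:
        lines.append("  " + ", ".join(cert_names(cert)))
    for host, wildcards in find_redundant(certs).items():
        lines.append(f"REDUNDANT: {host} is already covered by {', '.join(wildcards)};"
                     " check for tls.certresolver on the router serving it")
    return lines


if __name__ == "__main__":
    # Usage: python acme_audit.py [/path/to/acme.json] [resolver]; no path runs the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    resolver = sys.argv[2] if len(sys.argv) > 2 else "myresolver"
    text = open(path, encoding="utf-8").read() if path else SAMPLE_ACME_JSON
    print("\n".join(report(text, resolver)))
```

Run against the real file (it is mode 0600 and holds private keys, so run it as root or copy it out with the keys stripped) after removing the router-level `certresolver` labels and restarting Traefik: the `REDUNDANT` lines should disappear once the per-host entries are gone, and `select_certificate` confirms that a name such as `other.domain2.com` falls back to the `*.domain2.com` wildcard.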
