Multiple wildcard certs with traefik

Hello all

I want to use 2 wildcards with my traefik container. I have this config:

    image: traefik:latest
    restart: unless-stopped
    container_name: traefik
    command: --api.insecure=false --api.dashboard=true
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
      - "[0]"
      - "[0].sans=*"
      - "[1]"
      - "[1].sans=*"
      - "traefik.http.routers.traefik.rule=Host(``)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"
      - "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)"
      - "traefik.http.routers.http_catchall.entrypoints=web"
      - "traefik.http.routers.http_catchall.middlewares=https_redirect"
      - "traefik.http.middlewares.ipwhitelist.ipwhitelist.sourcerange=<some networks>"
      - "traefik.http.routers.traefik.middlewares=ipwhitelist"

wildcards are working as expected. On the other site it behaves strangely. I have both wildcard certs within acme.json, but also named certs for each container I want to use with

On the container I have these labels:

      - "traefik.enable=true"
      - "traefik.http.routers.container1.tls=true"
      - "traefik.http.routers.container1.entrypoints=websecure"
      - "traefik.http.routers.container1.rule=Host(``)"
      - "traefik.http.routers.container1.tls.certresolver=myresolver"

I didn't find any documentation on this in the official documentation. I found only this reddit, where someone had the same problem:

This didn't work for me. Has someone an idea what I am doing wrong?

Why don’t you place this on a container using the domain?

The clean way would probably be to place the wildcard certs on the entrypoint, see example:


Thank you for the fast reply :slight_smile:

I can't tell you why, probably seen somewhere like that... Nevertheless, I have changed it like you suggested:

    [0]
    [0].sans=*
    [1]
    [1].sans=*

I deleted acme.json and recreated traefik and it creates it like before, do you have another idea?

Then you probably have to place the main/sans on every service label using its domain in Host().

Sorry can you please explain that a little more in detail?

On every service you place a Host(), try to also place the matching TLS main/sans.

In your first example you had two services with Host() each, but placed 2 different wildcards (only one used) on the first service in labels, none on the second.

I do have a Host() entry everywhere, as an example:

if I do understand you correctly you propose to set also the following?

      - "[0]"
      - "[0].sans=*"

I tried this with the same result. With domain1 I don't have this kind of problem :confused:
The easiest way to prevent this would probably be to create 2 VMs so I don't have to specify two wildcards.

The problem was certresolver. I have removed them and now it uses the wildcard. Unfortunately I didn't understand the documentation correctly in the beginning:

If certResolver is defined, Traefik will try to generate certificates based on routers Host & HostSNI rules.

source: Traefik Routers Documentation - Traefik

Once more RTFM :slight_smile:
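The configuration the thread converges on (both wildcards declared once on the TLS entrypoint, and no certresolver on the per-service routers), as an added docker-compose example that is not from any of the posts above. The domains example.com / example.net, the image tags, the DNS-provider entries and the credential variable are placeholders; the resolver name myresolver is kept from the thread.

```yaml
services:
  traefik:
    image: traefik:v2.10
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Plain HTTP is redirected at the entrypoint; no catch-all router needed
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # Wildcards need the DNS-01 challenge; provider and e-mail are placeholders
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=<your-dns-provider>"
      - "--certificatesresolvers.myresolver.acme.email=<admin@example.com>"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      # Both wildcards are declared once on the TLS entrypoint and requested
      # through the resolver; routers on this entrypoint inherit them by default
      - "--entrypoints.websecure.http.tls.certresolver=myresolver"
      - "--entrypoints.websecure.http.tls.domains[0].main=example.com"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.example.com"
      - "--entrypoints.websecure.http.tls.domains[1].main=example.net"
      - "--entrypoints.websecure.http.tls.domains[1].sans=*.example.net"
    environment:
      # DNS provider API credential for the challenge (variable name depends on
      # the provider); in practice load it from env_file or a secret, never labels
      - "DNS_PROVIDER_API_TOKEN=<token>"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"

  container1:
    image: <your-app-image>
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.container1.entrypoints=websecure"
      - "traefik.http.routers.container1.rule=Host(`app.example.net`)"
      # No tls.certresolver on the router: with one set, Traefik would request
      # a separate certificate for app.example.net (taken from the Host rule)
      # instead of serving the *.example.net wildcard already in acme.json
```

After starting, acme.json should contain exactly the two wildcard entries; a per-host certificate appearing there means a router still carries its own certresolver.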
