Serve Let's Encrypt Cert on IP address (not default cert)

I have a traefik instance which is configured to serve a domain and automatically manage the certificate using letsencrypt. This is working fine for the domain but if a user tries the IP directly they see a 404 and the default cert.

I've tried adding the following (where IP is the external IP the domain resolves to) but it doesn't work:

http:
  routers:
    app-route:
      rule: "Host(`app.domain.com`) || Host(`1.2.3.4`)"
      service: app
      priority: 100
      entryPoints:
        - web
        - websecure
      tls:
        certResolver: lets-encrypt

In general this Host(`app.domain.com`) || Host(`1.2.3.4`) should work (without TLS).

But you can't really use TLS with an IP, it will usually create an error on client side.

Also note that you assign TLS to the router, which uses web and websecure entrypoints, so you enable TLS on port 80. Rather place TLS on the entrypoint directly.

Compare to simple Traefik example.

Thanks, I've separated the two routes but still using tls on the router as per the documentation. Not entirely sure what you were trying to show through that link, can you put an example?

http:
  routers:
    app-secure-route:
      rule: "Host(`app.domain.com`) || Host(`1.2.3.4`)"
      service: app
      priority: 100
      entryPoints:
        - websecure
      tls:
        certResolver: lets-encrypt
    app-route:
      rule: "Host(`app.domain.com`) || Host(`1.2.3.4`)"
      service: app
      priority: 100
      entryPoints:
        - web

The Host(1.2.3.4) is definitely not working though, it always serves the traefik default cert.

Alternatively, is it possible for traefik to drop any requests directly to the IP instead of serve 404 and the default cert?

You can define an ACME Default Certificate (doc). If you only set existing domain app.domain.com and no sans, it should run with your existing setup. If you go sans wildcard, you need dnsChallenge.
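The two suggestions in this thread (TLS on the entrypoint, and an ACME default certificate) combined into one configuration, as an added example that is not part of the original posts. The resolver name `lets-encrypt`, the entrypoint names and `app.domain.com` come from the thread; the listen addresses and the split into a static and a dynamic file are assumptions, and the `lets-encrypt` resolver itself is assumed to be defined already in the static configuration.

```yaml
# Static configuration (for example traefik.yml). Addresses are assumed.
entryPoints:
  web:
    address: ":80"          # plain HTTP, no TLS on this entrypoint
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: lets-encrypt   # TLS set once on the entrypoint, not per router
---
# Dynamic configuration (file provider).
tls:
  stores:
    default:
      # Replaces Traefik's self-signed default certificate with one issued
      # by the ACME resolver. It is served whenever no router matches the
      # requested name, including connections made directly to the IP.
      defaultGeneratedCert:
        resolver: lets-encrypt
        domain:
          main: app.domain.com   # existing domain only, no sans
          # A wildcard entry under sans would require dnsChallenge.

http:
  routers:
    app-secure-route:
      rule: "Host(`app.domain.com`)"
      service: app
      entryPoints:
        - websecure          # inherits TLS from the entrypoint
    app-route:
      rule: "Host(`app.domain.com`)"
      service: app
      entryPoints:
        - web
```

A client that connects to `https://1.2.3.4` now receives the Let's Encrypt certificate for `app.domain.com` instead of the self-signed default, but it will still report a name mismatch, because the certificate does not cover the IP address.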

@bluepuma77 I think you nailed it, thank you for your help
