Specify default CertificatesResolvers?

Is it possible to create a default certificatesResolvers which all TLS-enabled routes will use unless otherwise specified? I intend to use one LetsEncrypt resolver, and it seems messy to have to specify that for every TLS router.

The Traefik v2 configuration is pretty verbose. It allows a lot of flexibility but makes seemingly simple things difficult. Or maybe it is simple and the documentation still needs work.

2 Likes

You need to specify certificateResolver in order to use the traefik certificate auto-generation feature. If you do not specify it, but specify tls, traefik will use one of the configured certificates that match the request, or the default certificate if none is found.

There is no way to provide a default certificate resolver.

The way I see it, certResolver = "foo" is no more verbose than something like useDefaultResolver = "true", so it's hard for me to see what can be done here in the way of improvement.

Let's say you want to use LE for most of the sites, but for this single special snowflake you have a cert that your company purchased somewhere and you need to use it. So let's assume that traefik had something like: "global.useResolverWithAllTls=myacme", then it will also have to have something like "router.butForThisOneDoNotUseTheDefaulResolverUseCertInstead=true". This does not look like an improvement to me.

The Traefik team has to choose one default: either use supplied certs or use LE. They chose to default to using certs, since users would likely want to configure LE explicitly lest traefik go and request certs on their behalf unconfigured.

1 Like
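The fallback described in the reply above can be audited across a deployment. This is an added example, not code from the thread or from the Traefik project: it scans Docker labels for routers that enable TLS without naming a resolver, which are the routers that end up on a configured or default certificate. The label sets, router names and the resolver name `le` are constructed, and treating any `tls` label as enabling TLS is an assumption of this audit.

```python
import re

# Router-level TLS labels: traefik.http.routers.<name>.tls[.<option>]
_TLS_LABEL = re.compile(r"^traefik\.http\.routers\.([^.]+)\.tls(?:\.(.+))?$")


def audit_routers(labels):
    """Map each TLS-enabled router to its resolver name, or None if unset.

    Assumption: any tls label marks the router as TLS-enabled for the
    purpose of this audit. Keys are lowercased before matching.
    """
    routers = {}
    for key, value in labels.items():
        match = _TLS_LABEL.match(key.lower())
        if not match:
            continue
        name, option = match.group(1), match.group(2)
        routers.setdefault(name, None)
        if option == "certresolver" and value.strip():
            routers[name] = value.strip()
    return routers


def routers_without_resolver(labels):
    """Routers that will be served from a configured or default certificate."""
    return sorted(n for n, r in audit_routers(labels).items() if r is None)


# Constructed sample: labels merged from several hypothetical services.
SAMPLE_LABELS = {
    "traefik.http.routers.blog.rule": "Host(`blog.example.test`)",
    "traefik.http.routers.blog.tls": "true",  # TLS on, no resolver
    "traefik.http.routers.shop.rule": "Host(`shop.example.test`)",
    "traefik.http.routers.shop.tls.certresolver": "le",
    "traefik.http.routers.wiki.tls.certresolver": "le",
    "traefik.http.routers.wiki.tls": "true",
    "traefik.http.routers.plain.rule": "Host(`plain.example.test`)",  # no TLS
}

if __name__ == "__main__":
    for router in routers_without_resolver(SAMPLE_LABELS):
        print(f"{router}: TLS enabled but no certresolver set")
```
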

If the label is required, then I guess that's it for now.

I was thinking more along the lines of being able to set a default resolver which then does NOT need to be specified as it would be the default. Right now it just falls back to the self-signed default, I'd prefer to be able to configure LE for that fallback instead. Any service which then should use a different resolver would just specify it as normal.

In the end it's one additional label I have to add to each service. Not a big deal, was just hoping to not repeat myself so often.

1 Like

@rchouinard I am fully with you on this one. Being an early Traefik one user, I really struggle with Traefik 2.0 all the way through.

Yes it is a gem technically, but by a lot of other metrics it just is the worse variant.

Configuration is clunky, overcomplicated and extraordinarily verbose - this included. Be it how you define a

  • secure dashboard ( massively overcomplicated / clunky )
  • all to https redirect ( clunky and overcomplicated )
  • define default endpoints if none is set (not possible at all)
  • or here default resolver (not possible at all)

One can simply use the search in this forum alone to see how people struggle with it. And those people are mostly no Traefik starters, they are all somewhat users or even maybe veterans.

Considering objectively how much more complicated Traefik 2.0 became for all the starting features above, Traefik has lost a lot of attractivity for starters IMHO. I am fairly convinced that the relatively hardcore POV of the development team to keep it all "lego like" and not provide any high-level features / defaults and convenience just to simplify development and docs will not hold through 2020 - the amount of needed support for standard features in this forum shows that there is at least some new pain replacing the other.

Kinda turns me sad seeing so much potential being lost ;/

I do not want to close this one out so negative though, sure Traefik 2.0 is a feature-packed, future-proof release that will strive.

1 Like