I'm using Traefik as a reverse proxy for a variety of docker containers that I'm running, and I wanted to use sub-subdomains as I duplicate these services across multiple machines. E.g. machine1 runs service1, service2, service3, and machine2 also runs service1, service2, service3. Ideally, I would want these DNS records, all with SSL:
- service1.machine1.rooday.com -> machine1 IP
- service2.machine1.rooday.com -> machine1 IP
- service3.machine1.rooday.com -> machine1 IP
- service1.machine2.rooday.com -> machine2 IP
- service2.machine2.rooday.com -> machine2 IP
- service3.machine2.rooday.com -> machine2 IP
I tried using something like the following docker compose:
```yaml
version: "2.1"
services:
  traefik:
    image: traefik
    container_name: traefik
    restart: always
    volumes:
      - /home/traefik/letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - "80:80"
      - "443:443"
    environment:
      - CLOUDFLARE_EMAIL=email@domain.com
      - CLOUDFLARE_API_KEY=XXXXXXXXXXXXX
    command:
      - --providers.docker=true
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.cloudflare.acme.dnschallenge=true
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.cloudflare.acme.email=email@domain.com
      - --certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json
      # In the post the storage line ran into a second value ending in
      # "v02.api.letsencrypt.org/directory"; it is read here as the ACME CA URL.
      - --certificatesresolvers.cloudflare.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
  tautulli:
    image: service1image
    container_name: service1
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Los_Angeles
    volumes:
      - /home/service1:/config
    ports:
      - "8080:8080"   # also published directly on the host, i.e. reachable without Traefik/TLS
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.service1.rule=Host(`service1.machine1.rooday.com`)
      - traefik.http.services.service1.loadbalancer.server.port=8080
      - traefik.http.routers.service1.entrypoints=websecure
      - traefik.http.routers.service1.tls.certresolver=cloudflare
```
However, after creating the DNS A record for service1.machine1.rooday.com, I got this error when trying to access it: `ERR_SSL_VERSION_OR_CIPHER_MISMATCH`.
I looked up this error and came across this thread: https://community.cloudflare.com/t/how-to-add-ssl-to-a-sub-subdomain/65230/3, which seems to say that I can't do this on the Free plan. So I changed my traefik labels for service1 to look like so:
```yaml
    ...
    labels:
      - traefik.enable=true
      - traefik.http.routers.service1.rule=(Host(`machine1.rooday.com`) && PathPrefix(`/service1`))
      - traefik.http.services.service1.loadbalancer.server.port=8080
      - traefik.http.routers.service1.entrypoints=websecure
      - traefik.http.routers.service1.tls.certresolver=cloudflare
    ...
```
The problem with this is that not all the services I'm running allow me to set a base path, so getting them to run is more complicated with this setup. I then came across this thread: "Certificates for sub.subs.domian - Help - Let's Encrypt Community Support", which says that Let's Encrypt does indeed support sub-subdomains for SSL.
So I wanted to take a step back and ask here, is there any way to get Traefik to automatically provision a Let's Encrypt cert using Cloudflare for sub-subdomains? Or even if it requires me manually using certbot and then running Traefik, that works too, I'm just not sure how to approach this. Any help would be greatly appreciated!
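Added illustration (not part of the original post): a small checker for whether a certificate's DNS SANs cover a given hostname, using the single-label wildcard rule from RFC 6125. It shows why a one-level wildcard such as `*.rooday.com` covers `machine1.rooday.com` but not `service1.machine1.rooday.com`, which is the mismatch behind the error in the post. The SAN lists are constructed samples; `fetch_sans` is an optional live helper and the Cloudflare/Let's Encrypt SAN shapes are assumptions, not data from the post.

```python
import socket
import ssl
from typing import Iterable, List


def hostname_covered(hostname: str, sans: Iterable[str]) -> bool:
    """True if any DNS SAN covers hostname.

    A leading '*' matches exactly one DNS label (RFC 6125 §6.4.3), so
    '*.rooday.com' does not cover 'service1.machine1.rooday.com'.
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for san in sans:
        san_labels = san.rstrip(".").lower().split(".")
        if len(san_labels) != len(host_labels):
            continue  # a wildcard never spans two labels
        if san_labels[0] == "*":
            if san_labels[1:] == host_labels[1:]:
                return True
        elif san_labels == host_labels:
            return True
    return False


def uncovered_hosts(hostnames: Iterable[str], sans: Iterable[str]) -> List[str]:
    """Return the hostnames that the given SAN set would NOT secure."""
    sans = list(sans)
    return [h for h in hostnames if not hostname_covered(h, sans)]


def fetch_sans(hostname: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Connect with SNI and return the DNS SANs the server actually presents.

    Raises ssl.SSLError if the edge rejects the handshake (the browser-side
    symptom of that is ERR_SSL_VERSION_OR_CIPHER_MISMATCH).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed samples (assumed shapes): a one-level wildcard like a Cloudflare
# Universal SSL cert, and a per-machine wildcard such as ACME could issue.
ONE_LEVEL_WILDCARD_SANS = ["rooday.com", "*.rooday.com"]
PER_MACHINE_WILDCARD_SANS = ["machine1.rooday.com", "*.machine1.rooday.com"]
SUB_SUBDOMAINS = ["service1.machine1.rooday.com", "service2.machine1.rooday.com"]
```

Running `uncovered_hosts(SUB_SUBDOMAINS, ONE_LEVEL_WILDCARD_SANS)` lists every sub-subdomain, while the per-machine wildcard leaves none uncovered; `fetch_sans("service1.machine1.rooday.com")` shows which of the two shapes a live edge is really serving.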