Shodan has (as expected) picked up my publicly open IP on port 443, but returns the "TRAEFIK DEFAULT CERT".
Is there a way to amend the "catchall" router to use a cert?
The following isn't working - what do I need to do?
# Dynamic configuration (TOML); table headers restored so the fragment loads as posted.
[http.routers.catchall]
  rule = "PathPrefix(`/`)"
  entrypoints = [ "websecure" ]
  priority = 1
  middlewares = [ "bouncer" ]
  service = "nohost"
  [http.routers.catchall.tls]
    certResolver = "mythicbeasts"
    [[http.routers.catchall.tls.domains]]
      # `main` is a single string in Traefik, not an array; `sans` is the array.
      main = "myhost.mydomain.com"
      sans = [ "*.mydomain.com" ]

[http.services.nohost.loadBalancer]
  [[http.services.nohost.loadBalancer.servers]]
    url = "http://internalip:port"
Kind of, except I was hoping to be able to use one of the Acme certs rather than extract one and force it.
Sorry, I don't think it's supported by traefik, and I don't see a good use case for it either. If you want anything that is not traefik default certificate, it should not matter for you if it's expired. This way Shodan won't see the "TRAEFIK DEFAULT CERT", but see whatever one you put there. That should resolve your stated scenario. If the domain matches though, acme cert will be used as expected of course.
It's more to attempt a reduction in offering attack surfaces.
The use case is someone hitting the IP (scanning) and the server basically informing them (by way of the cert) that it's running Traefik, which may make it more appealing to probe.
So far I'm extracting my main domain cert from acme.json and just using that manually per the docs already mentioned, but it would be nice to use one without that.
Just to reiterate, for your scenario, it does not matter what cert you are using as long as it's not the default. It does not have to be valid or up-to-date. So this is basically a one time configuration task, that is IMO hardly taxing.
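The manual route the thread settles on, pulling the ACME cert for the main domain out of acme.json and handing it to Traefik as the default certificate, as an added Python helper; this is not Traefik's own tooling nor code from the thread. It assumes the Traefik v2 acme.json layout and the resolver name `mythicbeasts` and domain from the post; the sample store is constructed with placeholder PEM values.

```python
import base64
import json
import os
import tempfile
from pathlib import Path

# Constructed acme.json in Traefik's ACME-store layout, trimmed to the fields read here.
# The PEM values are placeholders, not real certificate material.
SAMPLE_ACME_JSON = json.dumps({
    "mythicbeasts": {
        "Certificates": [{
            "domain": {"main": "myhost.mydomain.com", "sans": ["*.mydomain.com"]},
            "certificate": base64.b64encode(b"-----CONSTRUCTED CERT PEM-----\n").decode(),
            "key": base64.b64encode(b"-----CONSTRUCTED KEY PEM-----\n").decode(),
        }],
    }
})

def extract_acme_cert(acme_json_text, resolver, main_domain):
    """Return (cert_pem, key_pem) for the entry whose main domain matches, or raise KeyError."""
    store = json.loads(acme_json_text)
    for entry in store.get(resolver, {}).get("Certificates", []):
        if entry.get("domain", {}).get("main") == main_domain:
            return base64.b64decode(entry["certificate"]), base64.b64decode(entry["key"])
    raise KeyError(f"no certificate for {main_domain} under resolver {resolver!r}")

def write_default_cert(acme_path, resolver, main_domain, out_dir):
    """Write the PEM files and return the dynamic-config TOML that makes them the
    default certificate, i.e. what Traefik serves when no router's cert matches the SNI."""
    cert_pem, key_pem = extract_acme_cert(Path(acme_path).read_text(), resolver, main_domain)
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    cert_file, key_file = out / f"{main_domain}.crt", out / f"{main_domain}.key"
    cert_file.write_bytes(cert_pem)
    key_file.write_bytes(key_pem)
    os.chmod(key_file, 0o600)  # the private key must not be world-readable
    return (
        "[tls.stores]\n"
        "  [tls.stores.default]\n"
        "    [tls.stores.default.defaultCertificate]\n"
        f'      certFile = "{cert_file}"\n'
        f'      keyFile = "{key_file}"\n'
    )

def demo():
    """Run the whole flow against the constructed store in a temp dir; return the TOML."""
    with tempfile.TemporaryDirectory() as tmp:
        acme_path = Path(tmp) / "acme.json"
        acme_path.write_text(SAMPLE_ACME_JSON)
        return write_default_cert(acme_path, "mythicbeasts", "myhost.mydomain.com", Path(tmp) / "certs")
```

The returned TOML goes into a file-provider dynamic config; the scanner then sees the chosen cert for any SNI (or no SNI) that no router matches, while routers whose domains match still serve their own ACME cert.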