Subdomain-only certificate with letsencrypt

Hi,

I have one server that runs on example.com and another server that runs on sub.example.com. I'd like to use traefik on sub.example.com. The issue is that when it tries to get a certificate, it tries for the domain example.com, and the verification fails, because it's another server. I've tried this configuration:

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.old.rule=(Host(`sub.example.com`) || Host(`example2.com`))"
  - "traefik.http.routers.old.entrypoints=websecure"
  - "traefik.http.routers.old.tls=true"
  - "traefik.http.routers.old.tls.certresolver=letsencrypt"
  - "traefik.http.routers.old.tls.domains[0].main=sub.example.com"
  - "traefik.http.routers.old.tls.domains[0].sans=www.sub.example.com"

and the logs show:

2024-10-31T02:20:55Z ERR Error renewing certificate from LE: {example.com [sub.example.com]} error="error: one or more domains had a problem:\n[example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 100.99.137.137: Invalid response from https://example.com/.well-known/acme-challenge/V9hnkpJbsjtSS6lfObVROlFlC2xWCMbTtqJjlNDOk9g: 500\n" acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme

How can I issue a certificate only for the subdomain?
Thanks!

main and sans are usually used with wildcard certs, which require dnsChallenge, which needs access to the DNS provider.

LetsEncrypt will usually work with httpChallenge and tlsChallenge, when using only Host() for the used domain(s). Try to remove main/sans.
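As an added example (not part of the reply above or of the Traefik project's docs), this is the shape of a working setup for the subdomain-only case: the resolver uses the HTTP-01 challenge, and the router has no tls.domains, so the certificate request is derived from the Host() matchers alone. The entrypoint name web, the contact e-mail, the storage path and the placeholder image are assumptions; port 80 (or 443 for tlsChallenge) on both sub.example.com and www.sub.example.com must reach this Traefik instance, which is exactly what the 500 from the other server in the log above shows was not the case for example.com.

```yaml
# --- traefik.yml (static configuration) ---
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@example.com          # assumed contact address
      storage: /letsencrypt/acme.json   # assumed path; keep the file mode 600
      httpChallenge:
        entryPoint: web
      # alternative that only needs port 443 reachable from Let's Encrypt:
      # tlsChallenge: {}
---
# --- docker-compose.yml (dynamic configuration via labels) ---
services:
  old:
    image: nginx:alpine                 # placeholder service
    labels:
      - "traefik.enable=true"
      # every Host() value becomes a name on the requested certificate;
      # no tls.domains[…] entries, so nothing outside the rule is requested
      - "traefik.http.routers.old.rule=Host(`sub.example.com`) || Host(`www.sub.example.com`)"
      - "traefik.http.routers.old.entrypoints=websecure"
      - "traefik.http.routers.old.tls.certresolver=letsencrypt"
```

Setting tls.certresolver already enables TLS on the router, so a separate tls=true label is not needed. Only put names in the rule that actually resolve to this host: any extra Host() value is also submitted to Let's Encrypt and a failed challenge for it rejects the whole order.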

Hi,

Did you ever find out how to do this? I have a similar problem. For me the reason is that my rule looks like this:

HOST(one.example.org) || (HOST(two.example.org) && PathPrefix('/path')

Only one.example.org doesn't get a certificate.

Usually this just works:

Host(`one.example.org`) || Host(`two.example.org`)

I doubt that the parentheses change anything, but for fun you could try without.

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

Enable and check Traefik debug log (doc) and Traefik access log in JSON format (doc).
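As an added example (not from the reply above), the static-configuration keys that turn on the debug log and the JSON access log; the file paths are assumptions, and omitting filePath sends both logs to stdout.

```yaml
# traefik.yml additions (static configuration)
log:
  level: DEBUG                             # ACME negotiation is logged at this level
  filePath: /var/log/traefik/traefik.log   # assumed path

accessLog:
  filePath: /var/log/traefik/access.log    # assumed path
  format: json
```

In the debug log, filter for the resolver name (letsencrypt here) to see which domains are in the order and which challenge was attempted. In the access log, look for requests to /.well-known/acme-challenge/: if the validation request never shows up there, it was answered by some other host, as with the 500 from example.com in the first post.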