Traefik can retrieve a wildcard certificate for the primary domain, but not a subdomain

Hi, I currently have Traefik running on Docker, set up to retrieve certificates from Let's Encrypt using Cloudflare as the cert resolver. I am able to successfully get a wildcard certificate for my main domain (*.mydomain.com), but I am unable to get one for a subdomain (*.local.mydomain.com), and there is also no error in the logs, so I'm not really sure what's going on. Below are my docker-compose and config files. This setup was working previously, but stopped at some point and I only noticed when I got an email saying my certificates were going to expire. Any help would be greatly appreciated!

Traefik docker-compose:

version: '3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    environment:
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/user/traefik/data/traefik.yml:/traefik.yml:ro
      - /home/user/traefik/data/acme.json:/acme.json
      - /home/user/traefik/data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      # https
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.local.mydomain.com`)"
      # wildcard certs
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.mydomain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.mydomain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      # global redirect to https
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      # middleware redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

networks:
  proxy:
    external: true

traefik.yml:

api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
serversTransport:
  # Disables TLS certificate verification for every backend Traefik proxies to
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: mycloudflareemail@gmail.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

OK, I was able to get the subdomain certificate generated. I ended up commenting out the section in my docker-compose that generated the certificate for the primary domain while leaving the section for the subdomain uncommented; after restarting Traefik, it immediately generated the certificate for the subdomain. After that I uncommented the lines for the primary domain, and now everything seems to be working. I am not sure why this was the resolution; if anyone has any more insight I would love to learn why.

Should probably be 0, 0, 1, 1 (array index).

Sorry it took me so long to reply, I have been out of town. I updated the array index and it indeed worked as intended. Thanks bluepuma77!
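An added example (not code from the original posts or from the Traefik project) that makes the failure mode above visible: Docker stores container labels as a string map, so two `domains[0].main` labels in the same compose file cannot both reach Traefik, and nothing is logged about the one that is lost. The script below takes the four `domains` labels from the compose file as constructed input, flags duplicate keys, and shows the effective domain list Traefik would see for the original labels versus the `0, 0, 1, 1` version. The label names are the ones from the thread; modelling the map collapse as last-value-wins is an assumption, chosen because it matches what the original post observed (the *.mydomain.com certificate was issued, the *.local.mydomain.com one was not).

```python
import re
from collections import defaultdict

# Constructed input: the domains labels as posted, both pairs on index [0].
BUGGY_LABELS = [
    "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare",
    "traefik.http.routers.traefik-secure.tls.domains[0].main=local.mydomain.com",
    "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.mydomain.com",
    "traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain.com",
    "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain.com",
]

# Constructed input: the same labels with distinct indices (0, 0, 1, 1).
FIXED_LABELS = [
    "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare",
    "traefik.http.routers.traefik-secure.tls.domains[0].main=local.mydomain.com",
    "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.mydomain.com",
    "traefik.http.routers.traefik-secure.tls.domains[1].main=mydomain.com",
    "traefik.http.routers.traefik-secure.tls.domains[1].sans=*.mydomain.com",
]

# Matches the router TLS domains labels Traefik's docker provider understands.
DOMAIN_RE = re.compile(
    r"^traefik\.http\.routers\.(?P<router>[^.]+)\.tls\.domains\[(?P<idx>\d+)\]"
    r"\.(?P<field>main|sans)$"
)


def split_label(label):
    """Split 'key=value' on the first '=' only; values may themselves contain '='."""
    key, sep, value = label.partition("=")
    if not sep:
        raise ValueError(f"label without '=': {label!r}")
    return key.strip(), value.strip()


def find_duplicate_keys(labels):
    """Return {key: [values...]} for every label key that occurs more than once.

    Any key listed here will lose at least one value when Docker turns the
    list into a map, and Traefik will never report the missing value.
    """
    seen = defaultdict(list)
    for label in labels:
        key, value = split_label(label)
        seen[key].append(value)
    return {k: v for k, v in seen.items() if len(v) > 1}


def effective_domains(labels, router="traefik-secure"):
    """Build the domains list Traefik would act on for one router.

    The map collapse is modelled as last-value-wins (assumption, see lead-in).
    Returns a list of (main, [sans...]) tuples ordered by array index.
    """
    as_map = {}
    for label in labels:
        key, value = split_label(label)
        as_map[key] = value  # a duplicate key silently overwrites the earlier value
    entries = defaultdict(dict)
    for key, value in as_map.items():
        m = DOMAIN_RE.match(key)
        if m and m.group("router") == router:
            entries[int(m.group("idx"))][m.group("field")] = value
    result = []
    for idx in sorted(entries):
        sans = [s.strip() for s in entries[idx].get("sans", "").split(",") if s.strip()]
        result.append((entries[idx].get("main"), sans))
    return result


if __name__ == "__main__":
    for name, labels in (("buggy", BUGGY_LABELS), ("fixed", FIXED_LABELS)):
        dups = find_duplicate_keys(labels)
        print(f"{name}: duplicate keys: {sorted(dups) or 'none'}")
        for main, sans in effective_domains(labels):
            print(f"  main={main} sans={sans}")
```

Running it prints a single `mydomain.com` entry for the buggy labels and both entries for the fixed ones. The same check applies to any indexed Traefik label (`tls.domains[n]`, `middlewares`, `loadbalancer.servers[n]`): an index that repeats is a lost value, not a merge.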
