I configure numerous standalone docker containers to answer at subdomains using docker labels with the following format:

```yaml
labels:
  - "traefik.docker.network=mynet"
  - "traefik.enable=true"
  - "traefik.frontend.headers.SSLRedirect=true"
  - "traefik.frontend.rule=Host:${INSTANCE_NAME}.validdomain.tld"
  - "traefik.protocol=https"
  - "traefik.port=8443"
```
This has worked for years. This morning, trying to spin up an instance failed with an obscure HTTPS error message, SSL_ERROR_INTERNAL_ERROR_ALERT.
Upon investigating further I found numerous strange entries in the acme.toml file. I removed the key and certs and replaced the domain information with validsub.validdomain.tld:
```json
{
  "Domain": {
    "Main": "dev.validsub.validdomain.tld",
    "SANs": null
  },
  "Certificate": "",
  "Key": ""
},
{
  "Domain": {
    "Main": "old.validsub.validdomain.tld",
    "SANs": null
  },
  "Certificate": "",
  "Key": ""
},
{
  "Domain": {
    "Main": "shop.validsub.validdomain.tld",
    "SANs": null
  },
  "Certificate": "",
  "Key": ""
},
{
  "Domain": {
    "Main": "test.validsub.validdomain.tld",
    "SANs": null
  },
  "Certificate": "",
  "Key": ""
},
{
  "Domain": {
    "Main": "demo.validsub.validdomain.tld",
    "SANs": null
  },
  "Certificate": "",
  "Key": ""
},
{
  "Domain": {
    "Main": "magento.validsub.validdomain.tld",
    "SANs": null
  },
  "Certificate": "",
  "Key": ""
},
{
  "Domain": {
    "Main": "staging.validsub.validdomain.tld",
    "SANs": null
  },
  "Certificate": "",
  "Key": ""
},
{
  "Domain": {
    "Main": "store.validsub.validdomain.tld",
    "SANs": null
  },
  "Certificate": "",
  "Key": ""
},
{
  "Domain": {
    "Main": "www.demo.validsub.validdomain.tld",
    "SANs": null
  },
  "Certificate": "",
  "Key": ""
},
```
It looks to me like a network scanner was looking for some sort of system to exploit. It found none, but these unwanted domain certificates have AFAICT taken up my contingent on letsencrypt certificates, meaning I cannot spin up new instances. Can it be that traefik is pulling certs for subdomains before checking if they are even being served by this proxy?
Can I configure something to prevent this from happening?
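An added example, not code from the post or from Traefik, that checks the certificate store against the hosts the containers actually declare: it parses entries in the shape quoted above (assumed here to have been extracted into a plain JSON array, since the real file nests them), derives the expected hostnames from `traefik.frontend.rule=Host:` labels, and lists every certificate name with no matching Host rule. The sample entries and labels are constructed.

```python
import json
import re

# Constructed sample entries in the shape of the acme store quoted above.
ACME_SAMPLE = """
[
  {"Domain": {"Main": "app1.validdomain.tld", "SANs": null}, "Certificate": "", "Key": ""},
  {"Domain": {"Main": "dev.validsub.validdomain.tld", "SANs": null}, "Certificate": "", "Key": ""},
  {"Domain": {"Main": "shop.validsub.validdomain.tld",
              "SANs": ["www.shop.validsub.validdomain.tld"]}, "Certificate": "", "Key": ""}
]
"""

# Constructed container labels, in the page's label format, for instances we run on purpose.
CONTAINER_LABELS = [
    "traefik.frontend.rule=Host:app1.validdomain.tld",
    "traefik.frontend.rule=Host:app2.validdomain.tld,www.app2.validdomain.tld",
    "traefik.port=8443",
]

HOST_RULE = re.compile(r"^traefik\.frontend\.rule=Host:(.+)$")


def load_entries(text):
    """Parse the extracted JSON array of certificate entries."""
    return json.loads(text)


def expected_hosts(labels):
    """Collect every hostname named in a Host: rule (rules may list several, comma-separated)."""
    hosts = set()
    for label in labels:
        match = HOST_RULE.match(label)
        if match:
            hosts.update(h.strip().lower() for h in match.group(1).split(","))
    return hosts


def cert_names(entries):
    """Every name a stored certificate covers: the Main name plus any SANs (SANs may be null)."""
    names = []
    for entry in entries:
        domain = entry["Domain"]
        names.append(domain["Main"].lower())
        names.extend(san.lower() for san in (domain.get("SANs") or []))
    return names


def unexpected_certs(entries, labels):
    """Certificate names that no running container's Host rule accounts for, sorted."""
    allowed = expected_hosts(labels)
    return sorted(name for name in cert_names(entries) if name not in allowed)


if __name__ == "__main__":
    for name in unexpected_certs(load_entries(ACME_SAMPLE), CONTAINER_LABELS):
        print("certificate with no matching Host rule:", name)
```

Each name it prints is a certificate that was issued without a matching frontend, which is the quota-consuming pattern described above.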