Traefik self-generated certificated wildcard subdomain in docker-compose

homer · November 10, 2021, 9:44am

I originally posted my question on StackOverflow: Traefik self-signed certificated wildcard subdomain in docker-compose - Stack Overflow

I'm looking for a solution to let traefik generate a wildcard certificate for my services. In fact in local development I do have multiple services sharing the same domain and currently I have to accept the certificate for each one.

I have 2 subdomains front.domain.localhost and api.domain.localhost and I would like a single certificate for both.

Here is a demo docker-compose.yml:

version: '3'

services:
  traefik:
    image: traefik:2.5
    command:
      - --providers.docker
      - --entryPoints.http.address=:80
      - --entryPoints.http.http.redirections.entryPoint.to=https
      - --entryPoints.http.http.redirections.entryPoint.scheme=https
      - --entryPoints.https.address=:443
    labels:
      - traefik.enable=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  front:
    image: traefik/whoami
    labels:
      - traefik.http.routers.front_router.rule=Host(`front.domain.localhost`)
      - traefik.http.routers.front_router.entrypoints=https
      - traefik.http.routers.front_router.tls=true

  api:
    image: traefik/whoami
    labels:
      - traefik.http.routers.api_router.rule=Host(`api.domain.localhost`)
      - traefik.http.routers.api_router.entrypoints=https
      - traefik.http.routers.api_router.tls=true

With this one I should accept 2 certificates (one for each subdomain).

I tried with various combination of main and sans as explained in Routers - Traefik without success.

How can I achieve this ?

jakubhajek · November 10, 2021, 2:50pm

Hello @homer

Thanks for your interest in Traefik.

I would recommend following this guide to obtain certificates for localhost.

On Traefik you can add rootCA by using that feature or use insecure mode by configuring that parameter described in the documentation.

Thank you,

homer · November 11, 2021, 1:31pm

@jakubhajek Thank you for your interest. While the solution you propose is valid it does not really fully match my need.

In fact it forces to :

create a Root CA
ship it in the git repository
ask every dev to register this CA as trusted

Maybe what I'm asking is not currently possible and could be added as a new feature ?

P.S.: By "self-generated" I meant "generated by traefik". I could use the term "traefik-generated" to clarify that.

jakubhajek · November 11, 2021, 5:23pm

hello @homer

Please note that Traefik uses ACME provide like Lets Encrypt for automatic certificate generation. Based on my best knowledge Let's Encrypt will not issue certificates for localhost.

You can see that threads on our Github repo that might be another solution for you:

github.com/traefik/traefik

Custom root CA for generated certificates

opened 10:43PM - 05 Feb 19 UTC

closed 12:00AM - 29 May 19 UTC

julienfalque

kind/question area/tls status/5-frozen-due-to-age

### Do you want to request a *feature* or report a *bug*? Feature ### What… did you expect to see? When enabling TLS on HTTPS entrypoints, Traefik generates a self-signed certificate for any domain that does not already have one. This is nice because it allows using HTTPS for dev purposes but the certificate is not trusted by the browser and must be manually accepted first. Without Traefik, I use [`mkcert`](https://github.com/FiloSottile/mkcert) in my Docker setup to create trusted certificates. The browser trusts the root CA from [`mkcert`](https://github.com/FiloSottile/mkcert) and thus trusts any certificate signed by it. As far as I understand, this is currently not possible with Traefik because it uses a random key to generate certificates. I'd like to be able to provide a trusted root CA to Traefik so it uses it instead.

github.com/traefik/traefik

Generate SSL Certificates on the fly like minica

opened 06:35AM - 26 Sep 18 UTC

thunder7553

kind/enhancement priority/P3 area/tls

### Do you want to request a *feature* or report a *bug*? Feature ### What… did you expect to see? Let's Encrypt does not work for intranet services. On the Let's Encrypt site, they propose to use https://github.com/jsha/minica instead (or generate them with OpenSSL). MiniCA is a GoLang application as well, and it's source is pretty small. To use it, you just call it like "minica -domains host.development" and you get a certificate for it. Unlike self-signed certificates, it does generate a Root CA certificate as well. If that file exists, all the generated files are based on that. Integrating something like that in addition to Let's Encrypt would make it a lot easier to setup traefik in an intranet to serve http2 sites.

Topic		Replies	Views
Wildcard certificates for all subdomains without service Traefik v2 docker , letsencrypt-acme	1	3404	May 3, 2021
Multiple wildcard certificates in a single Traefik container Traefik v2 docker , letsencrypt-acme	0	1074	January 30, 2022
Traefik not sending self-signed certificates for subdomain localhost Traefik v2 docker , tcp	2	2323	March 15, 2020
Automatic subdomain letsencrypt certificates with wildcard fallback for non-SNI Traefik v2 docker , letsencrypt-acme	4	3721	October 7, 2021
How to offer certificate with subdomain (own certificate) Traefik v2 docker	0	802	April 14, 2022

Traefik self-generated certificated wildcard subdomain in docker-compose

Related topics