Traefik self-generated certificated wildcard subdomain in docker-compose

I originally posted my question on StackOverflow: Traefik self-signed certificated wildcard subdomain in docker-compose - Stack Overflow

I'm looking for a solution to let traefik generate a wildcard certificate for my services. In fact in local development I do have multiple services sharing the same domain and currently I have to accept the certificate for each one.

I have 2 subdomains front.domain.localhost and api.domain.localhost and I would like a single certificate for both.

Here is a demo docker-compose.yml:

version: '3'

services:
  traefik:
    image: traefik:2.5
    command:
      - --providers.docker
      - --entryPoints.http.address=:80
      - --entryPoints.http.http.redirections.entryPoint.to=https
      - --entryPoints.http.http.redirections.entryPoint.scheme=https
      - --entryPoints.https.address=:443
    labels:
      - traefik.enable=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  front:
    image: traefik/whoami
    labels:
      - traefik.http.routers.front_router.rule=Host(`front.domain.localhost`)
      - traefik.http.routers.front_router.entrypoints=https
      - traefik.http.routers.front_router.tls=true

  api:
    image: traefik/whoami
    labels:
      - traefik.http.routers.api_router.rule=Host(`api.domain.localhost`)
      - traefik.http.routers.api_router.entrypoints=https
      - traefik.http.routers.api_router.tls=true

With this one I should accept 2 certificates (one for each subdomain).

I tried with various combinations of main and sans as explained in Routers - Traefik without success.

How can I achieve this?

Hello @homer

Thanks for your interest in Traefik.

I would recommend following this guide to obtain certificates for localhost.

On Traefik you can add rootCA by using that feature or use insecure mode by configuring that parameter described in the documentation.

Thank you,
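The single-certificate outcome asked about in this thread, as an added Go example that is not part of any post here and is not Traefik's own code: it generates one self-signed certificate whose SANs are `domain.localhost` and `*.domain.localhost`, then checks which hostnames it covers. The names `newWildcardCert` and `covers` and the 90-day lifetime are assumptions of this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newWildcardCert returns one self-signed cert and its key (both PEM) for base and *.base.
func newWildcardCert(base string) ([]byte, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: "*." + base},
		DNSNames:     []string{base, "*." + base}, // SANs are what clients match
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().AddDate(0, 0, 90), // assumed 90-day dev lifetime
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), err
}

// covers reports whether the certificate's SANs match host.
func covers(certPEM []byte, host string) bool {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return false
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	return err == nil && cert.VerifyHostname(host) == nil
}
func main() {
	certPEM, _, err := newWildcardCert("domain.localhost")
	fmt.Println(err, covers(certPEM, "front.domain.localhost"), covers(certPEM, "api.domain.localhost"))
}
```

Written to disk, the two PEM blocks can be served for every router through Traefik's file provider (`tls.stores.default.defaultCertificate` with `certFile` and `keyFile`). The wildcard matches exactly one label, so `a.b.domain.localhost` is not covered, and a self-signed certificate still has to be accepted or trusted once by each client.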

@jakubhajek Thank you for your interest. While the solution you propose is valid it does not really fully match my need.

In fact it forces us to:

  1. create a Root CA
  2. ship it in the git repository
  3. ask every dev to register this CA as trusted

Maybe what I'm asking is not currently possible and could be added as a new feature?

P.S.: By "self-generated" I meant "generated by traefik". I could use the term "traefik-generated" to clarify that.

Hello @homer

Please note that Traefik uses ACME providers like Let's Encrypt for automatic certificate generation. To the best of my knowledge, Let's Encrypt will not issue certificates for localhost.

You can see these threads on our GitHub repo that might be another solution for you: