homer
November 10, 2021, 9:44am
I originally posted my question on StackOverflow: Traefik self-signed certificated wildcard subdomain in docker-compose - Stack Overflow
I'm looking for a solution to let traefik generate a wildcard certificate for my services. In fact in local development I do have multiple services sharing the same domain and currently I have to accept the certificate for each one.
I have 2 subdomains, `front.domain.localhost` and `api.domain.localhost`, and I would like a single certificate for both.
Here is a demo docker-compose.yml:

```yaml
version: '3'
services:
  traefik:
    image: traefik:2.5
    command:
      - --providers.docker
      - --entryPoints.http.address=:80
      - --entryPoints.http.http.redirections.entryPoint.to=https
      - --entryPoints.http.http.redirections.entryPoint.scheme=https
      - --entryPoints.https.address=:443
    labels:
      - traefik.enable=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
  front:
    image: traefik/whoami
    labels:
      - traefik.http.routers.front_router.rule=Host(`front.domain.localhost`)
      - traefik.http.routers.front_router.entrypoints=https
      - traefik.http.routers.front_router.tls=true
  api:
    image: traefik/whoami
    labels:
      - traefik.http.routers.api_router.rule=Host(`api.domain.localhost`)
      - traefik.http.routers.api_router.entrypoints=https
      - traefik.http.routers.api_router.tls=true
```
With this one I should accept 2 certificates (one for each subdomain).
I tried various combinations of `main` and `sans` as explained in Routers - Traefik, without success.
How can I achieve this?
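The question hinges on what a single wildcard name covers. The following is an added example, not code from the thread or from Traefik: it implements the RFC 6125 rule that a `*` must be the entire left-most label of a DNS name and matches exactly one label, then reports which of a constructed set of hostnames a certificate with the SANs `domain.localhost` and `*.domain.localhost` would cover without a browser warning. The SAN list and hostnames are constructed for illustration; `hostname_matches` and `covered_by` are names chosen here.

```python
"""Check which hostnames a wildcard certificate's SANs actually cover.

Added example for the forum thread above (not Traefik's code). Applies the
RFC 6125 section 6.4.3 wildcard rules: '*' must be the whole left-most label
and matches exactly one label, so '*.domain.localhost' covers
front.domain.localhost and api.domain.localhost, but neither
domain.localhost itself nor deep.front.domain.localhost.
"""
from typing import Dict, List, Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the DNS name `pattern`.

    Comparison is case-insensitive and ignores a trailing dot. Partial
    wildcards such as 'f*.domain.localhost' are rejected, as browsers do.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # A wildcard matches exactly one label, so label counts must be equal,
    # and every label of the hostname must be non-empty.
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Require at least two labels after the wildcard so that
        # '*.localhost'-style names (effectively a whole suffix) never match.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False  # '*' anywhere other than as the full left-most label
    return p == h


def covered_by(names: List[str], hostnames: List[str]) -> Dict[str, Optional[str]]:
    """Map each hostname to the first SAN that covers it, or None if none does."""
    return {
        host: next((n for n in names if hostname_matches(n, host)), None)
        for host in hostnames
    }


# Constructed sample: the subjectAltName entries one certificate for the
# thread's two services would need, plus hostnames to check against them.
SANS = ["domain.localhost", "*.domain.localhost"]
REQUESTED = [
    "front.domain.localhost",
    "api.domain.localhost",
    "domain.localhost",
    "deep.front.domain.localhost",
    "other.localhost",
]

if __name__ == "__main__":
    for host, san in covered_by(SANS, REQUESTED).items():
        print(f"{host:30} -> {san or 'NOT COVERED (browser warning)'}")
```

The practical consequence for local development is that one certificate listing both `domain.localhost` and `*.domain.localhost` covers every first-level subdomain, but a nested name such as `deep.front.domain.localhost` would still trigger a warning and needs its own entry.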
Hello @homer
Thanks for your interest in Traefik.
I would recommend following this guide to obtain certificates for localhost.
On Traefik you can add a root CA by using that feature or use insecure mode by configuring that parameter described in the documentation.
Thank you,
homer
November 11, 2021, 1:31pm
@jakubhajek Thank you for your interest. While the solution you propose is valid it does not really fully match my need.
In fact it forces me to:

- create a Root CA
- ship it in the git repository
- ask every dev to register this CA as trusted

Maybe what I'm asking is not currently possible and could be added as a new feature?
P.S.: By "self-generated" I meant "generated by traefik". I could use the term "traefik-generated" to clarify that.
Hello @homer
Please note that Traefik uses ACME providers like Let's Encrypt for automatic certificate generation. Based on my best knowledge, Let's Encrypt will not issue certificates for localhost.
You can see these threads on our GitHub repo that might be another solution for you:
GitHub issue (opened 05 Feb 19 10:43PM UTC, closed 29 May 19 12:00AM UTC; labels: kind/question, area/tls, status/5-frozen-due-to-age):
### Do you want to request a *feature* or report a *bug*?
Feature
### What… did you expect to see?
When enabling TLS on HTTPS entrypoints, Traefik generates a self-signed certificate for any domain that does not already have one. This is nice because it allows using HTTPS for dev purposes but the certificate is not trusted by the browser and must be manually accepted first.
Without Traefik, I use [`mkcert`](https://github.com/FiloSottile/mkcert) in my Docker setup to create trusted certificates. The browser trusts the root CA from [`mkcert`](https://github.com/FiloSottile/mkcert) and thus trusts any certificate signed by it.
As far as I understand, this is currently not possible with Traefik because it uses a random key to generate certificates. I'd like to be able to provide a trusted root CA to Traefik so it uses it instead.
GitHub issue (opened 26 Sep 18 06:35AM UTC; labels: kind/enhancement, priority/P3, area/tls):
### Do you want to request a *feature* or report a *bug*?
Feature
### What… did you expect to see?
Let's Encrypt does not work for intranet services. On the Let's Encrypt site, they propose to use https://github.com/jsha/minica instead (or generate them with OpenSSL). MiniCA is a GoLang application as well, and its source is pretty small. To use it, you just call it like "minica -domains host.development" and you get a certificate for it. Unlike self-signed certificates, it does generate a Root CA certificate as well. If that file exists, all the generated files are based on that.
Integrating something like that in addition to Let's Encrypt would make it a lot easier to set up traefik in an intranet to serve http2 sites.