Traefik serves default certificate when using wildcard domain

The goal:

  • Have traefik ask letsencrypt to generate a wildcard certificate ✅
  • Visiting a valid subdomain will use the certificate, and be valid ✅
  • Every http call will be redirected to https ✅
  • Visiting a non-existent subdomain will show a 404 page, with a valid https cert ❌

The problem:

  • Visiting a non-existent subdomain shows that traefik's default cert is being served.

Configuration:

commands (docker-compose.yml)
    command:
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      - "--providers.docker.network=app_network"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.filename=/etc/traefik/dynamic.yml"
      - "--providers.file.watch=true"
      - '--entryPoints.http.address=:80'
      - '--entryPoints.http.http.redirections.entryPoint.to=https'
      - '--entryPoints.http.http.redirections.entryPoint.scheme=https'
      - '--entryPoints.http.http.redirections.entryPoint.permanent=true'
      - '--entryPoints.https.address=:443'
      - '--certificatesresolvers.lets_encrypt_resolver.acme.email=myemail@email.com'
      - '--certificatesresolvers.lets_encrypt_resolver.acme.storage=/acme.json'
      - '--certificatesresolvers.lets_encrypt_resolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory' # @todo remove
      - '--certificatesresolvers.lets_encrypt_resolver.acme.dnschallenge=true'
      - '--certificatesresolvers.lets_encrypt_resolver.acme.dnschallenge.provider=digitalocean'
      - '--certificatesresolvers.lets_encrypt_resolver.acme.dnschallenge.delaybeforecheck=0'
      - '--entrypoints.https.http.tls.domains[0].main=mydomain.com'
      - '--entrypoints.https.http.tls.domains[0].sans=*.mydomain.com'
      - '--entrypoints.https.http.tls.certresolver=lets_encrypt_resolver'
dynamic.yml
tls:
  # traefik will terminate SSL and then communicate with self-signed certs internally.
  certificates:
    - certFile: /certs/cert.pem
      keyFile: /certs/key.pem

http:
  serversTransports:
    myTransport:
      serverName: "app"
      rootCAs:
        - /certs/rootCA.pem

  routers:
    app:
      rule: Host(`app.mydomain.com`)
      service: app
      entryPoints:
        - https
      tls:
        certResolver: lets_encrypt_resolver

  services:
    app:
      loadBalancer:
        serversTransport: myTransport
        servers:
          - url: 'https://app:8080'

The above configuration does work for valid subdomains. I can visit https://app.mydomain.com and I am served a valid https certificate along with my internal application serving the content via its own TLS cert.

The problem is, when I visit https://randomsubdomainthatdoesntexist.mydomain.com, I am served with a browser warning and traefik's default certificate is being served. Instead, I would like it to show me the standard 404.

My expectation was that having a wildcard certificate would enable this, which is why I switched from the HTTP challenge to the DNS challenge. Was I incorrect?

What am I missing?

Usually every sub-domain needs a DNS entry to resolve to an IP. You created those?

You can set a custom TLS cert as default (doc). It is also possible to use a LetsEncrypt cert as default (doc).

> Usually every sub-domain needs a DNS entry to resolve to an IP. You created those?

Yes, I have a wildcard certificate for those.

Actually, looking at the docs, I can't see how to set the LE cert as the default one for all unknown subdomains:

  stores:
    default:
      defaultGeneratedCert:
        resolver: lets_encrypt_resolver
        domain:
          main: mydomain.com
          sans:
            - '*.mydomain.com'   # must be quoted: a bare '*' starts a YAML alias and fails to parse

The example only shows concrete domains specified in the sans field...

--

What do I need to do, so that when I visit unknownsubdomain.mydomain.com, it does not show a https warning and instead redirects to mydomain.com, or anywhere else?

-- Edit: Solution is:

  • Wildcard cert
  • Redirect all http to https (I already had this)
  • Low priority route that forwards everything to another domain via middleware

Here's the redirect router:

    redirectUnknownSubdomain:
      rule: PathPrefix(`/`)
      priority: 1
      entryPoints:
        - https
      middlewares:
        - redirectUnknownSubdomain
      service: redirectUnknownSubdomain
      tls:
        certResolver: lets_encrypt_resolver
        domains:
          # one entry: the SANs belong to the same domain item as main
          - main: '{{env "DOMAIN"}}'
            sans:
              - '*.{{env "DOMAIN"}}'

and the redirect service:

    redirectUnknownSubdomain:
      loadBalancer:
        servers:
          - url: https://www.google.com
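As an added example (not code from the original thread or from the Traefik project), here is a complete `dynamic.yml` that combines the two approaches discussed above: the wildcard certificate is registered as the default certificate of the TLS store, so Traefik never falls back to its self-signed certificate for an unknown SNI name, and a lowest-priority catch-all router sends any request whose host matches no other router to the apex domain through a `redirectRegex` middleware. The names `mydomain.com`, `lets_encrypt_resolver`, `https`, `app` and `redirectUnknownSubdomain` are taken from the thread; the use of Traefik's built-in `noop@internal` service as the router's target is an assumption (it is never reached because the middleware answers first), and you can point the router at any dummy service as the thread does.

```yaml
# Added example: full dynamic configuration for the "unknown subdomain" case.
# Assumes the certresolver, entrypoint and service names used in the thread.
tls:
  stores:
    default:
      # Use the wildcard certificate whenever no router's TLS config matches
      # the SNI name sent by the client, instead of Traefik's self-signed one.
      defaultGeneratedCert:
        resolver: lets_encrypt_resolver
        domain:
          main: mydomain.com
          sans:
            - '*.mydomain.com'   # quoted: a bare '*' is a YAML alias, not a string

http:
  routers:
    app:
      rule: Host(`app.mydomain.com`)
      entryPoints:
        - https
      service: app
      tls:
        certResolver: lets_encrypt_resolver

    # Catch-all router. PathPrefix(`/`) matches every request; priority 1 is
    # lower than the rule-length-based priority Traefik assigns to every other
    # router, so this only fires when nothing more specific matched.
    redirectUnknownSubdomain:
      rule: PathPrefix(`/`)
      priority: 1
      entryPoints:
        - https
      middlewares:
        - redirectUnknownSubdomain
      service: noop@internal   # assumed built-in no-op service; never reached
      tls:
        certResolver: lets_encrypt_resolver
        domains:
          # Tell the resolver which names this router needs, since no Host()
          # rule is present for Traefik to derive them from.
          - main: mydomain.com
            sans:
              - '*.mydomain.com'

  middlewares:
    redirectUnknownSubdomain:
      redirectRegex:
        # Capture the path and send the client to the apex domain.
        regex: '^https://[^/]+/(.*)'
        replacement: 'https://mydomain.com/${1}'
        # Temporary redirect: a 301 would be cached by browsers, which bites
        # later when a real subdomain with that name is introduced.
        permanent: false

  services:
    app:
      loadBalancer:
        servers:
          - url: 'https://app:8080'
```

Two checks worth doing after applying this: confirm that a wildcard DNS record (`*.mydomain.com`) points at the Traefik host, since the wildcard certificate only helps once the name resolves, and remove the `acme.caserver` staging URL from the thread's `command` list (marked `@todo remove` there), because a certificate from the staging CA is not trusted by browsers and will keep producing a warning even when the correct certificate is selected.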
