Hello,
I just tried the new functionality pushed in v2.2: the ability to add a default certResolver for entrypoints defined in the static config.
I have an entrypoint for HTTPS named websecure and I attached to it a certResolver "my-cloudflare":
```yaml
entryPoints:
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: my-cloudflare
      middlewares:
        - secureHeader@file
```
And I've defined the certResolver (with the Cloudflare environment variables injected properly):
```yaml
certificatesResolvers:
  my-cloudflare:
    acme:
      email: xxx@xxx.fr
      storage: /etc/traefik/ssl/acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - 1.1.1.1:53
          - 1.0.0.1:53
```
When I define the labels from Docker Compose, with entrypoint "websecure", I expect Traefik to trigger the DNS challenge (my-cloudflare) for the specified host (here xxx.domain.fr) automatically, but this does not appear to be the case:
```yaml
services:
  traefik:
    container_name: traefik
    image: traefik:v2.2
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.yaml:/etc/traefik/traefik.yaml
      - ./dynamic/:/etc/traefik/dynamic/
      - ./ssl:/etc/traefik/ssl/
    environment:
      CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN}
    networks:
      - traefik
    restart: always
    labels:
      traefik.enable: true
      traefik.http.routers.api.entrypoints: websecure
      traefik.http.routers.api.rule: Host("xxx.domain.fr")
      traefik.http.routers.api.service: api@internal
      traefik.http.routers.api.tls: true
```
With the above config, Traefik is not generating the SSL certification signed by Let's Encrypt with my-cloudflare, assigned to the websecure endpoint.
If I want Traefik to trigger the DNS challenge to generate the certification with the my-cloudflare resolver, I need to add this label to my docker-compose container:
```yaml
traefik.http.routers.api.tls.certResolver: my-cloudflare
```
Why? Isn't Traefik supposed to detect that the entrypoint "websecure" uses the certResolver "my-cloudflare" and, that way, automatically generate the DNS challenge?
Thanks.
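As an added check, not code from the post or from Traefik itself, here is a small Python lint that works out which certResolver each Docker-label router actually ends up with, so a config like the one above can be caught before deploy. It assumes Traefik's documented rule that an entryPoint's `http.tls` block is only a default, applied to routers that define no `tls` section of their own, and mirrors the post's config as inline dicts (constructed sample input, so it runs without PyYAML).

```python
from typing import Dict, List, Optional, Tuple

# Constructed to mirror the static entryPoints config from the post.
ENTRYPOINTS: Dict[str, dict] = {
    "web": {"address": ":80"},
    "websecure": {
        "address": ":443",
        "http": {
            "tls": {"certResolver": "my-cloudflare"},
            "middlewares": ["secureHeader@file"],
        },
    },
}

# Constructed to mirror the router labels from the post's docker-compose file.
POST_LABELS: Dict[str, str] = {
    "traefik.enable": "true",
    "traefik.http.routers.api.entrypoints": "websecure",
    "traefik.http.routers.api.rule": "Host(`xxx.domain.fr`)",
    "traefik.http.routers.api.service": "api@internal",
    "traefik.http.routers.api.tls": "true",
}


def parse_router_labels(labels: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group traefik.http.routers.<name>.<option> labels by router name."""
    routers: Dict[str, Dict[str, str]] = {}
    prefix = "traefik.http.routers."
    for key, value in labels.items():
        if key.startswith(prefix):
            name, _, option = key[len(prefix):].partition(".")
            routers.setdefault(name, {})[option] = str(value)
    return routers


def tls_status(router: Dict[str, str],
               entrypoints: Dict[str, dict]) -> Tuple[bool, Optional[str]]:
    """(serves TLS?, effective certResolver or None) for one router."""
    if "tls.certResolver" in router:            # explicit label always wins
        return True, router["tls.certResolver"]
    if any(k == "tls" or k.startswith("tls.") for k in router):
        # Assumption: a router with its own (even empty) tls section does not
        # inherit the entryPoint default, so "tls: true" alone has no resolver.
        return True, None
    for ep in router.get("entrypoints", "").split(","):
        ep_tls = entrypoints.get(ep.strip(), {}).get("http", {}).get("tls")
        if ep_tls is not None:                  # inherited entryPoint default
            return True, ep_tls.get("certResolver")
    return False, None                          # plain HTTP router


def flag_routers(labels: Dict[str, str],
                 entrypoints: Dict[str, dict] = ENTRYPOINTS) -> List[str]:
    """Names of routers that serve TLS but would get no ACME certificate."""
    routers = parse_router_labels(labels)
    return sorted(n for n, r in routers.items()
                  if tls_status(r, entrypoints) == (True, None))
```

Running `flag_routers(POST_LABELS)` reports the `api` router from the post; dropping its bare `tls` label or adding `tls.certResolver` clears the finding.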