Unable to generate wildcard certificates properly for multiple domains

I am intending to generate multiple wildcard certificates using the Cloudflare DNS challenge for multiple domains. For instance:

  1. Cert1 - example.com & *.example.com
  2. Cert2 - adguard.example.com & *.adguard.example.com

Here is my full docker-compose for traefik, I don't use anything else to configure traefik - https://pastebin.com/raw/GGAAwXBj
Pointing out the most relevant section from the compose:

 - "--entrypoints.websecure.http.tls.domains[0].main=example.com"
 - "--entrypoints.websecure.http.tls.domains[0].sans=*.example.com"
 - "--entrypoints.websecure.http.tls.domains[1].main=adguard.example.com"
 - "--entrypoints.websecure.http.tls.domains[1].sans=*.adguard.example.com"

Here is a link to my redacted acme.json file - https://pastebin.com/raw/fbrtuKb4.
As is evident from the above JSON file, the first certificate is generated fine, namely example.com & *.example.com are correctly present inside the main and sans blocks, but for the second certificate, *.adguard.example.com is directly present in the main block while the sans block is missing altogether.

Traefik version 3.0.0-beta3
Ubuntu 22.04 & Docker

Try following the doc. Make sure all sub-domains resolve to an IP.

--entrypoints.websecure.http.tls.domains[0].main=example.com
--entrypoints.websecure.http.tls.domains[0].sans=*.example.com
--entrypoints.websecure.http.tls.domains[1].main=sub1.example.com
--entrypoints.websecure.http.tls.domains[1].sans=*.sub1.example.com

or try

--entrypoints.websecure.http.tls.domains[0].main=example.com
--entrypoints.websecure.http.tls.domains[0].sans=*.example.com,*.sub1.example.com

I did know about this one but I'm quite unsure whether it would work as intended.
Correct me if I am wrong, assuming the following creates a wildcard certificate for example.com

--entrypoints.websecure.http.tls.domains[0].main=example.com
--entrypoints.websecure.http.tls.domains[0].sans=*.example.com

And assuming the below creates a wildcard certificate for sub1.example.com

--entrypoints.websecure.http.tls.domains[1].main=sub1.example.com
--entrypoints.websecure.http.tls.domains[1].sans=*.sub1.example.com

The first wildcard certificate is fine, but in the second one I need a single combined certificate covering the wildcard for sub1 & sub1 itself.

Isn’t that what’s happening? Have you tested?

Unfortunately I am not even able to access the traefik dashboard itself for some reason; pretty sure the certificates wouldn't have been generated either. Logs - https://pastes.io/raw/uiqmj2628x

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

Did you read the error?

error="unable to get ACME account: permissions 755 for /letsencrypt/acme.json are too open, please use 600"

Here's my whole traefik docker compose - https://pastebin.com/raw/GGAAwXBj. I don't use anything else to configure traefik.

Edit - I fixed all acme issues by fixing my volume mounts.

Proceeding forward, I checked on the original problem for which this thread was posted; it doesn't seem to have gone as expected. Have a look at my redacted acme.json file here - https://pastebin.com/raw/fbrtuKb4

As is evident from the above JSON file, the first certificate is generated fine, namely example.com & *.example.com are correctly present inside the main and sans blocks, but for the second certificate, *.adguard.example.com is directly present in the main block while the sans block is missing altogether. After much digging, I still haven't been able to find anything substantial yet.
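The two checks this thread ends up needing, as an added example that is not part of the thread or of Traefik's own code: (1) that acme.json is mode 0600, the permission the quoted error demands, and (2) that every `tls.domains` entry from the static config is covered by a single issued certificate whose main/sans names include both the apex and its wildcard (the reporter's requirement for sub1 and *.sub1). It assumes the acme.json layout the thread describes (a per-resolver object with a `Certificates` list whose entries carry `domain.main` and `domain.sans`); the certificate data below is constructed to mirror the reported outcome, with the second certificate lacking its sans block.

```python
import json
import os
import stat
import tempfile

# Constructed sample: mirrors the outcome reported in the thread. The first
# certificate has main + sans; the second has only a wildcard in "main" and
# no "sans" block at all. Keys are placeholders, not real material.
SAMPLE_ACME_JSON = {
    "letsencrypt": {
        "Account": {"Email": "admin@example.com"},
        "Certificates": [
            {"domain": {"main": "example.com", "sans": ["*.example.com"]},
             "certificate": "<redacted>", "key": "<redacted>", "Store": "default"},
            {"domain": {"main": "*.adguard.example.com"},
             "certificate": "<redacted>", "key": "<redacted>", "Store": "default"},
        ],
    }
}

# The tls.domains[N].main / .sans pairs from the static configuration.
EXPECTED_DOMAINS = [
    ("example.com", ["*.example.com"]),
    ("adguard.example.com", ["*.adguard.example.com"]),
]


def write_sample(mode=0o600):
    """Write the constructed acme.json to a temp file with the given mode (hypothetical helper)."""
    fd, path = tempfile.mkstemp(prefix="acme-", suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(SAMPLE_ACME_JSON, fh)
    os.chmod(path, mode)  # chmod is not subject to umask, so the mode is exact
    return path


def check_permissions(path):
    """True only when the file is exactly 0600 (owner read/write, nothing for others),
    which is what the 'permissions 755 ... are too open, please use 600' error requires."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


def load_certificates(path):
    """Return (resolver, main, sorted sans) for every certificate in acme.json.
    A missing or null 'sans' block is treated as an empty list."""
    with open(path) as fh:
        data = json.load(fh)
    certs = []
    for resolver, body in data.items():
        for cert in body.get("Certificates") or []:
            dom = cert.get("domain", {})
            certs.append((resolver, dom.get("main", ""), sorted(dom.get("sans") or [])))
    return certs


def names_covered(cert):
    """All DNS names one certificate carries. A wildcard does not cover its own apex
    (*.sub1.example.com is not valid for sub1.example.com), so names are compared literally."""
    _, main, sans = cert
    return {main, *sans}


def find_gaps(certs, expected):
    """Return the expected (main, sans) pairs for which no single certificate covers
    every requested name, i.e. the entries that did not come out as one combined cert."""
    gaps = []
    for main, sans in expected:
        wanted = {main, *sans}
        if not any(wanted <= names_covered(c) for c in certs):
            gaps.append((main, sorted(sans)))
    return gaps


if __name__ == "__main__":
    path = write_sample(0o755)  # reproduce the over-permissive mode from the thread
    print("acme.json mode ok:", check_permissions(path))
    os.chmod(path, 0o600)
    print("acme.json mode ok after chmod 600:", check_permissions(path))
    for resolver, main, sans in load_certificates(path):
        print(f"[{resolver}] main={main} sans={sans}")
    for main, sans in find_gaps(load_certificates(path), EXPECTED_DOMAINS):
        print(f"not covered by a single certificate: {main} + {sans}")
```

Run against a real acme.json by pointing `load_certificates` and `check_permissions` at its path instead of `write_sample`; the gap report lists exactly the entries (here adguard.example.com plus its wildcard) that did not come out as one combined certificate.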
