Wildcard Cert setup causes log warning

Hi,

I have an application that serves arbitrary subdomains. So everything at *.my.domain should be passed on to this application.

I managed to do that using the following labels. I am using a DNS based certificate provider to request a wildcard certificate.

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.mydomain.rule=HostRegexp(`.+.my.domain`)"
  - "traefik.http.routers.mydomain.tls.certresolver=gandi"
  - "traefik.http.routers.mydomain.tls.domains[0].main=*.my.domain"
  - "traefik.http.routers.mydomain.tls.domains[0].sans=my.domain"
  - "traefik.http.services.mydomain.loadbalancer.server.port=8080"

The above setup works fine, but I am getting the following warning in my traefik log:

WRN No domain found in rule HostRegexp(`.+.my.domain`), the TLS options applied for this router will depend on the SNI of each request entryPointName=web routerName=mydomain@docker

I am not sure I understand the issue this is reporting, because traefik should serve the same wildcard certificate for all requests on this top level domain.

Is there a better way to configure my setup? Please note that this is not the only domain proxied through traefik - others are using a more conventional setup without any wildcard certs involved.

Not sure if `.+.` is correct; I assume one dot stands for everything and one for a real dot, so one should probably be escaped.

But in general you can ignore the warning, as you have an additional TLS declaration on the router.

Note that usually main is the domain and sans is the wildcard.

Yeah the regex is suboptimal, but I was struggling with getting the escaping right. Note on the domain/sans order taken.

So just ignoring the warning is my only option. Okay, I can live with that. I was just wondering if I was doing something wrong here.

If you're trying to find a regex for "anything that's part of this domain", then try the following:

HostRegexp(`^.+\.my\.domain\.com$`)

Also, depending on your use-case, you can set a default CA resolver in the static configuration file:

entryPoints:
  web:
    address: :80

  websecure:
    asDefault: true
    address: :443
    http:
      tls:
        certResolver: le
        domains:
          - main: "*.domain.com"
            sans:
              - "domain.com"

With asDefault you don't need to set up any entrypoints or tls sections. If you don't use asDefault, then you skip the tls section to use these defaults.

Obviously if you have more domains that might not be ideal, however.
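To make the escaping point from the two replies above concrete, here is an added example (not code from the thread or from Traefik itself) that compiles the original unescaped, unanchored pattern and the anchored, escaped one with Go's standard regexp package, which is the RE2 syntax HostRegexp uses, and runs both over a handful of constructed hostnames. The constant and function names are mine; the hostnames are made up for illustration. It shows which hosts the loose pattern routes to the wildcard router that the strict one correctly rejects.

```go
package main

import (
	"fmt"
	"regexp"
)

// loosePattern is the rule from the original post: dots are unescaped (they
// match any character) and there are no anchors, so it matches any hostname
// that merely contains "<x>my<y>domain" somewhere inside it.
const loosePattern = `.+.my.domain`

// strictPattern is the anchored, escaped form suggested in the reply, adapted
// to the original poster's domain: at least one character, a literal dot,
// then exactly "my.domain" at the end of the hostname.
const strictPattern = `^.+\.my\.domain$`

// hostMatches reports whether host matches a HostRegexp-style pattern.
// Traefik's HostRegexp compiles its argument with Go's regexp package, so
// using the standard library here reproduces the matcher's decision.
func hostMatches(pattern, host string) bool {
	return regexp.MustCompile(pattern).MatchString(host)
}

// classify splits hosts into those accepted only by the loose pattern
// (unintended matches) and those accepted by the strict pattern.
func classify(hosts []string) (looseOnly, strict []string) {
	for _, h := range hosts {
		switch {
		case hostMatches(strictPattern, h):
			strict = append(strict, h)
		case hostMatches(loosePattern, h):
			looseOnly = append(looseOnly, h)
		}
	}
	return looseOnly, strict
}

func main() {
	// Constructed sample hostnames, not taken from any real deployment.
	hosts := []string{
		"app.my.domain",         // intended: both patterns match
		"a.b.my.domain",         // intended: nested subdomain, both match
		"my.domain",             // apex: neither matches (needs a label + dot first)
		"app-my-domain",         // loose only: unescaped dots accept '-'
		"app.my.domain.example", // loose only: no '$' anchor, matches as a prefix
	}
	looseOnly, strict := classify(hosts)
	fmt.Println("matched by strict pattern:   ", strict)
	fmt.Println("matched by loose pattern only:", looseOnly)
}
```

The practical takeaway for a Host rule is that an unanchored pattern with unescaped dots will also claim hostnames you never issued a certificate for, so the router, and the TLS options attached to it, can be selected by names outside the wildcard. Anchoring with `^` and `$` and escaping the dots restricts the router to exactly the names the certificate covers.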