Wildcard certificate does not work

I do not receive a wildcard certificate if I use traefik.yml
The acme.json file does not contain any data
There are no errors in the logs

Here are my settings:

global:
  checkNewVersion: false
  sendAnonymousUsage: false

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entrypoint:
          to: websecure
          scheme: https

  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letencrypt
        domains:
          - main: domain.com
            sans:
              - "*.domain.com"

log:
  level: DEBUG

api:
  insecure: true
  dashboard: true

providers:
  docker:
    exposedByDefault: false
  file:
    filename: "/etc/traefik/dynamic_conf.yml"
    watch: true

certificatesResolvers:
  letencrypt:
    acme:
      email: $$$$$@gmail.com
      storage: /cert/acme.json
#      caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - 1.1.1.1:53
          - 1.0.0.1:53

But if you use labels in docker compose and the traefik.yml settings below, everything works fine.
The acme.json file contains the data

- "traefik.http.routers.traefik_secured.tls.certresolver=letencrypt"
- "traefik.http.routers.traefik_secured.tls.domains[0].main=domain.com"
- "traefik.http.routers.traefik_secured.tls.domains[0].sans=*.domain.com"
global:
  checkNewVersion: false
  sendAnonymousUsage: false

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entrypoint:
          to: websecure
          scheme: https

  websecure:
    address: ":443"

log:
  level: DEBUG

api:
  insecure: true
  dashboard: true

providers:
  docker:
    exposedByDefault: false
  file:
    filename: "/etc/traefik/dynamic_conf.yml"
    watch: true

certificatesResolvers:
  letencrypt:
    acme:
      email: $$$$$@gmail.com
      storage: /cert/acme.json
#      caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - 1.1.1.1:53
          - 1.0.0.1:53

It should work the way you posted (doc):

entryPoints:
  websecure:
    address: ':443'
    http:
      tls:
        options: foobar
        certResolver: leresolver
        domains:
          - main: example.com
            sans:
              - foo.example.com
              - bar.example.com

Are you sure you supplied the correct DNS credentials via env in both cases?

Yes, I’m sure. Because if I remove these settings from traefik.yml

    http:
      tls:
        options: foobar
        certResolver: leresolver
        domains:
          - main: example.com
            sans:
              - foo.example.com
              - bar.example.com

and configure it differently by adding the labels:

"traefik.http.routers.traefik_secured.tls.certresolver=letencrypt"
"traefik.http.routers.traefik_secured.tls.domains[0].main=domain.com"
"traefik.http.routers.traefik_secured.tls.domains[0].sans=*.domain.com"

I still get the certificate. (The acme.json file contains data for my domain).

I find many tutorials, and as far as I understand, it works for everyone else, but not for me. :frowning:

Is Traefik reading the config file? What’s the debug output?

Share your docker-compose.yml.

docker-compose

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    environment:
      - CF_DNS_API_TOKEN=$$$$$$$$$$$$
    ports:
      - 80:80
      - 443:443
      - 8080:8080 #dashboard
    networks:
      - generic
    volumes:    
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik_secured.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.traefik_secured.entrypoints=websecure"
      - "traefik.http.routers.traefik_secured.tls=true"

      - "traefik.http.routers.traefik_secured.service=api@internal"
      - "traefik.docker.network=generic"

networks:
  generic:
    name: generic
    external: true

logs

sorry, here is the correction

    volumes:    
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      - /home/traefik/certs:/certs

Can you supply the 3 relevant docs in one post?

docker-compose.yml, Traefik static config and dynamic config.

It’s kind of hard to jump around between bits and updated pieces.

Hello.
Yes of course, here are my settings.
I don't use a dynamic configuration file

(for anonymity:
example.com
e-mail@gmail.com)

traefik.yml

global:
  checkNewVersion: false
  sendAnonymousUsage: false

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entrypoint:
          to: websecure
          scheme: https

  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letencrypt
        domains:
          - main: example.com
            sans:
              - "*.example.com"

log:
  level: DEBUG

api:
  insecure: true
  dashboard: true

providers:
  docker:
    exposedByDefault: false

certificatesResolvers:
  letencrypt:
    acme:
      email: e-mail@gmail.com
      storage: /certs/acme.json
#      caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - 1.1.1.1:53
          - 1.0.0.1:53

docker compose

---
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    environment:
      - CF_DNS_API_TOKEN=@@@@@@@@@@@
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    networks:
      - generic
    volumes:    
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      - /home/traefik/certs:/certs
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik_secured.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.traefik_secured.entrypoints=websecure"
      - "traefik.http.routers.traefik_secured.tls=true"

      - "traefik.http.routers.traefik_secured.service=api@internal"
      - "traefik.docker.network=generic"

networks:
  generic:
    name: generic
    external: true

logs

Try to remove the line. Not sure if it overwrites the LetsEncrypt use from entrypoint.

Just tls=true is used to enable custom loaded TLS certs, it’s not required for LetsEncrypt, when you assign a certResolver.

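To make the point of the reply above checkable, here is an added example (not Traefik's code and not posted by anyone in this thread) in Python. It reads Docker labels in the form used in this thread, looks up the `certResolver` on the entryPoint each router is attached to, and flags a router that sets `tls=true` without its own `tls.certresolver`: per the Traefik documentation, a router that defines any TLS field does not receive the entryPoint's default TLS block, so the certResolver and the wildcard `domains` configured there are never used for it. The entryPoints dict and the label lists are constructed to mirror the configuration posted in the thread.

```python
"""Lint Traefik Docker labels against the static entryPoints config for the
mistake found in this thread: a router labelled `tls=true` without its own
`tls.certresolver`. A router that defines any TLS field keeps its own (empty)
TLS block instead of inheriting certResolver and domains from the entryPoint,
so the wildcard certificate configured there is never requested for it.

Added example, not Traefik's own code; label format and static-config keys
are the ones used in the thread.
"""
import re

ROUTER_LABEL = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+?)=(.*)$")


def parse_router_labels(labels):
    """Group `traefik.http.routers.<name>.<key>=<value>` labels by router name."""
    routers = {}
    for label in labels:
        m = ROUTER_LABEL.match(label.strip())
        if m:
            name, key, value = m.groups()
            routers.setdefault(name, {})[key] = value
    return routers


def entrypoint_resolver(entrypoints, ep_name):
    """certResolver configured under entryPoints.<name>.http.tls, if any."""
    tls = entrypoints.get(ep_name, {}).get("http", {}).get("tls") or {}
    return tls.get("certResolver")


def check_router_tls(entrypoints, labels):
    """Return one finding per router whose own TLS block shadows the
    entryPoint's certResolver. An empty list means the labels are fine."""
    findings = []
    for name, cfg in parse_router_labels(labels).items():
        defines_tls = cfg.get("tls") == "true" or any(k.startswith("tls.") for k in cfg)
        if not defines_tls or "tls.certresolver" in cfg:
            continue
        entrypoints_used = [e.strip() for e in cfg.get("entrypoints", "").split(",") if e.strip()]
        for ep in entrypoints_used:
            resolver = entrypoint_resolver(entrypoints, ep)
            if resolver:
                findings.append(
                    f"router {name!r}: tls=true without tls.certresolver shadows "
                    f"certResolver {resolver!r} on entryPoint {ep!r}; remove the router's "
                    f"tls labels or add tls.certresolver={resolver}")
    return findings


# Static entryPoints section, constructed to mirror the traefik.yml in the thread
ENTRYPOINTS = {
    "web": {"address": ":80"},
    "websecure": {
        "address": ":443",
        "http": {"tls": {"certResolver": "letencrypt",
                         "domains": [{"main": "example.com", "sans": ["*.example.com"]}]}},
    },
}

# Router labels as posted in the thread's docker-compose.yml
LABELS_AS_POSTED = [
    "traefik.enable=true",
    "traefik.http.routers.traefik_secured.rule=Host(`traefik.example.com`)",
    "traefik.http.routers.traefik_secured.entrypoints=websecure",
    "traefik.http.routers.traefik_secured.tls=true",
    "traefik.http.routers.traefik_secured.service=api@internal",
]
# The same labels with the tls=true line removed, as the reply suggests
LABELS_FIXED = [l for l in LABELS_AS_POSTED if not l.endswith(".tls=true")]
# Alternative fix: keep tls on the router but name the resolver explicitly
LABELS_EXPLICIT = LABELS_AS_POSTED + ["traefik.http.routers.traefik_secured.tls.certresolver=letencrypt"]

if __name__ == "__main__":
    for title, labels in (("as posted", LABELS_AS_POSTED), ("fixed", LABELS_FIXED)):
        print(title, "->", check_router_tls(ENTRYPOINTS, labels) or "no findings")
```

Run it as-is to see the posted labels produce one finding and the fixed labels none; the `LABELS_EXPLICIT` variant shows the other valid shape, where the router names its resolver itself instead of relying on the entryPoint default.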

Thank you so much, dear friend!!!!!!!!!!
I spent almost two weeks unsuccessfully trying to solve this problem!

I thought it wasn't necessary to specify

- "traefik.http.routers.traefik_secured.entrypoints=websecure"

But tls=true is important because it indicates that HTTPS must be used, and therefore, certificatesResolvers.

However, I don't understand why it worked when I used labels along with tls=true.


My friend, if it's not too much trouble, could you answer one more question?
I'll say right away, it doesn't relate to the question above.
But since you helped me solve it, I am converting all the labels from docker-compose to a traefik.yml file.

I plan to set up a second-level subdomain.
After reading articles and consulting ChatGPT, I came up with two configuration options.
Which one is correct?

This is what ChatGPT told me.
With these settings, it works:

      - "traefik.http.routers.wildcard_cert.tls.domains[0].main=example.com"
      - "traefik.http.routers.wildcard_cert.tls.domains[0].sans=*.example.com,*.sub.example.com"

This is how I configured it based on the documentation and forum posts.
With these settings, it says: Domain is duplicated in the configuration or validated by the domain

      - "traefik.http.routers.wildcard_cert.tls.domains[0].main=example.com"
      - "traefik.http.routers.wildcard_cert.tls.domains[0].sans=*.example.com"
      - "traefik.http.routers.wildcard_cert.tls.domains[1].main=sub.example.com"
      - "traefik.http.routers.wildcard_cert.tls.domains[1].sans=*.sub.example.com"

No. If a certResolver is assigned on entrypoint and a router is using that entrypoint, then you don’t need any TLS declaration on router. See simple Traefik example.

Maybe try switching around:

      - "traefik.http.routers.wildcard_cert.tls.domains[0].main=sub.example.com"
      - "traefik.http.routers.wildcard_cert.tls.domains[0].sans=*.sub.example.com"
      - "traefik.http.routers.wildcard_cert.tls.domains[1].main=example.com"
      - "traefik.http.routers.wildcard_cert.tls.domains[1].sans=*.example.com"

Or try (related post)

      - "traefik.http.routers.wildcard_cert.tls.domains[0].main=example.com"
      - "traefik.http.routers.wildcard_cert.tls.domains[0].sans=*.example.com,*.sub.example.com"

Make sure the domain or zone sub. is registered with your DNS provider.

Created a docker-swarm-traefik-dnschallenge example, which has dnsChallenge in command. This works for me.
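The "Domain is duplicated in the configuration or validated by the domain" message earlier in the thread, and the question of which names the certificate in acme.json actually covers (the original post reports an empty acme.json), both come down to how a wildcard matches. As an added example that is not Traefik's code and not from this thread's posters, the Python below applies the rule that `*.example.com` covers exactly one extra label (so it validates `sub.example.com` but not `x.sub.example.com`), detects the overlap in the two-entry `domains[]` list, folds the list into the single-entry form suggested above, and checks a name against the certificates stored in acme.json. The acme.json layout assumed here is the v2-style `{resolver: {"Certificates": [{"domain": {"main", "sans"}}]}}`; the sample file is constructed.

```python
"""Wildcard coverage checks for Traefik ACME domain lists and acme.json.

Added example, not Traefik's own code. Assumptions: a `*.zone` wildcard
matches a single DNS label (RFC 6125 style), and acme.json follows the
v2-style layout {resolver: {"Certificates": [{"domain": {"main": ..., "sans": [...]}}]}}.
"""
import json


def covers(pattern, name):
    """True if `pattern` (exact name or `*.zone` wildcard) matches `name`.
    A wildcard covers exactly one label: `*.example.com` matches
    `sub.example.com` but not `app.sub.example.com`."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        zone = pattern[2:]
        return name.endswith("." + zone) and "." not in name[: -len(zone) - 1]
    return False


def names_of(entry):
    return [entry["main"]] + list(entry.get("sans", []))


def find_overlaps(domains):
    """(name, covering_pattern, earlier_entry_index) for each name in a later
    entry that an earlier entry already validates. The thread's
    `domains[1].main=sub.example.com` trips this because `*.example.com`
    in `domains[0]` already covers it."""
    overlaps = []
    for i, entry in enumerate(domains):
        for name in names_of(entry):
            for j in range(i):
                hit = next((p for p in names_of(domains[j]) if covers(p, name)), None)
                if hit:
                    overlaps.append((name, hit, j))
                    break
    return overlaps


def merge_domains(domains):
    """Fold all entries into one certificate request: the first main stays
    main, every other name becomes a SAN unless it is already covered."""
    merged = {"main": domains[0]["main"], "sans": []}
    for entry in domains:
        for name in names_of(entry):
            if not any(covers(p, name) for p in names_of(merged)):
                merged["sans"].append(name)
    return merged


def issued_names(acme_json_text, resolver):
    """(main, sans) for every certificate stored under `resolver` in acme.json.
    Empty for a fresh or empty file, which is what the original post saw."""
    data = json.loads(acme_json_text)
    certs = (data.get(resolver) or {}).get("Certificates") or []
    return [(c["domain"]["main"], list(c["domain"].get("sans", []))) for c in certs]


def store_covers(acme_json_text, resolver, name):
    """True if any certificate stored for `resolver` covers `name`."""
    return any(covers(p, name)
               for main, sans in issued_names(acme_json_text, resolver)
               for p in [main] + sans)


# The two-entry list that produced the duplicate warning in the thread
TWO_ENTRIES = [
    {"main": "example.com", "sans": ["*.example.com"]},
    {"main": "sub.example.com", "sans": ["*.sub.example.com"]},
]

# Constructed acme.json holding only the first-level wildcard certificate
SAMPLE_ACME_JSON = json.dumps({
    "letencrypt": {
        "Account": {"Email": "e-mail@gmail.com"},
        "Certificates": [{
            "domain": {"main": "example.com", "sans": ["*.example.com"]},
            "certificate": "<base64 PEM omitted>", "key": "<base64 PEM omitted>",
            "Store": "default",
        }],
    }
})

if __name__ == "__main__":
    print("overlaps:", find_overlaps(TWO_ENTRIES))
    print("merged:", merge_domains(TWO_ENTRIES))
    for host in ("traefik.example.com", "myapp2.srv1.example.com"):
        print(host, "covered:", store_covers(SAMPLE_ACME_JSON, "letencrypt", host))
```

`merge_domains(TWO_ENTRIES)` yields the single entry `example.com` with SANs `*.example.com, *.sub.example.com`, which is the form the replies above report as working; `store_covers` shows that a certificate for `example.com, *.example.com` serves `traefik.example.com` but not `myapp2.srv1.example.com`, which is why the second-level wildcard has to be requested explicitly.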

In your example you only have:

example.com
*.example.com

And I also have:

sub.example.com
*.sub.example.com

Something like this:
myapp.example.com
myapp2.srv1.example.com

This works for me:

      - --entrypoints.websecure.http.tls.domains[0].main=example.com
      - --entrypoints.websecure.http.tls.domains[0].sans=*.example.com,*.test.example.com

Yes, me too.
I was confused by the need to specify domains[1].main=sub.example.com.
That's why I wanted to know for sure what's correct.


And do these settings work without DNS records in Cloudflare? Is that even possible?

domains[0].main=example.com
domains[0].sans=*.example.com,*.sub.example.com

For sure you need example.com. My provider did not require sub., but that may be dependent on the provider you use.