Wildcard certificate not used despite being correct

I have Traefik set up correctly for :80 and am trying to configure it to work correctly for :443.
I have validated that the routing is good by testing with http through :443, and that works no problem, so the next step is setting up https. I have set up a certFile and keyFile that the logs show are being picked up correctly. However, when it comes to actually using https it fails with "SSL peer has no certificate for the requested DNS name", even though the logs show that the certificate would in fact be correct for the URL.
All I can think of is that Traefik doesn't handle deep subdomains?
The certificate is issued for *.app.site.com and the URL accessed is client.app.site.com (obviously the specifics have been anonymized, but that is the scheme in use).

Is there any inherent issue? I'm absolutely lost as to what else could possibly be wrong, since everything I check works correctly apart from Traefik refusing to use the certificate.
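The question turns on one rule: a wildcard in a certificate name covers exactly one DNS label (RFC 6125), so *.app.site.com covers client.app.site.com but not a.client.app.site.com or app.site.com. The following Python is an added illustration, not part of this thread and not Traefik's code: it implements that matching rule, and it includes a helper that handshakes against a live endpoint with a chosen SNI name and returns the DNS SANs of the certificate the server actually presented, which separates "Traefik loaded the cert" from "Traefik served the cert". The host names are the thread's anonymized placeholders; the offline part makes no network connection.

```python
import socket
import ssl
from typing import Iterable, List, Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one certificate DNS name against a hostname.

    Conservative subset of the rules:
      - comparison is case-insensitive and ignores a trailing dot
      - a wildcard must be the whole leftmost label ("*.app.site.com")
      - the wildcard matches exactly one label, never zero and never several
      - patterns with fewer than three labels ("*.com") are rejected
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def matching_san(san_dns_names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first SAN entry that covers hostname, or None if none does."""
    for name in san_dns_names:
        if hostname_matches(name, hostname):
            return name
    return None


def served_san_dns_names(host: str, port: int = 443, server_name: Optional[str] = None,
                         cafile: Optional[str] = None) -> List[str]:
    """Handshake with SNI=server_name (default: host) and return the DNS SANs of the
    leaf certificate the server actually presented.

    The chain must verify (pass cafile for a private CA). Hostname checking is
    disabled on purpose: deciding whether the name matches is matching_san's job.
    If the server fell back to a self-signed default certificate, the handshake
    raises ssl.SSLCertVerificationError, which is itself the finding.
    Needs network access; not exercised offline.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed example: the thread's wildcard certificate and a few request names.
    san = ["*.app.site.com"]
    for name in ("client.app.site.com", "a.client.app.site.com", "app.site.com"):
        print(f"{name:26} -> {matching_san(san, name) or 'NO MATCH'}")
```

To inspect a running endpoint, call served_san_dns_names("203.0.113.10", server_name="client.app.site.com") with your own address: connecting to the IP while setting the SNI name separately lets you check which certificate is served for a given name before DNS points at the host, and a verification error on that call tells you a default self-signed certificate was returned instead.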

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

Enable and check Traefik debug log and dashboard.

You need to load the certs in a dynamic config file, which is loaded via providers.file in static config. Then enable TLS on entrypoint or router.

I tried adding an explicit tls to the entrypoint as per the docs (Traefik EntryPoints Documentation - Traefik) as you suggested, but still no luck, so here are the files. Obviously the certs are in the cert directory as per config.
Anonymized to not leak the name of my company/product, but other than the URL and the specific name of the network they are copy-pasted; backend config omitted for brevity.

docker-compose.yaml

services:   # top-level key omitted from the post; added so the file validates
  frontend:
    image: app-frontend:single-residency
    container_name: frontend
    restart: always
    networks: ["app"]
    depends_on: ["backend"]   # backend service omitted by the poster for brevity
    environment:
      NUXT_PUBLIC_API_BASE: "/api"
      NITRO_PORT: 8080
      NODE_ENV: production
    labels:
      traefik.enable: true
      traefik.http.routers.frontend.rule: Host(`client.app.site.com`)
      traefik.http.services.frontend.loadbalancer.server.port: 8080

  ingress:
    image: "traefik:v2.10"
    container_name: "traefik"
    networks: ["app"]
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - ./traefik.yaml:/etc/traefik/traefik.yaml
      - ./certs:/certs/
      - /var/run/docker.sock:/var/run/docker.sock

networks:   # network definition omitted from the post (name anonymized); assumed
  app: {}

traefik.yaml

## STATIC CONFIG (restart traefik to update)

# shows you a log msg if a newer image tag can be used
global:
  checkNewVersion: true

# log default is ERROR, but WARN is more helpful
log:
  level: DEBUG
  # level: INFO

# enable dashboard on 8080 with NO AUTH
api:
  insecure: true
  dashboard: true

# enable ping so the `traefik healthcheck` works
ping: {}

# auto-proxy containers if they have proper labels
# and also use this file for dynamic config (tls)
providers:
  docker:
    exposedByDefault: false
    watch: true
  file:
    fileName: /etc/traefik/traefik.yaml
    watch: true

# listen on 80/443, and redirect all 80 to 443 via 301
entryPoints:
  web:
    address: :80
    # comment out these lines if you don't want to redirect everything
#   http:
#     redirections:
#       entryPoint:
#         to: websecure
#         scheme: https
#         permanent: true
  websecure:
    address: :443
    http:
      tls:
        domain:
          main: client.app.site.com


## DYNAMIC CONFIG

tls:
  certificates:
  - certFile: /certs/wild-app.site.com.crt
    keyFile: /certs/wild-app.site.com.key
# when troubleshooting certs, enable this so traefik doesn't use 
# its own self-signed. By default if it can't find a matching
# cert, it'll just create its own which will cause cert warnings
# in browser and can be confusing to troubleshoot
  options:
    default:
      sniStrict: true

The logs show "Add certificate for domain(s) *.app.site.com", so it is recognizing it correctly, but refuses to serve it.

This is wrong. traefik.yml is static config and loaded by default. Place tls in a dynamic config file and load via providers.file.

And websecure should look like this

  websecure:
    address: :443
    http:
      tls: {}

just to enable it. Traefik will pick the right loaded cert.
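A complete version of the layout this reply describes, as an added example rather than anyone's posted config: the static file carries only entrypoints and providers, the certificates live in a separate dynamic file that providers.file loads, and the websecure entrypoint just has tls enabled so the certificate is chosen by SNI. The directory /etc/traefik/dynamic and the compose volume line are assumptions; the certificate file names follow the thread.

```yaml
# traefik.yaml  (STATIC config, mounted at /etc/traefik/traefik.yaml)
# compose volume assumed for the dynamic directory:
#   - ./dynamic:/etc/traefik/dynamic:ro
log:
  level: INFO

providers:
  docker:
    exposedByDefault: false
  file:
    directory: /etc/traefik/dynamic   # every *.yaml here is dynamic config
    watch: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls: {}   # enable TLS only; the certificate is picked by SNI from the dynamic config
---
# dynamic/tls.yaml  (DYNAMIC config, loaded by providers.file above)
tls:
  certificates:
    - certFile: /certs/wild-app.site.com.crt   # SAN: *.app.site.com
      keyFile: /certs/wild-app.site.com.key
  options:
    default:
      minVersion: VersionTLS12
      # Refuse handshakes whose SNI matches no loaded certificate instead of
      # answering with the built-in self-signed one. This makes a name mismatch
      # fail loudly in the debug log rather than as a confusing browser warning.
      sniStrict: true
```

One caveat with sniStrict: clients that send no SNI at all (for example a probe by bare IP address) are rejected outright, so health checks that hit :443 by IP need to send a server name or use the ping endpoint instead.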

Moved this section to traefik-tls.yaml

tls:
  certificates:
  - certFile: /certs/wild-app.site.com.crt
    keyFile: /certs/wild-app.site.com.key
# when troubleshooting certs, enable this so traefik doesn't use 
# its own self-signed. By default if it can't find a matching
# cert, it'll just create its own which will cause cert warnings
# in browser and can be confusing to troubleshoot
  options:
    default:
      sniStrict: true

Updated the compose to add it, and the file loading to /etc/traefik-tls.yaml; the logs show it's being loaded correctly.

Changed the websecure:http:tls in place to tls: {} as suggested but still nothing.

It's really making no sense to me why it's not working.

Show your full config again. Is your target service/container even starting? I see a depends_on.

I am extremely confused why it started working now when it still wasn't yesterday, but I'll take the win. Thank you for your help!
