Wildcard Certificate route53 not being generated

I'm trying to have a single wildcard certificate for a certificate resolver rather than generating a new certificate for every new subdomain.

Due to some constraints, we cannot use square brackets ([ ]) in docker label keys on the dynamic services, so we cannot use domains[0] and define a wildcard there, so I need to do it in the traefik.yml.

I cannot figure out how to get this certificate to trigger a certificate validation, nothing in debug logs (apart from the "read configuration" logs), nothing in ACME json, and no route53 DNS records created.

Is this possible? Would appreciate some help, given it a go for a couple of hours but no success. Thanks in advance.

(note: some of this was truncated, but I've kept all of the relevant resolvers)

# This seems to do nothing... it's not generating using this resolver for the default cert
tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: route53
        domain:
          main: example.app
          sans:
            - "*.example.app"

certificatesResolvers:
  letsencrypt:
    acme:
      email: company@example.app
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: web
  route53:
    acme:
      email: company@example.app
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: route53

providers:
  docker:
    ...
  ecs:
    ...

http:
  routers:
    fallback:
      rule: "HostRegexp(\"{subhost:[a-zA-Z0-9-]+}.example.app\")"
      priority: 1
      service: fallback-service
      entrypoints:
        - websecure
      tls:
        certResolver: route53
        domains[0]:
          - main: "example.app"
          - sans: "*.example.app"
    wildcart-cert-router:  # attempted to make a service that just forces the resolver to need to make the cert - no luck
      entryPoints:
        - websecure
      rule: "Host(`wildcard-cert-trigger.example.app`)"
      service: noop
      tls:
        certResolver: route53
        domains:
          - main: "example.app"
            sans:
              - "*.example.app"
  services:
    noop:
      loadBalancer:
        servers:
          - url: "http://localhost"

No logs created on restart that mention route53 or example.app. No ACME validations or attempts to reach route53.

When visiting anysubdomain.example.app or wildcard-cert-trigger.example.app it generates a log Serving default certificate for request... but that's it, still no attempt to use a real certificate.

This seems wrong:

From the doc:

## Dynamic configuration
http:
  routers:
    blog:
      rule: "Host(`example.com`) && Path(`/blog`)"
      tls:
        certResolver: myresolver
        domains:
          - main: "example.com"
            sans:
              - "*.example.org"

Apologies, I was testing a lot of different syntax to see if it made a difference (but forgot to cleanup). I tried changing all domain keys to below (like in docs) but still made no difference.

- main: "example.app"
  sans:
    - "*.example.app"

I've set debug logging and did a grep on traefik logs and the only mentions of the example.app domain are in the config logs. If I add a filter of "acme" then there are none. The only time I can get them to work is by http lets encrypt, but ofc you can't get wildcards with http acme, so that unfortunately doesn't work.

I do get these acme logs, but only a mention of route53 and not the domain nor actual certificates.

> Starting provider *acme.ChallengeTLSALPN
> *acme.ChallengeTLSALPN provider configuration config={}
> Starting provider *acme.Provider
> *acme.Provider provider configuration config={"HTTPChallengeProvider":{},"ResolverName":"route53","TLSChallengeProvider":{},"caServer":"https://acme-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"dnsChallenge":{"provider":"route53"},"email":"company@example.app","keyType":"RSA4096","storage":"/letsencrypt/acme.json","store":{}}
> Attempt to renew certificates "720h0m0s" before expiry and check every "24h0m0s" acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=route53.acme
> Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=route53.acme

Thanks for the reply

I can also confirm that Route53 is working fine, because if I use labels to just define

  • enable true
  • routers entrypoints websecure
  • tls certresolver route53
  • host rule

Then it'll generate a _acme-challenge.subdomain.example.app record. It's just I want it on the root.

Can you provide complete Traefik static and dynamic config?

Maybe compare to simple Traefik dnsChallenge example.

Aha that sample just brought an idea, I didn't realise you could add TLS config to the entrypoint. Since my entrypoint is in the static yml, I can use brackets.

I'll give that a go trying to add the wildcard through there quickly and I'll let you know.

Edit: Nvm, didn't work :laughing:

Dynamic:

LABELS:
  "traefik.http.routers.example-14.entrypoints": "websecure",
  "traefik.http.routers.example-14.tls": "true",
  "traefik.enable": "true",
  "traefik.http.routers.example-14.priority": "10",
  "traefik.http.routers.example-14.tls.certresolver": "route53",
  "traefik.http.routers.example-14.rule": "Host(`14-my-example-subdomain.example.app`)",
  "traefik.http.services.example-14.loadbalancer.server.port": "80"

STATIC

entryPoints:
  websecure:
    address: ":443"

log:
  level: DEBUG

tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: route53
        domains:
          - main: example.app
            sans:
              - "*.example.app"

certificatesResolvers:
  letsencrypt:
    acme:
      email: ${acme_email}
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: web
  letsencrypt2:
    acme:
      email: ${acme_email}
      storage: /letsencrypt/acme2.json
      httpChallenge:
        entryPoint: web
  route53:
    acme:
      email: ${acme_email}
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: route53


providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

http:
  routers:
    fallback:
      rule: "HostRegexp(\"{subhost:[a-zA-Z0-9-]+}.example.app\")"
      priority: 1
      service: fallback-service
      entrypoints:
        - websecure
      tls:
        certResolver: route53
        domains:
          - main: "example.app"
            sans:
              - "*.example.app"
    wildcart-cert-router:
      entryPoints:
        - websecure
      rule: "Host(`wildcard-cert-trigger.example.app`)"
      service: noop
      tls:
        certResolver: route53
        domains:
          - main: "example.app"
            sans:
              - "*.example.app"
  services:
    noop:
      loadBalancer:
        servers:
          - url: "http://localhost"
    fallback-service:
      loadBalancer:
        servers:
          - url: "https://cdn.example.com/assets/loading_page.html"
api:
  insecure: true
  dashboard: true

http and tls are not Traefik static config root elements (doc). They need to be placed in a dynamic config file, loaded via providers.file in static config.

Note that acme email is not required anymore, as LetsEncrypt will not send expiration warnings anymore.
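As an added example (not from this thread or the Traefik project), this is the split the reply above describes: the static traefik.yml keeps entryPoints, certificatesResolvers and a providers.file entry, and the tls block moves into the dynamic file that provider loads. Both files are shown in one block separated by a YAML document marker; the dynamic directory path is an assumption.

```yaml
# --- traefik.yml (static configuration) ---
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

log:
  level: DEBUG

certificatesResolvers:
  route53:
    acme:
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: route53   # AWS credentials are read from the environment, not from this file

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: /etc/traefik/dynamic   # assumed path; every file in here is dynamic config
    watch: true                       # reload when the dynamic files change

---
# --- /etc/traefik/dynamic/tls.yml (dynamic configuration) ---
# tls.stores is dynamic, so it only takes effect when loaded through providers.file.
tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: route53
        domain:               # singular "domain" with main/sans, not a "domains" list
          main: "example.app"
          sans:
            - "*.example.app"
```

With the store defined this way, Traefik asks the route53 resolver for the wildcard at startup, and routers that set only `tls: true` (no certresolver) are served that default certificate instead of requesting one per subdomain.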


Aha that did it! The whole time the http/tls wasn't even doing anything in the yml :laughing: can't believe it. The docker/ECS provider must've been the ones making the deceptive logs.

Thank you for all the help, much appreciated.

For anyone else (or myself) stumbling on this in the future, using a dynamic File in the Providers list and moving the TLS section to there instead makes it register properly as @bluepuma77 explained.
