Hi all,
I've recently switched my reverse proxy from nginx to Traefik, but I'm having one last issue that I can't seem to figure for about a week now. It's about wildcard certificates and serving them when visiting any subdomain without a service behind it. I've attached the docker-compose file for my Traefik Servce and the wildcard service I'm testing with (the wildcard service configuration is based on this: Arbitrary wildcard subdomain, redirect to docker container).
So basically I'd like to serve something like [somerandomstring].example.com with the certificate for *.example.com. The matching works fine already, but unfortunately it always serves Traefik's self-signed certificate and therefore I'm seeing a warning in my browser. I've set-up the DNS-Challenge and it works fine with my named services, so I don't understand, how to tell Traefik to generate the wildcard certificate and use it rather, than the default self-signed cert.
My last resort would be to generate the wildcard certificate myself and store it as default certificate (as described here cant add self signed wildcard cert · Issue #6221 · traefik/traefik · GitHub), but I'd love to avoid that if I can set it up with Traefik somehow.
I'd appreciate any help with this, since it is driving me insane (at least a little bit). Thanks in advance for any hints in the right direction
Edit: Okay, I feel decently stupid now.
I just recognized, that I forgot the tlsresolver, and that's why it didn't request the wildcard certificate before... so it now has successfully requested it. This issue is resolved
version: "3.7"
services:
# Traefik as reverse proxy with dashboard enabled
reverse:
image: traefik:2.4
restart: unless-stopped
networks:
- web
environment:
NETCUP_CUSTOMER_NUMBER: xxxxxxxx
NETCUP_API_KEY: xxxxxxx
NETCUP_API_PASSWORD: xxxxxxxx
command:
# More logs when debugging
- --log.level=DEBUG
# Tell traefik to watch docker events for hot reload
- --providers.docker
- --providers.docker.exposedbydefault=false
# Enable the dashboard on https
- --api
# Listen default HTTP ports
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
# Automatic generation of certificate with Let's Encrypt
- --certificatesresolvers.leresolver.acme.email=myemail@example.de
- --certificatesresolvers.leresolver.acme.storage=/acme.json
- --certificatesresolvers.leresolver.acme.dnschallenge.provider=netcup
- --certificatesresolvers.leresolver.acme.dnschallenge.resolvers=dns1,dns2
- --certificatesresolvers.leresolver.acme.dnschallenge.delaybeforecheck=900
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
# Persists certificate locally, otherwise we will recreate new ones at each restarts and quickly hit limits.
- ./acme.json:/acme.json
labels:
# Redirect HTTP traffic to HTTPS
- traefik.http.routers.redirs.rule=hostregexp({host:.+}
)
- traefik.http.routers.redirs.entrypoints=web
- traefik.http.routers.redirs.middlewares=redirect-to-https
- traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
# Expose the traefik dashboard on the reserved sub path, TLS is provided by the Let's Encrypt cert provider.
- traefik.enable=true
- traefik.http.routers.dashboard.service=api@internal
- traefik.http.routers.dashboard.rule=Host(traefik.example.com
) && (PathPrefix(/api
) || PathPrefix(/dashboard
))
- traefik.http.routers.dashboard.entrypoints=websecure
- traefik.http.routers.dashboard.tls.certresolver=leresolver
- traefik.http.routers.dashboard.priority=100
# Protect dashboard with simple auth => log with admin / admin for this example
- traefik.http.routers.dashboard.middlewares=admin
# Password is generated withhtpasswd -nb admin admin
beware to escape all '$' replacing them by '$$'
- "traefik.http.middlewares.admin.basicauth.users=someuser:somepasswordnetworks:
web:
external: true
version: "3.7"
services:
nginxError:
image: nginx:latest
container_name: nginx-error
networks:
- web
volumes:
- ./error-pages/:/usr/share/nginx/error-pages/
- ./nginx/conf/:/etc/nginx/conf.d/
labels:
- traefik.enable=true
- traefik.http.routers.error-router.rule=Host(example.com
)
- traefik.http.routers.error-router.rule=PathPrefix(/
)
- traefik.http.routers.error-router.tls.domains[0].main=example.com
- traefik.http.routers.error-router.tls.domains[0].sans=*.example.com
- traefik.http.routers.error-router.tls=true
- traefik.http.routers.error-router.entrypoints=websecure
- traefik.http.routers.error-router.priority=1
- traefik.docker.network=web
restart: unless-stoppednetworks:
web:
external: true