I've found no comprehensive example config for wildcard certificates. There are more than enough for LE, but this is not my use case. This is what I tried:
All of this is expected to work on my internal network only. I have two separate docker-compose files:
Traefik:
```yaml
services:
  traefik:
    image: traefik:latest # or traefik:v3.3 to pin a version
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true # helps to increase security
    env_file:
      - .env # store other secrets e.g., dashboard password
    networks:
      proxy:
    ports:
      - 80:80
      - 443:443
    environment:
      - TRAEFIK_DASHBOARD_CREDENTIALS=${TRAEFIK_DASHBOARD_CREDENTIALS}
    volumes:
      - /run/user/1000/podman/podman.sock:/var/run/docker.sock
      - /etc/localtime:/etc/localtime:ro
      - /home/pm/traefik/traefik.yaml:/traefik.yaml:ro
      - /home/pm/traefik/ssl:/etc/traefik/certs:ro
      - /home/pm/traefik/logs:/var/log/traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.mhc.loc`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.mhc.loc`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"

networks:
  proxy:
    external: true
```
Portainer as an example:
```yaml
services:
  portainer:
    image: portainer/portainer-ee:latest
    container_name: portainer
    command: -H unix:///var/run/docker.sock
    restart: always
    volumes:
      - /run/user/1000/podman/podman.sock:/var/run/docker.sock
      - portainer_data:/home/pm/portainer/data
    networks:
      - proxy
    labels:
      # Frontend
      - "traefik.enable=true"
      - "traefik.http.routers.frontend.rule=Host(`portainer.mhc.loc`)"
      - "traefik.http.routers.frontend.entrypoints=https"
      - "traefik.http.services.frontend.loadbalancer.server.port=9000"
      - "traefik.http.routers.frontend.service=frontend"
      # Edge
      - "traefik.http.routers.edge.rule=Host(`edge.mhc.loc`)"
      - "traefik.http.routers.edge.entrypoints=https"
      - "traefik.http.services.edge.loadbalancer.server.port=8000"
      - "traefik.http.routers.edge.service=edge"

# the named volume referenced above has to be declared at top level
volumes:
  portainer_data:

networks:
  proxy:
    external: true
```
This just does not work at all: Traefik basic auth does not work and Portainer leads to a 404. My wildcard certificate does not get used. Instead the self-signed default certificate is used.
How do I get this working?
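Neither compose file tells Traefik which certificate to serve: the files mounted at /etc/traefik/certs are only picked up if a TLS configuration references them, otherwise Traefik falls back to its self-signed default. The following is an added example, not the poster's configuration: a static traefik.yaml with a file provider, plus a dynamic certs.yaml that registers the wildcard certificate and makes it the default. The entrypoint names http/https match the labels above; the file names wildcard.crt/wildcard.key and the location of certs.yaml inside the mounted certs directory are assumptions.

```yaml
# --- traefik.yaml (static config, mounted read-only at /traefik.yaml) ---
api:
  dashboard: true        # the dashboard router must then target the service api@internal
log:
  filePath: /var/log/traefik/traefik.log
accessLog:
  filePath: /var/log/traefik/access.log
entryPoints:
  http:                  # names match the entrypoints used in the compose labels
    address: ":80"
    http:
      redirections:      # send every plain-HTTP request to the TLS entrypoint
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock" # the podman socket is mounted at this path
    exposedByDefault: false                 # only containers with traefik.enable=true are routed
    network: proxy
  file:
    filename: /etc/traefik/certs/certs.yaml # dynamic TLS config (assumed location), watched for changes
    watch: true

# --- /etc/traefik/certs/certs.yaml (dynamic config, in the same mounted directory) ---
tls:
  certificates:
    - certFile: /etc/traefik/certs/wildcard.crt # assumed file name: certificate for *.mhc.loc
      keyFile: /etc/traefik/certs/wildcard.key  # assumed file name: matching private key
  stores:
    default:
      defaultCertificate:                       # served for any SNI not matched above,
        certFile: /etc/traefik/certs/wildcard.crt # replacing Traefik's built-in self-signed cert
        keyFile: /etc/traefik/certs/wildcard.key
  options:
    default:
      minVersion: VersionTLS12                  # refuse legacy TLS versions on every router
```

After a restart, `openssl s_client -connect traefik.mhc.loc:443 -servername traefik.mhc.loc` should show the wildcard certificate's subject instead of "TRAEFIK DEFAULT CERT".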