Wildcard domains with Let's Encrypt and docker compose

Hi all

I'm struggling to get a wildcard subdomain setup working with docker compose. I have had a working solution for sites with docker compose and traefik for quite some time, but the new site I am trying to upload needs access to subdomains - the main site is like shop.ourdomain.com and I want *.shop.ourdomain.com to all be directed, with https, to the same container.

I have a traefik container (Traefik version 2.8) running as follows:
traefik/docker-compose.yml

services:
  traefik:
    image: traefik:v2.8
    container_name: traefik
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.email=[my email address here]
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      #- --accesslog=true
      #- --log.level=DEBUG
    ports:
      - 80:80
      - 8080:8080
      - 443:443
    volumes:
      - ./letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - web
    restart: unless-stopped

networks:
  web: {}

and various websites running their own containers. They use an env file for setting the basic domain name and docker project name etc and then the relevant part of their

(part of) shop/docker-compose.yml

    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik_web
      - traefik.http.routers.${NAME}-http.rule=Host(`${DOMAIN}`)
      - traefik.http.routers.${NAME}-http.entrypoints=http
      - traefik.http.routers.${NAME}-http.middlewares=${NAME}-https
      - traefik.http.middlewares.${NAME}-https.redirectscheme.scheme=https
      - traefik.http.routers.${NAME}.rule=Host(`${DOMAIN}`)
      - traefik.http.routers.${NAME}.entrypoints=https
      - traefik.http.routers.${NAME}.tls.certresolver=myresolver

Trying to follow some suggestions I tried adding the following but that didn't seem to do anything:

      - traefik.http.routers.${NAME}.tls.domains[0].main=${DOMAIN}
      - traefik.http.routers.${NAME}-secure.tls.domains[0].sans=*.${DOMAIN}

I also tried using HostRegexp instead of Host rules but couldn't even get the main domain working with that.

I'm sure I'm just doing something stupid so sorry for the noise, but can anyone help describe how I should be able to get Traefik to get a wildcard certificate and also direct all subdomains to the container's web service?

Update:

I was able to get the host rule part working by manually adding them in one by one:

- traefik.http.routers.${NAME}-http.rule=Host(`shop.ourdomain.com`) || Host(`test.shop.ourdomain.com`)

(and the same for the https rule)

Not ideal but in this case it is workable for now as adding new subdomains is rare for this site. Unfortunately that doesn't solve the certificate issue though; how do I get it to generate a wildcard one using the docker compose setup I have?

Last update for now, I tried to use the HostRegexp details shown here: Traefik Routers Documentation - Traefik mixed with the "or" operator to do multiple host names but this didn't work:

- traefik.http.routers.${NAME}-http.rule=Host(`shop.ourdomain.com`) || HostRegexp(`^.+\.shop\.ourdomain\.com$`)

The base shop.ourdomain.com worked, but not the regexp part.
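The resolver side is worth checking before the labels, because the ACME challenge type decides whether a wildcard can be issued at all: Let's Encrypt issues wildcard certificates only through the DNS-01 challenge, and the TLS-ALPN-01 challenge enabled by `acme.tlschallenge=true` cannot prove control of `*.shop.ourdomain.com`. The following traefik/docker-compose.yml is an added example, not the poster's file: it keeps the existing `myresolver` for single hostnames and adds a second resolver, `wildcardresolver`, that uses `dnschallenge`. The resolver name, the `cloudflare` provider code, the e-mail address and the `dns-provider.env` file name are assumptions; the provider code and the credential variable it reads depend on which DNS host serves the zone.

```yaml
# Added example (not the original poster's file): traefik/docker-compose.yml
# with a second certificate resolver that can obtain wildcard certificates.
services:
  traefik:
    image: traefik:v2.8
    container_name: traefik
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      # Existing resolver: fine for ordinary hostnames, but TLS-ALPN-01
      # cannot issue *.example.com, so wildcard routers must not use it.
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.email=admin@ourdomain.com   # placeholder address
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      # Added resolver for wildcards: DNS-01 through the DNS host's API.
      # "cloudflare" is an assumed provider code; use the code for your own
      # DNS host from Traefik's dnsChallenge provider table.
      - --certificatesresolvers.wildcardresolver.acme.dnschallenge=true
      - --certificatesresolvers.wildcardresolver.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.wildcardresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
      - --certificatesresolvers.wildcardresolver.acme.email=admin@ourdomain.com
      - --certificatesresolvers.wildcardresolver.acme.storage=/letsencrypt/acme.json
    # The DNS provider API credential is read from the environment so it never
    # sits in the compose file. The variable name is provider-specific
    # (CF_DNS_API_TOKEN for Cloudflare); dns-provider.env is an assumed file name.
    env_file:
      - ./dns-provider.env
    ports:
      - 80:80
      - 443:443
      # 8080 (dashboard/API) is not published here; the original command
      # never enables --api, so nothing would listen on it.
    volumes:
      # acme.json holds the account key and every certificate's private key;
      # Traefik expects it to have mode 0600 and rejects more permissive modes.
      - ./letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - web
    restart: unless-stopped

networks:
  web: {}
```

Both resolvers can share the same acme.json, since Traefik stores certificates per resolver name inside it. Scoping the DNS API credential as narrowly as the provider allows (a token limited to editing the one zone, if the provider supports that) limits what an attacker who reads the container environment could do with it.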

Why use Traefik 2.8 from 2 years ago???

You need to declare the domains to get a wildcard and you need to do that for each level.

Try a global:

.tls.domains[0].main=${DOMAIN}
.tls.domains[0].sans=*.${DOMAIN}
.tls.domains[1].main=shop.${DOMAIN}
.tls.domains[1].sans=*.shop.${DOMAIN}

I'm using that only because this is the first new site I'm putting up on a server that is currently hosting a few static sites already. Happy to change over to v3 if it is simple enough though.

Sorry to be dense, but could you please explain what the difference your lines have vs the ones I tried? For reference, this is what I tried before:

- traefik.http.routers.${NAME}.tls.domains[0].main=${DOMAIN}
- traefik.http.routers.${NAME}-secure.tls.domains[0].sans=*.${DOMAIN}

Are those "globals" entered into the same section of the docker compose yml file (under labels)?

You should assign a set of main/sans to the same router, not different ones.
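Putting the replies together, this is how the shop service's label set looks with `main` and `sans` attached to the same router, so that one certificate request covers `shop.ourdomain.com` and `*.shop.ourdomain.com`. It also shows the Traefik v2 form of `HostRegexp`, which takes `{name:regex}` placeholders rather than an anchored Go regex; the `^.+\.shop\.ourdomain\.com$` pattern tried earlier in the thread is v3 syntax and matches nothing on 2.8. This is an added example, not a file from the original thread: `${NAME}` and `${DOMAIN}` are the env-file variables from the poster's setup (with `DOMAIN=shop.ourdomain.com`), `wildcardresolver` is an assumed resolver name that must be configured with a DNS challenge, and the image name and backend port are placeholders.

```yaml
# Added example (not from the thread): the relevant part of shop/docker-compose.yml.
# Assumes DOMAIN=shop.ourdomain.com and NAME=shop in the site's env file.
services:
  shop:
    image: shop-image:latest          # placeholder image name
    networks:
      - traefik_web
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik_web
      # HTTP router: match the site itself and any single-label subdomain,
      # then redirect to HTTPS. In Traefik v2 the literal part of a HostRegexp
      # is matched literally and only the {subdomain:...} part is a regex.
      - traefik.http.routers.${NAME}-http.rule=Host(`${DOMAIN}`) || HostRegexp(`{subdomain:[a-z0-9-]+}.${DOMAIN}`)
      - traefik.http.routers.${NAME}-http.entrypoints=http
      - traefik.http.routers.${NAME}-http.middlewares=${NAME}-https
      - traefik.http.middlewares.${NAME}-https.redirectscheme.scheme=https
      - traefik.http.middlewares.${NAME}-https.redirectscheme.permanent=true
      # HTTPS router: same rule. The certificate request is declared on this
      # router only, and main and sans sit on the SAME router name; the
      # original attempt split them across ${NAME} and ${NAME}-secure, so the
      # sans never reached the router that asked for the certificate.
      - traefik.http.routers.${NAME}.rule=Host(`${DOMAIN}`) || HostRegexp(`{subdomain:[a-z0-9-]+}.${DOMAIN}`)
      - traefik.http.routers.${NAME}.entrypoints=https
      - traefik.http.routers.${NAME}.tls.certresolver=wildcardresolver
      - traefik.http.routers.${NAME}.tls.domains[0].main=${DOMAIN}
      - traefik.http.routers.${NAME}.tls.domains[0].sans=*.${DOMAIN}
      # A wildcard matches exactly one label: *.shop.ourdomain.com does not
      # cover a.b.shop.ourdomain.com, and *.ourdomain.com does not cover
      # test.shop.ourdomain.com. Each level therefore needs its own
      # domains[N].main / domains[N].sans pair, as the reply above says.
      - traefik.http.services.${NAME}.loadbalancer.server.port=80   # placeholder backend port

networks:
  traefik_web:
    external: true
```

After a restart, `docker logs traefik` with `--log.level=DEBUG` shows the ACME order for `shop.ourdomain.com` with the `*.shop.ourdomain.com` SAN; if the order is attempted through a resolver that still uses `tlschallenge`, the log reports the wildcard as unsupported and Traefik serves its self-signed default certificate for the subdomains instead.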

Ah, I can see the difference in my lines now, I didn't notice that before.

Thanks for the tip. I'll be back at the office on Tuesday and will try again then.

Finally got to try this and it worked thank you. I knew it was something silly I overlooked!
