Hi all,
I've got an issue configuring Traefik ACME with Cloudflare DNS challenge + subdomains. In Cloudflare, I have a domain.me zone, with *.internal.domain.me delegated to an internal DNS server. I've successfully set up Traefik to use Cloudflare DNS challenge for domain.me:
```yaml
traefik:
  command:
    - --certificatesResolvers.letsencrypt.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
    - --certificatesResolvers.letsencrypt.acme.email=postmaster@domain.me
    - --certificatesResolvers.letsencrypt.acme.storage=/acme.json
    - --certificatesResolvers.letsencrypt.acme.dnschallenge=true
    - --certificatesResolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
  environment:
    - CLOUDFLARE_EMAIL
    - CLOUDFLARE_DNS_API_TOKEN
```
This works fine, and successfully requests certificates for service1.domain.me (or service1.server.domain.me) configured as such:
```yaml
service1:
  labels:
    traefik.enable: "true"
    traefik.http.routers.service1.rule: "Host(`service1.domain.me`)"
    traefik.http.routers.service1.entrypoints: "websecure"
```
However, for my internal services, it doesn't:
```yaml
service2:
  labels:
    traefik.enable: "true"
    traefik.http.routers.service2.rule: "Host(`service2.server.internal.domain.me`)"
    traefik.http.routers.service2.entrypoints: "websecure"
```
```
Using DNS Challenge provider: cloudflare" providerName=letsencrypt.acm
legolog: [INFO] [service2.server.internal.domain.me] acme: Obtaining bundled SAN certificate
legolog: [INFO] [service2.server.internal.domain.me] acme: Could not find solver for: tls-alpn-01
legolog: [INFO] [service2.server.internal.domain.me] acme: Could not find solver for: http-01
legolog: [INFO] [service2.server.internal.domain.me] acme: use dns-01 solver
legolog: [INFO] [service2.server.internal.domain.me] acme: Preparing to solve DNS-01
legolog: [INFO] Found CNAME entry for "_acme-challenge.service2.server.internal.domain.me.": "server.internal.domain.me."
legolog: [INFO] [service2.server.internal.domain.me] acme: Cleaning DNS-01 challenge
legolog: [INFO] Found CNAME entry for "_acme-challenge.service2.server.internal.domain.me.": "server.internal.domain.me."
legolog: [WARN] [service2.server.internal.domain.me] acme: cleaning up failed: cloudflare: failed to find zone internal.domain.me.: zone could not be found
```
internal.domain.me is indeed not a valid zone in my Cloudflare account. Is it possible to configure Traefik or lego which zone to use?
Alternatively, I considered using a wildcard certificate, but can't get that to work either. I adjusted my Traefik configuration as such:
```yaml
traefik:
  command:
    - --entrypoints.websecure.http.tls.domains[0].main=domain.me
    - --entrypoints.websecure.http.tls.domains[0].sans=*.domain.me
```
Although this successfully requested a wildcard cert, it isn't used for my container:
```
Adding certificate for domain(s) *.domain.me,domain.me
No default certificate, fallback to the internal generated certificate
Serving default certificate for request: "service2.server.internal.domain.me"
```
This looked a lot like "Traefik requests specific certificate instead wildcard certificate" (traefik/traefik issue #9682 on GitHub) and "Traefik requests sub-domain specific certificate instead of wildcard?" (Stack Overflow), but updating my container configuration (which I'd prefer not to) doesn't help either:
```yaml
service2:
  labels:
    'traefik.http.routers.whoami.tls.domains[0].main': 'domain.me'
    'traefik.http.routers.whoami.tls.domains[0].sans': '*.domain.me'
```
It prints the same debug message, "No default certificate", and continues serving the self-signed one.
Any help on how to get either of these approaches to work would be much appreciated!
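The following is an added example and is not part of the post above, nor code from Traefik or lego. It is a small offline model of the two behaviours the log lines show: lego's DNS-01 zone discovery (follow the CNAME on `_acme-challenge.<host>`, walk the remaining name's labels upward until one carries an SOA record, then ask the DNS provider for that zone), and Traefik's certificate matching, where a wildcard SAN covers exactly one label. All DNS data (`SOA_ZONES`, `CNAMES`, `CLOUDFLARE_ZONES`) is constructed to mirror the names in the post; nothing is queried, and the zone-walk and wildcard logic are simplified reimplementations, not the libraries' own code.

```python
"""Offline model of lego's DNS-01 zone lookup and Traefik's wildcard matching.

Added example with constructed DNS data; not the post's or the projects' code.
"""
from typing import Dict, Iterable, Set, Tuple

# Constructed: names that answer with their own SOA (zone apexes).
# internal.domain.me is delegated, so its SOA lives on the internal server.
SOA_ZONES: Set[str] = {"domain.me.", "internal.domain.me."}

# Constructed: the CNAME the lego log reported for the challenge name.
CNAMES: Dict[str, str] = {
    "_acme-challenge.service2.server.internal.domain.me.": "server.internal.domain.me.",
}

# Constructed: zones the (hypothetical) Cloudflare account actually contains.
CLOUDFLARE_ZONES: Set[str] = {"domain.me."}


def to_fqdn(name: str) -> str:
    """Normalise to a lower-cased, trailing-dot FQDN."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def follow_cnames(fqdn: str, cnames: Dict[str, str], max_hops: int = 10) -> str:
    """Return the final target of a CNAME chain (the name itself if none)."""
    seen = set()
    for _ in range(max_hops):
        if fqdn in seen:
            raise LookupError(f"CNAME loop at {fqdn}")
        seen.add(fqdn)
        target = cnames.get(fqdn)
        if target is None:
            return fqdn
        fqdn = to_fqdn(target)
    raise LookupError(f"CNAME chain too long from {fqdn}")


def find_zone_by_fqdn(fqdn: str, soa_zones: Set[str]) -> str:
    """Strip one label at a time until a name with an SOA record is found."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in soa_zones:
            return candidate
    raise LookupError(f"no SOA found above {fqdn}")


def dns01_zone_lookup(
    hostname: str,
    cnames: Dict[str, str] = CNAMES,
    soa_zones: Set[str] = SOA_ZONES,
    provider_zones: Set[str] = CLOUDFLARE_ZONES,
) -> Tuple[str, str, bool]:
    """Return (TXT record name to write, SOA zone found, provider owns that zone).

    A False third element is the 'zone could not be found' case from the log:
    the SOA walk lands in the delegated zone, which the Cloudflare account lacks.
    """
    record = follow_cnames(to_fqdn("_acme-challenge." + hostname), cnames)
    zone = find_zone_by_fqdn(record, soa_zones)
    return record, zone, zone in provider_zones


def cert_covers(hostname: str, sans: Iterable[str]) -> bool:
    """Does any SAN cover hostname? A leading '*.' matches exactly one label."""
    host = to_fqdn(hostname).rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san.startswith("*."):
            suffix = san[2:]
            one_label_deeper = host.count(".") == suffix.count(".") + 1
            if host.endswith("." + suffix) and one_label_deeper:
                return True
        elif san == host:
            return True
    return False


if __name__ == "__main__":
    wildcard_cert = ["*.domain.me", "domain.me"]
    for host in ("service1.domain.me", "service2.server.internal.domain.me"):
        record, zone, owned = dns01_zone_lookup(host)
        status = "in account" if owned else "zone could not be found"
        print(f"{host}: TXT at {record}, SOA zone {zone}, {status}")
        print(f"  covered by {','.join(wildcard_cert)}: {cert_covers(host, wildcard_cert)}")
```

Running it reproduces both outcomes from the post: the challenge for service1.domain.me resolves to the domain.me zone, which the account owns, while the CNAME for service2.server.internal.domain.me sends lego into internal.domain.me, which it does not; and the `*.domain.me` wildcard covers only names one label below the apex, so the host behind the delegated zone falls through to the default certificate.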