Wrong certificate is serving for second domain

Hi
I'm running Grafana behind Traefik on a docker setup. So far everything is working well.
Due to internal "issues" with the "main"-domain (internal.com) we created a second one (internal.de).
This (internal.de)-domain is being served with the .com-certificate.
I can't find any errors or mistakes. Hope you will... :wink:

docker-compose:

version: '3'

services:
  traefik:
    # The official v2 Traefik docker image
    image: traefik:v2.9
    container_name: "traefik"
    restart: always
    # Enables the web UI and tells Traefik to listen to docker
    command: 
      --api.insecure=true 
      --providers.docker=true
      --providers.docker.watch=true
      --entryPoints.port443.address=:443
      --entryPoints.port80.address=:80
      --entryPoints.influxDB.address=:8086
      --entryPoints.prometheus.address=:9090
      --providers.file.directory=/configuration/
      --providers.file.watch=true
      --log.filePath=/etc/traefik/traefik.log
      --log.format=json
      --accesslog.filepath=/etc/traefik/access.log
      --tracing=true
      --tracing.serviceName=traefik

    ports:
      # The HTTP port
      - "80:80"
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
      # InfluxDB
      - "8086:8086"
      # Prometheus
      - "9090:9090"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
      - /D/docker/iotstack/traefik/etc/:/etc/traefik/
      - /D/docker/iotstack/traefik/configuration/:/configuration/
      - /D/docker/iotstack/traefik/configuration/certs/:/etc/certs/:ro
    networks:
      - iotstack 

  grafana:
    container_name: "grafana"
    restart: always
    labels:
      # SSL redirect requires a separate router (https://github.com/containous/traefik/issues/4688#issuecomment-477800500)
      - "traefik.http.routers.grafana.entryPoints=port80"
      - "traefik.http.routers.grafana.rule=host(`internal.com`,`internal.de`)"
      - "traefik.http.middlewares.grafana-redirect.redirectScheme.scheme=https"
      - "traefik.http.middlewares.grafana-redirect.redirectScheme.permanent=false"
      # SSL endpoint
      - "traefik.http.routers.grafana-ssl.entryPoints=port443"
      - "traefik.http.routers.grafana-ssl.rule=host(`internal.com`,`internal.de`)"
      - "traefik.http.routers.grafana-ssl.tls=true"
      - "traefik.http.routers.grafana-ssl.service=grafana-ssl"
      - "traefik.http.services.grafana-ssl.loadBalancer.server.port=3000"
    image: grafana/grafana:latest 
    volumes:
      - /D/docker/iotstack/grafana/data:/var/lib/grafana
      - /D/docker/iotstack/grafana/conf:/etc/grafana
    environment:
      - GF_AUTH_ANONYMOUS_ENABLED=false
      - GF_SERVER_ROOT_URL=https://internal.com
      - GF_SERVER_DOMAIN=internal.com
      - GF_USERS_ALLOW_SIGN_UP=false
      - GF_SECURITY_ADMIN_USER=xxx
      - GF_SECURITY_ADMIN_PASSWORD=***
      - GF_INSTALL_PLUGINS=grafana-piechart-panel,yesoreyeram-infinity-datasource
    networks:
      - iotstack
.....
networks:
  iotstack:
    external: true

certificates.yml in

tls:
  certificates:
    - certFile: /etc/certs/internal.com.cer
      keyFile: /etc/certs/internal.com.key
      stores:
        - default        
    - certFile: /etc/certs/internal.de.cer
      keyFile: /etc/certs/internal.de.key
      stores:
        - default
#  options:
#    default:
#      sniStrict: true
  stores:
    default:
      defaultCertificate:
        certFile: /etc/certs/internal.com.cer
        keyFile: /etc/certs/internal.com.key

Try Host(`internal.com`) || Host(`internal.de`). We use multiple certs and Traefik automatically serves the right one per domain.

Check your new internal.de.cer that it contains the full cert chain, usually 3 entries. I assume they are purchased TLS certs.

The .cer contains only the cert-code -----BEGIN CERTIFICATE----- MIIItjCCBp6gAwIBAgIUF2AZRlis......-----END CERTIFICATE-----

The crt should have 2 or 3 certificates for the full trust chain. Sorry, complicated topic.

First is yours, then an "intermediate", then the rootCA. Check the docs of your cert provider.

But the internal.com.cer has the same "structure" and it works.
I can get a p7b file too.

We use 5 cert files for 5 domains, Traefik automatically serves the right one for each domain. Even wildcard certs, so using SANS (multiple domains for a single cert). Is the domain name correct for the second cert? There are probably command line tools to check the file directly.
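The checks suggested above (full chain in the .cer, correct name in the second cert, which cert the proxy actually presents per SNI name) as a small script. This is an added example, not code from the thread or from Traefik; it assumes OpenSSL 1.1.1 or newer is installed, and the file paths, proxy host and port are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread: inspect the PEM files Traefik loads from
# /etc/certs/ and probe which certificate the proxy presents per SNI name.
# Assumes openssl (1.1.1+) is installed; paths, host and port are placeholders.

# Number of certificates in a PEM bundle (a purchased cert should normally
# ship as 2 or 3: leaf, intermediate(s), optionally the root).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Subject and issuer of every certificate in the bundle, in file order.
# The leaf must come first, and each issuer should equal the next subject.
pem_chain_summary() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Does the first (leaf) certificate in the file cover the given hostname?
# Exit status 0 when the CN/SAN matches, 1 otherwise.
cert_covers_name() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# Which certificate does the proxy hand out for a given SNI name?
# Compare the output for internal.com and internal.de: if both show the
# .com subject, the .de certificate is not being selected for that name.
sni_presented_cert() {
    openssl s_client -connect "$1:${3:-443}" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName
}

# Usage: sh check_certs.sh /etc/certs/internal.de.cer internal.de [proxy-host]
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    echo "certificates in $1: $(pem_cert_count "$1")"
    pem_chain_summary "$1"
    if cert_covers_name "$1" "$2"; then
        echo "leaf cert covers $2"
    else
        echo "leaf cert does NOT cover $2"
    fi
    if [ -n "${3:-}" ]; then
        sni_presented_cert "$3" "$2"
    fi
fi
```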

Sorry for the late response. Probably it is a problem with how I declared the different hosts/domains? Maybe Traefik always takes the default cert from the store?
How did you configure the different domains?

We use Host(`example.com`) || Host(`www.example.com`) for every router rule and have declared certs according to docs:

# Dynamic configuration

tls:
  certificates:
    - certFile: /path/to/domain.cert
      keyFile: /path/to/domain.key
    - certFile: /path/to/other-domain.cert
      keyFile: /path/to/other-domain.key

Then we use provider.file in static config to load the dynamic config file.