Let's encrypt sans handling #473

Closed
aacebedo opened this issue Jun 21, 2016 · 7 comments
Labels
area/acme kind/bug/possible a possible bug that needs analysis before it is confirmed or fixed. status/5-frozen-due-to-age

@aacebedo

Hi

I am using traefik on a rpi with one domain and multiple sans.
Instead of having one certificate request with the domain and SANs, I have one request per SAN, which leads to exceeding the certificate request limit.

@emilevauge
Member

@aacebedo Hi
If you are using OnDemand, this is the normal behavior. OnDemand will generate a cert using the request domain, which doesn't contain any SAN.
For now, SANs can only be obtained at config time, not at run time.

@aacebedo
Author

Thank you for the answer!
I am using the ondemand mode so I am going to switch it to false.
However, I also tried without the flag and saw as many certificates as I have SANs in the acme.json.
Each of these had the main domain set to one SAN.

I didn't check the content of the certificates themselves with openssl yet; I'll check it tonight.
I had to switch to the staging server (my limit is now reached, so I have to wait 1 week).
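
An added example, not part of the original thread or of Traefik's code: a small audit of the stored ACME data for the symptom described above (one stored certificate per SAN instead of one combined certificate). The `DomainsCertificate.Certs[].Domains` layout with `Main` and `SANs` is an assumption about the Traefik 1.x `acme.json` format, and the sample data and the `audit_acme_store` helper are constructed for illustration.

```python
import json

# Constructed sample in the assumed Traefik 1.x acme.json layout (not real data).
SAMPLE_ACME_JSON = """
{
  "DomainsCertificate": {
    "Certs": [
      {"Domains": {"Main": "example.org", "SANs": ["a.example.org", "b.example.org"]}},
      {"Domains": {"Main": "a.example.org", "SANs": null}},
      {"Domains": {"Main": "b.example.org", "SANs": null}}
    ]
  }
}
"""

def audit_acme_store(acme_json_text, main, sans):
    """Compare stored certificates against one configured main + SANs entry.

    Returns a dict with:
      combined   - True if a single stored cert covers main and every SAN
      standalone - configured SANs that were also issued as their own cert
      orders     - number of stored certs that touch any configured name
    """
    store = json.loads(acme_json_text)
    certs = (store.get("DomainsCertificate") or {}).get("Certs") or []
    wanted = {main.lower(), *(s.lower() for s in sans)}
    combined, standalone, orders = False, [], 0
    for cert in certs:
        domains = cert.get("Domains") or {}
        cert_main = (domains.get("Main") or "").lower()
        names = {cert_main, *(s.lower() for s in domains.get("SANs") or [])}
        names.discard("")
        if not names & wanted:
            continue  # certificate for an unrelated domain
        orders += 1
        if wanted <= names:
            combined = True
        elif cert_main in wanted and cert_main != main.lower() and len(names) == 1:
            # A configured SAN was requested on its own, as its own main domain.
            standalone.append(cert_main)
    return {"combined": combined, "standalone": sorted(standalone), "orders": orders}

if __name__ == "__main__":
    print(audit_acme_store(SAMPLE_ACME_JSON, "example.org",
                           ["a.example.org", "b.example.org"]))
```

A non-empty `standalone` list means extra issuances were spent on names that the combined certificate could have covered.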

@emilevauge
Member

Could you give us your toml config file?

@aacebedo
Author

You can find the template here.
https://github.com/aacebedo/docker-boxes/blob/master/utilities/traefik/files/traefik.conf.tmpl

Just replace the sans and main with your own

@ldez added the area/acme label Apr 22, 2017
@ldez added the kind/bug/possible label (a possible bug that needs analysis before it is confirmed or fixed) and removed the investigation-needed label Jun 1, 2017
@h-bragg

h-bragg commented Jan 22, 2018

I have a similar issue.

I have a lot of sub domains being used and would like more to be added with little fuss.

To prevent some rate limiting, I can pre-generate a certificate with a set of SAN domains that cover most things. It would be good to use this certificate for domains, and keep the ability to generate new domains for anything not encountered.

Could specify the certificate you want to use via config, or if the domain being used with (onHostRule) exists in an existing domain SANs then use that...

Looking at the code, it looks like onDemand should use the SANs; however, it has been deprecated (https://github.com/containous/traefik/blob/master/acme/acme.go#L573).

@andig

andig commented Jan 25, 2018

I do actually have the reverse problem but it fits the issue title.

I'm serving multiple domains from a single machine using DNS CNAMEs. Traefik/LE have set up SAN certificates for totally unrelated domain names (not subdomains).

While this works fine, I'd like those to be separate domains to avoid a user clicking on certificate a for domain a and being presented with certificate b that also covers domain a.

@traefiker
Contributor

Closed by #2913.

@traefiker added this to the 1.5 milestone Feb 26, 2018
@traefik locked and limited conversation to collaborators Sep 1, 2019