Traefik requests specific certificate instead of wildcard certificate #9682

Closed
2 tasks done
AnderssonPeter opened this issue Jan 29, 2023 · 2 comments
@AnderssonPeter

  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you do?

I'm trying to use Traefik v2.9.6 with the provider for Loopia using DNS-01 to request a wildcard certificate.

${DOMAIN} is a domain that ends with .me (with no sub domain)

I have added the following

- "--certificatesresolvers.loopia.acme.dnschallenge=true"
- "--entrypoints.websecure.http.tls.domains[0].main=${DOMAIN}"
- "--entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN}"

to use DNS-01 and request a wildcard certificate.

What did you see instead?

Instead of requesting a wildcard certificate it just requests whoami.example.me

What version of Traefik are you using?

v2.9.6

What is your environment & configuration?

traefik:
  image: "traefik:${TRAEFIK_VERSION}"
  container_name: "traefik"
  restart: unless-stopped
  read_only: true
  mem_limit: 2G
  cpus: 0.75
  security_opt:
    - no-new-privileges:true
  depends_on:
    - docker-socket-proxy
  secrets:
    - "loopia_api_user"
    - "loopia_api_password"
  command:
    - "--log.level=DEBUG"
    - "--api.insecure=true"
    - "--providers.docker=true"
    - "--providers.docker.exposedbydefault=false"
    - "--entrypoints.web.address=:80"
    - "--entrypoints.websecure.address=:443"
    - "--entrypoints.web.http.redirections.entryPoint.to=websecure" # Redirect http to https
    - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
    # Https configuration
    - "--entrypoints.websecure.http.tls=true"
    - "--entrypoints.websecure.http.tls.domains[0].main=${DOMAIN}"
    - "--entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN}"
    - "--entrypoints.websecure.http.tls.certresolver=loopia"
    # Let's Encrypt Loopia DNS challenge
    - "--certificatesresolvers.loopia.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
    - "--certificatesresolvers.loopia.acme.dnschallenge=true"
    - "--certificatesresolvers.loopia.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
    - "--certificatesresolvers.loopia.acme.dnschallenge.provider=loopia"
    - "--certificatesresolvers.loopia.acme.email=${POSTMASTER_EMAIL}"
    - "--certificatesresolvers.loopia.acme.storage=/letsencrypt/acme.json"
    # Use the docker socket proxy
    - "--providers.docker.endpoint=tcp://docker-socket-proxy:2375" #  using Docker Socket Proxy instead of docker socket for improved security
    - "--providers.docker.network=traefik" # Defines a default docker network to use for connections to all containers.
    # Logs
    - --accesslog.filepath=/logs/access.log
    - --accesslog.format=json
    - --accesslog.fields.defaultMode=keep
    - --accesslog.fields.headers.defaultMode=keep
    - --log.filepath=/logs/traefik.log
    - '--providers.file.directory=/dynamic_conf/'
    - '--providers.file.watch=true'
  environment:
    - LOOPIA_API_USER_FILE=/run/secrets/loopia_api_user
    - LOOPIA_API_PASSWORD_FILE=/run/secrets/loopia_api_password
    - TZ=Europe/Stockholm
    - DOMAIN
  ports:
    - "80:80"
    - "443:443"
    - "8080:8080"
  volumes:
    - ./traefik/logs:/logs
    - ./traefik/dynamic_conf:/dynamic_conf:ro
    - ./traefik/letsencrypt:/letsencrypt
  networks:
    - dockersocket
    - traefik

Then I have a container that has the following labels

- "traefik.enable=true"
- "traefik.http.routers.whoami.rule=Host(`whoami.${DOMAIN}`)"
- "traefik.http.routers.whoami.tls.certresolver=loopia"
- "traefik.http.routers.whoami.entrypoints=websecure"

If applicable, please paste the log output in DEBUG level

time="2023-01-29T21:12:23+01:00" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"redirections\":{\"entryPoint\":{\"to\":\"websecure\",\"scheme\":\"https\",\"permanent\":true,\"priority\":2147483646}}},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"tls\":{\"certResolver\":\"loopia\",\"domains\":[{\"main\":\"example.me\",\"sans\":[\"*.example.me\"]}]}},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"docker\":{\"watch\":true,\"endpoint\":\"tcp://docker-socket-proxy:2375\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"network\":\"traefik\",\"swarmModeRefreshSeconds\":\"15s\"},\"file\":{\"directory\":\"/dynamic_conf/\",\"watch\":true}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"filePath\":\"/logs/traefik.log\",\"format\":\"common\"},\"accessLog\":{\"filePath\":\"/logs/access.log\",\"format\":\"json\",\"filters\":{},\"fields\":{\"defaultMode\":\"keep\",\"headers\":{\"defaultMode\":\"keep\"}}},\"certificatesResolvers\":{\"loopia\":{\"acme\":{\"email\":\"peter@example.me\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"loopia\",\"resolvers\":[\"1.1.1.1:53\",\"8.8.8.8:53\"]}}}}}"
time="2023-01-29T21:12:23+01:00" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2023-01-29T21:12:23+01:00" level=debug msg="*acme.ChallengeTLSALPN provider configuration: {}"
time="2023-01-29T21:12:23+01:00" level=info msg="Starting provider *acme.Provider"
time="2023-01-29T21:12:23+01:00" level=debug msg="*acme.Provider provider configuration: {\"email\":\"peter@example.me\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"dnsChallenge\":{\"provider\":\"loopia\",\"resolvers\":[\"1.1.1.1:53\",\"8.8.8.8:53\"]},\"ResolverName\":\"loopia\",\"store\":{},\"TLSChallengeProvider\":{},\"HTTPChallengeProvider\":{}}"
time="2023-01-29T21:12:23+01:00" level=debug msg="Configuration received: {\"http\":{\"middlewares\":{\"https-redirect\":{\"redirectScheme\":{\"scheme\":\"https\"}},\"local-only\":{\"ipWhiteList\":{\"sourceRange\":[\"127.0.0.1/32\",\"192.168.0.0/24\",\"172.20.0.0/24\"]}},\"securedheaders\":{\"headers\":{\"customResponseHeaders\":{\"X-Robots-Tag\":\"none,noarchive,nosnippet,notranslate,noimageindex,\",\"server\":\"\"},\"sslRedirect\":true,\"stsSeconds\":63072000,\"stsIncludeSubdomains\":true,\"stsPreload\":true,\"forceSTSHeader\":true,\"customFrameOptionsValue\":\"SAMEORIGIN\",\"contentTypeNosniff\":true,\"browserXssFilter\":true,\"referrerPolicy\":\"same-origin\",\"featurePolicy\":\"camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';\"}}}},\"tcp\":{},\"udp\":{},\"tls\":{\"options\":{\"default\":{\"minVersion\":\"VersionTLS13\",\"clientAuth\":{},\"sniStrict\":true,\"alpnProtocols\":[\"h2\",\"http/1.1\",\"acme-tls/1\"]},\"mintls13\":{\"minVersion\":\"VersionTLS13\",\"clientAuth\":{},\"sniStrict\":true,\"alpnProtocols\":[\"h2\",\"http/1.1\",\"acme-tls/1\"]}}}}" providerName=file
time="2023-01-29T21:12:23+01:00" level=debug msg="Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\"" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme
time="2023-01-29T21:12:23+01:00" level=info msg="Testing certificate renew..." ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme
time="2023-01-29T21:12:23+01:00" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"api\":{\"entryPoints\":[\"traefik\"],\"service\":\"api@internal\",\"rule\":\"PathPrefix(`/api`)\",\"priority\":2147483646},\"dashboard\":{\"entryPoints\":[\"traefik\"],\"middlewares\":[\"dashboard_redirect@internal\",\"dashboard_stripprefix@internal\"],\"service\":\"dashboard@internal\",\"rule\":\"PathPrefix(`/`)\",\"priority\":2147483645},\"web-to-websecure\":{\"entryPoints\":[\"web\"],\"middlewares\":[\"redirect-web-to-websecure\"],\"service\":\"noop@internal\",\"rule\":\"HostRegexp(`{host:.+}`)\",\"priority\":2147483646}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}},\"middlewares\":{\"dashboard_redirect\":{\"redirectRegex\":{\"regex\":\"^(http:\\\\/\\\\/(\\\\[[\\\\w:.]+\\\\]|[\\\\w\\\\._-]+)(:\\\\d+)?)\\\\/$\",\"replacement\":\"${1}/dashboard/\",\"permanent\":true}},\"dashboard_stripprefix\":{\"stripPrefix\":{\"prefixes\":[\"/dashboard/\",\"/dashboard\"]}},\"redirect-web-to-websecure\":{\"redirectScheme\":{\"scheme\":\"https\",\"port\":\"443\",\"permanent\":true}}},\"models\":{\"websecure\":{\"tls\":{\"certResolver\":\"loopia\",\"domains\":[{\"main\":\"example.me\",\"sans\":[\"*.example.me\"]}]}}},\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=internal
time="2023-01-29T21:12:23+01:00" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=loopia.acme
time="2023-01-29T21:12:23+01:00" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"whoami\":{\"entryPoints\":[\"websecure\"],\"service\":\"whoami-docker\",\"rule\":\"Host(`whoami.example.me`)\",\"tls\":{\"certResolver\":\"loopia\"}}},\"services\":{\"whoami-docker\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.20.0.2:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2023-01-29T21:12:23+01:00" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2023-01-29T21:12:23+01:00" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2023-01-29T21:12:23+01:00" level=debug msg="Adding route for whoami.example.me with TLS options default" entryPointName=websecure
time="2023-01-29T21:12:23+01:00" level=debug msg="Trying to challenge certificate for domain [whoami.example.me] found in HostSNI rule" providerName=loopia.acme routerName=whoami@docker rule="Host(`whoami.example.me`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2023-01-29T21:12:23+01:00" level=debug msg="Looking for provided certificate(s) to validate [\"whoami.example.me\"]..." routerName=whoami@docker rule="Host(`whoami.example.me`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme
time="2023-01-29T21:12:23+01:00" level=debug msg="Domains [\"whoami.example.me\"] need ACME certificates generation for domains \"whoami.example.me\"." routerName=whoami@docker rule="Host(`whoami.example.me`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme
time="2023-01-29T21:12:23+01:00" level=debug msg="Loading ACME certificates [whoami.example.me]..." providerName=loopia.acme routerName=whoami@docker rule="Host(`whoami.example.me`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2023-01-29T21:12:24+01:00" level=debug msg="Building ACME client..." providerName=loopia.acme
time="2023-01-29T21:12:24+01:00" level=debug msg="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme
time="2023-01-29T21:12:24+01:00" level=info msg=Register... providerName=loopia.acme
time="2023-01-29T21:12:24+01:00" level=debug msg="legolog: [INFO] acme: Registering account for peter@example.me"
time="2023-01-29T21:12:25+01:00" level=debug msg="Using DNS Challenge provider: loopia" providerName=loopia.acme
time="2023-01-29T21:12:25+01:00" level=debug msg="legolog: [INFO] [whoami.example.me] acme: Obtaining bundled SAN certificate"
time="2023-01-29T21:12:25+01:00" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"whoami\":{\"entryPoints\":[\"websecure\"],\"service\":\"whoami-docker\",\"rule\":\"Host(`whoami.example.me`)\",\"tls\":{\"certResolver\":\"loopia\"}}},\"services\":{\"whoami-docker\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.20.0.2:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2023-01-29T21:12:25+01:00" level=debug msg="legolog: [INFO] [whoami.example.me] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5153870843"
time="2023-01-29T21:12:25+01:00" level=debug msg="legolog: [INFO] [whoami.example.me] acme: Could not find solver for: tls-alpn-01"
time="2023-01-29T21:12:25+01:00" level=debug msg="legolog: [INFO] [whoami.example.me] acme: Could not find solver for: http-01"
time="2023-01-29T21:12:25+01:00" level=debug msg="legolog: [INFO] [whoami.example.me] acme: use dns-01 solver"
time="2023-01-29T21:12:25+01:00" level=debug msg="legolog: [INFO] [whoami.example.me] acme: Preparing to solve DNS-01"
time="2023-01-29T21:12:26+01:00" level=debug msg="legolog: [INFO] [whoami.example.me] acme: Trying to solve DNS-01"
time="2023-01-29T21:12:26+01:00" level=debug msg="legolog: [INFO] [whoami.example.me] acme: Checking DNS record propagation using [1.1.1.1:53 8.8.8.8:53]"
time="2023-01-29T21:13:31+01:00" level=debug msg="legolog: [INFO] [whoami.example.me] acme: Cleaning DNS-01 challenge"
time="2023-01-29T21:13:32+01:00" level=debug msg="legolog: [INFO] [whoami.example.me] acme: Validations succeeded; requesting certificates"
time="2023-01-29T21:13:33+01:00" level=debug msg="Certificates obtained for domains [whoami.example.me]" providerName=loopia.acme routerName=whoami@docker rule="Host(`whoami.example.me`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory"
time="2023-01-29T21:13:33+01:00" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=loopia.acme
time="2023-01-29T21:13:33+01:00" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2023-01-29T21:13:33+01:00" level=debug msg="Adding route for whoami.example.me with TLS options default" entryPointName=websecure
time="2023-01-29T21:13:33+01:00" level=debug msg="Trying to challenge certificate for domain [whoami.example.me] found in HostSNI rule" routerName=whoami@docker rule="Host(`whoami.example.me`)" ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme
time="2023-01-29T21:13:33+01:00" level=debug msg="Looking for provided certificate(s) to validate [\"whoami.example.me\"]..." ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme routerName=whoami@docker rule="Host(`whoami.example.me`)"
time="2023-01-29T21:13:33+01:00" level=debug msg="No ACME certificate generation required for domains [\"whoami.example.me\"]." ACME CA="https://acme-staging-v02.api.letsencrypt.org/directory" providerName=loopia.acme routerName=whoami@docker rule="Host(`whoami.example.me`)"
@AnderssonPeter (Author)

Adding the following to the traefik container solved the issue

    labels:
      - "traefik.enable=true"
      - 'traefik.http.routers.wildcard-certs.tls.certresolver=loopia'
      - 'traefik.http.routers.wildcard-certs.tls.domains[0].main=${DOMAIN}'
      - 'traefik.http.routers.wildcard-certs.tls.domains[0].sans=*.${DOMAIN}'

But is

      - "--entrypoints.websecure.http.tls.domains[0].main=${DOMAIN}"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN}"
      - "--entrypoints.websecure.http.tls.certresolver=loopia"

incorrect? (Most blog entries online use those commands.)

@rtribotte (Member)

rtribotte commented Jan 30, 2023

Hello @AnderssonPeter,

Thanks for your interest in Traefik!

In the second case, the Traefik container defines the HTTP model for TLS configuration that will be applied to any router, if not specified.
But the DOMAIN env variable is only evaluated once, and the same TLS domain configuration is applied for any router.

To get more help on your configuration, please join our Community Forum and reach out to us on the Traefik section.

As this issue seems to be a question about configuration, we will close it, but feel free to re-open it if you think that we missed something.
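The practical check after either configuration change (the entrypoint-level `tls.domains` in the original compose file, or the router-level `tls.domains` labels in the author's fix) is to look at what actually landed in `acme.json`: Traefik decides whether a router host needs a new ACME order by matching it against the `main`/`sans` names of the certificates it already stores, with `*.example.me` covering exactly one label. The script below is an added example, not code from the issue or from Traefik, and works on a constructed `acme.json` excerpt in the shape Traefik v2 writes (the `certificate`/`key` fields are placeholders, not real PEM). It reports which hosts are covered by a stored certificate and flags per-host certificates that were issued under a root for which a wildcard was intended, which is exactly the symptom reported above.

```python
"""Audit a Traefik v2 acme.json: which stored certificates cover which hosts.

Added example (not Traefik's code). Wildcard matching follows X.509 name
matching as Traefik applies it: '*.example.me' covers one label only.
"""
import json

# Constructed acme.json in Traefik v2's layout: resolver -> Account/Certificates.
# This is the state the issue describes: one per-host certificate, no wildcard.
ACME_JSON_PER_HOST = json.dumps({
    "loopia": {
        "Account": {"Email": "peter@example.me", "Registration": {},
                    "PrivateKey": "PLACEHOLDER", "KeyType": "4096"},
        "Certificates": [
            {"domain": {"main": "whoami.example.me"},
             "certificate": "PLACEHOLDER", "key": "PLACEHOLDER", "Store": "default"},
        ],
    }
})

# Constructed state after a router-level tls.domains[0] (main + wildcard SAN) order.
ACME_JSON_WILDCARD = json.dumps({
    "loopia": {
        "Account": {"Email": "peter@example.me", "Registration": {},
                    "PrivateKey": "PLACEHOLDER", "KeyType": "4096"},
        "Certificates": [
            {"domain": {"main": "example.me", "sans": ["*.example.me"]},
             "certificate": "PLACEHOLDER", "key": "PLACEHOLDER", "Store": "default"},
        ],
    }
})


def match_domain(host: str, pattern: str) -> bool:
    """True if `pattern` covers `host`.

    A leading '*.' matches exactly one DNS label: '*.example.me' covers
    'whoami.example.me' but neither 'example.me' nor 'a.b.example.me'.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # '.example.me'
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]             # the part the '*' must absorb
        return label != "" and "." not in label
    return host == pattern


def stored_certificates(acme_json_text: str):
    """Return [(resolver, [main, *sans]), ...] for every certificate in acme.json."""
    out = []
    for resolver, body in json.loads(acme_json_text).items():
        for cert in body.get("Certificates") or []:
            dom = cert["domain"]
            out.append((resolver, [dom["main"]] + list(dom.get("sans") or [])))
    return out


def coverage(acme_json_text: str, hosts):
    """Map each router host to the name lists of stored certificates covering it."""
    certs = stored_certificates(acme_json_text)
    return {
        host: [names for _, names in certs if any(match_domain(host, n) for n in names)]
        for host in hosts
    }


def per_host_certificates(acme_json_text: str, wildcard_root: str):
    """Names of single-host certificates issued directly under `wildcard_root`.

    With a working wildcard entry these should not exist: each one is an
    ACME order (and a DNS-01 round trip) that the wildcard should have avoided.
    """
    return [
        names[0]
        for _, names in stored_certificates(acme_json_text)
        if len(names) == 1 and match_domain(names[0], "*." + wildcard_root)
    ]


if __name__ == "__main__":
    # Constructed router hosts; in practice take them from the Traefik API or labels.
    hosts = ["whoami.example.me", "other.example.me", "example.me"]
    for label, blob in (("per-host", ACME_JSON_PER_HOST), ("wildcard", ACME_JSON_WILDCARD)):
        print(f"[{label}] coverage: {coverage(blob, hosts)}")
        print(f"[{label}] per-host certs under example.me: "
              f"{per_host_certificates(blob, 'example.me')}")
```

Run it against the real file with `python3 audit.py` after swapping the constructed strings for `open('/letsencrypt/acme.json').read()`; an empty list from `per_host_certificates` together with every host covered is the state the wildcard configuration is meant to produce. Note that `example.me` itself is only covered because it is listed as `main`; the `*.example.me` SAN alone would not cover the apex.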
