
Using wildcard certificates in Traefik v2 on Docker Swarm

I am using the following Docker Compose file to deploy Traefik on a swarm cluster.

version: "3.7"

services:
  traefik:
    image: traefik:v2.1
    command:
      - "--api.dashboard=true"
      - "--accesslog=true"
      - "--log.level=INFO"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik-public"
      - "--providers.file.watch=true"
      - "--providers.file.filename=/file_provider.yml"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.dnsChallenge.provider=cloudflare"
      - "--certificatesresolvers.letsencrypt.acme.dnsChallenge.delayBeforeCheck=15"
      - "--certificatesresolvers.letsencrypt.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
      - "[email protected]"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
    ports:
      - 80:80
      - 443:443
    volumes:
      - traefik-certificates:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - traefik-public
    environment:
      - "[email protected]"
      - "CF_API_KEY=api-key"
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - "traefik.enable=true"
        - "traefik.docker.lbswarm=true"
        - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
        - "traefik.http.routers.http-catchall.entrypoints=web"
        - "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
        - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
        - "traefik.http.routers.api.tls.certresolver=letsencrypt"
        - "traefik.http.routers.api.tls.domains[0].main=*.domain.tld"
        - "traefik.http.routers.api.tls.domains[0].sans=domain.tld"
        - "traefik.http.routers.api.rule=Host(`management.domain.tld`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
        - "traefik.http.routers.api.service=api@internal"
        - "traefik.http.services.api.loadbalancer.server.port=8080"
    configs:
      - file_provider.yml

volumes:
  traefik-certificates:

configs:
  file_provider.yml:
    file: /home/access/docker/traefik-provider.yml

networks:
  traefik-public:
    external: true

At the moment, I have hit the rate limit on management.domain.tld and I instead want to use a wildcard certificate so there is less likelihood that I will run into a rate limit again. I have Traefik configured to generate the wildcard certificate which works, but there is still a rate-limiting error on management.domain.tld in the logs. Also, when I go to management.domain.tld in the browser, I get an invalid SSL/TLS error. How do I get Traefik to use the wildcard certificate instead of issuing a new certificate for every host rule?

akrantz01 asked Dec 01 '19 00:12


1 Answer

Looks like you have done everything right. But there is a slight mistake in the config.

main is the Subject field for the certificate, meaning the domain/sub-domain the certificate is being issued to.

sans is the Subject Alternate Names field for the certificate, meaning the alternative domains/sub-domains that the certificate is also valid for.

So, instead of using:

version: "3.7"

services:
  traefik:
    image: traefik:v2.1
    ...
      labels:
        - "traefik.http.routers.api.tls.domains[0].main=*.domain.tld"
        - "traefik.http.routers.api.tls.domains[0].sans=domain.tld"
    ...

You should use:

version: "3.7"

services:
  traefik:
    image: traefik:v2.1
    ...
      labels:
        - "traefik.http.routers.api.tls.domains[0].main=domain.tld"
        - "traefik.http.routers.api.tls.domains[0].sans=*.domain.tld"
    ...
abmblob answered Nov 21 '22 00:11
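To check which router hosts a stored certificate's main and sans entries actually cover, the following added example (not part of the original answer and not Traefik's own code) applies single-label wildcard matching to the names in an acme.json file. The file layout (resolver name, then `Certificates`, then `domain.main` / `domain.sans`) is an assumption, the sample data is constructed, and the function names are hypothetical.

```python
import json

# Constructed sample in the assumed acme.json layout:
# resolver name -> "Certificates" -> "domain" {"main", "sans"}; key material omitted.
SAMPLE_ACME_JSON = json.dumps({
    "letsencrypt": {"Certificates": [
        {"domain": {"main": "domain.tld", "sans": ["*.domain.tld"]}},
        {"domain": {"main": "legacy.domain.tld"}},
    ]}
})


def name_matches(pattern, host):
    """Certificate name matching: '*' stands for exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # '*.domain.tld' covers neither 'domain.tld' nor 'a.b.domain.tld'
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def stored_names(acme_json, resolver):
    """Return [main, *sans] for every certificate stored under one resolver."""
    data = json.loads(acme_json)
    certs = (data.get(resolver) or {}).get("Certificates") or []
    return [[c["domain"]["main"], *(c["domain"].get("sans") or [])] for c in certs]


def coverage(acme_json, resolver, hosts):
    """Map each host to the main name of the first stored cert covering it, or None."""
    names_per_cert = stored_names(acme_json, resolver)
    result = {}
    for host in hosts:
        result[host] = next(
            (names[0] for names in names_per_cert
             if any(name_matches(n, host) for n in names)),
            None,
        )
    return result


if __name__ == "__main__":
    hosts = ["management.domain.tld", "domain.tld", "a.b.domain.tld"]
    for host, cert in coverage(SAMPLE_ACME_JSON, "letsencrypt", hosts).items():
        print(f"{host}: {'covered by ' + cert if cert else 'no stored certificate covers it'}")
```

Hosts that map to `None` are the ones for which no stored certificate applies, so they are worth reviewing before adding more `Host(...)` rules against a rate-limited resolver.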