I’m trying to set up Traefik, moving from Nginx Proxy Manager.
This is /etc/traefik/traefik.yaml

```yaml
# observability
api: {}
global:
  checkNewVersion: true
  sendAnonymousUsage: true # send anonymous usage data
accesslog:
  addInternals: true
  filePath: "/var/log/traefik-access.log"
  bufferingSize: 128
log:
  filePath: "/var/log/traefik.log"
  level: INFO # TRACE DEBUG INFO WARN ERROR FATAL PANIC
  maxAge: 48
metrics:
  addInternals: true
# environment
entryPoints:
  http:
    address: ":80"
    http:
      middlewares:
        - internal-hosts-endorsed
  https:
    address: ":443"
    http:
      middlewares:
        - internal-hosts-endorsed
      tls:
        certResolver: letsEncrypt
        domains:
          - main: "mydomain.com"
            sans:
              - "*.mydomain.com"
providers:
  file:
    directory: /etc/traefik/dynamic
    watch: true
certificatesResolvers:
  letsEncrypt:
    acme:
      email: david@mydomain.com
      storage: /etc/traefik/acme/letsencrypt-acme.json
      #caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 10 # Optional: wait x seconds before checking with the DNS server
  stepca:
    acme:
      email: david@mydomain.com
      storage: "/etc/traefik/acme/stepca-acme.json"
      caServer: "https://ca.mydomain.com:9000/acme/acme/directory"
      certificatesDuration: 2160
      dnsChallenge:
        provider: technitium
        disablePropagationCheck: true
        delayBeforeCheck: 5
        resolvers:
          - "192.168.2.113:53"
```
This is /etc/traefik/dynamic/core.yaml

```yaml
http:
  routers:
    dashboard:
      rule: Host(`traefik.mydomain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      service: api@internal
      middlewares:
        - auth
    catchall:
      entryPoints:
        - http
        - https
      rule: PathPrefix(`/`)
      service: unavailable
      priority: 1
  services:
    unavailable:
      loadBalancer:
        servers: {}
  middlewares:
    auth:
      basicAuth:
        users:
          - david:$1$bXGAceOu$1zRJMvh60HR5n6.q2B8io0
    internal-hosts-endorsed:
      ipAllowList:
        sourceRange:
          - 192.168.2.0/24
          - 10.0.0.0/24
    http-only:
      redirectScheme:
        scheme: http
        permanent: true
    internal-http-hosts:
      chain:
        middlewares:
          - internal-hosts-endorsed
          - http-only
    https-only:
      redirectScheme:
        scheme: https
        permanent: true
    internal-https-hosts:
      chain:
        middlewares:
          - internal-hosts-endorsed
          - https-only
tls:
  options:
    default:
      minVersion: VersionTLS13
      curvePreferences:
        - X25519
        - CurveP256
        - CurveP384
        - CurveP521
      sniStrict: true
  stores:
    default:
      defaultGeneratedCert:
        resolver: letsEncrypt
        domain:
          main: mydomain.com
          sans:
            - '*.mydomain.com'
```
and I have subdomains like

/etc/traefik/dynamic/jellyseerr.yaml

```yaml
# Traefik Configuration for jellyseerr_mydomain_com
#jellyseerr.mydomain.com
http:
  routers:
    jellyseerr:
      rule: "Host(`jellyseerr.mydomain.com`)"
      service: jellyseerr-service
      entryPoints:
        - http
        - https
      tls:
        certResolver: letsEncrypt
  services:
    jellyseerr-service:
      loadBalancer:
        servers:
          - url: "http://192.168.2.102:5055"
```

/etc/traefik/dynamic/jellyfin.yaml

```yaml
# Traefik Configuration for jellyfin_mydomain_com
#jellyfin.mydomain.com
http:
  routers:
    jellyfin:
      rule: "Host(`jellyfin.mydomain.com`)"
      service: jellyfin-service
      entryPoints:
        - https
      tls:
        certResolver: letsEncrypt
  services:
    jellyfin-service:
      loadBalancer:
        servers:
          - url: "http://192.168.2.101:8096"
```
How can I make traefik request a single wildcard certificate?
```
root@traefik:~# cat /var/log/traefik.log
2024-12-17T21:52:16+01:00 INF Traefik version 3.2.3 built on 2024-12-16T10:31:50Z version=3.2.3
2024-12-17T21:52:16+01:00 INF Stats collection is enabled.
2024-12-17T21:52:16+01:00 INF Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.
2024-12-17T21:52:16+01:00 INF Help us improve Traefik by leaving this feature on :)
2024-12-17T21:52:16+01:00 INF More details on: https://doc.traefik.io/traefik/contributing/data-collection/
2024-12-17T21:52:16+01:00 INF Starting provider aggregator *aggregator.ProviderAggregator
2024-12-17T21:52:16+01:00 INF Starting provider *file.Provider
2024-12-17T21:52:16+01:00 WRN HTTP servers transport already configured, skipping filename=proxmox.yaml providerName=file serversTransport=insecureTransport
2024-12-17T21:52:16+01:00 INF Starting provider *traefik.Provider
2024-12-17T21:52:16+01:00 INF Starting provider *acme.ChallengeTLSALPN
2024-12-17T21:52:16+01:00 INF Starting provider *acme.Provider
2024-12-17T21:52:16+01:00 INF Testing certificate renew... acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsEncrypt.acme
2024-12-17T21:52:16+01:00 INF Starting provider *acme.Provider
2024-12-17T21:52:16+01:00 INF Testing certificate renew... acmeCA=https://ca.mydomain.com:9000/acme/acme/directory providerName=stepca.acme
2024-12-17T21:52:17+01:00 ERR Error while creating certificate store error="unable to find certificate for domains "*.mydomain.com,mydomain.com": falling back to the internal generated certificate" tlsStoreName=default
2024-12-17T21:52:17+01:00 WRN No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request entryPointName=https routerName=https-catchall@file
2024-12-17T21:52:22+01:00 INF Register... providerName=letsEncrypt.acme
2024-12-17T21:52:24+01:00 INF Register... providerName=stepca.acme
2024-12-17T21:52:37+01:00 ERR Error while creating certificate store error="unable to find certificate for domains "*.mydomain.com,mydomain.com": falling back to the internal generated certificate" tlsStoreName=default
2024-12-17T21:52:37+01:00 WRN No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request entryPointName=https routerName=https-catchall@file
2024-12-17T21:52:38+01:00 ERR Error while creating certificate store error="unable to find certificate for domains "*.mydomain.com,mydomain.com": falling back to the internal generated certificate" tlsStoreName=default
2024-12-17T21:52:38+01:00 WRN No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request entryPointName=https routerName=https-catchall@file
2024-12-17T21:56:32+01:00 ERR Unable to obtain ACME certificate for domain error="unable to generate a certificate for the domains [mydomain.com *.mydomain.com]: error: one or more domains had a problem:\n[*.mydomain.com] propagation: time limit exceeded: last error: authoritative nameservers: DNS call error: dial udp: lookup technitiumdns. on 192.168.2.113:53: no such host [ns=technitiumdns.:53, question='_acme-challenge.mydomain.com. IN TXT']\n[mydomain.com] propagation: time limit exceeded: last error: authoritative nameservers: DNS call error: dial udp: lookup technitiumdns. on 192.168.2.113:53: no such host [ns=technitiumdns.:53, question='_acme-challenge.mydomain.com. IN TXT']\n" ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["mydomain.com","*.mydomain.com"] providerName=letsEncrypt.acme tlsStoreName=default
2024-12-17T22:10:03+01:00 WRN HTTP servers transport already configured, skipping filename=proxmox.yaml providerName=file serversTransport=insecureTransport
2024-12-17T22:10:03+01:00 WRN HTTP servers transport already configured, skipping filename=proxmox.yaml providerName=file serversTransport=insecureTransport
2024-12-17T22:10:12+01:00 WRN HTTP servers transport already configured, skipping filename=proxmox.yaml providerName=file serversTransport=insecureTransport
2024-12-17T22:10:12+01:00 WRN HTTP servers transport already configured, skipping filename=proxmox.yaml providerName=file serversTransport=insecureTransport
2024-12-17T22:10:12+01:00 WRN HTTP servers transport already configured, skipping filename=proxmox.yaml providerName=file serversTransport=insecureTransport
2024-12-17T22:10:19+01:00 WRN HTTP servers transport already configured, skipping filename=proxmox.yaml providerName=file serversTransport=insecureTransport
2024-12-17T22:10:19+01:00 WRN HTTP servers transport already configured, skipping filename=proxmox.yaml providerName=file serversTransport=insecureTransport
2024-12-17T22:10:19+01:00 WRN HTTP servers transport already configured, skipping filename=proxmox.yaml providerName=file serversTransport=insecureTransport
2024-12-17T22:10:19+01:00 WRN HTTP servers transport already configured, skipping filename=proxmox.yaml providerName=file serversTransport=insecureTransport
2024-12-17T22:10:22+01:00 WRN HTTP servers transport already configured, skipping filename=proxmox.yaml providerName=file serversTransport=insecureTransport
2024-12-17T22:10:23+01:00 ERR Error while creating certificate store error="unable to find certificate for domains "*.mydomain.com,mydomain.com": falling back to the internal generated certificate" tlsStoreName=default
2024-12-17T22:10:26+01:00 WRN No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request entryPointName=https routerName=https-catchall@file
2024-12-17T22:10:49+01:00 WRN No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request entryPointName=https routerName=https-catchall@file
```
Why does it look like it’s mixing Let’s Encrypt with Technitium?
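An added diagnostic, not part of the original post: it reads the ACME error lines from a Traefik log and reports which DNS server each certificate resolver's propagation check actually consulted, then compares that with the `dnsChallenge.resolvers` declared per resolver in traefik.yaml. The declared-resolver table is copied from the posted config; the log sample is a shortened excerpt of the lines quoted above.

```python
import re
from collections import defaultdict

# Shortened excerpt of the log lines quoted in the post (the long error
# value is cut down to the fields this check needs).
SAMPLE_LOG = """\
2024-12-17T21:52:16+01:00 INF Testing certificate renew... acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory providerName=letsEncrypt.acme
2024-12-17T21:52:16+01:00 INF Testing certificate renew... acmeCA=https://ca.mydomain.com:9000/acme/acme/directory providerName=stepca.acme
2024-12-17T21:56:32+01:00 ERR Unable to obtain ACME certificate for domain error="... DNS call error: dial udp: lookup technitiumdns. on 192.168.2.113:53: no such host [ns=technitiumdns.:53, question='_acme-challenge.mydomain.com. IN TXT']" acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["mydomain.com","*.mydomain.com"] providerName=letsEncrypt.acme
"""

# dnsChallenge.resolvers per certificatesResolver, as declared in traefik.yaml above.
DECLARED_RESOLVERS = {
    "letsEncrypt": set(),            # nothing declared: the system resolver is used
    "stepca": {"192.168.2.113:53"},
}

LEVEL_RE = re.compile(r"^\S+ (\w{3}) ")                 # timestamp, then INF/WRN/ERR
PROVIDER_RE = re.compile(r"providerName=(\w+)\.acme")    # e.g. letsEncrypt.acme
LOOKUP_RE = re.compile(r"lookup (\S+) on (\S+?): no such host")  # ns name, server:port


def acme_dns_servers(log_text):
    """Map each ACME resolver name to the DNS servers its failed checks went through."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        lvl, prov = LEVEL_RE.match(line), PROVIDER_RE.search(line)
        if not (lvl and prov and lvl.group(1) == "ERR"):
            continue
        for _ns_name, server in LOOKUP_RE.findall(line):
            seen[prov.group(1)].add(server)
    return dict(seen)


def leaked_resolvers(log_text, declared):
    """Flag resolvers whose checks used a DNS server declared only on another resolver."""
    findings = []
    for name, used in acme_dns_servers(log_text).items():
        for server in sorted(used - declared.get(name, set())):
            owners = sorted(k for k, v in declared.items() if server in v)
            findings.append((name, server, owners))
    return findings


if __name__ == "__main__":
    for name, server, owners in leaked_resolvers(SAMPLE_LOG, DECLARED_RESOLVERS):
        print(f"{name}: propagation check used {server}, declared only on {owners}")
```

Run against the full /var/log/traefik.log instead of the embedded excerpt to see every resolver that consulted a DNS server it does not declare itself.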