Bot closed my issue for funny reasons
In your issue:
expect traefik to obtain certs for all subdomains of
So you want to request every certificate possible? Like billions of certificates?
There is a warning in our documentation for this reason:
Host rules can be used to generate certificates. HostRegexp cannot.
I expect Traefik to obtain certs for the sites it serves.
I mean, I pointed the
sub3.example.org domain (by setting A records in Cloudflare)
to my nginx container. When I open sub3.example.org in the browser, Traefik first serves a self-signed cert (that's ok), but then it tries to obtain a certificate for the subdomain.
I don't think it will need to obtain billions of certificates, since there are approx. 10+ A records pointing to the same IP on which the Traefik and nginx containers are running.
The question is this:
how does Traefik find the domains for which it has to obtain certs?
1. from frontend rules in the labels of services?
2. or does Traefik find the domains for cert obtaining from
If it's 1, it's IMHO a big drawback, limiting the use of Traefik; if it's the second, I agree that it can be abuse prone (when visitors make me obtain billions of certs if I use catch-all DNS records - like subdomain
So, to summarize the things I have said:
is it possible to make Traefik
when I have used means to prohibit it by a proper DNS setup
Can this fix my issue?
When I enabled this parameter
[[acme.domains]] to obtain certs for catch-all domains, and emptied the
acme.json file, it seems to not get new certs at all.
```toml
debug = true
logLevel = "DEBUG"
defaultEntryPoints = ["https", "http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  compress = true
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  compress = true
    [entryPoints.https.tls]

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "vodolaz095.life"
watch = true
exposedByDefault = false
swarmMode = true
swarmModeRefreshSeconds = 15
network = "oldcity"

[web]
address = ":8080"

[acme]
email = "firstname.lastname@example.org"
storage = "acme.json"
entryPoint = "https"
onHostRule = true

[[acme.domains]]
main = "*.vodolaz095.life"
sans = ["vodolaz095.life"]

# [acme.tlsChallenge]
#[acme.httpChallenge]
#entryPoint = "http"

[acme.dnsChallenge]
provider = "cloudflare"
resolvers = ["22.214.171.124:53", "126.96.36.199:53"]
delayBeforeCheck = 5
```
I have the feeling that either there is something badly described in the documentation, or Traefik is not suitable for the tasks I require.
Probably I should go back to nginx with a wildcard cert like I used before, and a Node.js script keeping the proxy configs up to date and restarting nginx.
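To make the answer to the "how does Traefik find the domains" question concrete, here is a small model of the selection rules stated in this thread (one request per frontend `Host:` rule when onHostRule is on, nothing for `HostRegexp:`, `[[acme.domains]]` requested unconditionally, wildcards only with the DNS challenge). It is an added illustration with constructed placeholder names, not code from Traefik or from the thread.

```python
"""Model of which names Traefik 1.x requests ACME certificates for (added
illustration, not Traefik's code): each frontend `Host:` rule yields one
request when onHostRule = true, `HostRegexp:` yields none, [[acme.domains]]
entries are requested regardless of traffic, wildcards need dnsChallenge."""

def hosts_from_rule(rule):
    """Hostnames from the Host: matchers of a v1 rule like
    'Host:a.example.org,b.example.org;PathPrefix:/'. Other matchers add nothing."""
    hosts = []
    for matcher in rule.split(";"):
        name, _, values = matcher.strip().partition(":")
        if name.strip() != "Host":
            continue
        for value in values.split(","):
            value = value.strip()
            if value and value not in hosts:
                hosts.append(value)
    return hosts

def plan_certificates(frontend_rules, acme_domains, on_host_rule=True, dns_challenge=False):
    """Return (requested, skipped): (main, sans) pairs that would be requested,
    and (entry, reason) pairs for configuration that produces no request."""
    requested, skipped = [], []
    for main, sans in acme_domains:          # explicit [[acme.domains]] entries
        if main.startswith("*.") and not dns_challenge:
            skipped.append((main, "wildcard requires the DNS challenge"))
        else:
            requested.append((main, list(sans)))
    for rule in frontend_rules:              # Host rules from service labels
        hosts = hosts_from_rule(rule)
        if not hosts:
            skipped.append((rule, "no Host: matcher, nothing to request"))
        elif not on_host_rule:
            skipped.append((rule, "onHostRule is false"))
        else:
            requested.append((hosts[0], hosts[1:]))   # first host = main, rest = SANs
    return requested, skipped

# Constructed sample mirroring the thread, with placeholder names.
SAMPLE_RULES = [
    "Host:sub3.example.org;PathPrefix:/",
    "Host:sub4.example.org,sub5.example.org",
    "HostRegexp:{subdomain:[a-z0-9]+}.example.org",   # catch-all: never a cert
]
SAMPLE_ACME_DOMAINS = [("*.example.org", ["example.org"])]
if __name__ == "__main__":
    for dns in (False, True):
        req, skip = plan_certificates(SAMPLE_RULES, SAMPLE_ACME_DOMAINS, dns_challenge=dns)
        print(f"dnsChallenge={dns}: requested={req} skipped={skip}")
```

Running it shows why a catch-all A record alone never produces a certificate (no `Host:` rule names the subdomain) and why the wildcard entry is only requested once `[acme.dnsChallenge]` is configured.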