details https://github.com/containous/traefik/issues/5769
Bot closed my issue for funny reasons.
Hello @vodolaz095,
In your issue:
"expect traefik to obtain certs for all subdomains of vodolaz095.life"
So you want to request every certificate possible? Like billions of certificates?
There is a warning in our documentation for this reason:
"Host rules can be used to generate certificates. HostRegexp cannot."
I expect traefik to obtain certs for the sites it serves.
I mean, I pointed the sub3.example.org domain (by setting A records in Cloudflare) to my nginx container; when I open sub3.example.org in a browser, traefik first serves a self-signed cert (that's ok), but then it tries to obtain a certificate for the subdomain.
I don't think it will require obtaining billions of certificates, since there are approx 10+ A records pointing to the same IP on which the traefik and nginx containers are running.
The question is this:
How does traefik find the domains for which it has to obtain certs?
1. From the frontend rules in the labels of services?
2. Or does traefik find the domain for cert obtaining from the HOST header?
If it's 1, it's IMHO a big drawback, limiting the use of traefik; if it's the second, I agree that it can be abuse-prone (visitors can make me obtain billions of certs if I use catchall DNS records, like subdomain *).
So, to summarize what I have said:
Is it possible to make traefik, when I have used means to prohibit it by proper DNS setup,
when I enabled this parameter [[acme.domains]] to obtain certs for catchall domains, and emptied the acme.json file? It seems to not get new certs at all.
debug = true
logLevel = "DEBUG"
defaultEntryPoints = ["https", "http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  compress = true
    # every plain-HTTP request is redirected to the TLS entrypoint
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  compress = true
    # empty table: enables TLS on this entrypoint, certificates come from ACME below
    [entryPoints.https.tls]

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
# used to build the default "Host:<service>.vodolaz095.life" frontend rule
# for services that carry no explicit traefik.frontend.rule label
domain = "vodolaz095.life"
watch = true
# only services labelled traefik.enable=true are picked up
exposedByDefault = false
swarmMode = true
swarmModeRefreshSeconds = 15
network = "oldcity"

[web]
address = ":8080"

# [acme] is defined once: TOML does not allow the same table to be declared twice
[acme]
email = "anatolij@vodolaz095.life"
storage = "acme.json"
entryPoint = "https"
# request a certificate for every domain that appears in a Host rule
# (HostRegexp rules are ignored for this purpose)
onHostRule = true

# wildcard certificates can only be issued through the DNS challenge
[[acme.domains]]
main = "*.vodolaz095.life"
sans = ["vodolaz095.life"]

# [acme.tlsChallenge]
# [acme.httpChallenge]
# entryPoint = "http"
[acme.dnsChallenge]
provider = "cloudflare"
resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
delayBeforeCheck = 5
I have a feeling that either there is something badly described in the documentation, or traefik is not suitable for the tasks I require.
Probably I should go back to nginx with a wildcard cert like I used before, and a nodejs script keeping the proxy configs up to date and restarting nginx.
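For readers arriving at this thread with the same question: with the configuration posted above (swarm mode, exposedByDefault = false, onHostRule = true), Traefik v1 takes the domains it requests certificates for from the Host rules of the frontends it builds, not from the Host header of incoming requests. The stack file below is an added example, not the reporter's own compose file or anything from the Traefik project; it shows the labels that make a swarm service visible to this traefik.toml and give it a plain Host rule that onHostRule can act on. The service name, image and the sub3 hostname are assumptions; the oldcity network is the one named in the posted config.

```yaml
# Added example stack file (assumed, not from the issue). Deploy with:
#   docker stack deploy -c stack.yml oldcity
version: "3.7"
services:
  nginx:                      # assumed service name
    image: nginx:alpine       # assumed image
    networks:
      - oldcity
    deploy:
      labels:
        # exposedByDefault = false in traefik.toml, so opt the service in explicitly.
        traefik.enable: "true"
        # A literal Host rule (not HostRegexp): onHostRule picks this name up and
        # requests a certificate for it. With the default rule (no label) the name
        # would be nginx.vodolaz095.life, built from [docker] domain.
        traefik.frontend.rule: "Host:sub3.vodolaz095.life"
        # Port the container listens on and the overlay network Traefik reaches it through.
        traefik.port: "80"
        traefik.docker.network: "oldcity"

networks:
  oldcity:
    external: true            # the network named in traefik.toml must already exist
```

In swarm mode Traefik reads service labels, which is why they sit under deploy.labels rather than at container level. A HostRegexp rule, or a catch-all DNS record with no matching Host rule, produces no certificate request at all, which is the behaviour the quoted documentation warning describes; the wildcard entry in [[acme.domains]] is what covers the remaining subdomains, and it needs the DNS challenge configured in the posted config.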