How to get two main domains and then multiple sub domain with sans via LE?

Hi there

After having hit LE limits twice already I am slightly desperate to understand what I am doing wrong...if anyone would help :slight_smile:

I have two web facing domains via traefik 2 and each of those domains has 6 or 9 sub domains.

I am trying to request one or two certificates (for domain1 and domain2 or one for both) from LE, but I am obviously not defining it correctly to the limits.

The question is do I have to list the main and 8 subdomains against each router definition as in 1) and 2) below? Thanks in advance....

I am using http challenge for LE.

I would like to get two certs;

    1) domain1:
      - main: "domain1.com"
        sans:
          - "sub1.domain1.com"
          - "sub2.domain1.com"
          - "sub3.domain1.com"
          - "sub4.domain1.com"
          .......

and

    2) domain2:
      - main: "domain2.com"
        sans:
          - "sub1.domain2.com"
          - "sub2.domain2.com"
          - "sub3.domain2.com"
          - "sub4.domain2.com"
          .......

The docs refer to a definition in each router, so I have tried in my router definition per application;

This worked but I hit LE limits;

  tls:
    certResolver: letsencrypt
    domains:
      - main: "traefik.domain1.com"

then

  tls:
    certResolver: letsencrypt
    domains:
      - main: "sub1.domain2.com"

then this, which didn't seem to work, error from the cert server....

      - main: "domain1.com"
        sans:
          - "*.domain1.com"

Try switching to the LE staging server while you work this out, as it has higher rate limits.

The traefik log should show why the acme challenge is not completing and/or show which limit you may be hitting.

You can also use https://letsdebug.net/ to help troubleshoot.

Hello,

To get wildcard certificates you have to use the DNS challenge:

Thanks @cakiwi for taking the time to reply :slight_smile:

I have been using the staging server, where all of the certificate requests succeeded and all was well.

My issue is not with LE, it is with how traefik 2 requests the certs depending on their definition in the configs. That seems missing from the docs, as it's critical to know if you will hit the limits.

What it didn't show me is that a separate cert was being requested per micro service router I had defined, which I'd understood from the 2.2 manual to be the new way of defining the main and sans certs.

Logically to me the 1.7 way of defining main and sans was more logical but I could understand defining per router would be more flexible?

What I couldn't find was any example of splitting those out?

So having a main domain1.com on one micro service router and then defining all of the others as sans perhaps? Who knows.

I would have thought that all the sans sub domains would be grouped and traefik 2 would request 1 cert from LE, but it doesn't; it requests 11, 1 main and 10 sub domains.

I have since made progress by duckduckdoing but not after a number of days trying to figure out the docs (which are otherwise great though).

Hi @ldez thanks for taking the time to reply.

Thanks for the link, except I know what wildcard certs are just not how to define them and where within the traefik 2 config?

Where does it show how to do that in the docs, as I couldn't find it :slight_smile:

I now have wildcards sorted after a late evening last night and a good bit of duckduckdoing, but I am still unclear how to define a non wildcard http set of main and sub domains in traefik2 :-/ ?

I ended up adding the main and sans for each domain in the domain to www.domain redirect, while removing it from all the other routers .... I now have a cert store with two certs, with domain1+subdomains and domain2+subdomains working via http.

I can also successfully request wildcard certs via dns :slight_smile:

I don't know if this is an approved method, but it's the only one I have found to work.
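The split described above, written out as a Traefik v2 file-provider dynamic configuration. This is an added example, not the poster's own configuration; the hostnames, service names, middleware name and the websecure entry point are assumed.

```yaml
# Added example (not the poster's config). Hostnames, service names and the
# middleware name are assumed; the entry point is assumed to be "websecure".
http:
  routers:
    domain1-redirect:
      # The apex router carries the full main + sans list, so one
      # certificate covering every domain1.com hostname is ordered here.
      # A second router of the same shape for domain2.com gives the second cert.
      rule: "Host(`domain1.com`)"
      entryPoints: ["websecure"]
      middlewares: ["to-www-domain1"]
      service: "www-domain1"
      tls:
        certResolver: "letsencrypt"
        domains:
          - main: "domain1.com"
            sans:
              - "www.domain1.com"
              - "sub1.domain1.com"
              - "sub2.domain1.com"
    sub1-domain1:
      # Service routers name the resolver only, with no domains block, so
      # they rely on the SAN certificate stored for sub1.domain1.com
      # instead of each ordering a certificate of their own.
      rule: "Host(`sub1.domain1.com`)"
      entryPoints: ["websecure"]
      service: "sub1-domain1"
      tls:
        certResolver: "letsencrypt"
  middlewares:
    to-www-domain1:
      # Apex-to-www redirect: the only job of the router that holds the cert list.
      redirectRegex:
        regex: "^https://domain1\\.com/(.*)"
        replacement: "https://www.domain1.com/${1}"
        permanent: true
  services:
    www-domain1:
      loadBalancer:
        servers:
          - url: "http://www-backend:80"
    sub1-domain1:
      loadBalancer:
        servers:
          - url: "http://sub1-backend:80"
```

Keep the acme.json store persistent across restarts, as noted later in the thread, or the stored SAN certificate is lost and every router orders again.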

Could you explain your solution better or post the configuration please?

Take a simple Traefik example, change LE validation to dnsChallenge (example, doc) and add the main/sans to the router (doc) to get a wildcard cert:

    ## Dynamic configuration
    labels:
      - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
      - traefik.http.routers.blog.tls=true
      - traefik.http.routers.blog.tls.certresolver=myresolver
      - traefik.http.routers.blog.tls.domains[0].main=example.org
      - traefik.http.routers.blog.tls.domains[0].sans=*.example.org

Traefik will also create a cert for multiple domains with tlsChallenge if you just specify all the domains using Host(). Make sure all domains point to your server IP.

    .rule=Host(`example.com`) || Host(`sub.example.com`)

Also make sure to save the acme.json in a mounted folder or in a volume to not create a new cert on every restart, otherwise you might hit the limits.
