Self Signed Cert - Subdomain

Hi,

I would like to know if I can use a self-signed certificate for, say, 'aaa.bbb.com' for multiple subdomains like 'site.aaa.bbb.com', 'site2.aaa.bbb.com'?
I'm using the docker provider.

Thanks in advance
NB: Sorry for my French English :smiley:

Hi,

I'm not an expert, but from my point of view that is not possible (you will receive an error message that your certificates are wrong).
You can

  1. build a certificate for aaa.bbb.com with SAN(s) site.aaa.bbb.com and site2.aaa.bbb.com, or
  2. build a *.aaa.bbb.com certificate

greetings...

I had a feeling it was not possible, but I tried :smirk:
I've already tried '*.aaa.bbb.com' too...

Thank you for your reply...

Hello @nicolas.diakite, you can, with a lot of tools, generate a single self-signed certificate
which will have aaa.bbb.com as main domain and has a wildcard *.aaa.bbb.com as a "SAN" (subject alternative name).

Example with mkcert:

mkcert aaa.bbb.com "*.aaa.bbb.com"

Then follow https://docs.traefik.io/v1.7/configuration/entrypoints/#static-certificates to configure the generated certificate with Traefik.

As @cybermcm told you, by default this certificate will be seen as "not secured", but it's ok for tests. If you use mkcert, it can import the certificate authority into your web browser, making it look like a legit certificate on your machine only.

By the way, you can do the same with Let's Encrypt, and let Traefik auto-generate a valid certificate for each domain it knows.
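The two options above (a cert whose SAN list names the subdomains, or one that carries a wildcard) can also be produced with plain openssl instead of mkcert. The block below is an added example written for this thread, not code from the original posts or from the Traefik project: it generates a self-signed certificate for aaa.bbb.com whose SAN list also holds *.aaa.bbb.com, then uses `openssl x509 -checkhost` to show which hostnames a client would accept. The domain names are the ones used in the thread; the output directory and file names are chosen here. It needs a recent openssl (1.0.2 or later for `-checkhost`).

```shell
#!/bin/sh
# Added example: self-signed cert covering aaa.bbb.com and *.aaa.bbb.com via SAN.
# Modern clients ignore the CN when a SAN list is present, which is why a cert
# issued only for "aaa.bbb.com" is rejected on site.aaa.bbb.com.

# gen_selfsigned DIR: writes DIR/aaa.bbb.com.key and DIR/aaa.bbb.com.crt
gen_selfsigned() {
  dir="$1"
  mkdir -p "$dir"
  # Minimal openssl config; the subjectAltName line is the part that matters.
  cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = aaa.bbb.com
[v3_req]
subjectAltName = DNS:aaa.bbb.com, DNS:*.aaa.bbb.com
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$dir/aaa.bbb.com.key" -out "$dir/aaa.bbb.com.crt" \
    -config "$dir/san.cnf" >/dev/null 2>&1
}

# cert_matches_host CERT HOST: exit 0 if CERT is valid for HOST, 1 otherwise.
# openssl prints "Hostname X does match certificate" / "does NOT match".
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# list_san CERT: print the SAN extension so the DNS entries can be eyeballed.
list_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    || openssl x509 -in "$1" -noout -text | grep -A1 "Subject Alternative Name"
}

# Usage (only runs when executed directly, not when sourced by a test):
if [ "${0##*/}" = "selfsigned_san.sh" ]; then
  out=./certs
  gen_selfsigned "$out"
  list_san "$out/aaa.bbb.com.crt"
  for h in aaa.bbb.com site.aaa.bbb.com site2.aaa.bbb.com deep.site.aaa.bbb.com; do
    if cert_matches_host "$out/aaa.bbb.com.crt" "$h"; then
      echo "$h: accepted"
    else
      echo "$h: rejected"
    fi
  done
fi
```

Note that the wildcard covers a single label only: site.aaa.bbb.com and site2.aaa.bbb.com match, while deep.site.aaa.bbb.com does not, so nested subdomains need their own SAN entry or their own certificate.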

Hello @dduportal
Thanks for your reply.

My goal is to use it in production, so I will go with "Let's Encrypt" or ask my client to pay for a wildcard cert and use it as static.

Regarding Let's Encrypt, it is mandatory to use the DNS challenge for wildcards, right??

Still waiting for the "French tag" hihi

Yes, you are right: using the DNS challenge is mandatory when one of the domains (principal or alternative) is a wildcard.

However, requesting a wildcard domain might not be required, as Traefik automates certificate generation. By using onHostRule, the domain names are dynamically detected from the frontend rules, and the Let's Encrypt certificates are requested individually from these.

In your example, as soon as the service behind the domain site2.aaa.bbb.com, Traefik requests a single certificate for the domain site2.aaa.bbb.com, through the TLS, HTTP or DNS challenge.
So you will end up with a finite collection of certificates.

(For the French tag, we'll discuss this :slight_smile: )