Pebble, Traefik, k8s and wildcard certificate

cch · October 12, 2022, 1:33pm

My setup is running Pebble, Traefik and my services in a k8s cluster (minikube) in local environment (laptop). All are installed via helm chart.

Pebble - chart version: 1.0.1
Traefik - chart version: 10.24.0

Custom domain - my.localhost

/etc/hosts file has been updated to have the following entries

127.0.0.1 my.localhost
127.0.0.1 *. my.localhost

According to Traefik's documentation, the Ingress for our service has the following annotation

  annotations:
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.tls.certresolver: "pebble"
    traefik.ingress.kubernetes.io/router.tls.domains.0.main: "my.localhost"
    traefik.ingress.kubernetes.io/router.tls.domains.0.sans: '*.my.localhost'

From the Chrome browser, when I visited my.localhost and looked at the certificate, I was seeing default Traefik certificate is being used instead of the one generated by Pebble.

If I removed the following annotation, I can see my website is using Pebble's certificate with CN "my.localhost".

`    traefik.ingress.kubernetes.io/router.tls.domains.0.sans: '*.my.localhost'`

Does anyone know how should I configure Ingress and/or Traefik/Pebble so that I can see the certificate's SANs contain "*.my.localhost" in addition to CN being "my.localhost" ?

rg305 · October 12, 2022, 2:48pm

Hi @cch, and welcome to the LE community forum

Shouldn't that be:
127.0.0.1 *.my.localhost

cch · October 12, 2022, 2:50pm

You are correct, I have typo here in the post. The one I have in /etc/hosts does not have that extra space.

system · November 11, 2022, 2:51pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.