Traefik - Wildcard Certificate is Not Being Generated. Magic?

Dear friends, greetings to all!

In the past 24 hours, I’ve read a lot of information about certificate issuance—how it works and how it’s set up, including topics related to Traefik.
Still, I can’t understand why the certificate issuance doesn’t work.

Example in the documentation:
Traefik EntryPoints Documentation - Traefik.

My Traefik version: 3.2.2
Domain: public
DNS: Cloudflare
Services are running in Docker

Here’s an example configuration where labels are used for the Traefik service. And it works!

docker compose

- "traefik.http.routers.wildcard_cert.tls.certresolver=letencrypt"
- "traefik.http.routers.wildcard_cert.tls.domains[0].main=example.com"
- "traefik.http.routers.wildcard_cert.tls.domains[0].sans=*.example.com"

traefik.yml

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entrypoint:
          to: websecure
          scheme: https

  websecure:
    address: ":443"
certificatesResolvers:
  letencrypt:
    acme:
      email: e-mail@gmail.com
      storage: /certs/acme.json
#      caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - 1.1.1.1:53
          - 1.0.0.1:53
        delayBeforeCheck: 20

Everything works perfectly, and I receive a wildcard certificate.
Additionally, dynamic certificate issuance (non-wildcard) works as well.

But if I configure it in traefik.yml with the following configuration:

global:
  checkNewVersion: false
  sendAnonymousUsage: false

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entrypoint:
          to: websecure
          scheme: https

  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letencrypt
        domains:
          - main: example.com
            sans:
              - "*.example.com"

log:
  level: DEBUG

api:
  insecure: true
  dashboard: true

providers:
  docker:
    exposedByDefault: false

certificatesResolvers:
  letencrypt:
    acme:
      email: e-mail@gmail.com
      storage: /certs/acme.json
#      caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - 1.1.1.1:53
          - 1.0.0.1:53
        delayBeforeCheck: 20

The acme.json file remains empty, and no certificate is issued.

Here are the logs:

I would greatly appreciate your help.
(English is not my native language, so I use a translator.)

With respect and best wishes,
Alexander

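Added example, not part of the original post and not Traefik's own tooling: a small store inspector for the acme.json that the post says stays empty. It assumes the layout Traefik writes to acme.json (one top-level key per certificate resolver, holding an "Account" with the registration URI and a "Certificates" list whose "certificate" field is base64 PEM); the sample document below is constructed with placeholder key material. It reports whether an ACME account was ever registered for the resolver, whether that account sits on the staging CA (the post's config points there, so even a successful order yields a certificate browsers will not trust), and whether any stored entry covers a given hostname under X.509 single-label wildcard rules.

```python
import base64
import json
from typing import Any, Dict, List

# Constructed sample of Traefik's acme.json (layout assumed from the Traefik v2/v3
# store format). Key material is a placeholder, not a real key or certificate.
_PEM = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE_ACME_JSON = json.dumps({
    "letencrypt": {
        "Account": {
            "Email": "e-mail@gmail.com",
            "Registration": {
                "body": {"status": "valid", "contact": ["mailto:e-mail@gmail.com"]},
                "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/0000000",
            },
            "PrivateKey": "PLACEHOLDER",
            "KeyType": "4096",
        },
        "Certificates": [{
            "domain": {"main": "example.com", "sans": ["*.example.com"]},
            "certificate": base64.b64encode(_PEM).decode(),
            "key": base64.b64encode(b"PLACEHOLDER").decode(),
            "Store": "default",
        }],
    }
})

STAGING_MARKER = "acme-staging"


def load_store(text: str) -> Dict[str, Any]:
    """Parse acme.json text. Traefik creates the file empty before the first
    successful order, so an empty file is treated as an empty store."""
    text = text.strip()
    return json.loads(text) if text else {}


def resolver_report(store: Dict[str, Any], resolver: str) -> Dict[str, Any]:
    """Summarise one resolver: account registered or not, against which CA,
    and which names the stored certificates cover."""
    entry = store.get(resolver) or {}
    account = entry.get("Account") or {}
    uri = (account.get("Registration") or {}).get("uri", "")
    certs = entry.get("Certificates") or []
    names: List[str] = []
    pem_ok = True
    for cert in certs:
        domain = cert.get("domain", {})
        names.append(domain.get("main", ""))
        names.extend(domain.get("sans") or [])
        # "certificate" holds base64 of the PEM chain; check it decodes to PEM.
        pem = base64.b64decode(cert.get("certificate", ""))
        pem_ok = pem_ok and pem.startswith(b"-----BEGIN CERTIFICATE-----")
    return {
        "registered": bool(uri),
        "staging": STAGING_MARKER in uri,
        "count": len(certs),
        "domains": names,
        "pem_ok": pem_ok,
    }


def name_matches(pattern: str, hostname: str) -> bool:
    """X.509 wildcard semantics: '*.example.com' covers exactly one extra label,
    so it matches app.example.com but neither example.com nor a.b.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        if "." not in hostname:
            return False
        return hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def covers(store: Dict[str, Any], resolver: str, hostname: str) -> bool:
    return any(name_matches(n, hostname)
               for n in resolver_report(store, resolver)["domains"])


def diagnose(text: str, resolver: str, hostname: str) -> List[str]:
    """Return findings as plain strings; an empty list means the store holds a
    usable certificate for hostname from a production account."""
    store = load_store(text)
    findings: List[str] = []
    if resolver not in store:
        findings.append(f"resolver '{resolver}' has no entry: no ACME order completed")
        return findings
    rep = resolver_report(store, resolver)
    if not rep["registered"]:
        findings.append("no ACME account registered (registration failed before any order)")
    if rep["staging"]:
        findings.append("account is on the staging CA: certificates will not be browser-trusted")
    if not rep["pem_ok"]:
        findings.append("a stored certificate is not PEM: entry is corrupt")
    if not covers(store, resolver, hostname):
        findings.append(f"no stored certificate covers {hostname}")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_ACME_JSON, "letencrypt", "app.example.com"):
        print(line)
```

Against a live container, feed it the real file, for example `diagnose(open("/certs/acme.json").read(), "letencrypt", "app.example.com")`; the resolver name must match the key under `certificatesResolvers` in traefik.yml. An empty file produces the single "no entry" finding, which is exactly the state the post describes and means the failure happened before any order was stored, so the answer is in the DEBUG log rather than in acme.json.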

Probably best to ask this on a Traefik specific support channel, as to me it's not the cert issuance itself, but more specifically how Traefik deals with it.


I’ve tried, but there’s no result, so I decided to ask here.
I’m almost desperate and am hoping for a stroke of luck—maybe someone among the participants knows the solution.

Are you actually trying to use example.com in your tests?

Let's Encrypt has a policy against random people attempting to issue certs for example.com.

There should be an error message, maybe that client is swallowing it though.


No, no. This is just an example. :rofl:


solution

