Wildcard Certificate and specific for one subdomain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

Tried to install a RocketChat server with the traefik https option, on the subdomain https://hive.buckfast-bayern.de
Deploy with Docker & Docker Compose - Rocket.Chat Docs
The RocketChat will be on a separate server than the main domain / web server, and the subdomain is directed to the RocketChat server via the name server.

It produced this output:
When I try to reach the website, an error occurs, due to the fact that the wildcard domain *.buckfast-bayern.de has a certificate on the web server of the main domain.
My question is: is it possible to have the wildcard domain with certificate on the main domain server and have a certificate for the subdomain on the RocketChat server?
After installation I waited for about 15 min; is it possible that I have to wait longer to get this information effective?

My web server is (include version):
Rocketchat Server: traefik
Main Domain Server: unknown

The operating system my web server runs on is (include version):
Ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
RocketChat Server: Yes
Main Domain: No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Yes. Should be possible. The IP addresses for both servers are different and they can both request their own certificates.

What is the error? Is it a connection error? Because I cannot connect to your hive subdomain using HTTP or HTTPS (port 80 or 443). Are you able to connect to your hive server from the public internet and not just a local connection?


Hi,

Thanks for the answer. I shut down the server because I was frustrated and tried to get it solved somehow else; I reset everything and moved on. Now everything is running again just like yesterday.
This is the error code of Google Chrome if I check the domain: NET::ERR_CERT_AUTHORITY_INVALID
https://hive.buckfast-bayern.de/


If you look at the detailed error info from Chrome it should show the cert being used. It would show the same wrong cert as seen by the below SSL Checker tool, which is a Traefik default cert
https://decoder.link/sslchecker/hive.buckfast-bayern.de/443

I don't know why you say this is related to the wildcard cert on your main domain.

I don't see that you got a fresh cert for your hive subdomain. I only see the wildcard from last month.

Are there some Traefik debug logs you can review about its "traefik https option" ?

I am guessing Traefik uses a default cert until it successfully gets a new cert. But, without knowing why that failed it is hard to give advice. You'll have to review the logs to find out more.


Hi, yesterday there was some error message saying that it is the wrong certificate for *buckfast-bayern.de
But you are right, at the moment there is a different error message than yesterday. I added the log file here. It seems to have some error, but I do not know what this error means:

time="2024-03-13T18:33:33Z" level=info msg="Traefik version 2.9.8 built on 2023-02-15T15:23:25Z"
time="2024-03-13T18:33:33Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"https\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"redirections\":{\"entryPoint\":{\"to\":\"https\",\"scheme\":\"https\",\"permanent\":true,\"priority\":2147483646}}},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":\"15s\"}},\"api\":{\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"filePath\":\"/logs/traefik.log\",\"format\":\"common\"},\"certificatesResolvers\":{\"le\":{\"acme\":{\"email\":\"kallertobias@gmail.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"tlsChallenge\":{}}}}}"
time="2024-03-13T18:33:33Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
time="2024-03-13T18:33:33Z" level=info msg="Starting provider aggregator aggregator.ProviderAggregator"
time="2024-03-13T18:33:33Z" level=info msg="Starting provider *traefik.Provider"
time="2024-03-13T18:33:33Z" level=debug msg="*traefik.Provider provider configuration: {}"
time="2024-03-13T18:33:33Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"web-to-https\":{\"entryPoints\":[\"web\"],\"middlewares\":[\"redirect-web-to-https\"],\"service\":\"noop@internal\",\"rule\":\"HostRegexp(`{host:.+}`)\",\"priority\":2147483646}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}},\"middlewares\":{\"redirect-web-to-https\":{\"redirectScheme\":{\"scheme\":\"https\",\"port\":\"443\",\"permanent\":true}}},\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=internal
time="2024-03-13T18:33:33Z" level=debug msg="Starting TCP Server" entryPointName=web
time="2024-03-13T18:33:33Z" level=debug msg="Starting TCP Server" entryPointName=https
time="2024-03-13T18:33:33Z" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2024-03-13T18:33:33Z" level=debug msg="*acme.ChallengeTLSALPN provider configuration: {}"
time="2024-03-13T18:33:33Z" level=info msg="Starting provider *docker.Provider"
time="2024-03-13T18:33:33Z" level=debug msg="*docker.Provider provider configuration: {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":\"15s\"}"
time="2024-03-13T18:33:33Z" level=info msg="Starting provider *acme.Provider"
time="2024-03-13T18:33:33Z" level=debug msg="*acme.Provider provider configuration: {\"email\":\"kallertobias@gmail.com\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"certificatesDuration\":2160,\"tlsChallenge\":{},\"ResolverName\":\"le\",\"store\":{},\"TLSChallengeProvider\":{},\"HTTPChallengeProvider\":{}}"
time="2024-03-13T18:33:33Z" level=debug msg="Attempt to renew certificates \"720h0m0s\" before expiry and check every \"24h0m0s\"" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=le.acme
time="2024-03-13T18:33:33Z" level=info msg="Testing certificate renew..." ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=le.acme
time="2024-03-13T18:33:33Z" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=le.acme
time="2024-03-13T18:33:33Z" level=debug msg="Provider connection established with docker 25.0.4 (API 1.44)" providerName=docker
time="2024-03-13T18:33:33Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-rocketchat-6bc89243d5b30af2e124716ada81ab248bf0cbcfea17a6cf466149ab272694eb
time="2024-03-13T18:33:33Z" level=debug msg="Filtering disabled container" providerName=docker container=mongodb-rocketchat-e2b07d20f97d8428c073ed7d0d4cbd1354889d87808ecc34fb7d1a97e43eec23
time="2024-03-13T18:33:33Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"rocketchat\":{\"entryPoints\":[\"https\"],\"service\":\"rocketchat-rocketchat\",\"rule\":\"Host(``)\",\"tls\":{\"certResolver\":\"le\"}}},\"services\":{\"rocketchat-rocketchat\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.3:3000\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2024-03-13T18:33:33Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2024-03-13T18:33:33Z" level=debug msg="Added outgoing tracing middleware noop@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=web routerName=web-to-https@internal
time="2024-03-13T18:33:33Z" level=debug msg="Creating middleware" middlewareType=RedirectScheme entryPointName=web routerName=web-to-https@internal middlewareName=redirect-web-to-https@internal
time="2024-03-13T18:33:33Z" level=debug msg="Setting up redirection to https 443" entryPointName=web routerName=web-to-https@internal middlewareName=redirect-web-to-https@internal middlewareType=RedirectScheme
time="2024-03-13T18:33:33Z" level=debug msg="Creating middleware" entryPointName=web middlewareType=Recovery middlewareName=traefik-internal-recovery
time="2024-03-13T18:33:33Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2024-03-13T18:33:33Z" level=debug msg="Added outgoing tracing middleware noop@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=web routerName=web-to-https@internal
time="2024-03-13T18:33:33Z" level=debug msg="Creating middleware" entryPointName=web routerName=web-to-https@internal middlewareName=redirect-web-to-https@internal middlewareType=RedirectScheme
time="2024-03-13T18:33:33Z" level=debug msg="Setting up redirection to https 443" middlewareType=RedirectScheme entryPointName=web routerName=web-to-https@internal middlewareName=redirect-web-to-https@internal
time="2024-03-13T18:33:33Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=web
time="2024-03-13T18:33:33Z" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining entryPointName=https routerName=rocketchat@docker serviceName=rocketchat-rocketchat
time="2024-03-13T18:33:33Z" level=debug msg="Creating load-balancer" entryPointName=https routerName=rocketchat@docker serviceName=rocketchat-rocketchat
time="2024-03-13T18:33:33Z" level=debug msg="Creating server 0 http://172.18.0.3:3000" routerName=rocketchat@docker serviceName=rocketchat-rocketchat serverName=0 entryPointName=https
time="2024-03-13T18:33:33Z" level=debug msg="child http://172.18.0.3:3000 now UP"
time="2024-03-13T18:33:33Z" level=debug msg="Propagating new UP status"
time="2024-03-13T18:33:33Z" level=debug msg="Added outgoing tracing middleware rocketchat-rocketchat" middlewareName=tracing middlewareType=TracingForwarder entryPointName=https routerName=rocketchat@docker
time="2024-03-13T18:33:33Z" level=error msg="empty args for matcher Host, []" entryPointName=https routerName=rocketchat@docker
time="2024-03-13T18:33:33Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=https
time="2024-03-13T18:33:33Z" level=debug msg="Adding route for  with TLS options default" entryPointName=https
time="2024-03-13T18:33:33Z" level=error msg="Error while adding route for host: empty args for matcher HostSNI, []"
time="2024-03-13T18:33:33Z" level=debug msg="Trying to challenge certificate for domain [] found in HostSNI rule" rule="Host(``)" providerName=le.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=rocketchat@docker
time="2024-03-13T18:33:33Z" level=error msg="Unable to obtain ACME certificate for domains \"\": no domain was given" rule="Host(``)" providerName=le.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=rocketchat@docker
time="2024-03-13T18:35:36Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:35:37Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:36:31Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:36:32Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:37:23Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:39:21Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:39:22Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:39:24Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:39:24Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:40:36Z" level=debug msg="http: TLS handshake error from 198.235.24.57:53622: tls: client offered only unsupported versions: [302 301]"
time="2024-03-13T18:40:51Z" level=debug msg="Serving default certificate for request: \"\""
time="2024-03-13T18:40:51Z" level=debug msg="Serving default certificate for request: \"85.215.123.144\""
time="2024-03-13T18:40:51Z" level=debug msg="http: TLS handshake error from 165.154.36.91:45346: EOF"
time="2024-03-13T18:40:51Z" level=debug msg="Serving default certificate for request: \"85.215.123.144\""
time="2024-03-13T18:40:51Z" level=debug msg="http: TLS handshake error from 165.154.36.91:45732: EOF"
time="2024-03-13T18:40:52Z" level=debug msg="Serving default certificate for request: \"85.215.123.144\""
time="2024-03-13T18:40:52Z" level=debug msg="http: TLS handshake error from 165.154.36.91:46408: tls: no cipher suite supported by both client and server"
time="2024-03-13T18:40:52Z" level=debug msg="http: TLS handshake error from 165.154.36.91:46922: tls: client requested unsupported application protocols ([http/0.9 http/1.0 spdy/1 spdy/2 spdy/3 h2c hq])"
time="2024-03-13T18:40:52Z" level=debug msg="http: TLS handshake error from 165.154.36.91:47432: tls: client requested unsupported application protocols ([hq h2c spdy/3 spdy/2 spdy/1 http/1.0 http/0.9])"
time="2024-03-13T18:40:53Z" level=debug msg="http: TLS handshake error from 165.154.36.91:48246: tls: client offered only unsupported versions: [302 301]"
time="2024-03-13T18:40:53Z" level=debug msg="Serving default certificate for request: \"85.215.123.144\""
time="2024-03-13T18:40:53Z" level=debug msg="http: TLS handshake error from 165.154.36.91:48828: read tcp 172.18.0.4:443->165.154.36.91:48828: read: connection reset by peer"
time="2024-03-13T18:40:53Z" level=debug msg="Serving default certificate for request: \"85.215.123.144\""
time="2024-03-13T18:40:53Z" level=debug msg="http: TLS handshake error from 165.154.36.91:49414: EOF"
time="2024-03-13T18:40:54Z" level=debug msg="Serving default certificate for request: \"85.215.123.144\""
time="2024-03-13T18:40:54Z" level=debug msg="http: TLS handshake error from 165.154.36.91:49800: EOF"
time="2024-03-13T18:40:54Z" level=debug msg="Serving default certificate for request: \"85.215.123.144\""
time="2024-03-13T18:40:54Z" level=debug msg="http: TLS handshake error from 165.154.36.91:50172: read tcp 172.18.0.4:443->165.154.36.91:50172: read: connection reset by peer"
time="2024-03-13T18:40:54Z" level=debug msg="Serving default certificate for request: \"34.77.189.226\""
time="2024-03-13T18:40:54Z" level=debug msg="http: TLS handshake error from 165.154.36.91:50508: EOF"
time="2024-03-13T18:41:27Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:41:28Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:42:27Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:42:28Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:42:30Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:42:31Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:42:52Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:42:52Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:43:33Z" level=warning msg="A new release has been found: 2.11.0. Please consider updating."
time="2024-03-13T18:45:31Z" level=debug msg="Serving default certificate for request: \"\""
time="2024-03-13T18:45:32Z" level=debug msg="Serving default certificate for request: \"\""
time="2024-03-13T18:45:55Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:45:55Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:46:05Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:46:05Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:46:23Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:46:24Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:46:51Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:46:52Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:48:05Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:48:06Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:48:55Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:48:55Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:48:59Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:48:59Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""

It seems that there are some handshakes failing, do I have to open any specific port?

I think the most important part of that log is above.

Traefik tries to get a cert but is failing so it falls back to its default cert. I don't know Traefik well enough to make suggestions. Someone else here may offer help.

But, I think your best option is to post this on a Traefik support forum.

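An added diagnostic example, not from the original thread or from Traefik itself: a short Python triage of log lines in the shape posted above, flagging a router whose Host() rule carries no argument, the ACME order that was therefore never placed, and the SNI names for which the internal default certificate was served instead. The sample lines are constructed after the log in the thread (same message shapes, trimmed), and the rule regex assumes Traefik's Host(`...`) matcher syntax.

```python
import json
import re
from collections import Counter

# Constructed sample, modelled on the Traefik 2.9 log posted in the thread:
# same message shapes, trimmed to the lines that carry the diagnosis.
SAMPLE_LOG = r'''
time="2024-03-13T18:33:33Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"rocketchat\":{\"entryPoints\":[\"https\"],\"service\":\"rocketchat-rocketchat\",\"rule\":\"Host(``)\",\"tls\":{\"certResolver\":\"le\"}}}}}" providerName=docker
time="2024-03-13T18:33:33Z" level=error msg="empty args for matcher Host, []" entryPointName=https routerName=rocketchat@docker
time="2024-03-13T18:33:33Z" level=error msg="Unable to obtain ACME certificate for domains \"\": no domain was given" rule="Host(``)" providerName=le.acme routerName=rocketchat@docker
time="2024-03-13T18:35:36Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
time="2024-03-13T18:40:51Z" level=debug msg="Serving default certificate for request: \"\""
time="2024-03-13T18:40:51Z" level=debug msg="Serving default certificate for request: \"85.215.123.144\""
time="2024-03-13T18:41:27Z" level=debug msg="Serving default certificate for request: \"hive.buckfast-bayern.de\""
'''

# logrus "common" text format: key=bare or key="quoted, with \" escapes"
FIELD_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')
HOST_RE = re.compile(r"Host\(`([^`]*)`\)")  # argument of a Host(`...`) matcher
CFG_PREFIX = "Configuration received: "
SNI_PREFIX = "Serving default certificate for request: "


def parse_line(line):
    """Split one log line into a dict; returns None if it has no msg field."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = bare if quoted is None else quoted.replace('\\"', '"')
    return fields if "msg" in fields else None


def triage(log_text):
    """Collect the three signals that explain a persistent default cert."""
    result = {"empty_host_routers": [], "acme_failures": [],
              "default_cert_sni": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith(CFG_PREFIX):
            # The provider's dynamic config is plain JSON once the \" escapes are undone.
            routers = json.loads(msg[len(CFG_PREFIX):]).get("http", {}).get("routers", {})
            for name, router in routers.items():
                hosts = HOST_RE.findall(router.get("rule", ""))
                if hosts and all(h.strip() == "" for h in hosts):
                    result["empty_host_routers"].append(name)
        elif rec.get("level") == "error" and "Unable to obtain ACME certificate" in msg:
            result["acme_failures"].append(rec.get("routerName", "?"))
        elif msg.startswith(SNI_PREFIX):
            sni = msg[len(SNI_PREFIX):].strip('"')
            result["default_cert_sni"][sni or "<no SNI>"] += 1
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for name in r["empty_host_routers"]:
        print(f"router {name!r}: Host() rule is empty, so no domain reaches the ACME resolver")
    for sni, n in r["default_cert_sni"].most_common():
        print(f"default (self-signed) cert served {n}x for SNI {sni}")
```

Pointing it at the real /logs/traefik.log instead of SAMPLE_LOG shows which router never received a hostname, which is the step before any port or DNS question.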
