Traefik 2.0: Wildcard Let's Encrypt Certificates
In this tutorial we will setup Traefik to obtain wildcard certificates from Let’s Encrypt. This requires DNS challenge to be setup. Usually Traefik obtains a certificate for every subdomain. We can simplify this process by telling Traefik to use a wildcard (*.example.com) certificate instead.
- Registered Domain
- Authoritative DNS Servers from one of these providers (you may need to change your DNS servers of your domain to one of the provider in the list)
In this tutorial we will use Cloudflare as our DNS servers for our domain.
Setup DNS challenge
If you have followed our other guides, chances are you currently use HTTP challenge. These types of challenges define how Let’s Encrypt assures that you are the owner of the domain you want to obtain a certificate for.
In order to get a wildcard certificate, you have to use DNS challenge.
First of all make sure you connect your domain with one of the supported DNS providers. We are using Cloudflare. This depends on where you bought your domain, so we can’t show you exactly how to do it.
In the Traefik Docker compose file we add the following lines:
environment: - CF_API_EMAILemail@example.com - CF_API_KEY=your-cloudflare-api-key
Next, we tell Traefik to use DNS challenge (edit the file traefik.yml):
certificatesResolvers: cloudflare: acme: email: firstname.lastname@example.org storage: acme.json dnsChallenge: provider: cloudflare resolvers: - "126.96.36.199:53" - "188.8.131.52:53"
Create a backup of your existing acme.json and clear the current file:
cp -p acme.json acme.json.bak && > acme.json
Setup the wildcard certificate
Change the Traefik Docker compose labels (make sure to change your domain accordingly):
- "traefik.http.routers.traefik.tls=true" - "traefik.http.routers.traefik.tls.certresolver=cloudflare" - "traefik.http.routers.traefik.tls.domains.main=example.com" - "traefik.http.routers.traefik.tls.domains.sans=*.example.com" - "traefik.http.routers.traefik.service=api@internal"
Tell Traefik to use the wildcard certificate for each service
Now we have to remove one label from every service:
Once you have removed the line above from all your services, Traefik should always use the wildcard certificate.