Traefik 2.0: Wildcard Let's Encrypt Certificates

How to use wildcard certificates with Traefik 2.0
Header image

Image Source


In this tutorial we will setup Traefik to obtain wildcard certificates from Let’s Encrypt. This requires DNS challenge to be setup. Usually Traefik obtains a certificate for every subdomain. We can simplify this process by telling Traefik to use a wildcard (* certificate instead.


  • Registered Domain
  • Authoritative DNS Servers from one of these providers (you may need to change your DNS servers of your domain to one of the provider in the list)

In this tutorial we will use Cloudflare as our DNS servers for our domain.

Setup DNS challenge

If you have followed our other guides, chances are you currently use HTTP challenge. These types of challenges define how Let’s Encrypt assures that you are the owner of the domain you want to obtain a certificate for.

In order to get a wildcard certificate, you have to use DNS challenge.

First of all make sure you connect your domain with one of the supported DNS providers. We are using Cloudflare. This depends on where you bought your domain, so we can’t show you exactly how to do it.

In the Traefik Docker compose file we add the following lines:

  - CF_API_KEY=your-cloudflare-api-key

Here is the full Traefik Docker compose

Next, we tell Traefik to use DNS challenge (edit the file traefik.yml):

      storage: acme.json
        provider: cloudflare
          - ""
          - ""

Here is the full Traefik configuration file

Create a backup of your existing acme.json and clear the current file:

cp -p acme.json acme.json.bak && > acme.json

Setup the wildcard certificate

Change the Traefik Docker compose labels (make sure to change your domain accordingly):

- "traefik.http.routers.traefik.tls=true"
- "traefik.http.routers.traefik.tls.certresolver=cloudflare"
- "[0]"
- "[0].sans=*"
- "traefik.http.routers.traefik.service=api@internal"

Here is the full Traefik Docker compose

Tell Traefik to use the wildcard certificate for each service

Now we have to remove one label from every service:

- traefik.http.routers.service.tls.certresolver=cloudflare

Here is an example compose file

Once you have removed the line above from all your services, Traefik should always use the wildcard certificate.