How can I get LetsEncrypt working with a wildcard domain on Traefik?

5/1/2019

I'm trying to set up LetsEncrypt with a wildcard domain on my Traefik instance. Traefik has been installed from the Helm Chart stable/traefik.

We're using Google Cloud for DNS so I want to use gcloud as my Traefik acme provider.

As mentioned, it's a wildcard. I'm trying to have Traefik manage LetsEncrypt for *.domain.com with domain.com as a SAN.

I'm currently using a K8s claim for storing the acme.json file and it's been populated with a private key but no certificates.

Traefik Helm values

# LetsEncrypt
acme:
  acmeLogging: true
  challengeType: 'dns-01'
  enabled: true
  domains:
    enabled: true
    main: '*.<domain>'
    sans:
        - <domain>
  defaultEntryPoints:
  - http
  - https
  dnsProvider:
    name: 'gcloud'
    gcloud:
      GCE_PROJECT: <redacted>
      GCE_SERVICE_ACCOUNT_FILE: /secrets/gcloud-credentials.json
  email: <redacted>
  entryPoint: 'https'
  entryPoints:
    http:
      address: ':80'
    https:
      address: ':443'
  persistence:
    enabled: true
    existingClaim: 'certificate-store'
  provider: 'gcloud'
  staging: true

# SSL configuration
ssl:
  enabled: true
  enforced: true

acme.json

{
  "Account": {
    "Email": "<redacted>",
    "Registration": {
      "body": {
        "status": "valid",
        "contact": [
          "mailto:<redacted>"
        ]
      },
      "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/9091953"
    },
    "PrivateKey": "<redacted>",
    "KeyType": "4096"
  },
  "Certificates": null,
  "HTTPChallenges": {},
  "TLSChallenges": {}
}

All responses from Traefik should be being served with a wildcard LetsEncrypt cert for said domain that should auto-renew.

What additional steps might I need to carry out to have Traefik start generating the certificates, and how can I configure Traefik to use this certificate by default (rather than the built-in one)?

Thank you

-- Meegles
kubernetes
kubernetes-helm
lets-encrypt
traefik

2 Answers

5/1/2019

Are you 100% sure that the "domains" stanza should look like that? In the stable/traefik chart I see a slightly different format for domains:

  domains:
    enabled: false
    # List of sets of main and (optional) SANs to generate for
    # for wildcard certificates see https://docs.traefik.io/configuration/acme/#wildcard-domains
    domainsList:
    # - main: "*.example.com"
    # - sans:
    #   - "example.com"
    # - main: "*.example2.com"
    # - sans:
    #   - "test1.example2.com"
    #   - "test2.example2.com"

But maybe it's just a matter of a newer chart version, I don't know... If you have an older chart version then you can try to upgrade...

-- Vasily Angapov
Source: StackOverflow

5/2/2019

I figured this one out. I set the following (in addition to, or in replacement of, the above) in my Helm chart overrides YAML.

acme:
  caServer: 'https://acme-v02.api.letsencrypt.org/directory'
  domains:
    enabled: true
    domainsList:
      - main: '*.<domain>'
      - sans:
          - <domain>

I also got rid of persistence.existingClaim and let Traefik make its own claim, but if you already have an existing one keeping this definition shouldn't cause you any issues!

All Traefik ingresses are now serving the correct LetsEncrypt certificate without any additional configuration.

Thank you Vasily Angapov for your response - you were correct in terms of the acme.domains.domainsList section. :-)

-- Meegles
Source: StackOverflow
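As an added example (not from the question, the answers, or the Traefik project): a small readiness check for a Traefik 1.x acme.json of the shape shown in the question. It reports whether the account was registered against the Let's Encrypt staging directory (the `acme-staging-v02` URI above, which the accepted fix replaced with the production `caServer`), whether any certificates have been issued yet (`"Certificates": null` until the DNS-01 challenge succeeds), and whether a set of hostnames is covered using the one-label wildcard rule, which is why `*.<domain>` needs `<domain>` as a SAN. The `Certificates` entry layout (`Domain.Main`, `Domain.SANs`) follows Traefik 1.x's acme.json; the sample store is constructed and its PEM blobs are placeholders.

```python
import json

STAGING_MARKER = "acme-staging"  # substring of the Let's Encrypt staging directory URL


def wildcard_matches(pattern: str, host: str) -> bool:
    """Certificate-style match: '*' may only stand for the leftmost label, one label deep."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                  # ".example.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]           # the part '*' stood for
    return bool(left) and "." not in left  # exactly one non-empty label; apex is NOT covered


def check_acme_store(raw: str, wanted_hosts):
    """Summarise a Traefik 1.x acme.json: staging account?, issued names, uncovered hosts."""
    store = json.loads(raw)
    report = {
        "staging": STAGING_MARKER in store["Account"]["Registration"]["uri"],
        "issued": [],
        "uncovered": [],
    }
    names = []
    for cert in store.get("Certificates") or []:  # null until a challenge completes
        dom = cert["Domain"]
        entry = [dom["Main"]] + list(dom.get("SANs") or [])
        report["issued"].append(entry)
        names.extend(entry)
    for host in wanted_hosts:
        if not any(wildcard_matches(n, host) for n in names):
            report["uncovered"].append(host)
    return report


# Constructed sample: same shape as the acme.json in the question, with one
# issued wildcard certificate added. Key and certificate blobs are placeholders.
SAMPLE = json.dumps({
    "Account": {"Email": "x@example.com",
                "Registration": {"body": {"status": "valid"},
                                 "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/0"},
                "PrivateKey": "<redacted>", "KeyType": "4096"},
    "Certificates": [{"Domain": {"Main": "*.example.com", "SANs": ["example.com"]},
                      "Certificate": "<pem-base64>", "Key": "<pem-base64>"}],
    "HTTPChallenges": {}, "TLSChallenges": {},
})

if __name__ == "__main__":
    print(check_acme_store(SAMPLE, ["app.example.com", "example.com", "a.b.example.com"]))
```

Run it against the real file from the persistent volume (`kubectl cp` it out, or `kubectl exec` a `cat`) to see at a glance whether you are still on staging and whether the wildcard plus apex pair was actually issued.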