hardware/mailserver

Support Wildcards with traefik

Closed this issue · 10 comments

Classification


  • Feature/Enhancement

Reproducibility


  • Always

Docker information

hardware/mailserver   1.1-stable          sha256:3dbb863ed5c714d9b15ff46271bae9c37adfdf57ded53b4f9ea3fefb093129df   e9c99615f126        7 days ago          363MB

Description

Support wildcard certificates with traefik

Steps to reproduce

  1. Configure traefik to use wildcard certificates
  2. Attach the acme volume
  3. Error certificates not found

Expected results

Work as with SAN certificates

Actual results

Doesn't work

Yup, already in my todo list. Traefik 1.6 should come after release candidate cycle.

https://github.com/containous/traefik/releases

And dumpcerts.sh needs to be updated for 1.6:

traefik/traefik#3115

Hi there!
I have a question not exactly related to this subject, but what about the release cycles?

I mean, for example: I saw you made an update on the base image like 6 days ago (rspamd 1.7.2).
hardware/debian-mail-overlay@ead3eb8

Until now the latest docker build was from 8 days ago.
https://hub.docker.com/r/hardware/mailserver/builds/bujc9punenhdrd8r6zfljgy/

However (2 hours ago), you did a new build for 1.1-latest:
https://hub.docker.com/r/hardware/mailserver/builds/btogsbla9adav8vave5c7vk/

So, how can I know which docker image refers to each commit?

PS: I'm also keeping track of traefik 1.6; by the way, caddy already has support for it (ACME v2).

Usually, the 1.1-latest docker tag always points to the latest commit. But there is a memory leak issue in rspamd 1.7.2, so I haven't triggered the build, to not affect 1.1-latest tag users. And I reported a bug to the s6 developer. And docker hub had some build problems this weekend.

All of this caused the latest build to be delayed :)

@ichasco: Can you give me an example of acme.json with a fake wildcard certificate inside? I can't pass the DNS-02 challenge because my DNS solution doesn't provide an API.

Yes of course, an example could be:

{
  "Domain": {
    "Main": "*.ichasco.com",
    "SANs": null
  },
  "Certificate": "<Here goes the Certificate>",
  "Key": "<Here goes the Key>"
},

Tell me if it is valid for you or if you need something else.

Thanks

Great. Now, traefik 1.6 should work with hardware/mailserver:1.1-latest. Can you try?

You should see this in the mailserver logs:

[INFO] Search for SSL certificates generated by Traefik
[INFO] acme.json found with ACME v2 format, dumping into pem files
[INFO] Let's encrypt wildcard certificate found
[INFO] Let's encrypt live directory found
[INFO] Using /etc/letsencrypt/live/mail.domain.tld folder
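As an added illustration of the lookup those log lines describe (this is not the project's dumpcerts.sh, and the acme.json layout it assumes, a top-level Certificates list with base64-encoded PEM values as written by Traefik 1.6, is an assumption): parse acme.json, find the entry covering mail.domain.tld either directly, through a SAN, or through a single-label wildcard, and write the PEM pair into a live/<host> directory with the key readable by its owner only. The acme.json sample is constructed.

```python
import base64
import json
import os
import tempfile

# Constructed sample in the Traefik 1.6 / ACME v2 acme.json layout (assumed: a top-level
# "Certificates" list, PEM bytes base64-encoded by Go's JSON encoder). Placeholder PEM only.
_b64 = lambda s: base64.b64encode(s.encode()).decode()  # Go []byte -> base64 in JSON
SAMPLE_ACME_JSON = json.dumps({"Certificates": [
    {"Domain": {"Main": "*.example.test", "SANs": None},
     "Certificate": _b64("-----BEGIN CERTIFICATE-----\nWILDCARD\n-----END CERTIFICATE-----\n"),
     "Key": _b64("-----BEGIN PRIVATE KEY-----\nWILDCARDKEY\n-----END PRIVATE KEY-----\n")},
    {"Domain": {"Main": "other.test", "SANs": ["www.other.test"]},
     "Certificate": _b64("-----BEGIN CERTIFICATE-----\nOTHER\n-----END CERTIFICATE-----\n"),
     "Key": _b64("-----BEGIN PRIVATE KEY-----\nOTHERKEY\n-----END PRIVATE KEY-----\n")},
]})

def name_matches(pattern: str, host: str) -> bool:
    # Exact match, or a wildcard covering exactly one extra label (RFC 6125 style):
    # *.example.test covers mail.example.test, not example.test or a.mail.example.test.
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host

def find_certificate(acme_json: str, host: str):
    # Decoded PEM pair covering host, or None (the "[ERROR] ... was not found" case above).
    for entry in json.loads(acme_json).get("Certificates", []):
        names = [entry["Domain"]["Main"]] + (entry["Domain"].get("SANs") or [])
        for name in names:
            if name_matches(name, host):
                return {"matched": name, "wildcard": name.startswith("*."),
                        "cert_pem": base64.b64decode(entry["Certificate"]),
                        "key_pem": base64.b64decode(entry["Key"])}
    return None

def dump_live_dir(acme_json: str, host: str) -> dict:
    # Write fullchain.pem / privkey.pem under <tmp>/live/<host>, mirroring the
    # /etc/letsencrypt/live layout the mailserver reads; the private key is owner-only.
    found = find_certificate(acme_json, host)
    if found is None:
        return {}
    live = os.path.join(tempfile.mkdtemp(), "live", host)
    os.makedirs(live)
    paths = {}
    for fname, field, mode in (("fullchain.pem", "cert_pem", 0o644), ("privkey.pem", "key_pem", 0o600)):
        paths[fname] = os.path.join(live, fname)
        with open(os.open(paths[fname], os.O_WRONLY | os.O_CREAT, mode), "wb") as f:
            f.write(found[field])
    return paths
```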

Hi, I have tested and I got the following error:

server_1 | [INFO] Search for SSL certificates generated by Traefik
server_1 | [INFO] acme.json found, dumping into pem files
server_1 | [ERROR] The certificate for mail.ichasco.com or the private key was not found !
server_1 | [INFO] Don't forget to add a new traefik frontend rule to generate a certificate for mail.ichasco.com subdomain
server_1 | [INFO] Look /mnt/docker/traefik/acme/dump.log and 'docker logs traefik' for more information

Pull the latest image please.

docker pull hardware/mailserver:1.1-latest
docker-compose up -d

services:
  mailserver:
    image: hardware/mailserver:1.1-latest
    volumes:
      - /mnt/docker/traefik/acme:/etc/letsencrypt/acme
    ...

Sorry, I was testing with the stable image.

Now it works perfectly!

server_1 | [INFO] acme.json found with ACME v2 format, dumping into pem files
server_1 | [INFO] Let's encrypt wildcard certificate found
server_1 | [INFO] Let's encrypt live directory found
server_1 | [INFO] Using /etc/letsencrypt/live/mail.ichasco.com folder

Thank you!!

Nice. Traefik wildcard certificates support will be available in the stable branch in a few days.