Traefik Docker with wildcard domain
I'm trying to set up my Traefik Docker with Let's Encrypt SSL:
Here is my traefik.toml
```toml
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.dashboard]
    address = ":88"
    [entryPoints.dashboard.auth]
      [entryPoints.dashboard.auth.basic]
        users = ["admin:19081987"]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]

[api]
  entrypoint = "dashboard"

[acme]
  email = "[email protected]"
  storage = "acme.json"
  entryPoint = "https"
  onHostRule = false
  [acme.httpChallenge]
    entryPoint = "http"

[docker]
  domain = "mysite.com"
  watch = true
  network = "web"

[[acme.domains]]
  main = "mysite.com"
[[acme.domains]]
  main = "*.mysite.com"
```
My docker-compose file with WordPress and Adminer:
```yaml
version: '3.7'
services:
  wordpress:
    depends_on:
      - db
    image: wordpress:latest
    volumes:
      - ./wordpress_files:/var/www/html
      - ./uploads.ini:/usr/local/etc/php/conf.d/uploads.ini
    restart: always
    networks:
      - web
    container_name: mysitewp
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: user
      WORDPRESS_DB_PASSWORD: pass
      WORDPRESS_DB_NAME: mysitedp
    labels:
      - "traefik.backend=mysitewp"
      - "traefik.docker.network=web"
      - "traefik.frontend.rule=Host:mysite.com"
      - "traefik.enable=true"
      - "traefik.port=80"
  db:
    image: mysql:5.7
    volumes:
      - ./db_data:/var/lib/mysql
    restart: always
    networks:
      - web
    container_name: mysitedb
    environment:
      MYSQL_ROOT_PASSWORD: pass
      MYSQL_DATABASE: mysitedb
      MYSQL_USER: user
      MYSQL_PASSWORD: pass
  adminer:
    image: adminer
    restart: always
    networks:
      - web
    ports:
      - 89:8080
    labels:
      - "traefik.backend=adminer"
      - "traefik.docker.network=web"
      - "hostname=adminer"
      - "traefik.frontend.rule=Host:adminer.mysite.com"
      - "traefik.enable=true"
      # Traefik v1 expects the container's own port here (adminer listens on 8080);
      # 89 is only the host-side mapping declared under "ports".
      - "traefik.port=89"
    depends_on:
      - db
networks:
  web:
    external: true
```
All working fine (I can access my site using https) except Adminer (cannot access adminer.mysite.com). I have checked the Traefik logs:
unable to generate a certificate for the domains
It seems Traefik cannot generate a certificate for the wildcard domain (*.mysite.com). Any config for a wildcard domain with Traefik and Let's Encrypt?
Solution 1:[1]
As described in Let's Encrypt's post, wildcard certificates can only be generated through a DNS-01 challenge.
https://docs.traefik.io/v1.7/configuration/acme/#wildcard-domains
Solution 2:[2]
As per the docs, you can run traefik in manual mode and generate a certificate.
The following changes can be done in the config file:
```toml
[acme]
  email = "[email protected]"
  storage = "acme.json"
  entryPoint = "https"
  onHostRule = false
  [acme.dnsChallenge]
    provider = "manual"
```
Solution 3:[3]
With OVH as provider and DNS Challenge, this config works for me:
```yaml
version: "3.3"
services:
  traefik:
    image: "traefik:v2.6"
    container_name: "traefik"
    command:
      - --log.level=DEBUG
      - --api.insecure=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=ovh
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.delayBeforeCheck=60
      # the address was obfuscated on the page; put your own here
      - --certificatesresolvers.letsencrypt.acme.email=you@example.com
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      # - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --entrypoints.websecure.http.tls.domains[0].main=tibillet.org
      - --entrypoints.websecure.http.tls.domains[0].sans=*.tibillet.org
    ports:
      - "80:80"
      - "443:443"
      # - "8080:8080"
    environment:
      - "OVH_ENDPOINT=ovh-eu" # or "ovh-ca"
      - "OVH_APPLICATION_KEY=${OVH_APPLICATION_KEY}"
      - "OVH_APPLICATION_SECRET=${OVH_APPLICATION_SECRET}"
      - "OVH_CONSUMER_KEY=${OVH_CONSUMER_KEY}"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - frontend
networks:
  frontend:
    external: true
```
And the web service:
```yaml
version: "3.7"
services:
  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=HostRegexp(`{sub:[a-zA-Z0-9-]+}.tibillet.org`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
    networks:
      - frontend
networks:
  frontend:
    external: true
```
You have to generate the credentials for the DNS Challenge. This will add a TXT entry within your domains. For OVH you can follow this: https://medium.com/nephely/configure-traefik-for-the-dns-01-challenge-with-ovh-as-dns-provider-c737670c0434
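A check worth running after either setup, added here as an example and not part of the thread: it reads the names stored in Traefik's acme.json and reports whether each hostname is covered, which shows why adminer.mysite.com fails while only an HTTP-01 apex certificate exists and why Solution 3 requests both a main name and a wildcard SAN. The acme.json layouts it parses (v1 top-level `Certificates`, v2 per-resolver) and the sample contents are assumptions and constructed data, not a real storage file.

```python
import json
import os
import stat
import tempfile

def covers(pattern: str, host: str) -> bool:
    """Name match as TLS clients apply it: '*' stands for exactly one leftmost label,
    so '*.mysite.com' covers 'adminer.mysite.com' but not 'mysite.com' or 'a.b.mysite.com'."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    labels = host.split(".")
    return (bool(labels[0]) and len(labels) == pattern.count(".") + 1
            and ".".join(labels[1:]) == pattern[2:])

def cert_domains(acme: dict) -> list:
    """(main, sans) per stored certificate; assumed layouts: v1 top-level
    {"Certificates": [{"Domain": {"Main", "SANs"}}]}, v2 {"<resolver>": {"Certificates": [{"domain": ...}]}}."""
    stores = [acme] if "Certificates" in acme else [
        v for v in acme.values() if isinstance(v, dict) and "Certificates" in v]
    out = []
    for store in stores:
        for cert in store.get("Certificates") or []:
            dom = cert.get("domain") or cert.get("Domain") or {}
            main = dom.get("main") or dom.get("Main")
            sans = dom.get("sans") or dom.get("SANs") or []
            out.append((main, list(sans)))
    return out

def hosts_covered(path: str, hosts) -> dict:
    """Map each hostname to whether some stored certificate name covers it."""
    with open(path) as fh:
        names = [n for main, sans in cert_domains(json.load(fh))
                 for n in [main, *sans] if n]
    return {h: any(covers(n, h) for n in names) for h in hosts}

def storage_mode_ok(path: str) -> bool:
    """Traefik refuses an acme.json whose mode is more open than 0600."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600

def write_sample(acme: dict) -> str:
    fd, path = tempfile.mkstemp(suffix="-acme.json")  # mkstemp creates the file 0600
    with os.fdopen(fd, "w") as fh:
        json.dump(acme, fh)
    return path

# Constructed samples: the question's HTTP-01 setup can store the apex only; Solution 3 asks for main + wildcard SAN.
HTTP01_ONLY = {"letsencrypt": {"Certificates": [{"domain": {"main": "mysite.com"}}]}}
WITH_WILDCARD = {"letsencrypt": {"Certificates": [
    {"domain": {"main": "mysite.com", "sans": ["*.mysite.com"]}}]}}
HOSTS = ["mysite.com", "adminer.mysite.com", "a.b.mysite.com"]
```

Run `hosts_covered(write_sample(HTTP01_ONLY), HOSTS)` against `hosts_covered(write_sample(WITH_WILDCARD), HOSTS)` to see adminer.mysite.com flip from uncovered to covered; point `hosts_covered` at the real storage path to check a live deployment.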
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | halfer |
| Solution 2 | Vineet Palan |
| Solution 3 | Slaan |