SSL for sub-subdomains with Let's Encrypt and Traefik

I’m using Traefik as a reverse proxy for a variety of docker containers that I’m running, and I wanted to use sub-subdomains as I duplicate these services across multiple machines. E.g. machine1 runs service1, service2, service3, and machine2 also runs service1, service2, service3. Ideally, I would want these DNS records, all with SSL:

I tried using something like the following docker compose:

version: "2.1"
services:
  traefik:
    image: traefik
    container_name: traefik
    restart: always
    volumes:
      - /home/traefik/letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 80:80
      - 443:443
    environment:
      - CLOUDFLARE_EMAIL=you@example.com # address lost to the forum's e-mail obfuscation; variable name assumed from the Traefik/lego Cloudflare provider docs
      - CLOUDFLARE_API_KEY=XXXXXXXXXXXXX
    command:
      - --providers.docker=true
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.cloudflare.acme.dnschallenge=true
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.cloudflare.acme.email=you@example.com # address lost to the forum's e-mail obfuscation
      - --certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.cloudflare.acme.caserver=https://acme-v02.api.letsencrypt.org/directory # this line ran into the previous one in the original; flag name reconstructed (it is also Traefik's default CA server)
  tautulli:
    image: service1image
    container_name: service1
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Los_Angeles
    volumes:
      - /home/service1:/config
    ports:
      - 8080:8080
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.service1.rule=Host(`service1.machine1.rooday.com`)
      - traefik.http.services.service1.loadbalancer.server.port=8080
      - traefik.http.routers.service1.entrypoints=websecure
      - traefik.http.routers.service1.tls.certresolver=cloudflare

However, after creating the DNS A record for service1.machine1.rooday.com, I got this error when trying to access it: ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

I looked up this error and came across this thread: How to add SSL to a sub-subdomain - #3 by melanie, which seems to say that I can’t do this on the Free plan. So I changed my traefik labels for service1 to look like so:

...
    labels:
      - traefik.enable=true
      - traefik.http.routers.service1.rule=(Host(`machine1.rooday.com`) && PathPrefix(`/service1`))
      - traefik.http.services.service1.loadbalancer.server.port=8080
      - traefik.http.routers.service1.entrypoints=websecure
      - traefik.http.routers.service1.tls.certresolver=cloudflare
...

The problem with this is that not all the services I’m running allow me to set a basepath, so getting them to run is more complicated with this setup. I then came across this thread: Certificates for sub.subs.domian - Help - Let's Encrypt Community Support which says that Let’s Encrypt does indeed support sub-subdomains for SSL.

So I wanted to take a step back and ask here, is there any way to get Traefik to automatically provision a Let’s Encrypt cert using Cloudflare for sub-subdomains? Or even if it requires me manually using certbot and then running Traefik, that works too, I’m just not sure how to approach this. Any help would be greatly appreciated!

With ACM ($10/month), you can provision certs for sub-subdomains, including wildcards:

*.machine1.rooday.com
etc…

And you can wildcard proxied hostnames, such as *.machine1.rooday.com

It’s also worth mentioning with the recently launched Total TLS, you don’t need to order certs - they will be auto-provisioned for you - this comes as part of the same Advanced Certificate Manager (ACM) subscription that @sdayman mentioned:


Is there any way to achieve this by creating the cert through Let’s Encrypt and then using it on Cloudflare? Or can I only do that if I pay for ACM?

Quick follow up, I used certbot to manually generate a cert for *.machine1.rooday.com, and then modified Traefik’s acme.json to use the values from the generated certs. Then I created a wildcard A record for *.machine1.rooday.com → machine1 IP, without the Cloudflare proxy (so it’s grey-clouded).

If I try a DNS lookup like DNS Lookup - WhatIsMyIP.com®, it shows the machine1 IP when I try domains like service1.machine1.rooday.com or asdhjkhkjasdsa.machine1.rooday.com.

However, when I try hitting service1.machine1.rooday.com in the browser (Chrome), I get ERR_CONNECTION_TIMED_OUT, and when I check my access logs for my reverse proxy, it never received any traffic, so I’m not sure what’s going on here (is Cloudflare not forwarding the traffic, or is there some SSL misconfiguration, or do I just need to wait longer for this DNS to propagate?).
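The two symptoms in this thread, ERR_SSL_VERSION_OR_CIPHER_MISMATCH on the proxied record and ERR_CONNECTION_TIMED_OUT on the grey-clouded wildcard record, come from different layers, and the earlier question of which wildcard a sub-subdomain needs is really a question about certificate name matching. The script below is an added example, not code from any post in this thread or from Traefik or Cloudflare: it walks DNS, TCP, TLS handshake and certificate-name coverage in that order and stops at the first failing stage, so a timeout is reported as a TCP problem rather than a certificate one. The matching rule is the one browsers apply (a wildcard stands for exactly one label). The SAN list `UNIVERSAL_SSL_SANS` is constructed to look like a Universal SSL certificate for the zone; the hostnames are the ones used in the thread, and `needed_wildcard` is a hypothetical helper name.

```python
"""Staged check for why https://service1.machine1.rooday.com might fail.

Added example for this thread; not code from any post here or from
Traefik/Cloudflare. Stages: DNS -> TCP -> TLS handshake -> SAN coverage.
"""
import json
import socket
import ssl
import sys


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Browser-style name matching (RFC 6125): a leading '*' stands for
    exactly one DNS label. '*.rooday.com' therefore matches
    'machine1.rooday.com' but neither 'rooday.com' nor
    'service1.machine1.rooday.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                # ".rooday.com"
    if not hostname.endswith(suffix):
        return False
    head = hostname[: -len(suffix)]     # what the '*' has to absorb
    return bool(head) and "." not in head


def cert_covers(san_names, hostname: str) -> bool:
    """True if any DNS SAN on the certificate matches the hostname."""
    return any(hostname_matches(name, hostname) for name in san_names)


def needed_wildcard(hostname: str) -> str:
    """Narrowest wildcard that would cover hostname: first label -> '*'.
    (Hypothetical helper name, not a Traefik or certbot API.)"""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        raise ValueError("wildcards need a name below the registered domain")
    return "*." + ".".join(labels[1:])


def san_names_from_peercert(cert: dict) -> list:
    """DNS entries of subjectAltName as returned by SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def diagnose(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Walk the stages in order and stop at the first one that fails."""
    report = {"host": hostname, "dns": None, "tcp": None, "tls": None,
              "sans": None, "san_ok": None, "error": None}
    try:
        report["dns"] = socket.gethostbyname(hostname)
    except socket.gaierror as exc:
        report["error"] = f"DNS: {exc}"
        return report
    try:
        raw = socket.create_connection((report["dns"], port), timeout=timeout)
    except OSError as exc:                 # includes timeouts
        report["tcp"] = False
        report["error"] = f"TCP: {exc}"    # ERR_CONNECTION_TIMED_OUT shows up here
        return report
    report["tcp"] = True
    ctx = ssl.create_default_context()
    ctx.check_hostname = False             # chain is still verified; name is checked below
    try:
        tls = ctx.wrap_socket(raw, server_hostname=hostname)  # sends SNI, runs handshake
    except OSError as exc:                 # ssl.SSLError is an OSError subclass
        raw.close()
        report["tls"] = False
        report["error"] = f"TLS: {exc}"    # ERR_SSL_VERSION_OR_CIPHER_MISMATCH shows up here
        return report
    with tls:
        report["tls"] = tls.version()
        report["sans"] = san_names_from_peercert(tls.getpeercert())
    report["san_ok"] = cert_covers(report["sans"], hostname)
    if not report["san_ok"]:
        report["error"] = (f"certificate does not cover {hostname}; "
                           f"a cert for {needed_wildcard(hostname)} would")
    return report


# Constructed to look like a Universal SSL certificate for the zone: it covers
# the apex and one label below it, so a sub-subdomain is not covered.
UNIVERSAL_SSL_SANS = ["rooday.com", "*.rooday.com"]


def offline_demo() -> dict:
    """Offline part of the example: which hostnames the constructed cert covers."""
    hosts = ["machine1.rooday.com", "service1.machine1.rooday.com"]
    return {h: cert_covers(UNIVERSAL_SSL_SANS, h) for h in hosts}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: diag.py <hostname>")
        print(json.dumps(offline_demo(), indent=2))
    else:
        print(json.dumps(diagnose(sys.argv[1]), indent=2))
```

Run it as `python3 diag.py service1.machine1.rooday.com`; with no argument it only prints the offline result. That offline result is the point of the earlier part of the thread: `*.rooday.com` does not cover `service1.machine1.rooday.com`, so a proxied sub-subdomain fails the handshake on a plan whose edge certificate only goes one label deep even though the DNS record is correct, and `needed_wildcard` gives the name that has to appear on the certificate instead (Traefik can request it through the DNS challenge via the router's `tls.domains[0].main` and `tls.domains[0].sans` options, or certbot can be given it directly, as in the follow-up). A grey-clouded record that resolves but fails at the TCP stage never reached Cloudflare at all, since DNS-only records send clients straight to the origin; in that case the thing to check is whether port 443 on the machine1 IP is reachable from outside, not the certificate.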

No, that would require a Business or Enterprise plan:

https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/

No. ACM is where Cloudflare generates custom certificates, but it can do so to cover all those domain names.

https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/
