DNS challenge and wildcard certificates
Expected behavior: generate only one wildcard cert for all apps, but instead Runtipi still generates one cert per app.
traefik.yml

```yaml
api:
  dashboard: true
  insecure: true   # serves the dashboard/API unauthenticated on :8080; never expose that port publicly
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: false
  file:
    directory: /etc/traefik/dynamic
    watch: true
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: myresolver
        domains:
          - main: xxxx.duckdns.org
            sans:
              - "*.xxxx.duckdns.org"   # quoted: a bare * is parsed as a YAML alias
certificatesResolvers:
  myresolver:
    acme:
      email: xxxxxxx
      storage: /shared/acme.json
      dnsChallenge:
        provider: duckdns
log:
  level: ERROR
```
acme.json

```json
{
  "myresolver": {
    "Account": {
      "Email": "xxxx",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:xxxx"
          ]
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/1920811146"
      },
      "PrivateKey": "MIIJJwIBAAKCAgEAuO6tmc0tUn5ipSoQtNeq2AkAudkMMUKjIazmdCENdL>
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "xxxx.duckdns.org"
        },
        "certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUY3akNDQk5hZ0F3S>
        "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS1FJQkFBS0NBZ0V>
        "Store": "default"
      },
      {
        "domain": {
          "main": "doozle.xxxx.duckdns.org"
        },
        "certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUYvRENDQk9TZ0F3S>
        "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS2dJQkFBS0NBZ0V>
        "Store": "default"
      }
    ]
  }
}
```
41 Replies
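A quick check for the question above, added here as an example (it is not part of the original post, nor code from Runtipi or Traefik): parse acme.json and report, per resolver, whether each stored certificate is a wildcard, a per-host certificate that an existing wildcard already covers, or a standalone per-host certificate. The acme.json embedded below is constructed; the domain names mirror the post, and the certificate and key values are placeholders.

```python
import json
import sys

# Constructed acme.json in Traefik's ACME storage layout. The certificate
# and key values are placeholders, not real PEM. A real acme.json also holds
# the account private key, so never paste one into a chat or ticket.
SAMPLE_ACME_JSON = """
{
  "myresolver": {
    "Account": {"Email": "admin@example.invalid", "KeyType": "4096", "PrivateKey": "REDACTED"},
    "Certificates": [
      {"domain": {"main": "xxxx.duckdns.org"},
       "certificate": "PLACEHOLDER", "key": "PLACEHOLDER", "Store": "default"},
      {"domain": {"main": "doozle.xxxx.duckdns.org"},
       "certificate": "PLACEHOLDER", "key": "PLACEHOLDER", "Store": "default"},
      {"domain": {"main": "example.com", "sans": ["*.example.com"]},
       "certificate": "PLACEHOLDER", "key": "PLACEHOLDER", "Store": "default"}
    ]
  }
}
"""


def cert_names(cert):
    """All names a stored certificate entry was requested for: main first, then SANs."""
    domain = cert.get("domain") or {}
    return [domain.get("main") or ""] + list(domain.get("sans") or [])


def wildcard_zones(certs):
    """Zones covered by a wildcard name, e.g. {'example.com'} for '*.example.com'."""
    zones = set()
    for cert in certs:
        for name in cert_names(cert):
            if name.startswith("*."):
                zones.add(name[2:])
    return zones


def audit(acme_json_text):
    """Map resolver name -> list of (main, status).

    status is 'wildcard' (the entry itself carries a wildcard name),
    'covered' (a per-host entry whose parent zone already has a wildcard,
    so the wildcard should have been used instead) or 'per-host' (no
    wildcard covers it). A resolver whose Certificates is null, meaning
    nothing has been issued yet, yields an empty list.
    """
    data = json.loads(acme_json_text)
    report = {}
    for resolver, body in data.items():
        certs = (body or {}).get("Certificates") or []
        zones = wildcard_zones(certs)
        rows = []
        for cert in certs:
            names = cert_names(cert)
            main = names[0]
            if any(n.startswith("*.") for n in names):
                status = "wildcard"
            else:
                parent = main.split(".", 1)[1] if "." in main else ""
                status = "covered" if parent in zones else "per-host"
            rows.append((main, status))
        report[resolver] = rows
    return report


if __name__ == "__main__":
    # Usage: python acme_audit.py [/path/to/acme.json]; defaults to the sample.
    # Only domain names are printed; the "key" fields are never touched.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACME_JSON
    for resolver, rows in audit(text).items():
        print(f"[{resolver}]")
        for main, status in rows:
            print(f"  {status:9s} {main}")
```

On the sample this reports both duckdns.org entries as per-host and only example.com as a wildcard, which is exactly the symptom in the post: the wildcard configured on the entrypoint was never requested because each app router asks for its own host. Note that a wildcard for *.xxxx.duckdns.org does not cover the apex xxxx.duckdns.org itself, which is why the apex must stay listed as main.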
Also, tipi-compose.yml in user-config for the token:

```yaml
services:
  runtipi-reverse-proxy:
    ports:
      - "8080:8080"
    environment:
      DUCKDNS_TOKEN: xxxxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxxxxxx
```
ls
Ok, I found the problem and the solution, but some parser in the script won't let me apply it.
You guys are declaring it like this in the docker-compose, and it generates a cert for each domain:
```yaml
traefik.http.routers.dashboard-secure.rule: Host(`${DOMAIN}`) && PathPrefix(`/`)
traefik.http.routers.dashboard-secure.service: dashboard
traefik.http.routers.dashboard-secure.entrypoints: websecure
traefik.http.routers.dashboard-secure.tls.certresolver: myresolver
```
To generate a wildcard we need this in the compose:

```yaml
traefik.http.routers.dashboard-secure.tls.domains[0].main: example.com
traefik.http.routers.dashboard-secure.tls.domains[0].sans: "*.example.com"
```

But some parser expects alphanumeric only and won't let me add *.domain.
Hi, I tried to replicate but I couldn't. My acme always returns null in the certificate.
This is how to format your text code on Discord:

#acme.json
#Traefik.yml
acme.json will be auto-populated; I just pasted it here to show that the certificates are not the same.
What you are missing is the custom tipi-compose.yml where you declare the DuckDNS token.
Yes, but mine shows null on certificates... Can you show your certificate in the browser?
That was my

Did you persist your Traefik config?
Yep.
My tipi-compose now is this:
Is your current IP on DuckDNS your local IP?
I'm using a redirect on AdGuard to my IP, yes.
I'm talking about this configuration
Also yes, I'm running a DuckDNS container to update it.
I'm trying to make it work only locally.
Then I set the IP to my local Tipi, like 192.168.1.140.

You have to set it to your external IP; it will only work locally if you don't open the ports anyway.
I'm on CGNAT.
And when your DNS redirects to you, it stays local too.
Well, all I did for it to work was add the token to tipi-compose and change Traefik to the DNS challenge.
You did both; maybe delete the certs dir? Let it re-create them.
Does your certificate appear to have been created by let's encrypt?
yes

Nice
Remove the ones you have at traefik/tls.
See if it creates new ones, and correct ones, this time.
Did it give you only xxxx.duckdns.org, not *.xxxx.duckdns.org?
The reason I created this help post is that it creates application.xxxx.duckdns.org,
one for each app,
not a wildcard.
In the dashboard, did you define the domain name?
Yes, xxxx.duckdns.org.
My traefik.yml was like that:
I didn't even use the optional settings, just provider: duckdns.
Same in tipi-compose, no optional settings, just the token.
Maybe since you are hiding the token behind the root dir, Runtipi doesn't have access and can't load it?
I know it's better security practice, but try it in clear text just to see if it works.
Try this one.
And the extra declarations on entrypoints I use are not needed either; yours is cleaner.
I have already tried all these alternatives. I believe it is related to the IP defined in DuckDNS. As I saw a video that worked like this, setting the local IP on DuckDNS, I tried to reproduce it in Runtipi.
(YouTube link preview: Perkelator, "HomeLab SSL certificates for FREE with minimal effort", a walkthrough using Nginx Proxy Manager, DuckDNS and Let's Encrypt in Docker.)
So you tried the token in clear text instead of a secrets file and it didn't work either?
Yes, I tried.
The only option you have is to buy a domain and use Cloudflare Tunnel, I guess.
I did this once, but I'm still going to test it with this video tutorial. I believe it will work. In the case of Traefik, there may be some configuration that is missing. But this is a virtual test machine that I have. I'll create another one from scratch and try again.
Maybe if your CGNAT has an IPv6 address or an open port.
Your config is correct; the only missing link is the IP on DuckDNS.
Which Linux base do you use to install runtipi?
Ubuntu 24.04.
The Proxmox host is on Debian 12.
I'm telling you, 100% it's your CGNAT; you have to ask your operator for an IPv6 address or some open port for you to use.
I'll take a look at that. Thank you very much for the help.
Since the idea of Tipi is to run a cert per app, I'm closing this; I give up on a wildcard cert for the domain.