DNS challenge and wildcard certificates
Expected behavior: generate only one wildcard cert for all apps; instead runtipi still generates one cert per app.
Traefik .yml
api:
  dashboard: true
  insecure: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: false
  file:
    directory: /etc/traefik/dynamic
    watch: true
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: myresolver
        domains:
          - main: xxxx.duckdns.org
            sans:
              # quoted: an unquoted leading "*" is read by YAML as an alias, not a name
              - "*.xxxx.duckdns.org"
certificatesResolvers:
  myresolver:
    acme:
      email: xxxxxxx
      storage: /shared/acme.json
      dnsChallenge:
        provider: duckdns
log:
  level: ERROR
acme.json
{
  "myresolver": {
    "Account": {
      "Email": "xxxx",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:xxxx"
          ]
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/1920811146"
      },
      "PrivateKey": "MIIJJwIBAAKCAgEAuO6tmc0tUn5ipSoQtNeq2AkAudkMMUKjIazmdCENdL>
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "xxxx.duckdns.org"
        },
        "certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUY3akNDQk5hZ0F3S>
        "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS1FJQkFBS0NBZ0V>
        "Store": "default"
      },
      {
        "domain": {
          "main": "doozle.xxxx.duckdns.org"
        },
        "certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUYvRENDQk9TZ0F3S>
        "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS2dJQkFBS0NBZ0V>
        "Store": "default"
      }
    ]
  }
}
also tipi-compose.yml at user-config for the token
services:
  runtipi-reverse-proxy:
    ports:
      - 8080:8080
    environment:
      DUCKDNS_TOKEN: xxxxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxxxxxx
ok, I found the problem and the solution, but some parser in the script won't let me apply it
you guys are declaring it like this on the docker-compose and it generates a cert for each domain
traefik.http.routers.dashboard-secure.rule: Host(`${DOMAIN}`) && PathPrefix(`/`)
traefik.http.routers.dashboard-secure.service: dashboard
traefik.http.routers.dashboard-secure.entrypoints: websecure
traefik.http.routers.dashboard-secure.tls.certresolver: myresolver
to generate a wildcard we need this in the compose
traefik.http.routers.dashboard-secure.tls.domains[0].main: example.com
traefik.http.routers.dashboard-secure.tls.domains[0].sans: "*.example.com"
but some parser expects alphanumeric only and won't let me add *.domain
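A quick way to confirm what the pasted acme.json shows (one certificate per app host, no wildcard) and whether a router's compose labels actually ask for a wildcard. This is an added example for the thread, not runtipi's or Traefik's own code. It reads only the "domain" metadata ({"main": ..., "sans": [...]}) that Traefik stores beside each certificate in acme.json, so it runs offline on a redacted file; the resolver name `myresolver` comes from the configs above, the acme.json and label samples are constructed, and the wildcard rule is the usual single-label match.

```python
"""Inspect a Traefik acme.json and a set of router labels to see whether a
wildcard certificate is actually in play.

Added example for this thread, not runtipi's or Traefik's own code. It relies
only on the "domain" metadata Traefik stores next to each certificate in
acme.json. All sample data below is constructed; the resolver name
"myresolver" and the hosts mirror the configs in the thread.
"""
import json
import re

# Constructed: acme.json in the state the thread complains about, one
# certificate per app host and no wildcard anywhere.
SAMPLE_ACME_PER_APP = json.dumps({
    "myresolver": {
        "Account": {"Email": "redacted@example.invalid"},
        "Certificates": [
            {"domain": {"main": "xxxx.duckdns.org"},
             "certificate": "<base64 PEM omitted>", "key": "<omitted>", "Store": "default"},
            {"domain": {"main": "doozle.xxxx.duckdns.org"},
             "certificate": "<base64 PEM omitted>", "key": "<omitted>", "Store": "default"},
        ],
    }
})

# Constructed: acme.json after a successful DNS-01 wildcard issuance, the
# state the thread was trying to reach (apex as main, wildcard as a SAN).
SAMPLE_ACME_WILDCARD = json.dumps({
    "myresolver": {
        "Certificates": [
            {"domain": {"main": "xxxx.duckdns.org", "sans": ["*.xxxx.duckdns.org"]},
             "certificate": "<base64 PEM omitted>", "key": "<omitted>", "Store": "default"},
        ],
    }
})

# Constructed router labels, shaped like the ones quoted in the thread. Only
# dashboard-secure carries the tls.domains[0] labels that ask for a wildcard.
SAMPLE_LABELS = {
    "traefik.http.routers.dashboard-secure.rule": "Host(`xxxx.duckdns.org`) && PathPrefix(`/`)",
    "traefik.http.routers.dashboard-secure.tls.certresolver": "myresolver",
    "traefik.http.routers.dashboard-secure.tls.domains[0].main": "xxxx.duckdns.org",
    "traefik.http.routers.dashboard-secure.tls.domains[0].sans": "*.xxxx.duckdns.org",
    "traefik.http.routers.doozle-secure.rule": "Host(`doozle.xxxx.duckdns.org`)",
    "traefik.http.routers.doozle-secure.tls.certresolver": "myresolver",
}


def name_matches(cert_name: str, host: str) -> bool:
    """Single-label wildcard rule as TLS clients apply it: '*.example.com'
    covers 'app.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return cert_name == host


def issued_names(acme_json_text: str, resolver: str) -> list[tuple[str, list[str]]]:
    """(main, sans) for every certificate stored under the given resolver."""
    data = json.loads(acme_json_text)
    certs = data.get(resolver, {}).get("Certificates") or []
    return [(c.get("domain", {}).get("main", ""),
             list(c.get("domain", {}).get("sans") or []))
            for c in certs]


def coverage(acme_json_text: str, resolver: str, hosts: list[str]) -> dict[str, str]:
    """For each host: 'wildcard' if a *.name SAN covers it, 'exact' if only a
    per-host certificate does, 'none' if nothing stored would serve it."""
    report = {}
    for host in hosts:
        status = "none"
        for main, sans in issued_names(acme_json_text, resolver):
            for name in [main, *sans]:
                if name_matches(name, host):
                    status = "wildcard" if name.startswith("*.") else "exact"
                    break
            if status == "wildcard":
                break
        report[host] = status
    return report


LABEL_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")
DOMAIN_LABEL_RE = re.compile(r"^tls\.domains\[\d+\]\.(main|sans)$")


def routers_requesting_wildcard(labels: dict[str, str]) -> dict[str, bool]:
    """Per router, whether its labels declare a wildcard under tls.domains[N].
    Without such a declaration Traefik derives the certificate name from the
    router's Host rule, which is how each app ends up with its own cert."""
    per_router: dict[str, list[str]] = {}
    for key, value in labels.items():
        m = LABEL_RE.match(key)
        if not m:
            continue
        router, option = m.groups()
        per_router.setdefault(router, [])
        if DOMAIN_LABEL_RE.match(option):
            per_router[router].extend(v.strip() for v in value.split(","))
    return {router: any(n.startswith("*.") for n in names)
            for router, names in per_router.items()}


if __name__ == "__main__":
    hosts = ["xxxx.duckdns.org", "doozle.xxxx.duckdns.org", "other.xxxx.duckdns.org"]
    print("per-app store :", coverage(SAMPLE_ACME_PER_APP, "myresolver", hosts))
    print("wildcard store:", coverage(SAMPLE_ACME_WILDCARD, "myresolver", hosts))
    print("labels        :", routers_requesting_wildcard(SAMPLE_LABELS))
```

Run it against a real acme.json by replacing the constructed samples with the file's contents; a host reported as "exact" in every entry means Traefik is still issuing per-app certificates, and a router reported False is one whose labels never asked for the wildcard, which matches the per-router labels quoted above.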
acme.json will be auto-populated; I just pasted it here to show that the certificates are not the same
what you are missing is the custom tipi-compose.yml where you declare the duckdns token
did you persist your traefik config?
I'm using a redirect on AdGuard to my IP, yes
also yes, I'm running a duckdns container to update it
you have to set it to your external IP; it will only work locally if you don't open the ports anyway
and when your dns redirects to you, it stays local too
well, all I did for it to work was add the token to tipi-compose and change the traefik config to DNS challenge
you did both, maybe delete the certs dir? let it re-create them
yes
remove the ones you have at traefik/tls
see if it creates new and correct ones this time
the reason I created this help thread is because it creates application.xxxx.duckdns.org
one for each app
not a wildcard
yes, xxxx.duckdns.org
I didn't even use the optionals, just provider: duckdns
same at the tipi-compose, no optional, just the token
maybe since you are hiding the token behind the root dir, runtipi doesn't have access and can't load it?
I know it's a better security practice, but try it in clear text just to see if it works
and the extra declarations on entrypoints I use are not needed either; yours is cleaner
so you tried the token in clear text instead of a secrets file and it didn't work either?
the only option you have is to buy a domain and use a Cloudflare tunnel, I guess
maybe if your CGNAT has an IPv6 address or an open port
your config is correct, the only missing link is the IP on duckdns
ubuntu 24.04
the proxmox is on debian 12
I'm telling you, 100% it's your CGNAT; you have to ask your operator for an IPv6 address or some port opened for you to use
since the idea of Tipi is to run a cert per app, I'm closing this; I give up on a wildcard cert for the domain.