Runtipi4mo ago
Otar

DNS challenge and wildcard certificates

Expected behavior: generate only one wildcard cert for all apps, but instead runtipi still generates a single cert per app.

Traefik .yml:

```yaml
api:
  dashboard: true
  insecure: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: false
  file:
    directory: /etc/traefik/dynamic
    watch: true
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: myresolver
        domains:
          - main: xxxx.duckdns.org
            sans:
              - "*.xxxx.duckdns.org"   # quoted: an unquoted leading * starts a YAML alias
certificatesResolvers:
  myresolver:
    acme:
      email: xxxxxxx
      storage: /shared/acme.json
      dnsChallenge:
        provider: duckdns
log:
  level: ERROR
```

acme.json (key and certificate strings truncated as pasted):

```json
{
  "myresolver": {
    "Account": {
      "Email": "xxxx",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [ "mailto:xxxx" ]
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/1920811146"
      },
      "PrivateKey": "MIIJJwIBAAKCAgEAuO6tmc0tUn5ipSoQtNeq2AkAudkMMUKjIazmdCENdL>
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": { "main": "xxxx.duckdns.org" },
        "certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUY3akNDQk5hZ0F3S>
        "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS1FJQkFBS0NBZ0V>
        "Store": "default"
      },
      {
        "domain": { "main": "doozle.xxxx.duckdns.org" },
        "certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUYvRENDQk9TZ0F3S>
        "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS2dJQkFBS0NBZ0V>
        "Store": "default"
      }
    ]
  }
}
```
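An added check, not from the thread or from Runtipi, that reads an acme.json in the layout shown above and reports whether each app hostname is covered by a wildcard certificate, got its own per-host certificate, or has none. The sample acme.json is constructed to mirror the two entries in the post, with certificate and key material replaced by placeholders; the function names are mine.

```python
import json

# Constructed sample mirroring the post's acme.json: two per-host certs and no
# wildcard. Certificate/key material is replaced by placeholders.
SAMPLE_ACME_JSON = json.dumps({"myresolver": {
    "Account": {"Email": "xxxx", "KeyType": "4096"},
    "Certificates": [
        {"domain": {"main": "xxxx.duckdns.org"}, "Store": "default",
         "certificate": "PLACEHOLDER", "key": "PLACEHOLDER"},
        {"domain": {"main": "doozle.xxxx.duckdns.org"}, "Store": "default",
         "certificate": "PLACEHOLDER", "key": "PLACEHOLDER"},
    ]}})


def cert_names(acme_text):
    """Per resolver, list each certificate's names as [main, *sans]."""
    out = {}
    for resolver, body in json.loads(acme_text).items():
        out[resolver] = [[c.get("domain", {}).get("main", "")]
                         + list(c.get("domain", {}).get("sans") or [])
                         for c in body.get("Certificates") or []]
    return out


def name_covers(pattern, host):
    """TLS wildcard semantics: '*.example.com' matches exactly one extra label,
    so 'a.example.com' matches but 'b.a.example.com' and 'example.com' do not."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".example.com"
    return host.endswith(suffix) and "." not in host[:-len(suffix)]


def coverage(acme_text, hosts):
    """For each app hostname report 'wildcard', 'per-host' or 'missing'."""
    certs = [names for per_res in cert_names(acme_text).values() for names in per_res]
    result = {}
    for host in hosts:
        verdict = "missing"
        for names in certs:
            if any(n.startswith("*.") and name_covers(n, host) for n in names):
                verdict = "wildcard"   # a wildcard SAN covers this host
                break
            if any(not n.startswith("*.") and name_covers(n, host) for n in names):
                verdict = "per-host"   # Traefik issued a dedicated cert for it
        result[host] = verdict
    return result
```

Run `coverage(SAMPLE_ACME_JSON, ["doozle.xxxx.duckdns.org"])` against the pasted file to confirm the per-host result the post describes; a correctly working wildcard setup shows `wildcard` for every app host instead.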
36 Replies
OtarOP4mo ago
also tipi-compose.yml at user-config for the token:

```yaml
services:
  runtipi-reverse-proxy:
    ports:
      - 8080:8080
    environment:
      DUCKDNS_TOKEN: xxxxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxxxxxx
```

ls

ok, I found the problem and the solution, but some parser in the script won't let me apply it. you guys are declaring it like this on the docker-compose and it generates a cert for each domain:

```yaml
traefik.http.routers.dashboard-secure.rule: Host(`${DOMAIN}`) && PathPrefix(`/`)
traefik.http.routers.dashboard-secure.service: dashboard
traefik.http.routers.dashboard-secure.entrypoints: websecure
traefik.http.routers.dashboard-secure.tls.certresolver: myresolver
```

to generate a wildcard we need this in the compose:

```yaml
traefik.http.routers.dashboard-secure.tls.domains[0].main: example.com
traefik.http.routers.dashboard-secure.tls.domains[0].sans: "*.example.com"
```

but some parser expects alphanumeric only and won't let me add *.domain
Unknown User4mo ago
Message Not Public
OtarOP4mo ago
acme.json will be auto populated, I just pasted it here to show that the certificates are not the same. what you are missing is the custom tipi-compose.yml where you declare the duckdns token
Unknown User4mo ago
Message Not Public
OtarOP4mo ago
did you persist your traefik config?
Unknown User4mo ago
Message Not Public
OtarOP4mo ago
I'm using a redirect on adguard to my ip, yes
Unknown User4mo ago
Message Not Public
OtarOP4mo ago
also yes, I'm running a duckdns container to update it
Unknown User4mo ago
Message Not Public
OtarOP4mo ago
you have to set it to your external ip; it will only work locally if you don't open the ports anyway
Unknown User4mo ago
Message Not Public
OtarOP4mo ago
and when your dns redirects to you, it stays local too

well, all I did for it to work was add the token to tipi-compose and change the traefik to dns challenge

you did both, maybe delete the certs dir? let it re-create them
Unknown User4mo ago
Message Not Public
OtarOP4mo ago
yes
Unknown User4mo ago
Message Not Public
OtarOP4mo ago
remove the ones you have at traefik/tls and see if it creates new ones, and correct ones this time
Unknown User4mo ago
Message Not Public
OtarOP4mo ago
the reason I created this help thread is because it creates application.xxxx.duckdns.org, one for each app, not a wildcard
Unknown User4mo ago
Message Not Public
OtarOP4mo ago
yes, xxxx.duckdns.org
Unknown User4mo ago
Message Not Public
OtarOP4mo ago
I didn't even use the optionals, just provider: duckdns

same at the tipi-compose, no optionals, just the token

maybe since you are hiding the token behind the root dir, runtipi doesn't have access and can't load it? I know it's a better security practice, but try it in clear text just to see if it works
Unknown User4mo ago
Message Not Public
OtarOP4mo ago
and the extra declarations on entrypoints I use are not needed either, yours is cleaner
Unknown User4mo ago
Message Not Public
OtarOP4mo ago
so you tried the token in clear text instead of a secrets file and it didn't work either?
Unknown User4mo ago
Message Not Public
OtarOP4mo ago
the only option you have is to buy a domain and use cloudflare tunnel, I guess
Unknown User4mo ago
Message Not Public
OtarOP4mo ago
maybe if your cgnat has an ipv6 address or an open port. your config is correct, the only missing link is the ip on duckdns
Unknown User4mo ago
Message Not Public
OtarOP4mo ago
ubuntu 24.04, the proxmox is on debian 12

I'm telling you, 100% it's your cgnat; you have to ask your operator for an ipv6 address or some open port for you to use
Unknown User4mo ago
Message Not Public
OtarOP4mo ago
since the idea of Tipi is to run a cert per app, I'm closing this; I give up on a wildcard cert for the domain.
