Traefik: Let’s Encrypt Wildcards via Cloudflare
Maybe I’m just grouchy in my old age, but the documentation for Traefik seems awful. The information you need for setting up Let’s Encrypt is split across multiple pages, and to make matters worse there’s lots of old information out there for v1.x that simply doesn’t work on 2.x.
Rather than take the time to contribute to the documentation like a functional human being, here’s my minimalist configuration that “Works For Me” for a wildcard cert from LetsEncrypt, via Cloudflare’s DNS:
```yaml
# traefik.yml ("static" configuration)
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entrypoint:
          to: https
          scheme: https
  https:
    address: ":443"

certificatesResolvers:
  letsencrypt:
    acme:
      email: "firstname.lastname@example.org"
      storage: "/etc/traefik/acme.json" # replace this with any rw mounted volume.
      ## uncomment the next line for staging so you don't rate-limit yourself.
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: "cloudflare"
        delayBeforeCheck: 0
        resolvers:
          - "220.127.116.11:53"
          - "18.104.22.168:53"
```
```yaml
# routes.yml ("dynamic" configuration)
http:
  routers:
    traefik_dashboard:
      entryPoints:
        - https
      service: api@internal
      rule: "Host(`host.domain.com`)"
      tls:
        options: default
        certResolver: letsencrypt
        domains:
          - main: "host.some.domain.com"
            sans:
              - "*.domain.com"

tls:
  options:
    default:
      sniStrict: true
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```
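Because `sniStrict: true` makes Traefik refuse any TLS handshake whose SNI is not covered by a certificate it holds, the Host rules and the `domains` block above have to agree, and a wildcard only covers one DNS label. The following is an added example (not code from the post or from Traefik) that checks a static and a dynamic config for exactly that: it verifies each router's `certResolver` exists, warns if the resolver points at the staging CA, applies browser-style wildcard matching to every `Host()` in the rule, and flags an `api@internal` router that has no middleware in front of it. The two configs are constructed as Python dicts mirroring the YAML above (placeholder hostnames, no YAML library needed), so it runs offline.

```python
import re
from typing import Dict, List

# Constructed inputs mirroring the two YAML files above, written as dicts so the
# script runs offline without a YAML library. Hostnames are placeholders.
STATIC_CONFIG: Dict = {
    "certificatesResolvers": {
        "letsencrypt": {
            "acme": {
                "storage": "/etc/traefik/acme.json",
                # "caServer": "https://acme-staging-v02.api.letsencrypt.org/directory",
                "dnsChallenge": {"provider": "cloudflare"},
            }
        }
    }
}

DYNAMIC_CONFIG: Dict = {
    "http": {
        "routers": {
            "traefik_dashboard": {
                "entryPoints": ["https"],
                "service": "api@internal",
                "rule": "Host(`host.domain.com`)",
                "tls": {
                    "options": "default",
                    "certResolver": "letsencrypt",
                    "domains": [{"main": "host.some.domain.com", "sans": ["*.domain.com"]}],
                },
            }
        }
    }
}

HOST_RE = re.compile(r"Host\(\s*`([^`]+)`\s*\)")


def hosts_in_rule(rule: str) -> List[str]:
    """Extract the hostnames from Host(`...`) matchers in a router rule."""
    return HOST_RE.findall(rule)


def name_matches(cert_name: str, host: str) -> bool:
    """Certificate name matching as browsers do it: a leading '*' covers exactly
    one DNS label, so *.domain.com covers host.domain.com but neither
    domain.com nor host.some.domain.com."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # ".domain.com"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label
    return cert_name == host


def check_router(name: str, router: Dict, resolvers: Dict) -> List[str]:
    """Return human-readable findings for one router (empty list = fine)."""
    findings: List[str] = []
    tls = router.get("tls")
    if not tls:
        return findings  # plain-HTTP router: no certificate involved
    resolver_name = tls.get("certResolver")
    resolver = resolvers.get(resolver_name)
    if resolver_name and resolver is None:
        findings.append(f"{name}: certResolver '{resolver_name}' is not defined in the static config")
    elif resolver and "acme-staging" in resolver.get("acme", {}).get("caServer", ""):
        findings.append(f"{name}: resolver '{resolver_name}' uses the staging CA; browsers will not trust it")
    cert_names: List[str] = []
    for entry in tls.get("domains", []):
        cert_names.append(entry["main"])
        cert_names.extend(entry.get("sans", []))
    for host in hosts_in_rule(router.get("rule", "")):
        if cert_names and not any(name_matches(c, host) for c in cert_names):
            findings.append(f"{name}: Host '{host}' is not covered by {cert_names}; sniStrict will reject it")
    if router.get("service") == "api@internal" and not router.get("middlewares"):
        findings.append(f"{name}: dashboard (api@internal) has no middleware; put authentication in front of it")
    return findings


def check(static: Dict, dynamic: Dict) -> List[str]:
    """Run check_router over every router in the dynamic configuration."""
    resolvers = static.get("certificatesResolvers", {})
    routers = dynamic.get("http", {}).get("routers", {})
    findings: List[str] = []
    for name, router in routers.items():
        findings.extend(check_router(name, router, resolvers))
    return findings


if __name__ == "__main__":
    for line in check(STATIC_CONFIG, DYNAMIC_CONFIG) or ["no findings"]:
        print(line)
```

Run against the configs above it reports a single finding: the dashboard router is served straight from `api@internal` with nothing in front of it. Everything else lines up because `host.domain.com` is one label under `*.domain.com`; change the rule to a deeper name such as `a.b.domain.com` and the wildcard no longer covers it.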
Finally, in your docker or whatever config for Traefik’s container, set these environment variables:
Again, this “works for me”, but some experimentation is probably required, and the logging is terrible: it almost never tells you what’s going on. :(