
[Bug]: Wildcard certificate not working #4360

Closed
geovanygameros opened this issue Nov 22, 2024 · 5 comments

Comments

@geovanygameros

Error Message and Logs

I've been following this documentation to set up a wildcard domain for one application with no success.

What I want to achieve is the following setup for a SaaS application:

Image

I have several projects with a defined domain and they are working fine. However, I want all the remaining subdomains to be sent to App 3.

Steps to Reproduce

I set up a wildcard A DNS record in Cloudflare pointing to my server's IP address (*.mydomain.com)

Based on your documentation, I ended up with a proxy file like this:

networks:
  coolify:
    external: true
services:
  traefik:
    container_name: coolify-proxy
    image: 'traefik:v3.1'
    restart: unless-stopped
    environment:
      - CLOUDFLARE_API_KEY=xxx
      - CLOUDFLARE_DNS_API_TOKEN=xxx
      - CLOUDFLARE_EMAIL=xxx
      - CLOUDFLARE_ZONE_API_TOKEN=xxx
    extra_hosts:
      - 'host.docker.internal:host-gateway'
    networks:
      - coolify
    ports:
      - '80:80'
      - '443:443'
      - '443:443/udp'
      - '8080:8080'
    healthcheck:
      test: 'wget -qO- http://localhost:80/ping || exit 1'
      interval: 4s
      timeout: 2s
      retries: 5
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
      - '/data/coolify/proxy:/traefik'
    command:
      - '--ping=true'
      - '--ping.entrypoint=http'
      - '--api.dashboard=true'
      - '--api.insecure=false'
      - '--entrypoints.http.address=:80'
      - '--entrypoints.https.address=:443'
      - '--entrypoints.http.http.encodequerysemicolons=true'
      - '--entryPoints.http.http2.maxConcurrentStreams=50'
      - '--entrypoints.https.http.encodequerysemicolons=true'
      - '--entryPoints.https.http2.maxConcurrentStreams=50'
      - '--entrypoints.https.http3'
      - '--providers.docker.exposedbydefault=false'
      - '--providers.file.directory=/traefik/dynamic/'
      - '--providers.file.watch=true'
      - '--certificatesresolvers.letsencrypt.acme.httpchallenge=true'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge=true'
      - '--certificatesresolvers.letsencrypt.acme.storage=/traefik/acme.json'
      - '--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=0'
      - '--providers.docker=true'
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.entrypoints=http
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.services.traefik.loadbalancer.server.port=8080
      - traefik.http.routers.traefik.tls.domains[0].main=mydomain.com
      - traefik.http.routers.traefik.tls.domains[0].sans=*.mydomain.com
      - coolify.managed=true
      - coolify.proxy=true

Then in my application's container labels, I'm following the "SaaS" instructions. So I have something like this:

traefik.enable=true
traefik.http.routers.my-app-3-router.rule=HostRegexp(`{subdomain:[a-zA-Z0-9-]+}.mydomain.com`)
traefik.http.routers.my-app-3-router.entryPoints=https
traefik.http.routers.my-app-3-router.middlewares=gzip
traefik.http.routers.my-app-3-router.service=my-app-3-service
traefik.http.services.my-app-3-service.loadbalancer.server.port=3000
traefik.http.routers.my-app-3-router.tls=true
traefik.http.routers.my-app-3-router.tls.certresolver=letsencrypt
traefik.http.routers.my-app-3-router.rule=HostRegexp(`{subdomain:[a-zA-Z0-9-]+}.mydomain.com`)
traefik.http.routers.my-app-3-router.entryPoints=http
traefik.http.routers.my-app-3-router.middlewares=redirect-to-https

Then after restarting the proxy and my app, I get the following error when I go to any subdomain. E.g. customer1.mydomain.com
(for the subdomains that are explicitly defined like "App 1" "App 2", they work fine)

Image

Am I missing something?

Example Repository URL

No response

Coolify Version

v4.0.0-beta.370

Are you using Coolify Cloud?

No (self-hosted)

Operating System and Version (self-hosted)

Ubuntu 24.04.1 LTS

Additional Information

I saw these similar discussions but none of them have a clear answer:

geovanygameros added the labels 🐛 Bug (Reported issues that need to be reproduced by the team) and 🔍 Triage (Issues that need assessment and prioritization) on Nov 22, 2024
@djsisson
Contributor

@geovanygameros that syntax for regexp is for version 2 of traefik

for v3, you can replace with either:

HostRegexp(`.+`)

or

HostRegexp(`^.+\.domain\.com$`)
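Two things in the thread so far have to agree before a tenant subdomain works over TLS: the wildcard SAN the proxy requests (`tls.domains[0].main=mydomain.com`, `tls.domains[0].sans=*.mydomain.com` in the first post) and the v3 `HostRegexp` rule that routes the request. The Go program below is an added example, not code from the issue, Coolify or Traefik. It assumes Traefik v3 compiles a `HostRegexp` rule with Go's `regexp` package (it does not reproduce Traefik's own host normalisation), uses `x509.VerifyHostname` for the client-side wildcard rule, and the hostnames and the `v3OneLabel` pattern are constructed for the demonstration.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"regexp"
)

// Patterns from the thread plus one tighter alternative (v3OneLabel is an
// assumption of this example, not a form suggested in the issue).
const (
	v2Pattern  = "{subdomain:[a-zA-Z0-9-]+}.mydomain.com" // Traefik v2 named-group syntax
	v3CatchAll = ".+"                                      // suggested v3 replacement, matches any host
	v3Anchored = `^.+\.mydomain\.com$`                     // suggested v3 replacement, anchored to the zone
	v3OneLabel = `^[a-zA-Z0-9-]+\.mydomain\.com$`          // exactly one label, the set a *.mydomain.com cert covers
)

// routerMatches reports whether host satisfies a Traefik v3 HostRegexp rule.
// Under the assumption that Traefik v3 compiles the rule with Go's regexp
// package, plain MatchString reproduces the decision. Note that the v2
// pattern still compiles: Go treats the unparsable "{" as a literal brace, so
// the rule silently matches no real hostname instead of failing loudly.
func routerMatches(pattern, host string) (bool, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(host), nil
}

// certCovers reports whether a certificate carrying the given SAN list would
// be accepted by a client for host. x509.VerifyHostname applies the usual
// rule: "*.mydomain.com" matches exactly one label, so it covers neither the
// apex "mydomain.com" nor "a.b.mydomain.com". Only the name rule is evaluated,
// so an unsigned in-memory certificate is enough.
func certCovers(sans []string, host string) bool {
	cert := &x509.Certificate{DNSNames: sans}
	return cert.VerifyHostname(host) == nil
}

// Finding pairs a host with the two decisions that must agree for TLS to work.
type Finding struct {
	Host    string
	Routed  bool // the router rule would send this host to the app
	Covered bool // the wildcard certificate is valid for this host
}

// audit evaluates every host against the rule and the SAN list; a Finding
// with Routed && !Covered is a host the proxy would accept but could not
// present a valid certificate for.
func audit(pattern string, sans, hosts []string) ([]Finding, error) {
	var out []Finding
	for _, h := range hosts {
		routed, err := routerMatches(pattern, h)
		if err != nil {
			return nil, err
		}
		out = append(out, Finding{Host: h, Routed: routed, Covered: certCovers(sans, h)})
	}
	return out, nil
}

func main() {
	// SANs as configured by the proxy labels in the first post; the hosts are
	// constructed for this example.
	sans := []string{"mydomain.com", "*.mydomain.com"}
	hosts := []string{
		"customer1.mydomain.com",
		"a.b.mydomain.com",
		"mydomain.com",
		"attacker.example",
		"customer1.mydomain.com.attacker.example",
	}
	for _, p := range []string{v2Pattern, v3CatchAll, v3Anchored, v3OneLabel} {
		fmt.Printf("rule HostRegexp(`%s`)\n", p)
		findings, err := audit(p, sans, hosts)
		if err != nil {
			fmt.Println("  invalid pattern:", err)
			continue
		}
		for _, f := range findings {
			flag := ""
			if f.Routed && !f.Covered {
				flag = "  <- routed without a matching certificate"
			}
			fmt.Printf("  %-42s routed=%-5v covered=%-5v%s\n", f.Host, f.Routed, f.Covered, flag)
		}
	}
}
```

Running it shows why the two suggested forms differ: `.+` routes any Host header, including names you do not own, while `^.+\.mydomain\.com$` stays inside the zone but still routes `a.b.mydomain.com`, which `*.mydomain.com` does not cover. The single-label form is the one that lines up exactly with what the wildcard certificate can serve.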

@geovanygameros
Author

geovanygameros commented Nov 22, 2024

Hey @djsisson, thanks for the answer. I updated my app's container labels with:

HostRegexp(`.+`)

also with:

HostRegexp(`^.+\.mydomain\.com$`)

And restarted the app and proxy, but I still have the same issue.

Also, I'm doing all these updates on the Coolify UI. I don't know if this has any influence

@djsisson
Contributor

@geovanygameros can you paste your proxy logs:

docker logs coolify-proxy

@geovanygameros
Author

@djsisson I don't see any log

Image

I noticed that I have both HTTP and DNS challenges. Could that have something to do?

 - '--certificatesresolvers.letsencrypt.acme.httpchallenge=true'
 - '--certificatesresolvers.letsencrypt.acme.dnschallenge=true'

@geovanygameros
Author

I finally managed to make it work with the following app config 🚀

traefik.http.routers.my-app-3-router-https.rule=HostRegexp(`^.+\.mydomain\.com$`)
traefik.http.routers.my-app-3-router-https.priority=0
traefik.http.routers.my-app-3-router-https.entryPoints=https
traefik.http.routers.my-app-3-router-https.tls=true
traefik.http.routers.my-app-3-router-https.tls.certresolver=letsencrypt
traefik.http.routers.my-app-3-router-https.middlewares=gzip
traefik.http.routers.my-app-3-router-https.service=my-app-3-service

# HTTP Router (for redirecting to HTTPS)
traefik.http.routers.my-app-3-router-http.rule=HostRegexp(`^.+\.mydomain\.com$`)
traefik.http.routers.my-app-3-router-http.priority=0
traefik.http.routers.my-app-3-router-http.entryPoints=http
traefik.http.routers.my-app-3-router-http.middlewares=redirect-to-https

# Define HTTPS Middleware (Compression)
traefik.http.middlewares.gzip.compress=true

# Define HTTP to HTTPS Redirection Middleware
traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https

# Service Definition
traefik.http.services.my-app-3-service.loadbalancer.server.port=3000

caddy_0.encode=zstd gzip
caddy_0.handle_path.0_reverse_proxy={{upstreams 3000}}
caddy_0.handle_path=*
caddy_0.header=-Server
caddy_0.try_files={path} /index.html /index.php
caddy_0=://
caddy_ingress_network=coolify

I think the key was to use different router names for HTTP and HTTPS to avoid duplicate definitions
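The diagnosis above, one router name assigned two rules, two entryPoints and two middleware lists, can be turned into a mechanical check before restarting the proxy. The Go program below is an added example, not Coolify's or Traefik's code. It embeds the label sets from the first post and from the working configuration in this comment, and it assumes last-wins resolution when a key is repeated (an assumption; the actual merge behaviour depends on the tool that builds the label map).

```go
package main

import (
	"fmt"
	"strings"
)

// Labels quoted from the reporter's first post (before the fix). The same
// router name carries two rules, two entryPoints values and two middleware
// lists, one pair intended for HTTPS and one for the HTTP redirect.
var beforeFix = []string{
	"traefik.enable=true",
	"traefik.http.routers.my-app-3-router.rule=HostRegexp(`{subdomain:[a-zA-Z0-9-]+}.mydomain.com`)",
	"traefik.http.routers.my-app-3-router.entryPoints=https",
	"traefik.http.routers.my-app-3-router.middlewares=gzip",
	"traefik.http.routers.my-app-3-router.service=my-app-3-service",
	"traefik.http.services.my-app-3-service.loadbalancer.server.port=3000",
	"traefik.http.routers.my-app-3-router.tls=true",
	"traefik.http.routers.my-app-3-router.tls.certresolver=letsencrypt",
	"traefik.http.routers.my-app-3-router.rule=HostRegexp(`{subdomain:[a-zA-Z0-9-]+}.mydomain.com`)",
	"traefik.http.routers.my-app-3-router.entryPoints=http",
	"traefik.http.routers.my-app-3-router.middlewares=redirect-to-https",
}

// Traefik labels from the working configuration: separate router names for
// the HTTPS router and the HTTP redirect router.
var afterFix = []string{
	"traefik.http.routers.my-app-3-router-https.rule=HostRegexp(`^.+\\.mydomain\\.com$`)",
	"traefik.http.routers.my-app-3-router-https.priority=0",
	"traefik.http.routers.my-app-3-router-https.entryPoints=https",
	"traefik.http.routers.my-app-3-router-https.tls=true",
	"traefik.http.routers.my-app-3-router-https.tls.certresolver=letsencrypt",
	"traefik.http.routers.my-app-3-router-https.middlewares=gzip",
	"traefik.http.routers.my-app-3-router-https.service=my-app-3-service",
	"traefik.http.routers.my-app-3-router-http.rule=HostRegexp(`^.+\\.mydomain\\.com$`)",
	"traefik.http.routers.my-app-3-router-http.priority=0",
	"traefik.http.routers.my-app-3-router-http.entryPoints=http",
	"traefik.http.routers.my-app-3-router-http.middlewares=redirect-to-https",
	"traefik.http.middlewares.gzip.compress=true",
	"traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https",
	"traefik.http.services.my-app-3-service.loadbalancer.server.port=3000",
}

// Conflict is a label key assigned more than once, with every value in the
// order it appeared.
type Conflict struct {
	Key    string
	Values []string
}

// parseLabels splits "key=value" lines at the first "=", skipping blanks and
// "#" comments; values may themselves contain "=".
func parseLabels(labels []string) [][2]string {
	var out [][2]string
	for _, line := range labels {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, _ := strings.Cut(line, "=")
		out = append(out, [2]string{strings.TrimSpace(k), strings.TrimSpace(v)})
	}
	return out
}

// findConflicts returns every key set more than once, in order of first
// appearance. A label map holds one value per key, so each Conflict means
// one of the intended router definitions is silently dropped.
func findConflicts(labels []string) []Conflict {
	values := map[string][]string{}
	var order []string
	for _, kv := range parseLabels(labels) {
		if _, seen := values[kv[0]]; !seen {
			order = append(order, kv[0])
		}
		values[kv[0]] = append(values[kv[0]], kv[1])
	}
	var out []Conflict
	for _, k := range order {
		if len(values[k]) > 1 {
			out = append(out, Conflict{Key: k, Values: values[k]})
		}
	}
	return out
}

// effective models last-wins resolution (an assumption, see the lead-in) so
// the surviving router definition can be inspected.
func effective(labels []string) map[string]string {
	m := map[string]string{}
	for _, kv := range parseLabels(labels) {
		m[kv[0]] = kv[1]
	}
	return m
}

func main() {
	for _, set := range []struct {
		name   string
		labels []string
	}{{"before", beforeFix}, {"after", afterFix}} {
		conflicts := findConflicts(set.labels)
		fmt.Printf("%s: %d conflicting key(s)\n", set.name, len(conflicts))
		for _, c := range conflicts {
			fmt.Printf("  %s\n    values: %s\n", c.Key, strings.Join(c.Values, " | "))
		}
	}
	eff := effective(beforeFix)
	r := "traefik.http.routers.my-app-3-router."
	fmt.Printf("surviving router before fix: entryPoints=%s tls=%s middlewares=%s\n",
		eff[r+"entryPoints"], eff[r+"tls"], eff[r+"middlewares"])
}
```

On the original label set the check reports three collisions and shows what last-wins leaves behind: a single router on the `http` entrypoint carrying `tls=true` and the redirect middleware, which is not what either half of the configuration intended. The fixed set produces no collisions.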

github-actions bot removed the labels 🐛 Bug (Reported issues that need to be reproduced by the team) and 🔍 Triage (Issues that need assessment and prioritization) on Nov 22, 2024