Traefik: Let’s Encrypt Wildcards via Cloudflare
Maybe I’m just grouchy in my old age, but the documentation for Traefik seems awful. The information you need for setting up Let’s Encrypt is split across multiple pages, and to make matters worse there’s a lot of old v1.x information out there that simply doesn’t work on 2.x.
Rather than take the time to contribute to the documentation like a functional human being, here’s my minimalist configuration that “works for me” for a wildcard certificate from Let’s Encrypt, obtained with the DNS-01 challenge against Cloudflare’s DNS:
# traefik.yml ("static" configuration)
api:
  dashboard: true   # without this there is no api@internal service for the dashboard router below
providers:
  file:
    filename: "/etc/traefik/routes.yml"   # the "dynamic" configuration below is not read without a provider
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https        # name of the entryPoint, not a port
          scheme: https
  https:
    address: ":443"
certificatesResolvers:
  letsencrypt:
    acme:
      email: "your@email.here"
      storage: "/etc/traefik/acme.json"   # any rw mounted volume; the file holds the private keys and must be mode 600, or Traefik refuses to use it
      ## uncomment the next line for staging so you don't rate-limit yourself (staging certs are not browser-trusted).
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: "cloudflare"
        delayBeforeCheck: 0   # 0 = poll the resolvers below until the TXT record is visible instead of sleeping first
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
# routes.yml ("dynamic" configuration)
http:
  routers:
    traefik_dashboard:
      entryPoints:
        - https
      service: api@internal
      rule: "Host(`host.domain.com`)"
      # api@internal does no authentication of its own; attach a middleware (basicAuth, forwardAuth, ipWhiteList)
      # before exposing the dashboard on a public entryPoint.
      tls:
        options: default
        certResolver: letsencrypt
        domains:
          - main: "host.domain.com"   # must match the hostname in the router rule above
            sans:
              - "*.domain.com"          # a wildcard covers exactly one label: api.domain.com, but not domain.com or a.b.domain.com
tls:
  options:
    default:
      sniStrict: true            # no SNI, or an SNI with no matching certificate, gets the connection closed instead of the default cert
      minVersion: VersionTLS12
      # cipherSuites applies to TLS 1.2 only; Go (and therefore Traefik) does not let you pick TLS 1.3 suites.
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Finally, in your Docker (or whatever) config for Traefik’s container, hand Traefik the Cloudflare credentials as environment variables. These two use the account-wide Global API Key, which can do anything to every zone in the account, so keep them out of images and committed compose files; the same provider also accepts a scoped API token in CF_DNS_API_TOKEN (Zone:Read plus DNS:Edit on just the zone in question), which is the better choice if you can create one:
CF_API_EMAIL=your@email.here
CF_API_KEY=YOURSECRETKEYFROMCLOUDFLAREHERE
Again, this “works for me”, but some experimentation is probably required, and the logging is terrible: it almost never tells you what’s going on. :( Setting log: level: DEBUG in the static configuration at least makes the ACME exchange and the DNS propagation checks visible.
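Because the logs say so little, the quickest way to see what the resolver actually obtained is to read acme.json directly. The script below is an added example, not code from the original post or from Traefik: it lists the main/SAN names of every certificate stored per resolver, checks whether a set of router Host() names is covered (using the one-label wildcard rule a TLS client applies, so domain.com and a.b.domain.com are not covered by *.domain.com), and checks the file permissions Traefik insists on. The embedded acme.json is a constructed sample in the layout Traefik v2 writes, with the certificate and key fields blanked; host.domain.com and *.domain.com are the placeholders from the configs above.

```python
#!/usr/bin/env python3
"""Inspect a Traefik v2 acme.json: stored domains, router-host coverage, permissions.
Added example (not from the original post or from Traefik); standard library only."""
import json
import os
import stat
import tempfile

# Constructed sample in the layout Traefik v2 writes: resolver name at the top,
# then Account and Certificates. The real file carries base64-encoded PEM in
# "certificate"/"key"; blanked here because only the "domain" entries are inspected.
SAMPLE_ACME_JSON = {
    "letsencrypt": {
        "Account": {"Email": "your@email.here", "KeyType": "4096"},
        "Certificates": [
            {
                "domain": {"main": "host.domain.com", "sans": ["*.domain.com"]},
                "certificate": "",
                "key": "",
                "Store": "default",
            }
        ],
    }
}


def name_matches(hostname, pattern):
    """Hostname matching as a TLS client does it (RFC 6125 section 6.4.3):
    a leading '*.' matches exactly one DNS label, never the apex and never
    more than one label. Comparison is case-insensitive, trailing dots ignored."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if pat.startswith("*."):
        suffix = pat[1:]                                   # ".domain.com"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return host == pat


def certificate_covers(cert_entry, hostname):
    """True if the certificate's main name or any SAN covers hostname."""
    names = [cert_entry["domain"]["main"]] + list(cert_entry["domain"].get("sans", []))
    return any(name_matches(hostname, n) for n in names)


def stored_domains(acme):
    """Map resolver name -> [(main, sans), ...]. Traefik writes "Certificates": null
    before the first issuance, hence the `or []`."""
    return {
        resolver: [(c["domain"]["main"], list(c["domain"].get("sans", [])))
                   for c in (data.get("Certificates") or [])]
        for resolver, data in acme.items()
    }


def uncovered_hosts(acme, hostnames):
    """Router Host() names that no stored certificate covers. With sniStrict: true
    Traefik closes the handshake for these instead of serving a default certificate."""
    certs = [c for data in acme.values() for c in (data.get("Certificates") or [])]
    return [h for h in hostnames if not any(certificate_covers(c, h) for c in certs)]


def permissions_ok(path):
    """Traefik refuses an acme.json readable or writable by group/other
    ("permissions ... are too open, please use 600"): only owner bits may be set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def demo_permission_check():
    """Write the sample to a temp file, first mode 0644 and then 0600, and return
    the two check results (False, True). Assumes a POSIX filesystem."""
    fd, path = tempfile.mkstemp(suffix=".json")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(SAMPLE_ACME_JSON, f)
        os.chmod(path, 0o644)
        too_open = permissions_ok(path)
        os.chmod(path, 0o600)
        fixed = permissions_ok(path)
    finally:
        os.unlink(path)
    return too_open, fixed


def report(path, router_hosts):
    """Human-readable summary lines for a real acme.json and the router hosts it should cover."""
    with open(path) as f:
        acme = json.load(f)
    lines = [f"{path}: permissions {'ok' if permissions_ok(path) else 'TOO OPEN (chmod 600)'}"]
    for resolver, certs in stored_domains(acme).items():
        for main, sans in certs:
            lines.append(f"  [{resolver}] main={main} sans={', '.join(sans) or '-'}")
    for h in uncovered_hosts(acme, router_hosts):
        lines.append(f"  no certificate covers {h}")
    return lines


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:            # python3 acme_check.py /etc/traefik/acme.json host.domain.com ...
        print("\n".join(report(sys.argv[1], sys.argv[2:])))
    else:                            # no arguments: exercise the constructed sample
        for h in ("host.domain.com", "api.domain.com", "domain.com", "a.b.domain.com"):
            print(f"{h}: {'covered' if not uncovered_hosts(SAMPLE_ACME_JSON, [h]) else 'NOT covered'}")
        print("permission check (0644 then 0600):", demo_permission_check())
```

Run it as the user that owns acme.json (a user who can read the file can read every private key in it, which is the whole reason for the 600 requirement). If a Host() from routes.yml shows up as uncovered, fix the domains block rather than loosening sniStrict, since the wildcard will never stretch to cover the apex or a second-level name.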