Context

I have a "particular" setup where a first frontend server (server0) receives all public web traffic and at least one other host (server1) sits on a private network only.

I don't know how to enable HTTPS for services hosted on the private-network host(s) (server1).

Here's a diagram of my architecture:


```
[ Internet ] --- [ Server 0 ]              --- [ Server 1 ]
                 +-----------------------+     +-----------------------+
                 | Docker                |     | Docker                |
                 | +-------------------+ |     | +-------------------+ |
                 | | Traefik           | |     | | Traefik           | |
                 | | Service A         | |     | | Service B         | |
                 | +-------------------+ |     | +-------------------+ |
                 +-----------------------+     +-----------------------+
```

I basically use wildcard DNS (everything pointing to server0) to expose services on each host. For example:

  • traefik.server0.mydomain
  • servicea.server0.mydomain
  • traefik.server1.mydomain
  • serviceb.server1.mydomain

My attempts:

server0(http,https), server1(http)

On server0:

  • http, https and traefik entrypoints
  • docker enabled
  • static rules for server1
    • http, https entrypoints
    • pass header
    • rule: HostRegexp:{subdomain:.*}.server1.mydomain
    • target: http://server1

On server1:

  • http, traefik entrypoints
  • docker enabled

```toml
# server0:/etc/traefik/traefik.toml
[entryPoints]
    [entryPoints.http]
        address = ":80"
        [entryPoints.http.redirect]
            entryPoint = "https"
    [entryPoints.https]
        address = ":443"
        [entryPoints.https.tls]
    [entryPoints.traefik]
        address = ":8080"

[api]
[ping]
[file]
directory = "/etc/traefik/config.d"

[docker]
watch = true
exposedByDefault = false
network = "traefik"

[acme]
email = "foo@bar.com"
storage = "/data/acme.json"
entryPoint = "https"
onHostRule = true
    [acme.httpChallenge]
    entryPoint = "http"
```

```toml
# server0:/etc/traefik/config.d/server1.toml
[frontends]
    [frontends.server1]
        entryPoints = ["http", "https"]
        backend = "server1"
        passHostHeader = true
        [frontends.server1.routes]
            [frontends.server1.routes.main]
                rule = "HostRegexp:{subdomain:.*}.server1.mydomain"
[backends]
    [backends.server1]
        [backends.server1.servers]
            [backends.server1.servers.main]
                url = "http://server1.local"
```

```toml
# server1:/etc/traefik/traefik.toml
[entryPoints]
    [entryPoints.http]
        address = ":80"
    [entryPoints.traefik]
        address = ":8080"

[api]
[ping]

[docker]
watch = true
exposedByDefault = false
network = "traefik"
```

Result:

  • `traefik.server0.mydomain`: OK, valid certificate (Let's Encrypt)
  • `serviceA.server0.mydomain`: OK, valid certificate (Let's Encrypt)
  • `traefik.server1.mydomain`: OK, invalid certificate (Traefik default cert)

server0(http,https), server1(http,https)

On server0:

  • http, https and traefik entrypoints
  • docker enabled
  • static rules for server1
    • http, https entrypoints
    • pass header
    • rule: HostRegexp:{subdomain:.*}.server1.mydomain
    • target: https://server1

On server1:

  • http, https and traefik entrypoints
  • docker enabled

```toml
# server0:/etc/traefik/traefik.toml
[entryPoints]
    [entryPoints.http]
        address = ":80"
        [entryPoints.http.redirect]
            entryPoint = "https"
    [entryPoints.https]
        address = ":443"
        [entryPoints.https.tls]
    [entryPoints.traefik]
        address = ":8080"

[api]
[ping]
[file]
directory = "/etc/traefik/config.d"

[docker]
watch = true
exposedByDefault = false
network = "traefik"

[acme]
email = "foo@bar.com"
storage = "/data/acme.json"
entryPoint = "https"
onHostRule = true
    [acme.httpChallenge]
    entryPoint = "http"
```

```toml
# server0:/etc/traefik/config.d/server1.toml
[frontends]
    [frontends.server1]
        entryPoints = ["http", "https"]
        backend = "server1"
        passHostHeader = true
        [frontends.server1.routes]
            [frontends.server1.routes.main]
                rule = "HostRegexp:{subdomain:.*}.server1.mydomain"
[backends]
    [backends.server1]
        [backends.server1.servers]
            [backends.server1.servers.main]
                url = "https://server1.local"
```

```toml
# server1:/etc/traefik/traefik.toml
[entryPoints]
    [entryPoints.http]
        address = ":80"
    [entryPoints.https]
        address = ":443"
        [entryPoints.https.tls]
    [entryPoints.traefik]
        address = ":8080"

[api]
[ping]

[docker]
watch = true
exposedByDefault = false
network = "traefik"

[acme]
email = "foo@bar.com"
storage = "/data/acme.json"
entryPoint = "https"
onHostRule = true
    [acme.httpChallenge]
    entryPoint = "http"
```

Result:

  • `traefik.server0.mydomain`: OK, valid certificate (Let's Encrypt)
  • `serviceA.server0.mydomain`: OK, valid certificate (Let's Encrypt)
  • `traefik.server1.mydomain`: internal server error (no log), invalid certificate (Traefik default cert)

I don't know which options to use to get the correct behavior.
Logan Mzz
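A check a practitioner would want before touching DNS, added here as an example and not part of the question or of Traefik: a small Python script that reads the file-provider rules posted above (a constructed copy of the attempt 2 `server1.toml`, trimmed to the frontend table) and reports frontends wired on the TLS entrypoint whose route has no plain `Host:` matcher. It assumes Traefik v1 behaviour: `onHostRule` derives certificate domains only from `Host:` rules, so a `HostRegexp` frontend is left with the default self-signed certificate.

```python
import re

# Constructed sample: the questioner's server0 rules file for server1 (attempt 2),
# trimmed to the frontend table that decides whether a certificate gets issued.
SERVER1_TOML = """
[frontends.server1]
    entryPoints = ["http", "https"]
    passHostHeader = true
    [frontends.server1.routes.main]
        rule = "HostRegexp:{subdomain:.*}.server1.mydomain"
"""

SECTION = re.compile(r"^\[([\w.\-]+)\]$")
KEYVAL = re.compile(r"^([\w\-]+)\s*=\s*(.+)$")


def parse_toml_subset(text):
    """Tiny reader for the TOML subset Traefik v1 rules files use:
    nested [a.b.c] tables, quoted strings, string arrays and booleans."""
    root, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if header := SECTION.match(line):
            table = root  # descend into (creating) the dotted table path
            for part in header.group(1).split("."):
                table = table.setdefault(part, {})
        elif (kv := KEYVAL.match(line)) and table is not None:
            key, val = kv.group(1), kv.group(2).strip()
            if val.startswith("["):
                table[key] = re.findall(r'"([^"]*)"', val)
            elif val.startswith('"'):
                table[key] = val.strip('"')
            else:
                table[key] = val == "true"
    return root


def has_host_rule(rule):
    """True when any ';'-separated matcher in the route is a plain Host: rule."""
    return any(part.strip().startswith("Host:") for part in rule.split(";"))


def acme_uncovered_frontends(config, tls_entrypoint="https"):
    """(frontend, rule) pairs wired on the TLS entrypoint that onHostRule will
    never request a certificate for (assumption: v1 reads Host: rules only)."""
    findings = []
    for name, frontend in config.get("frontends", {}).items():
        if tls_entrypoint not in frontend.get("entryPoints", []):
            continue
        for route in frontend.get("routes", {}).values():
            if not has_host_rule(route.get("rule", "")):
                findings.append((name, route.get("rule", "")))
    return findings
```

Run it against the real `config.d` directory to list every frontend that will answer TLS handshakes with the default certificate instead of a Let's Encrypt one.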

1 Answer

Let's Encrypt won't let you verify an internal domain because it can't see/access it. So you need to validate it on a public IP. But I'm not sure you'll be able to do exactly what you're asking; you may need to change your DNS a bit.

This article should help you understand the general issue.

Geeky Masters
  • It's not my issue; internal servers are publicly reachable through `server0`, which acts as a gateway. – Logan Mzz Jul 24 '20 at 14:09
  • Ah okay, I see. Are you using DNS validation or "well-known/acme-challenge"? – Geeky Masters Jul 24 '20 at 14:12
  • HTTP challenge, as stated in the shared Traefik config. – Logan Mzz Jul 24 '20 at 14:14
  • The "http challenge" is not a good approach when you're building a "cloudish" environment. If I understand properly, on server1 the validation fails? Can you use/try DNS validation instead? It's simply less hassle than relying on files in some folder, especially in your case IMHO. – Geeky Masters Jul 24 '20 at 14:19
  • Do you know modern reverse proxies? Or simply Traefik? – Logan Mzz Jul 24 '20 at 14:20
  • I'd say I do, and it seems you're hitting a similar issue to [this one](https://stackoverflow.com/questions/48408184/traefik-will-issue-certificate-instead-of-lets-encrypt), or maybe I misunderstood your question. – Geeky Masters Jul 24 '20 at 14:24