mirror of
https://github.com/fosrl/docs-v2.git
synced 2026-03-11 13:16:44 +00:00
Remove Pangolin Cloud CTA from wildcard domains doc
This commit is contained in:
AstralDestiny
committed by
Owen Schwartz
Owen Schwartz
parent
9d4a7b37b5
commit
a32dec8a91
@@ -3,12 +3,6 @@ title: "Wildcard Domains"
|
||||
description: "Configure wildcard SSL certificates for automatic subdomain security with DNS-01 challenge"
|
||||
---
|
||||
|
||||
import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx";
|
||||
|
||||
<PangolinCloudTocCta />
|
||||
|
||||
|
||||
|
||||
Wildcard certificates allow you to secure unlimited subdomains with a single SSL certificate, eliminating the need to generate individual certificates for each subdomain. Pangolin uses Traefik's built-in Let's Encrypt integration to automatically manage these certificates.
|
||||
|
||||
<Warning>
|
||||
@@ -28,15 +22,13 @@ It is highly recommended that you read the [official Traefik documentation](http
|
||||
## Benefits of Wildcard Certificates
|
||||
|
||||
<CardGroup cols={3}>
|
||||
<Card title="Single Certificate" icon="certificate">
|
||||
<Card icon="certificate" title="Single Certificate">
|
||||
Secure unlimited subdomains with one certificate, reducing management overhead.
|
||||
</Card>
|
||||
|
||||
<Card title="Instant Subdomains" icon="bolt">
|
||||
<Card icon="bolt" title="Instant Subdomains">
|
||||
Add new subdomains without waiting for certificate generation (up to a few minutes).
|
||||
</Card>
|
||||
|
||||
<Card title="Rate Limit Friendly" icon="shield">
|
||||
<Card icon="shield" title="Rate Limit Friendly">
|
||||
Reduce Let's Encrypt rate limit impact by using fewer certificate requests.
|
||||
</Card>
|
||||
</CardGroup>
|
||||
@@ -61,20 +53,11 @@ The [rate limits](https://letsencrypt.org/docs/rate-limits/) for Let's Encrypt a
|
||||
<Step title="Stop the stack">
|
||||
Make sure the stack is not running before making configuration changes.
|
||||
</Step>
|
||||
|
||||
<Step title="Update Traefik configuration">
|
||||
Update the Traefik configuration to use the DNS-01 challenge instead of the HTTP-01 challenge. This tells Traefik to use your DNS provider to create the DNS records needed for the challenge.
|
||||
</Step>
|
||||
|
||||
<Step title="Configure Pangolin">
|
||||
Set the `prefer_wildcard_cert` flag to `true` in the Pangolin configuration file for your domain. This is also configurable in the Pangolin dashboard (once restarted).
|
||||
|
||||
```yaml title="config.yml" highlight={4}
|
||||
domains:
|
||||
domain1:
|
||||
base_domain: "example.com"
|
||||
prefer_wildcard_cert: true
|
||||
```
|
||||
Set the `prefer_wildcard_cert` flag to `true` in the Pangolin configuration file for your domain. Or update it on the Domains page in the Pangolin dashboard.
|
||||
</Step>
|
||||
</Steps>
|
||||
|
||||
@@ -94,7 +77,7 @@ This is the default config generated by the installer. This is shown here for re
|
||||
<Accordion title="1. HTTP Challenge Configuration">
|
||||
Tell Traefik to use the `web` entrypoint for the HTTP challenge.
|
||||
|
||||
```yaml title="traefik_config.yml" highlight={4,5}
|
||||
```yaml traefik_config.yml {4,5}
|
||||
certificatesResolvers:
|
||||
letsencrypt:
|
||||
acme:
|
||||
@@ -105,11 +88,10 @@ This is the default config generated by the installer. This is shown here for re
|
||||
caServer: "https://acme-v02.api.letsencrypt.org/directory"
|
||||
```
|
||||
</Accordion>
|
||||
|
||||
<Accordion title="2. Dynamic Configuration">
|
||||
Set the cert resolver to `letsencrypt` and the entrypoint to `websecure` in the dynamic config.
|
||||
|
||||
```yaml title="dynamic_config.yml"
|
||||
```yaml dynamic_config.yml
|
||||
next-router:
|
||||
rule: "Host(`pangolin.example.com`) && !PathPrefix(`/api/v1`)"
|
||||
service: next-service
|
||||
@@ -127,7 +109,7 @@ This is the default config generated by the installer. This is shown here for re
|
||||
<Step title="1. Configure DNS Challenge">
|
||||
Tell Traefik to use your DNS provider for the DNS challenge. In this example, we are using Cloudflare.
|
||||
|
||||
```yaml title="traefik_config.yml" highlight={4,5}
|
||||
```yaml traefik_config.yml {4,5}
|
||||
certificatesResolvers:
|
||||
letsencrypt:
|
||||
acme:
|
||||
@@ -139,11 +121,10 @@ This is the default config generated by the installer. This is shown here for re
|
||||
caServer: "https://acme-v02.api.letsencrypt.org/directory"
|
||||
```
|
||||
</Step>
|
||||
|
||||
<Step title="2. Add Wildcard Domains">
|
||||
Add the domain and wildcard domain to the domains section of the next (front end) router in the dynamic config. This tells Traefik to generate a wildcard certificate for the base domain and all subdomains.
|
||||
|
||||
```yaml title="dynamic_config.yml" highlight={8-12}
|
||||
```yaml dynamic_config.yml {9,10,11,12}
|
||||
next-router:
|
||||
rule: "Host(`pangolin.example.com`) && !PathPrefix(`/api/v1`)"
|
||||
service: next-service
|
||||
@@ -157,11 +138,10 @@ This is the default config generated by the installer. This is shown here for re
|
||||
- "*.example.com"
|
||||
```
|
||||
</Step>
|
||||
|
||||
<Step title="3. Add Environment Variables">
|
||||
Add the environment variables for your DNS provider to the Traefik service in the docker compose file. This allows Traefik to authenticate with your DNS provider to create the DNS records needed for the challenge.
|
||||
|
||||
```yaml title="docker-compose.yml" highlight={11-13}
|
||||
```yaml docker-compose.yml {11,12,13}
|
||||
traefik:
|
||||
image: traefik:v3.4.0
|
||||
container_name: traefik
|
||||
@@ -202,26 +182,26 @@ Traefik supports most DNS providers. You can find a full list of supported provi
|
||||
<Step title="Start the stack">
|
||||
Start the stack and watch the logs. You should notice that Traefik is making calls to your DNS provider to create the necessary records to complete the challenge.
|
||||
</Step>
|
||||
|
||||
<Step title="Check logs">
|
||||
For debugging purposes, you may find it useful to set the log level of Traefik to `debug` in the `traefik_config.yml` file.
|
||||
</Step>
|
||||
|
||||
<Step title="Test new resource">
|
||||
After Traefik is done waiting for the cert to verify, try to create a new resource with an unused subdomain. Traefik should not try to generate a new certificate, but instead use the wildcard certificate. The domain should also be secured immediately instead of waiting for a new certificate to be generated.
|
||||
</Step>
|
||||
|
||||
<Step title="Verify certificate">
|
||||
You can also check the volume (in the example above at `config/letsencrypt/`) for the correct certificates. In the `acme.json` file you should see something similar to the following. Note the `*.` in the domain.
|
||||
</Step>
|
||||
</Steps>
|
||||
|
||||
```json highlight={5}
|
||||
```json {5}
|
||||
{
|
||||
"Certificates": [
|
||||
{
|
||||
"domain": {
|
||||
"main": "*.example.com"
|
||||
"main": "example.com",
|
||||
"sans": [
|
||||
"*.example.com"
|
||||
]
|
||||
},
|
||||
"certificate": "...",
|
||||
"key": "...",
|
||||
@@ -238,22 +218,22 @@ Traefik supports most DNS providers. You can find a full list of supported provi
|
||||
**Problem**: Wildcard certificate not being created.
|
||||
|
||||
**Solutions**:
|
||||
|
||||
- Verify DNS provider credentials are correct
|
||||
- Check that API token has proper permissions
|
||||
- Ensure domain ownership and DNS access
|
||||
- Review Traefik logs for specific error messages
|
||||
</Accordion>
|
||||
|
||||
<Accordion title="DNS challenge failing">
|
||||
**Problem**: DNS-01 challenge not completing.
|
||||
|
||||
**Solutions**:
|
||||
|
||||
- Verify DNS provider is supported by Traefik
|
||||
- Check API token permissions and scope
|
||||
- Ensure DNS propagation has completed
|
||||
- Review provider-specific configuration
|
||||
</Accordion>
|
||||
|
||||
<Accordion title="Old certificates still being used">
|
||||
**Problem**: Traefik using old HTTP-01 certificates.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user