v0.42.0: real Let's Encrypt cert via wildcard proactive issuance

traefik's websecure entrypoint now declares http.tls.domains *.<domain>+apex so
it proactively obtains the wildcard via Cloudflare DNS-01 at startup (cert ready
before first client, every router serves it by SNI). Gated on CFAPIToken (DNS-01).
TraefikData gains Domain; ensureTraefik wires cfg.Customer.Domain.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-11 17:48:15 +02:00
parent 80216e6ce5
commit 84c3e84641
5 changed files with 42 additions and 5 deletions
@@ -19,6 +19,15 @@ entryPoints:
http:
tls:
certResolver: letsencrypt
{{- if .CFAPIToken}}
# Wildcard proactive issuance (DNS-01 only — HTTP-01 can't do wildcards): traefik obtains
# *.<domain> (+ apex) at startup, so every router serves the real cert by SNI match with no
# per-app labels and the cert is ready before the first client connects.
domains:
- main: "*.{{.Domain}}"
sans:
- "{{.Domain}}"
{{- end}}
{{- end}}
providers:
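Review bot: the `{{- if .CFAPIToken}}` guard around the `domains:` block checks only for the DNS token, not that `.Domain` is non-empty; with an empty Domain the template renders `main: "*."` and the wildcard order fails at startup, so consider `{{- if and .CFAPIToken .Domain}}`. The block also depends on the resolver named in `certResolver: letsencrypt` being configured for the Cloudflare DNS-01 challenge whenever CFAPIToken is set; that resolver definition is outside this hunk, so please confirm the same CFAPIToken condition switches it to DNS-01 there, since, as the inline comment notes, an HTTP-01 resolver cannot issue the wildcard.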