v0.42.1: wildcard cert via controller route (entrypoint domains don't issue)

Empirically (staging on 9201): traefik v3 issues a cert from a router-level
tls.domains but NOT from the entrypoint http.tls.domains. So the wildcard moves
to RenderControllerRoute (the always-present anchor): when DNS-01 ACME is
configured it carries tls.certResolver+domains *.<domain>+apex, and every other
router serves that wildcard by SNI (no per-app labels). Reverts v0.42.0's dead
entrypoint-domains + TraefikData.Domain.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-11 18:04:39 +02:00
parent 84c3e84641
commit e61e7dd8fc
5 changed files with 66 additions and 44 deletions
@@ -19,15 +19,6 @@ entryPoints:
http:
tls:
certResolver: letsencrypt
{{- if .CFAPIToken}}
# Wildcard proactive issuance (DNS-01 only — HTTP-01 can't do wildcards): traefik obtains
# *.<domain> (+ apex) at startup, so every router serves the real cert by SNI match with no
# per-app labels and the cert is ready before the first client connects.
domains:
- main: "*.{{.Domain}}"
sans:
- "{{.Domain}}"
{{- end}}
{{- end}}
providers:
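Review bot: removing the `{{- if .CFAPIToken}}` ... `domains:` block under the entrypoint's `http.tls` also removes the only comment in this template explaining that the wildcard depends on DNS-01 (HTTP-01 can't do wildcards), and nothing is left at this spot to say why entrypoint-level domains are not used. Consider leaving a one-line comment here noting that entrypoint `tls.domains` did not trigger issuance in testing and that the wildcard is now requested from the controller route, so the block is not re-added later. Separately, `certResolver: letsencrypt` stays on the entrypoint as the default resolver; it is worth confirming that routers inheriting it are actually served by the wildcard instead of each requesting its own certificate when `.CFAPIToken` is set, and that behaviour without a token is unchanged.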