Support Let's Encrypt ACME email per container
Welcome!
- [X] Yes, I've searched similar issues on GitHub and didn't find any.
- [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.
What did you expect to see?
I was using jwilder/nginx-proxy as a reverse proxy based on nginx for my Docker containers. One of the features that exists there is the ability to provide a separate ACME email for each container. For example, if I have the following containers:
- container A -> test.com ([email protected])
- container B -> test2.com ([email protected])

Now I am migrating to Traefik and looking for similar behavior, but I found only a global email in the documentation; there is no email per container/service. Is this something that needs to be implemented, or does it already exist but is not specified in the documentation? You might argue that only one email should issue all certificates; however, this might not work in some advanced deployment architectures, like a multi-tenant infrastructure.
@rtribotte do you know when this could be started on? Also, is it possible to create my PR for this?
This feature already exists: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers
You have to create several resolvers and assign a resolver on a router/container.
@ldez I don't think this already exists. I can see from the code that a single email is forced for all ACME resolvers. This code is from the static_config.go file:

```go
func (c *Configuration) ValidateConfiguration() error {
	var acmeEmail string
	for name, resolver := range c.CertificatesResolvers {
		if resolver.ACME != nil && resolver.Tailscale != nil {
			return fmt.Errorf("unable to initialize certificates resolver %q, as ACME and Tailscale providers are mutually exclusive", name)
		}
		if resolver.ACME == nil {
			continue
		}
		if len(resolver.ACME.Storage) == 0 {
			return fmt.Errorf("unable to initialize certificates resolver %q with no storage location for the certificates", name)
		}
		if acmeEmail != "" && resolver.ACME.Email != acmeEmail {
			return fmt.Errorf("unable to initialize certificates resolver %q, as all ACME resolvers must use the same email", name)
		}
		acmeEmail = resolver.ACME.Email
	}
	return nil
}
```
Also, if it's supported in this way, then it's not flexible, because I prefer providing the ACME email when I register a new container/service instead of defining this in the static config. If this is defined in the static config, then it will require a container restart when I have a new email; however, if this is provided dynamically, it will be better.
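The setup suggested above (one resolver per email, assigned per router), written out as an added example that is not from the thread or the Traefik project; the resolver names, email addresses, storage paths, router names and entry point names are constructed. With the `ValidateConfiguration` check quoted above, a static configuration like this one is rejected at startup because the two `email` values differ; it passes that check only if both resolvers carry the same email.

```yaml
# traefik.yml (static configuration), constructed example
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

certificatesResolvers:
  tenant-a:                      # hypothetical resolver name
    acme:
      email: admin@tenant-a.example
      storage: /letsencrypt/tenant-a.json
      httpChallenge:
        entryPoint: web
  tenant-b:                      # hypothetical resolver name
    acme:
      email: admin@tenant-b.example   # differs from tenant-a: triggers the
                                      # "must use the same email" error
      storage: /letsencrypt/tenant-b.json
      httpChallenge:
        entryPoint: web

# Per-container assignment is done with Docker labels on each service
# (dynamic configuration), for example:
#
#   container A:
#     traefik.http.routers.app-a.rule=Host(`test.com`)
#     traefik.http.routers.app-a.entrypoints=websecure
#     traefik.http.routers.app-a.tls.certresolver=tenant-a
#
#   container B:
#     traefik.http.routers.app-b.rule=Host(`test2.com`)
#     traefik.http.routers.app-b.entrypoints=websecure
#     traefik.http.routers.app-b.tls.certresolver=tenant-b
```

The resolvers live in the static configuration, so adding a resolver for a new email means restarting Traefik, while the labels are picked up dynamically.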
Hello @tareksalem,
Thanks for reporting this!
I'm marking this issue as a proposal to be a place to discuss what should be done to be more consistent. After a quick internal discussion, we think we should consider using multiple emails.
Hello @rtribotte,
Thanks for the updates.
Hello, is there any update on this? Why is this policy in place? (To avoid spam? Imposed by Let's Encrypt?) I have two domains and I would like to have two separate certificates with separate email addresses. I am stuck with:
command traefik error: unable to initialize certificates resolver \"resolver-domain-1\", as all ACME resolvers must use the same email
@rtribotte is this enough? https://github.com/traefik/traefik/compare/v3.1...Emrio:traefik:master I can create a PR.
Hello @Emrio,
We have moved the issue status to enhancement, which means that we will evaluate every PR that implements it. Could you open a PR to allow us to review your implementation?
Thanks in advance.
Hello @nmengin, yes of course, here is the PR: !11019