İlginizi Çekebilir
  1. Ana Sayfa
  2. DevOps
  3. Setting up Wildcard Certificates Using Traefik, Let’s Encrypt and Acme-Dns

Setting up Wildcard Certificates Using Traefik, Let’s Encrypt and Acme-Dns


In this post, we are going to create a setup of Traefik on Kubernetes with CRDs and Let’s Encrypt with wildcard certificates, while also enabling Traefik to be highly available. This setup also allows you to continue using your existing DNS provider, even if it doesn’t have an API for usage with cert-manager. The only requirement is that it supports wildcard, CNAME and NS entries. To create this setup, we will be using cert-manager and acme-dns.


– Kubernetes cluster

– Traefik with CRD configuration installed on Kubernetes

– Helm v3

– DNS provider with wildcard, CNAME and NS capability, either self-hosted or provided

– separate IP for acme-dns

Installing cert-mgr

First, we are going to install cert-manager ( This tool is responsible for automatically requesting new LetsEncrypt certificates and keeping them up to date.


We will use the namespace cert-manager to install it.

Add the Jetstack Helm repo (, afterwards install cert-manager.

The installCRDs=true allows you to automatically manage all custom resources cert-manager requires with Helm instead of having to manually apply a manifest yaml.

Installing acme-dns

Next, we are going to install acme-dns (, which will serve the necessary TXT records LetsEncrypt requires for wildcard certificates. For this purpose, we will create a simple Helm chart using the command “helm create acme-dns”.


Open the values.yaml file Helm created. Change the image repository to “joohoi/acme-dns” and change the nodeSelector to match the node acme-dns will run on, e.g. “ “””


Create a new config.yaml file under the templates folder, which will contain our ConfigMap for acme-dns.

Copy the configuration from into the ConfigMap and replace domain, nsname, nsadmin and records with your chosen domain and IP(s).



Next, open the deployment.yaml and change the kind to a DaemonSet, remove “:{{ .Chart.AppVersion }}” from the container image, add the DNS port and the ConfigMap we just created as well as a volume for the data acme-dns will store. The final file should look something like this:



Note that I also changed the livenessProbe and readinessProbe path to “/health”, which acme-dns provides out of the box.


For the sake of simplicity, I used hostPath and hostPort for persistent storage and access to the DNS port. In case you are using a cloud provider like AWS, you may want to change hostPort and hostPath to use a LoadBalancer type Service and Persistent Volumes.


Finally, create a namespace for acme-dns with “kubectl create namespace acme-dns” and run “helm install acme-dns <path to chart folder> –namespace acme-dns”


Registering an account with acme-dns


In order to use acme-dns, you first need to register with your instance. From within your cluster, execute


curl -X POST http://acme-dns.acme-dns.svc.cluster.local/register


Adjust the service URL to your cluster if, for example, you use a different hostname suffix.

You will receive a JSON response like this:



Adding DNS entries


We can now add all necessary DNS entries. The domain acme-dns will use needs the following two entries: NS A


This tells the DNS servers that acme-dns is responsible for “*”, and that it is reachable under If you also have an IPv6 address pointing to acme-dns, simply create an additional AAAA entry.


All domains that you want to authenticate need a DNS entry like the following one for “*”: CNAME


Be aware that if you want to serve additional domains or you need to generate certificates that your applications need to use, **every** domain you want to authenticate needs such an entry. For example, a mailserver under “” needs an entry like CNAME


Creating a ClusterIssuer


Next, we are going to create a ClusterIssuer. This will instruct cert-manager to use acme-dns for generating new certificates.


Create a new json file acme-dns-creds.json, which should look something like this for “*”:



As with the DNS entries, **every** domain you want to authenticate needs a new entry. An additional mailserver under “” requires the file to look more like this:



Note that you can re-use the already existing credentials you created for “*”.

Afterwards, create a secret from the json file:

Create and apply a ClusterIssuer manifest with the following content:



Adjust the host if, for example, your cluster uses a different host suffix.


Adding Certificates


The next step is to create Certificate objects. Each represents one certificate cert-manager should request and keep up to date. Their manifest should look like this:




This guide assumes Traefik runs in the “traefik” namespace. Adjust that to your case if necessary.


Create and apply one Certificate manifest for each wildcard certificate you want to have. You can check the state of the certificate by using “kubectl describe”.


Equipping traefik with the generated certificates



As with the Certificate object, adjust the namespace if necessary.


Add the following two volumes and volume mounts to your traefik manifest:



Make sure that the secretName matches the secretName you specified in the Certificate.

Now add the configuration file to Traefik, for example using an additional CLI argument:



Finally, apply the new Traefik manifest and watch your sites get served using your shiny new wildcard certificate!

TAGs: Traefik,Let’s Encrypt,Acme-Dns,wildcard certificate

Yorum Yap

Yazar Hakkında

Having completed his undergraduate degree at Rosenheim University of Applied Sciences, Christopher Zentgraf now works as a software developer in the transportation industry in Germany.

Yorum Yap