Context
I have a "particular" setup with a first frontend server (server0) that receives all public web traffic, and at least one other host (server1) that is on a private network only.
I don't know how to enable HTTPS for services hosted on the private-network host(s) (server1).
Here's a diagram of my architecture:
```
[ Internet ] --- [ Server 0 ] --- [ Server 1 ]
                 +-----------------------+     +-----------------------+
                 | Docker                |     | Docker                |
                 | +-------------------+ |     | +-------------------+ |
                 | | Traefik           | |     | | Traefik           | |
                 | | Service A         | |     | | Service B         | |
                 | +-------------------+ |     | +-------------------+ |
                 +-----------------------+     +-----------------------+
```

I basically use wildcard DNS (all records pointing to server0) to expose services on each host. For example:
- traefik.server0.mydomain
- servicea.server0.mydomain
- traefik.server1.mydomain
- serviceb.server1.mydomain
My attempts:

Attempt 1: server0 (http, https), server1 (http)

On server0:
- http, https and traefik entrypoints
- docker enabled
- static rules for server1:
  - http, https entrypoints
  - pass Host header
  - rule: HostRegexp:{subdomain:.*}.server1.mydomain
  - target: http://server1

On server1:
- http, traefik entrypoints
- docker enabled
```toml
# server0:/etc/traefik/traefik.toml
[entryPoints]
  # plain HTTP: every request is redirected to the https entrypoint
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  # HTTPS: TLS is terminated here; when no ACME or static certificate
  # matches the requested host, Traefik serves its default self-signed one
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
  # dashboard / API
  [entryPoints.traefik]
  address = ":8080"

[api]
[ping]

# static routes (config.d/server1.toml below) are loaded from this directory
[file]
directory = "/etc/traefik/config.d"

# local containers are exposed only when labelled traefik.enable=true
[docker]
watch = true
exposedByDefault = false
network = "traefik"

# Let's Encrypt via HTTP-01 on port 80; onHostRule requests a certificate
# for the domains found in each frontend's Host rule
[acme]
email = "[email protected]"
storage = "/data/acme.json"
entryPoint = "https"
onHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"
```

```toml
# server0:/etc/traefik/config.d/server1.toml
[frontends]
  [frontends.server1]
  entryPoints = ["http", "https"]
  backend = "server1"
  # forward the public Host header unchanged so server1's Traefik can route on it
  passHostHeader = true
    [frontends.server1.routes]
      [frontends.server1.routes.main]
      # match any subdomain of server1.mydomain
      rule = "HostRegexp:{subdomain:.*}.server1.mydomain"

[backends]
  [backends.server1]
    [backends.server1.servers]
      [backends.server1.servers.main]
      # plain HTTP to the private host
      url = "http://server1.local"
```

```toml
# server1:/etc/traefik/traefik.toml
[entryPoints]
  # plain HTTP only; no TLS on this host
  [entryPoints.http]
  address = ":80"
  [entryPoints.traefik]
  address = ":8080"

[api]
[ping]

[docker]
watch = true
exposedByDefault = false
network = "traefik"
```

Result:
- traefik.server0.mydomain: OK, valid certificate (Let's Encrypt)
- serviceA.server0.mydomain: OK, valid certificate (Let's Encrypt)
- traefik.server1.mydomain: OK, invalid certificate (Traefik default cert)
Attempt 2: server0 (http, https), server1 (http, https)

On server0:
- http, https and traefik entrypoints
- docker enabled
- static rules for server1:
  - http, https entrypoints
  - pass Host header
  - rule: HostRegexp:{subdomain:.*}.server1.mydomain
  - target: https://server1

On server1:
- http, https, traefik entrypoints
- docker enabled
```toml
# server0:/etc/traefik/traefik.toml (unchanged from attempt 1)
[entryPoints]
  # plain HTTP: every request is redirected to the https entrypoint
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  # HTTPS: TLS is terminated here; when no ACME or static certificate
  # matches the requested host, Traefik serves its default self-signed one
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
  [entryPoints.traefik]
  address = ":8080"

[api]
[ping]

[file]
directory = "/etc/traefik/config.d"

[docker]
watch = true
exposedByDefault = false
network = "traefik"

[acme]
email = "[email protected]"
storage = "/data/acme.json"
entryPoint = "https"
onHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"
```

```toml
# server0:/etc/traefik/config.d/server1.toml
[frontends]
  [frontends.server1]
  entryPoints = ["http", "https"]
  backend = "server1"
  passHostHeader = true
    [frontends.server1.routes]
      [frontends.server1.routes.main]
      rule = "HostRegexp:{subdomain:.*}.server1.mydomain"

[backends]
  [backends.server1]
    [backends.server1.servers]
      [backends.server1.servers.main]
      # only change from attempt 1: the hop to server1 is now HTTPS
      url = "https://server1.local"
```

```toml
# server1:/etc/traefik/traefik.toml
[entryPoints]
  [entryPoints.http]
  address = ":80"
  # server1 now terminates TLS itself as well
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
  [entryPoints.traefik]
  address = ":8080"

[api]
[ping]

[docker]
watch = true
exposedByDefault = false
network = "traefik"

# server1 also tries to obtain Let's Encrypt certificates via HTTP-01,
# although it is only reachable through server0
[acme]
email = "[email protected]"
storage = "/data/acme.json"
entryPoint = "https"
onHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"
```

Result:
- `traefik.server0.mydomain`: OK, valid certificate (Let's Encrypt)
- `serviceA.server0.mydomain`: OK, valid certificate (Let's Encrypt)
- `traefik.server1.mydomain`: internal server error (no log), invalid certificate (Traefik default cert)

I don't know which options to use to get the correct behavior ...
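Added example, not part of the question above and not the author's configuration: a Traefik 1.x file-provider fragment for server0 that terminates TLS for the server1 hostnames on server0 and forwards to server1 over plain HTTP on the private network. It uses explicit `Host:` rules instead of `HostRegexp` because Traefik 1.x derives the domains for `onHostRule` ACME requests from `Host:` rules; a `HostRegexp` frontend yields no domain and is served with the default certificate. The hostnames (traefik.server1.mydomain, serviceb.server1.mydomain) and the backend address (server1.local) are assumptions taken from the question; the CA path in the second fragment is hypothetical.

```toml
# server0:/etc/traefik/config.d/server1.toml  (added example, not the poster's file)
# TLS ends on server0 for every server1 hostname; the hop to server1 stays HTTP.
[frontends]
  [frontends.server1]
  entryPoints = ["http", "https"]
  backend = "server1"
  # keep the public Host header so server1's Traefik can route on it
  passHostHeader = true
    [frontends.server1.routes]
      [frontends.server1.routes.main]
      # explicit Host rule: onHostRule requests one certificate with
      # main = traefik.server1.mydomain and SAN = serviceb.server1.mydomain
      # (names assumed from the question; add one per service on server1)
      rule = "Host:traefik.server1.mydomain,serviceb.server1.mydomain"

[backends]
  [backends.server1]
    [backends.server1.servers]
      [backends.server1.servers.main]
      # plain HTTP: this hop never leaves the private network
      url = "http://server1.local"

# server0:/etc/traefik/traefik.toml  (added example, global options only)
# Needed only if the hop to server1 must itself be HTTPS. These are top-level
# Traefik 1.x options and must appear before the first [section].
# A backend certificate server0 cannot validate (such as Traefik's default
# self-signed certificate on server1) makes server0 fail the upstream request.
# Preferred: trust the CA that issued server1's certificate ...
rootCAs = ["/etc/traefik/private-ca.crt"]   # hypothetical path to a private CA
# ... last resort, disables backend certificate verification entirely:
# insecureSkipVerify = true
```

With the first fragment, server1's Traefik needs neither an `https` entrypoint nor an `[acme]` section: Let's Encrypt only ever talks to server0, which answers the HTTP-01 challenge on its own `http` entrypoint. The private hop is cleartext, so this is only acceptable if the network between server0 and server1 is trusted; otherwise issue server1 a certificate from a private CA and use the `rootCAs` variant rather than `insecureSkipVerify`, which turns off all validation of backend identities.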