Certificates and domain matching

Yuzerion edited this page Jan 31, 2025 · 3 revisions

Certificates

  • autocert DOES NOT register a certificate for each route. Instead, it registers all autocert.domains in your config.yml in a single certificate. All HTTP(S) requests to GoDoxy are served with that same certificate.

  • autocert uses https://github.com/go-acme/lego, just like Traefik and similar reverse proxies written in Go. It obtains a certificate from Let's Encrypt over ACME using the DNS-01 challenge.

  • autocert obtains / renews certificates automatically, with a 1 hour cooldown after every failed request. It only renews when these conditions are met:

    • autocert is enabled but no certs are found under certs/
    • autocert.domains does not match current certs
    • certs are about to expire in a month

Domain matching

(Docker only) By default, proxy.aliases is set to container_name.

Default behavior

Given that no match_domains is set in config.yml:

A route with short alias app can be accessed at:

  • app.*
  • app.*.*
  • etc.

A route with FQDN alias app.example.com can be accessed at:

  • app.example.com
  • app.example.com.*

Using match domains

Given that you have set match_domains in config.yml to these:

match_domains:
  - example.com
  - example.app

A route with short alias app can only be accessed at:

  • app.example.com
  • app.example.app

A route with FQDN alias app.example.com can be accessed at:

  • app.example.com
  • app.example.com.example.com (rare case)
  • app.example.com.example.app (rare case)
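
The matching rules above, written out as a small Go model (an added example, not GoDoxy's own code). It assumes an alias containing a dot is an FQDN alias, and the host names are constructed. It shows that without match_domains a short alias answers under any domain suffix, while setting match_domains limits it to the listed domains.

```go
package main

import (
	"fmt"
	"strings"
)

// reachable models the alias matching rules described on this page.
// It is not GoDoxy's implementation. Assumption: an alias that contains
// a dot is an FQDN alias, anything else is a short alias.
func reachable(alias string, matchDomains []string, host string) bool {
	if strings.Contains(alias, ".") && host == alias {
		return true // an FQDN alias always answers on its own name
	}
	if len(matchDomains) == 0 {
		// Default: alias followed by any suffix (app.*, app.*.*, ...).
		return strings.HasPrefix(host, alias+".") && len(host) > len(alias)+1
	}
	for _, d := range matchDomains {
		if host == alias+"."+d {
			return true
		}
	}
	return false
}

// exposedHosts returns the hosts from the list that would reach the route.
func exposedHosts(alias string, matchDomains, hosts []string) []string {
	var out []string
	for _, h := range hosts {
		if reachable(alias, matchDomains, h) {
			out = append(out, h)
		}
	}
	return out
}

func main() {
	// Constructed Host header values for the comparison.
	hosts := []string{"app.example.com", "app.example.app",
		"app.unrelated.test", "app.example.com.example.app"}
	md := []string{"example.com", "example.app"}
	for _, alias := range []string{"app", "app.example.com"} {
		fmt.Println(alias, "default:      ", exposedHosts(alias, nil, hosts))
		fmt.Println(alias, "match_domains:", exposedHosts(alias, md, hosts))
	}
}
```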

Use case example

Given your main domain is my.app

  • Add my.app to autocert.domains and match_domains in config.yml
    autocert:
      domains:
        - my.app
    match_domains:
      - my.app
  • When you want your app to connect through *.my.app, use short aliases like adguard, sonarr, etc.
    services:
      adguard:
        ...
        labels:
          proxy.aliases: adguard
      sonarr:
        ...
        labels:
          proxy.aliases: sonarr
  • When you want your app to only connect through other domains (e.g. *.other.app) but not *.my.app
    • use FQDN aliases, e.g. adguard.other.app, sonarr.other.app
    • add *.other.app to autocert.domains
    # docker compose
    services:
      adguard:
        ...
        labels:
          proxy.aliases: adguard.other.app
      sonarr:
        ...
        labels:
          proxy.aliases: sonarr.other.app
    
    # config.yml
    autocert:
      domains:
        - my.app
        - other.app # add here