Certificates and domain matching
Certificates
GoDoxy DOES NOT register certificate for each route. Instead, it registers for all
autocert.domainsin yourconfig.ymlthen combine into one certificate. All HTTP(s) requests to GoDoxy will be handled by the same certificate.GoDoxy uses https://github.com/go-acme/lego, similar to other reverse proxies powered by Golang. Powered by ACME and Let's Encrypt via DNS-01 challenge.
GoDoxy obtain / renew certificates automatically, with 1 hour cooldown for every failed requests. It only renew when these conditions are met:
autocertis enabled but no certs are found undercerts/autocert.domainsdoes not match current certs- Certificates are about to expire in a month
You can either also use existing (self-signed) certificate.
Using Existing SSL Certificate
autocert:
provider: local
# path relative to /app
cert_path: certs/cert.crt
key_path: certs/priv.keyAuto SSL with Cloudflare
autocert:
provider: cloudflare
email: your-email@example.com
domains:
- "*.yourdomain.com"
options:
auth_token: your-zone-api-token
Auto SSL with Custom Internal CA
You may use internal CA like step-ca for issuing certificates.
Use step-ca as an example:
export ACME_URL=https://acme.internal
# get root certs and save to `certs/roots.pem`
# assume that `certs/` is mounted to `/app/certs` (by default)
curl -k https://${ACME_URL}/roots.pem > certs/roots.pemautocert:
provider: custom
email: your-email@example.com
domains:
- "*.yourdomain.com"
ca_dir_url: https://acme.internal/acme/acme/directory
ca_certs:
- certs/roots.pemEAB
If you are using EAB (External Account Binding), you can set eab_kid and eab_hmac in autocert.options. It can also be used with custom ACME CA.
autocert:
provider: custom
email: your-email@example.com
domains:
- "*.yourdomain.com"
options:
eab_kid: your-eab-kid
eab_hmac: base64-encoded-hmacAuto SSL with other DNS providers
Check DNS-01 Providers
Troubleshooting
If you encounter issues, try these steps:
Set
LEGO_DISABLE_CNAME_SUPPORT=1if your domain has a CNAME record.Use a different DNS server.
yamlservices: app: container_name: godoxy ... environment: - LEGO_DISABLE_CNAME_SUPPORT=1 dns: - 1.1.1.1 - 1.1.1.2
Domain matching
An alias can either be short alias or FQDN (Fully Qualified Domain Name) alias.
Docker
Uses container name as short alias by default, unless proxy.aliases is specified.
General
Without match_domains
When no match_domains is set in config.yml, a route with short alias app can be accessed at:
app.anydomain.comapp.*.anydomain.com- ...
A route with FQDN alias app.example.com can be accessed at:
app.example.comapp.*.example.com
Using match_domains
This feature is useful when you want to limit routes to certain domains.
With match_domains set under config.yml like this:
match_domains:
- example.com
- example.orgA route with short alias app can only be accessed at:
app.example.comapp.example.org
A route with FQDN alias app.example.com can be accessed at:
app.example.comapp.*.example.comapp.*.example.org
Use case example for match_domains
Given your main domain is my.app
Add
my.apptoautocert.domainsandmatch_domainsinconfig.ymlyamlautocert: domains: - my.app match_domains: - my.appUse short aliases like
adguardandsonarrwhen you want them to be accessible at your main domainyamlservices: adguard: # adguard.my.app ... labels: proxy.aliases: adguard sonarr: # sonarr.my.app ... labels: proxy.aliases: sonarrUse FQDN aliases like
adguard.other.appandsonarr.other.appwhen you want them to be accessible at other domainsyaml# docker compose services: adguard: ... labels: proxy.aliases: adguard.other.app sonarr: ... labels: proxy.aliases: sonarr.other.app # config.yml autocert: domains: - my.app