From 4b5d60c149f685b7eb38aea8d1b7b3854f538f17 Mon Sep 17 00:00:00 2001 From: lon <114724657+longregen@users.noreply.github.com> Date: Tue, 13 Aug 2024 17:29:48 +0200 Subject: [PATCH] Add DNS-01 challenge to configuring-playbook-ssl-certificates.md --- docs/configuring-playbook-ssl-certificates.md | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 596f9300e..9796a3153 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md 
@@ -98,3 +98,24 @@ aux_file_definitions: certFile: /ssl/cert.pem keyFile: /ssl/privkey.pem ``` + +## Configuring DNS-01 ACME Challenges + +You can configure traefik to use the DNS-01 validation for Let's Encrypt. This is less frequent than using the normal HTTP challenge, but it can be helpful to hide your public IP from Let's Encrypt logs or if your matrix server is running behind a proxy that prevents the HTTP challenge to succeed. This is an example for how to edit the `vars.yml` file if you're using Cloudflare: + +```yaml +devture_traefik_config_certificatesResolvers_acme_dnsChallenge_enabled: true +devture_traefik_config_certificatesResolvers_acme_dnsChallenge_provider: "cloudflare" +devture_traefik_config_certificatesResolvers_acme_dnsChallenge_delayBeforeCheck: 60 +devture_traefik_config_certificatesResolvers_acme_dnsChallenge_resolvers: + - "1.1.1.1:53" +devture_traefik_environment_variables_additional_variables: | + CF_API_EMAIL=redacted + CF_ZONE_API_TOKEN=redacted + CF_DNS_API_TOKEN=redacted + LEGO_DISABLE_CNAME_SUPPORT=true +``` + +Make sure to change the value of "provider" to your particular DNS solution, and provide the appropriate environment variables. The full list of supported providers is available here: https://doc.traefik.io/traefik/https/acme/#providers + +This example assumes you're using Cloudflare to manage your DNS zone. Note that it requires the use of two tokens: one for reading all zones (`CF_ZONE_API_TOKEN`) and another that must be able to edit the particular domain you're using (`CF_DNS_API_TOKEN`). For security, it's recommended that you create two fine-grained tokens for this purpose, but you might choose to use the same token for both.
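Review bot: The paragraph after the YAML block says the Cloudflare setup needs two tokens, yet the example also sets `CF_API_EMAIL=redacted` without ever explaining what role it plays; either say why it is required alongside the tokens or drop it, so readers do not copy a credential the token-based flow does not use. That same paragraph should spell out the minimum scope for each token (zone read for `CF_ZONE_API_TOKEN`, DNS edit on the single zone for `CF_DNS_API_TOKEN`) and state plainly that reusing one broad token for both widens the blast radius if the Matrix host or its `vars.yml` is compromised, since these values end up in Traefik's environment in clear text. Minor points in the hunk: `LEGO_DISABLE_CNAME_SUPPORT=true` appears with no explanation of when it is needed, and "prevents the HTTP challenge to succeed" should read "prevents the HTTP challenge from succeeding".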