And when a request for discourse.newhost.com hits the server, it gets a new cert for Let's Encrypt, directs the traffic to the multisite container and life is good.
It appears that with traefik:v2.10 I am going to have to crank up a new container with new labels every time the hosts change. Is that right? This seems much, much less desirable than the old way.
That's what I was afraid of. Thanks for confirming. This is just so different from how traefik 1.7 works.
So every time I add a new client on a multisite instance I have to spin up a new traefik container with updated labels, or switch to something other than docker for configuration, right?
I guess the solution would be to switch to something like consul to manage both storing the certs as well as telling traefik which container to proxy for?
I would assume that you can add a label to a container, you can at least add a label to a Docker service.
Traefik EE supports clustered LetsEncrypt, I think they use consul for it.
You could also use a container behind Traefik for LE cert creation and to provide the certs, either as file or via http (proof of concept) or via consul.
Oh! So I could have traefik pass https traffic straight through to a Discourse container that did its own certificate management? That could solve my problems. I'd also need it to pass port 80 straight through and not do that redirect so that the challenge could get to Discourse/acme.
For plain TCP passthrough, you need to use a TCP router and not enable TLS in Traefik. But it has the disadvantage that you can only use HostSNI(`*`) and therefore only have a single service on a TLS port.
The usual option is to let Traefik handle and terminate TLS and forward unencrypted.
Another option is to let Traefik handle and terminate TLS and forward encrypted using insecureSkipVerify to a target service with an unknown cert (non LE verified).
Right. That's why I hadn't thought that would work.
I guess what I need to do for the domains that I can't use DNS challenges for (i.e., client sites that are CNAMEs to a domain that I do control) is to have my Ansible tooling change--or even just test--the DNS before launching a container that depends on DNS to be in place. A test would at least keep me from spinning up a container that would get me immediately rate limited.
Finally! This is sounding like my solution. I thought that the DNS challenge should be able to work, but on my first reading of the process it looked like there was another record that was at play. Turns out there is, but it will Just Work if there's a CNAME for the other record too.
And somewhere, somehow, I RTFM and put my DigitalOcean key in the Right Place (I think I can!).
Is that all I need to do? (A pet peeve is when someone asks "do I just do x" and my thought is, "why don't you try and find out?" and now I'm understanding that for me "trying it out" is 3 minutes' work, but for them, it might be an hour or more, and I've pretty much just finished moving everyone to traefik2 with http challenges).
Thanks so very much
EDIT: I'll take that as a yes. I'll give it a shot and report back. Thanks again!
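As an added example (not posted by anyone in this thread) of the setup the last few posts converge on: the hosts live in a file-provider dynamic config so adding a client edits a file instead of re-creating the Traefik container, and certificates come from the DigitalOcean DNS challenge, which also works for client hosts that are CNAMEs into a zone you control. The resolver name `le`, the container name `discourse-multisite`, the address `admin@newhost.com` and the client hostname `forum.client.example` are assumptions.

```yaml
# traefik.yml (static configuration) -- added example, assumed names throughout
entryPoints:
  web:
    address: ":80"
    http:
      redirections:            # keep the 80 -> 443 redirect; DNS-01 never needs port 80
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  file:
    directory: /etc/traefik/dynamic   # router/service definitions live here, not in labels
    watch: true                        # edits are reloaded without restarting Traefik

certificatesResolvers:
  le:
    acme:
      email: admin@newhost.com                 # placeholder
      storage: /letsencrypt/acme.json
      # Staging CA while testing new hosts: a misconfigured DNS record then costs
      # nothing against the production rate limits. Remove this line when it works.
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: digitalocean                 # token is read from the DO_AUTH_TOKEN env var
        resolvers:                             # check the TXT record via public resolvers,
          - "1.1.1.1:53"                       # not the Docker host's /etc/resolv.conf
          - "8.8.8.8:53"
---
# /etc/traefik/dynamic/multisite.yml (dynamic configuration, watched by the file provider)
http:
  routers:
    multisite:
      entryPoints: [websecure]
      # Adding a client = appending another Host() here and saving the file.
      rule: "Host(`discourse.newhost.com`) || Host(`forum.client.example`)"
      service: multisite
      tls:
        certResolver: le        # one cert per host, all validated with DNS-01
  services:
    multisite:
      loadBalancer:
        servers:
          - url: "http://discourse-multisite:80"   # TLS terminated by Traefik, plain HTTP inside
# For forum.client.example the client's DNS needs two CNAMEs into the DigitalOcean zone:
#   forum.client.example                 CNAME  discourse.newhost.com
#   _acme-challenge.forum.client.example CNAME  _acme-challenge.discourse.newhost.com
# The ACME client in Traefik (lego) follows the second CNAME and writes the TXT record
# in your own zone, so no DigitalOcean access to the client's zone is needed.
```

Before starting Traefik for a new client host, resolve `_acme-challenge.<host>` with `dig` and confirm it returns the expected CNAME; that is the test the Ansible tooling above should run to avoid burning rate limits.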