Oh! So I could have traefik pass https traffic straight through to a Discourse container that did its own certificate management? That could solve my problems. I'd also need it to pass port 80 straight through and not do that redirect so that the challenge could get to Discourse/acme.
For plain TCP passthrough, you need to use a TCP router and not enable TLS in Traefik. But it has the disadvantage that you can only use HostSNI(`*`) and therefore only have a single service on a TLS port.
The usual option is to let Traefik handle and terminate TLS and forward unencrypted.
Another option is to let Traefik handle and terminate TLS and forward encrypted using insecureSkipVerify to a target service with an unknown cert (non LE verified).
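As an added example (not from this thread and not an official Traefik snippet), here is a Traefik v2 file-provider dynamic configuration that lays the three options above side by side, plus the port-80 router the original question asked about so that an HTTP-01 challenge can reach the backend's own ACME client. It also shows the `tls.passthrough` variant, which keeps TLS unterminated but still routes by SNI so a passthrough backend can share the normal HTTPS entrypoint. The hostnames, backend addresses (10.0.0.x), entrypoint names and the resolver name `letsencrypt` are assumptions.

```yaml
# Added example, not from the thread: Traefik v2 dynamic (file-provider) config.
# Hostnames, backend addresses, entrypoint names and resolver name are assumed.

tcp:
  routers:
    # Option 1 as described: TCP router with no `tls` section and HostSNI(`*`).
    # Traefik never inspects the handshake, so this router must be alone on
    # its entrypoint (an assumed extra "passthrough" entrypoint on its own
    # port): it owns every connection arriving there, and the backend must
    # present its own certificate.
    discourse-raw:
      entryPoints: ["passthrough"]
      rule: "HostSNI(`*`)"
      service: discourse-443
    # Variant: TLS stays unterminated, but Traefik reads the SNI and routes
    # on it, so this backend can share the regular websecure entrypoint.
    discourse-sni:
      entryPoints: ["websecure"]
      rule: "HostSNI(`discourse.example.com`)"
      service: discourse-443
      tls:
        passthrough: true
  services:
    discourse-443:
      loadBalancer:
        servers:
          - address: "10.0.0.5:443"

http:
  routers:
    # Companion for the passthrough backend: plain HTTP on port 80 forwarded
    # with no HTTPS redirect, so HTTP-01 challenges reach the backend's ACME
    # client. Assumes the redirect is a per-router middleware elsewhere, not
    # an entrypoint-level redirection (which would intercept port 80 first).
    discourse-acme:
      entryPoints: ["web"]
      rule: "Host(`discourse.example.com`)"
      service: discourse-80
    # Option 2: Traefik terminates TLS and forwards in the clear.
    app-terminated:
      entryPoints: ["websecure"]
      rule: "Host(`app.example.com`)"
      service: app-plain
      tls:
        certResolver: letsencrypt
    # Option 3: Traefik terminates TLS and re-encrypts to a backend whose
    # certificate is not publicly trusted.
    legacy-reencrypt:
      entryPoints: ["websecure"]
      rule: "Host(`legacy.example.com`)"
      service: legacy-tls
      tls:
        certResolver: letsencrypt
  services:
    discourse-80:
      loadBalancer:
        servers:
          - url: "http://10.0.0.5:80"
    app-plain:
      loadBalancer:
        servers:
          - url: "http://10.0.0.6:80"
    legacy-tls:
      loadBalancer:
        serversTransport: skip-verify
        servers:
          - url: "https://10.0.0.7:8443"
  serversTransports:
    # insecureSkipVerify disables certificate checking only on the
    # Traefik-to-backend hop: browsers still get the Let's Encrypt cert, but
    # the internal leg is encrypted without authenticating the backend.
    # Pinning the backend's issuer with rootCAs is the stricter alternative.
    skip-verify:
      insecureSkipVerify: true
```

The practical consequence of option 1 is visible in the config: a non-TLS `HostSNI(`*`)` router cannot coexist with anything else on its entrypoint, which is why the SNI passthrough variant is usually what people want when the backend manages its own certificates.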
Right. That's why I hadn't thought that would work.
I guess what I need to do for the domains that I can't use DNS challenges for (i.e., client sites that are CNAMEs to a domain that I do control) is to have my Ansible tooling change, or even just test, the DNS before launching a container that depends on DNS being in place. A test would at least keep me from spinning up a container that would get me immediately rate limited.
Finally! This is sounding like my solution. I thought that the DNS challenge should be able to work, but on my first reading of the process it looked like there was another record that was at play. Turns out there is, but it will Just Work if there's a CNAME for the other record too.
And somewhere, somehow, I RTFM and put my DigitalOcean key in the Right Place (I think I can!).
Is that all I need to do? (A pet peeve is when someone asks "do I just do x" and my thought is, "why don't you try and find out?" and now I'm understanding that for me "trying it out" is 3 minutes' work, but for them, it might be an hour or more, and I've pretty much just finished moving everyone to traefik2 with http challenges).
Thanks so very much
EDIT: I'll take that as a yes. I'll give it a shot and report back. Thanks again!
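As an added example (not the poster's Ansible tooling), here is a playbook that performs the pre-flight DNS test described above. The "other record" is `_acme-challenge.<site>`: the CA looks for the challenge TXT record there and follows a CNAME if it finds one, so the DNS challenge works for a client domain as long as that name is a CNAME into a zone the DigitalOcean token can write to (Traefik's `digitalocean` provider reads the token from the `DO_AUTH_TOKEN` environment variable). The playbook resolves that CNAME for each site and refuses to start the container until every site delegates correctly, so a misconfigured site fails here instead of burning Let's Encrypt failed-validation attempts. The zone name `acme.example.net`, the site list, the host group, the compose file path and the presence of `dig` on the host are assumptions.

```yaml
# Added example, not from the thread: Ansible pre-flight check that each
# client site delegates _acme-challenge into a zone Traefik can write to,
# run before the site's container is started. Zone, sites, host group,
# compose path and the availability of `dig` are assumptions.
- name: Verify ACME CNAME delegation before starting client sites
  hosts: traefik_hosts
  vars:
    acme_zone: "acme.example.net"        # zone the DigitalOcean token controls (assumed)
    sites:
      - client1.example.org
      - client2.example.org
  tasks:
    - name: Resolve the _acme-challenge CNAME for each site
      command: dig +short CNAME _acme-challenge.{{ item }}
      register: acme_cname
      changed_when: false
      loop: "{{ sites }}"

    # dig +short prints the canonical target with a trailing dot, e.g.
    # "_acme-challenge.client1.acme.example.net." (constructed sample).
    - name: Fail before any certificate request if delegation is missing
      assert:
        that:
          - "(item.stdout | trim).endswith('.' ~ acme_zone ~ '.')"
        fail_msg: >-
          _acme-challenge.{{ item.item }} does not CNAME into {{ acme_zone }}
          (got '{{ item.stdout | trim }}'). Fix DNS first; launching now
          would only consume Let's Encrypt failed-validation rate limits.
      loop: "{{ acme_cname.results }}"
      loop_control:
        label: "{{ item.item }}"

    # Reached only when every site passed the check above.
    - name: Start the site containers
      command: docker compose -f /srv/{{ item }}/docker-compose.yml up -d
      loop: "{{ sites }}"
```

Because the check is read-only (`changed_when: false`), it can also be run on its own with `--tags` or as a separate play before a DNS change is pushed, which is the cheap "test the DNS first" step the post describes.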