Traefik v2 with ACME DNS-01 Challenge

SummittDweller · May 19, 2020, 4:01pm

I'm really struggling here. Long story, short... My previous use of Traefik 1.x and ACME HTTP-01 challenges to enable provision of Let's Encrypt certificates raises security concerns for my IT department. Their policy is that a server has to be secure and pass a barrage of tests BEFORE ports can be opened to the world. My problem is the HTTP-01 challenge has to find an 'A' record in our DNS in order to validate our domain ownership, but that has to happen first and it fails because our ports can't be opened until it's secure. A bit of a chicken versus egg dilemma.

So a colleague of mine proposed using an ACME DNS-01 challenge instead, and doing so with a CNAME record in an accessible DNS, a process that I don't entirely understand. My colleague suggested these references:

CNAME Following

An Example Ingress Controller’s Implementation of DNS verification:
https://docs.traefik.io/https/acme/#dnschallenge

We tried to implement this plan in my Traefik 1.x environment and got back errors that we were unable to decipher. Rather than posting those in this forum, I elected to bite-the-bullet and upgrade to Traefik 2.x, and I've done that, but I'm still unable to obtain certs using DNS-01.

The latest manifestation of my configuration and tests are documented in https://dlad.summittdweller.com/en/posts/074-simplified-testing-traefik-2-with-acme-dns-01/, and my initial question is this:

What does the log statement No ACME certificate generation required for domains [\"dgdocker3.grinnell.edu\"]. really mean? (See below)

time="2020-05-19T11:20:32-04:00" level=debug msg="Looking for provided certificate(s) to validate [\"dgdocker3.grinnell.edu\"]..." providerName=dns.acme routerName=traefik-secure@docker rule="Host(`dgdocker3.grinnell.edu`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
time="2020-05-19T11:20:32-04:00" level=debug msg="No ACME certificate generation required for domains [\"dgdocker3.grinnell.edu\"]." providerName=dns.acme routerName=traefik-secure@docker rule="Host(`dgdocker3.grinnell.edu`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"

Thanks in advance for any insight you can provide.

Topic		Replies	Views
Problem renewing the cert with DNS-01 challenge Traefik v2 (latest) letsencrypt-acme	2	3250	October 29, 2020
Lets encrypt dns challenge via traefik docker compose (problem only on arch) Traefik v2 (latest) letsencrypt-acme	6	2031	May 28, 2023
Traefik Letsencrypt TLSChallenge - Documentation Incomplete? Traefik v2 (latest) letsencrypt-acme	12	194	February 24, 2024
RequireAndVerifyClientCert and ACME TLS-ALPN-01 Traefik v2 (latest) letsencrypt-acme	3	314	September 18, 2022
DNS-01 challenge fails Traefik v3 (beta) docker , letsencrypt-acme	11	307	December 16, 2023

Traefik v2 with ACME DNS-01 Challenge

Related Topics