Hello together
I am just starting to encrypt my containers via certificates with https. That's when I came across Traefik.
I have Strato as my DNS provider. Has anyone of you already managed to connect the DNS from Strato to Traefik? As far as I know Strato does not have an API.
Is there an alternative way to get Let's Encrypt certificates via my DNS provider without an API?
Greetings
Max
Sure, you can get a LetsEncrypt TLS cert with httpChallenge or tlsChallenge without DNS provider interaction. It just works, as long as the domain points to the IP of Traefik. Check simple Traefik example.
You only need dnsChallenge with provider API to issue wildcard certificates.
1 Like
Hey @bluepuma77
Thanks for your fast reply!
Is there also a way without publishing my Traefik local IP to a public DNS?
I checked out your example. You mentioned wildcard certificates. What are the downsides of my setup without having one from Traefik?
How can I use an internal DNS for DNS queries so traefik will resolve for example grafana.myinternaldomain.com?
If you want private (sub-)domain names, then you do need to use dnsChallenge. It has a mode for which you can manually create the TXT entry, but you would need to do that every 3 months.
You can have a public (sub-)domain with a private IP, meaning it can’t be reached from the Internet. Probably not best practice, but it works.
For your own DNS, you would need to set that up in your router or with a dedicated DNS server within your network.
1 Like
Don't I then have to enter my local IP in the public DNS?
For dnsChallenge the LetsEncrypt service does not try to validate the IP. It only checks with the public DNS provider for a TXT record.
So you can have a public domain (example.com), create a zone there (local.example.com, maybe by registering a fake IP for it), then create a wildcard (*.local.example.com).
You can’t get a LetsEncrypt cert for a non-public or non-existing main domain name.
1 Like
Can I also use a top-level like *.example.com without local in front of example.com?
Yes. example.com needs to be a real domain with a provider. You can create a LetsEncrypt TLS wildcard cert, have a local DNS server (router, hosts file, etc), which resolves whatever.example.com only locally to a local IP, where Traefik is running.
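The setup discussed in this thread, as an added configuration example that is not taken from any of the posts: a Traefik static and dynamic configuration that requests a wildcard certificate through dnsChallenge with the manual provider (for a DNS host without an API) next to an httpChallenge resolver for publicly reachable names. The e-mail address, storage path, resolver names, public resolver IPs and the Grafana service URL are assumptions.

```yaml
# --- static configuration (traefik.yml) ---
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

certificatesResolvers:
  # Works without any DNS provider API, but only for names whose public
  # DNS record points at Traefik, and never for wildcards.
  le-http:
    acme:
      email: admin@example.com          # assumption: placeholder address
      storage: /letsencrypt/acme.json   # assumption: keep this file mode 600
      httpChallenge:
        entryPoint: web

  # Required for wildcards and for names that only resolve internally.
  le-dns:
    acme:
      email: admin@example.com
      storage: /letsencrypt/acme.json
      dnsChallenge:
        # "manual": Traefik logs the _acme-challenge TXT value and waits
        # until you have created it at the DNS host by hand. Traefik must
        # run interactively, and the step repeats at every renewal.
        provider: manual
        # Check propagation against public resolvers, not the internal
        # DNS server that answers example.com with private IPs.
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

# --- dynamic configuration (file provider, e.g. dynamic.yml) ---
http:
  routers:
    grafana:
      rule: "Host(`grafana.local.example.com`)"
      entryPoints:
        - websecure
      service: grafana
      tls:
        certResolver: le-dns
        domains:
          - main: "local.example.com"
            sans:
              - "*.local.example.com"
  services:
    grafana:
      loadBalancer:
        servers:
          - url: "http://grafana:3000"  # assumption: container name and port
```

Only the TXT record has to exist in public DNS; the A record for grafana.local.example.com can live solely on the internal DNS server, so no private IP needs to be published.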