I have set up certbot on Ubuntu and successfully created my certificate with --standalone. The same system may use other certs for other fqdns that end up on the same system as well later.
I have added traefik v2.9 to this system. Traefik listens on ports 80 and 443. I have configured traefik with a 'file provider' so that it uses the separately certbot-created certificate. This works. See https://community.traefik.io/t/traefik-v2-and-docker-compose-no-default-certificate/16146/5
Some of the future services on this Ubuntu system (e.g. postfix, where postscreen will listen directly on port 25) will not be managed via traefik. So I want to keep cert management and traefik separate: use certbot to manage the certs and have traefik use some of them.
The cert renewal config looks like this:
[renewalparams]
account = [snip]
pref_challs = http-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = standalone
Now, I think that if traefik is running on port 80, certbot will not be able to renew because traefik is already listening on that port. What is the best way to solve this conundrum? One way is of course to have traefik not listen on port 80 and purely work on 443. Another might be to have traefik catch the path /.well-known/acme-challenge/ on port 80, serve the contents as a very simple web server, and use certbot with webroot, maybe (and if so: how)? Or should I move cert management to the traefik container (I'm running traefik in docker) anyway, and make sure the container's cert contents are mapped via docker compose volumes to the file system outside the traefik container?