Which Let's Encrypt (ACME) challenge?

I recently did a heap of research into ACME challenges and came away almost as confused as when I started. Which challenge is recommended to be used? I'm assuming DNS or TLS over HTTP?

I managed to get DNS challenge working but every time I make changes and add new services I'd have to wait up to several hours before they would work (this really caught me out early on). I've also recently read that DNS challenge can open you up to possible security issues?

Does this mean I should be using TLS over the other two? I was assuming DNS was faster, but...

Thanks

Hello,

The 3 challenges are safe.

  • The TLS challenge is the simplest and fastest.
  • The DNS challenge is useful for wildcard certificates (can be slow because DNS propagation is slow).
  • The HTTP challenge is useful in some cases when the TLS challenge cannot be used.

So all that time messing with DNS challenge when I could have just used TLS :grin:.
I'm actually struggling to wrap my head around where you would use a wildcard with Traefik so as to figure out if I will need it or not. I have been researching but can't seem to fully grasp it.
Is it just a case of being a catchall for any subdomains that haven't been predefined as a host in Traefik?
Does this apply to www in front of the domain, i.e. how do you handle this in Traefik? I haven't figured that bit out yet.
Thanks for the help.

If you have many apps which each require their own domain, then you may want to have a wildcard domain. For instance, Google has a cert for *.google.com which covers photos.google.com, drive.google.com, maps.google.com, etc.

Most certs today allow Subject Alternate Names (SANs) which allow you to specify a limited number of domains. So most people use SANs to cover the www subdomain. For instance, if your cert is for example.com, then one of your SANs could be www.example.com.

So if you only have a few subdomains you want to cover, just use a SAN. If you have many, get a wildcard cert.

I'm not sure how to configure Traefik to include a SAN when it renews a cert with Let's Encrypt, but I'm pretty sure it is possible.
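The SAN-versus-wildcard choice discussed in this thread, as an added example that is not part of the original posts: it checks which hostnames a certificate's name list covers and which ACME challenge types can issue it. The function names and the sample name lists are constructed for illustration; "TLS challenge" is taken to mean TLS-ALPN-01.

```python
# Added example (not from the thread): certificate name coverage and
# the ACME challenge types able to issue a given set of names.

def _labels(name):
    # DNS names are case-insensitive; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")

def name_matches(pattern, host):
    """Match one certificate name against a hostname.

    A wildcard is honoured only as the entire leftmost label and stands
    for exactly one label: *.example.com matches www.example.com but
    neither example.com nor a.b.example.com.
    """
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h

def covered(cert_names, host):
    """True if any name in the certificate covers the host."""
    return any(name_matches(n, host) for n in cert_names)

def usable_challenges(cert_names):
    """Let's Encrypt issues wildcard names only through DNS-01."""
    if any(n.startswith("*.") for n in cert_names):
        return ["dns-01"]
    return ["tls-alpn-01", "http-01", "dns-01"]

def report(cert_names, hosts):
    return {h: covered(cert_names, h) for h in hosts}

# Constructed name lists for the three options discussed above.
SAN_CERT = ["example.com", "www.example.com"]
WILDCARD_CERT = ["*.example.com"]
WILDCARD_PLUS_APEX = ["example.com", "*.example.com"]

if __name__ == "__main__":
    hosts = ["example.com", "www.example.com",
             "app.example.com", "a.b.example.com"]
    for cert in (SAN_CERT, WILDCARD_CERT, WILDCARD_PLUS_APEX):
        print(cert, usable_challenges(cert))
        for host, ok in report(cert, hosts).items():
            print(f"  {host:18} {'covered' if ok else 'NOT covered'}")
```

The output shows that a wildcard alone leaves the bare domain uncovered, so a wildcard certificate normally lists the apex as an additional name.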

Thanks, that was very helpful.