4.3.2.2 LetsEncrypt DNS challenge in production
Last updated
Last updated
If you are provisioning a qa, staging or production environment behind a VPN and wish to use LetsEncrypt there are 2 options depending on your DNS server provider.
Using Traefik supported DNS challenge APIs
Manually creating static LetsEncrypt certs and TXT records
If your DNS is cloud managed using a supported provider, Traefik can use an access token to automatically generate the TXT records required for LetsEncrypt to validate your domain.
Traefik supports APIs for the following cloud DNS providers and the secrets required can be passed to the Traefik service as environment variables:
In this example, Google Domains is the configured provider. The environment secret GOOGLE_DOMAINS_ACCESS_TOKEN would be manually added to the Github environment.
Github environment secrets are all automatically passed through to the deploy process and appended to docker-compose files where the following syntax is used.
Edit the docker compose deploy files to ensure that the Traefik service can access the environment variables it requires.
If you are not using one of Traefik's supported DNS providers, for example if you are hosting your own DNS server, then you can manually create the LetsEncrypt static files .crt and .key by using the certbot tool.
Install certbot on your laptop
Run this command to generate a wildcard LetsEncrypt cert for each of your environment domains:
The process after that is guided by the CLI. Running the command will give you the following prompt:
At this point you need to go to control panel of your DNS server and create the TXT record for the domains as instructed.
Once the process succeeds, it should write 2 certificate files fullchain.pem
and privkey.pem
to your local machine. The content of these files must be provided to the traefik service at runtime. The process required to implement this is equivalent to the next step: Static TLS certificates.