4.3.2.2 LetsEncrypt DNS challenge in production
If you are provisioning a qa, staging or production environment behind a VPN and wish to use LetsEncrypt there are 2 options depending on your DNS server provider.
Using Traefik supported DNS challenge APIs
Manually creating static LetsEncrypt certs and TXT records
If your DNS is cloud managed using a supported provider, Traefik can use an access token to automatically generate the TXT records required for LetsEncrypt to validate your domain.
Traefik supported DNS Challenge APIs
Traefik supports APIs for the following cloud DNS providers:
In this example, Google Domains is the configured provider. The environment variable GOOGLE_DOMAINS_ACCESS_TOKEN is manually added to the Github environment as a secret.
Environment variables are configured in Github Actions and custom variables like this must be passed through to your workflows. These are explained in the Create a Github Environment section.
Manually creating static LetsEncrypt certs and TXT records
If you are not using one of Traefik's supported DNS providers, for example if you are hosting your own DNS server, then you can manually create the LetsEncrypt static files .crt and .key by using the certbot tool.
Install certbot on your laptop
Run this command to generate a wildcard LetsEncrypt cert for each of your environment domains:
The process after that is guided by the CLI. Running the command will give you the following prompt:
At this point you need to go to control panel of your DNS server and create the TXT record for the domains as instructed.
Once the process succeeds, it should write 2 certificate files .crt and .key to your local machine.
You must place these 2 files on your environment servers where the Traefik Docker container can access them in a shared volume. This process is identical to the next step: Static TLS certificates.
Last updated