4.3.2.2 LetsEncrypt DNS challenge in production

If you are provisioning a qa, staging or production environment behind a VPN and wish to use LetsEncrypt there are 2 options depending on your DNS server provider.

1. Using Traefik supported DNS challenge APIs

2. Manually creating static LetsEncrypt certs and TXT records

If your DNS is cloud managed using a supported provider, Traefik can use an access token to automatically generate the TXT records required for LetsEncrypt to validate your domain.

Traefik supported DNS Challenge APIs

Traefik supports APIs for the following cloud DNS providers and the secrets required can be passed to the Traefik service as environment variables:

Traefik Let's Encrypt Documentation - Traefik

In this example, Google Domains is the configured provider. The environment secret GOOGLE_DOMAINS_ACCESS_TOKEN would be manually added to the Github environment.

Github environment secrets are all automatically passed through to the deploy process and appended to docker-compose files where the following syntax is used.

Edit the docker compose deploy files to ensure that the Traefik service can access the environment variables it requires.

traefik:
  .. <locate the environment and command block and make the following edits>
  environment:
   - GOOGLE_DOMAINS_ACCESS_TOKEN=${GOOGLE_DOMAINS_ACCESS_TOKEN}
  command:
   - --certificatesresolvers.certResolver.acme.dnschallenge=true
   - --certificatesresolvers.certResolver.acme.dnschallenge.provider=googledomains
   - --certificatesresolvers.certResolver.acme.email=<your email address>
   - --certificatesresolvers.certResolver.acme.storage=acme.json

Manually creating static LetsEncrypt certs and TXT records

If you are not using one of Traefik's supported DNS providers, for example if you are hosting your own DNS server, then you can manually create the LetsEncrypt static files .crt and .key by using the certbot tool.

1. Install certbot on your laptop

2. Run this command to generate a wildcard LetsEncrypt cert for each of your environment domains:

sudo certbot certonly --manual -d <your-domain> -d '*.<your-domain>'

The process after that is guided by the CLI. Running the command will give you the following prompt:

Please deploy a DNS TXT record under the name:

_acme-challenge.<your-domain>.

with the following value:

<TXT RECORD VALUE HERE>

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.<your-domain>.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

At this point you need to go to control panel of your DNS server and create the TXT record for the domains as instructed.

Once the process succeeds, it should write 2 certificate files fullchain.pem and privkey.pem to your local machine. The content of these files must be provided to the traefik service at runtime. The process required to implement this is equivalent to the next step: Static TLS certificates.