4.3.2.2 LetsEncrypt DNS challenge in production

If you are provisioning a QA, staging or production environment behind a VPN and wish to use LetsEncrypt, the HTTP challenge is not an option because LetsEncrypt cannot reach your servers; you need the DNS challenge, and there are two options depending on your DNS provider.

  1. Using Traefik supported DNS challenge APIs

  2. Manually creating static LetsEncrypt certs and TXT records

If your DNS is hosted by a supported cloud provider, Traefik can use an API access token to create the TXT records that LetsEncrypt requires to validate your domain automatically.

Traefik supported DNS Challenge APIs

Traefik supports APIs for the following cloud DNS providers:

In this example, Google Domains is the configured provider. The environment variable GOOGLE_DOMAINS_ACCESS_TOKEN is added manually to the GitHub environment as a secret.

Environment variables are configured in GitHub Actions, and custom variables like this one must be passed through to your workflows. This is explained in the Create a GitHub Environment section.

environment:
 - GOOGLE_DOMAINS_ACCESS_TOKEN=${GOOGLE_DOMAINS_ACCESS_TOKEN}
command:
 - --certificatesresolvers.certResolver.acme.dnschallenge=true
 - --certificatesresolvers.certResolver.acme.dnschallenge.provider=googledomains
 - --certificatesresolvers.certResolver.acme.email=<your email address>
 - --certificatesresolvers.certResolver.acme.storage=acme.json

The acme.json file holds the ACME account key and the issued certificates' private keys, so keep it on a persistent volume with permissions restricted to Traefik (it expects mode 600 and will refuse to start otherwise).

Manually creating static LetsEncrypt certs and TXT records

If you are not using one of Traefik's supported DNS providers, for example if you host your own DNS server, you can create the static LetsEncrypt files (.crt and .key) manually with the certbot tool.

  1. Install certbot on your laptop

  2. Run this command to generate a wildcard LetsEncrypt cert for each of your environment domains:

sudo certbot certonly --manual -d <your-domain> -d '*.<your-domain>'

From there the CLI guides you through the process. Running the command gives you the following prompt:

Please deploy a DNS TXT record under the name:

_acme-challenge.<your-domain>.

with the following value:

<TXT RECORD VALUE HERE>

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.<your-domain>.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

At this point you need to go to the control panel of your DNS server and create the TXT record for the domain as instructed.
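Rather than relying on an online tool, you can check from the command line that the record certbot asked for is visible before pressing Enter. The script below is an added example, not part of the original guide; it assumes `dig` is installed and that the zone's own authoritative servers plus two public resolvers are the places worth checking. The parsing functions work on captured dig output, so they can be exercised without network access.

```shell
#!/bin/sh
# Check that the _acme-challenge TXT record certbot asked for has been deployed.
# Added example (not from the original guide). Assumes `dig` (dnsutils/bind-utils).

# txt_values <dig-answer-output>
# Print the quoted TXT strings from `dig +noall +answer` output, one per line,
# quotes stripped. ACME tokens contain no whitespace, so one chunk is one value.
txt_values() {
  printf '%s\n' "$1" | awk '$4 == "TXT" { for (i = 5; i <= NF; i++) { gsub(/"/, "", $i); print $i } }'
}

# challenge_deployed <dig-answer-output> <expected-value>
# Succeeds (exit 0) only if the expected value is one of the TXT answers.
challenge_deployed() {
  txt_values "$1" | grep -qxF -- "$2"
}

# query_txt <domain> <resolver>   (live lookup, needs network)
query_txt() {
  dig +noall +answer +time=3 +tries=1 "@$2" "_acme-challenge.$1" TXT
}

# wait_for_challenge <domain> <expected-value> [max-attempts]
# Poll the zone's authoritative servers and two public resolvers (assumed choice)
# until every one of them returns the expected value; 10 s between attempts.
wait_for_challenge() {
  domain=$1; expected=$2; attempts=${3:-30}
  resolvers="$(dig +short NS "$domain" | sed 's/\.$//') 8.8.8.8 1.1.1.1"
  i=0
  while [ "$i" -lt "$attempts" ]; do
    missing=0
    for r in $resolvers; do
      if challenge_deployed "$(query_txt "$domain" "$r")" "$expected"; then
        echo "ok       $r"
      else
        echo "waiting  $r"; missing=1
      fi
    done
    [ "$missing" -eq 0 ] && return 0
    i=$((i + 1)); sleep 10
  done
  echo "record not visible everywhere after $attempts attempts" >&2
  return 1
}

# Usage: sh check-acme-txt.sh <your-domain> '<TXT RECORD VALUE HERE>'
if [ "$#" -eq 2 ]; then wait_for_challenge "$1" "$2"; fi
```

Because the certbot command above requests both `<your-domain>` and `*.<your-domain>`, certbot prompts twice for the same record name with different values: keep the first TXT record when adding the second, and run the check once per value.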

Once the process succeeds, it writes the two certificate files (.crt and .key) to your local machine.

  3. Place these two files on your environment servers in a shared volume that the Traefik Docker container can access. This process is identical to the next step, Static TLS certificates.
