forked from coop-cloud/traefik
Fix Cloudflare DNS (#104)
Apologies for submitting changes and then immediately undoing some of them. I made a mistake previously by assuming that letsdebug.net tests were sufficient to confirm that this setup was working. But it turns out that my site was still failing to get valid SSL certs. After digging into the Lego docs I realized I needed to be using different environment variables, which I added here. Once I deployed these changes to a fresh VPS on a different domain with a more straightforward configuration, I confirmed that HTTPS connections to the Traefik dashboard worked just fine. Please let me know if there's anything else I can do to verify these fixes so I can be extra-super-sure that it's good to go. I'm still new to a lot of this and clearly have lots to learn.

As a treat, I also added `generate=false` flags to the DNS secrets for other providers, as discussed in my previous PR.

Cheers!

* [x] I have deployed and tested my changes
  Deployed on a fresh VPS, confirmed that HTTPS connections work after deploying these changes
* [x] I have [updated relevant versions in `abra.sh`](https://docs.coopcloud.tech/maintainers/upgrade/#updating-versions-in-the-abrash)
  No version update needed
* [x] I have made my environment variable changes [backwards compatible](https://docs.coopcloud.tech/maintainers/upgrade/#backwards-compatible-environment-variable-changes)
  This does remove the two environment variables that I introduced in my prior PR. Since those haven't been picked up in a release, I'm hoping this is an acceptable regression. Those two variables are both perfectly valid, they just require an account-wide API token which is unnecessarily risky in my opinion. But if we want to keep them in, I'm happy to put things back as they were :)
* [x] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes)
  Not necessary

Reviewed-on: coop-cloud/traefik#104
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>
Reviewed-by: p4u1 <p4u1@noreply.git.coopcloud.tech>
Co-authored-by: Zigzagill <zigzagill@proton.me>
Co-committed-by: Zigzagill <zigzagill@proton.me>
+16
-14
@@ -38,7 +38,7 @@ COMPOSE_FILE="compose.yml"
## Enable dns challenge (for wildcard domains)
## https://go-acme.github.io/lego/dns/#dns-providers
#LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1
## *Currently* one of ovh, gandi, gandiv5, digitalocean, azure, porkbun.
## *Currently* one of ovh, gandi, gandiv5, digitalocean, azure, porkbun, and cloudflare.
## Uncomment the corresponding provider below to insert your secret token/key.
#LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=ovh
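Review bot: the provider list comment now ends with "and cloudflare", but nothing in this hunk shows the value the new provider expects in `LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER`; consider adding a commented `#LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=cloudflare` beside the existing `#LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=ovh` example, or saying in the comment that the value is the Lego provider code from the linked list, so operators do not have to guess the spelling.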
@@ -47,25 +47,25 @@ COMPOSE_FILE="compose.yml"
#OVH_ENABLED=1
#OVH_APPLICATION_KEY=
#OVH_ENDPOINT=
#SECRET_OVH_APP_SECRET_VERSION=v1
#SECRET_OVH_CONSUMER_KEY=v1
#SECRET_OVH_APP_SECRET_VERSION=v1 # generate=false
#SECRET_OVH_CONSUMER_KEY=v1 # generate=false
## Gandi, https://gandi.net
## note(3wc): only "V5" (new) API is supported, so far
#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
#GANDI_API_KEY_ENABLED=1
#SECRET_GANDIV5_API_KEY_VERSION=v1
#SECRET_GANDIV5_API_KEY_VERSION=v1 # generate=false
## Gandi, https://gandi.net
## note: uses GandiV5 Personal Access Token
#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
#GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1
#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1 # generate=false
## DigitalOcean, https://digitalocean.com
#COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
#DIGITALOCEAN_ENABLED=1
#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1 # generate=false
## Azure, https://azure.com
## To insert your Azure client secret:
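Review bot: marking every provider `SECRET_*_VERSION` line with `# generate=false` is the right fix, since these values are credentials issued by the DNS provider and a value generated by abra could never authenticate the challenge, but the OVH, Gandi and DigitalOcean sections in this hunk carry no `abra app secret insert ...` example the way the Porkbun and Cloudflare sections do; a one-line example per section would tell operators that the value now has to be inserted by hand. Separately, both Gandi blocks keep the identical heading `## Gandi, https://gandi.net`, which makes it easy to uncomment the wrong one; distinguishing them as "Gandi (API key)" and "Gandi (personal access token)" in the heading would help.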
@@ -76,24 +76,26 @@ COMPOSE_FILE="compose.yml"
#AZURE_CLIENT_ID=
#AZURE_SUBSCRIPTION_ID=
#AZURE_RESOURCE_GROUP=
#SECRET_AZURE_SECRET_VERSION=v1
#SECRET_AZURE_SECRET_VERSION=v1 # generate=false
## Porkbun, https://porkbun.com
## To insert your secrets:
## abra app secret insert 1312.net pb_api_key v1 pk1_413
## abra app secret insert 1312.net pb_s_api_key v1 sk1_612
#COMPOSE_FILE="$COMPOSE_FILE:compose.porkbun.yml"
#SECRET_PORKBUN_API_KEY_VERSION=v1
#SECRET_PORKBUN_SECRET_API_KEY_VERSION=v1
#SECRET_PORKBUN_API_KEY_VERSION=v1 # generate=false
#SECRET_PORKBUN_SECRET_API_KEY_VERSION=v1 # generate=false
## Cloudflare, htps://cloudflare.com
## To insert your secrets:
## abra app secret insert {myapp.example.coop} cf_email v1 "<CLOUDFLARE_EMAIL>"
## abra app secret insert {myapp.example.coop} cf_api_key v1 "<CLOUDFLARE_API_KEY>"
## cf_api_key is an account API key from Cloudflare that has DNS read + edit permission
## abra app secret insert {myapp.example.coop} cf_dns_token v1 "<CLOUDFLARE_DNS_API_TOKEN>"
## abra app secret insert {myapp.example.coop} cf_zone_token v1 "<CLOUDFLARE_ZONE_API_TOKEN>"
## These can be the same token or different tokens
## cf_dns_token needs DNS edit access, cf_zone_token needs zone edit access
## See LEGO docs for more info: https://go-acme.github.io/lego/dns/cloudflare/index.html
#COMPOSE_FILE="$COMPOSE_FILE:compose.cloudflare.yml"
#SECRET_CLOUDFLARE_EMAIL_VERSION=v1 # generate=false
#SECRET_CLOUDFLARE_API_KEY_VERSION=v1 # generate=false
#SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION=v1 # generate=false
#SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION=v1 # generate=false
#####################################################################
# Manual wildcard certificate insertion #
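Review bot: the new comment says `cf_zone_token` "needs zone edit access", whereas the Lego Cloudflare page linked two lines later only asks for zone read permission on `CLOUDFLARE_ZONE_API_TOKEN` (DNS edit is needed only on the DNS token); stating the minimum permission here keeps operators from issuing a broader token than the challenge requires, which is exactly the over-privilege concern the commit message raises about the removed account-wide key. Two smaller points: the retained heading `## Cloudflare, htps://cloudflare.com` is missing a `t` in `https`, and the insert examples use the `{myapp.example.coop}` placeholder while the Porkbun block above uses `1312.net`, so it is worth aligning the two styles.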
@@ -3,16 +3,16 @@ version: "3.8"
services:
app:
environment:
- CLOUDFLARE_EMAIL_FILE=/run/secrets/cf_email
- CLOUDFLARE_API_KEY_FILE=/run/secrets/cf_api_key
- CLOUDFLARE_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_token
- CLOUDFLARE_ZONE_API_TOKEN_FILE=/run/secrets/cf_zone_token
secrets:
- cf_email
- cf_api_key
- cf_dns_token
- cf_zone_token
secrets:
cf_email:
name: ${STACK_NAME}_cf_email_${SECRET_CLOUDFLARE_EMAIL_VERSION}
cf_dns_token:
name: ${STACK_NAME}_cf_dns_token_${SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION}
external: true
cf_api_key:
name: ${STACK_NAME}_cf_api_key_${SECRET_CLOUDFLARE_API_KEY_VERSION}
cf_zone_token:
name: ${STACK_NAME}_cf_zone_token_${SECRET_CLOUDFLARE_ZONE_API_TOKEN_VERSION}
external: true
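Review bot: the two replacement secrets are wired consistently (the `_FILE` environment path, the service-level `secrets:` entry and the top-level definition each name `cf_dns_token` and `cf_zone_token`, and `external: true` is kept for both), but because both are `external: true` the stack will not deploy unless both secrets exist, even though the .env.sample comment says the two tokens may be the same value; either state there that a single token has to be inserted under both names, or note in this compose file that both secrets are mandatory, so a first deploy does not fail on a missing `cf_zone_token`.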