From 7fb53d54960ec87127d64ec6972a6731e00b6084 Mon Sep 17 00:00:00 2001
From: Luis Barrueco
Date: Mon, 15 Jun 2026 16:14:12 -0300
Subject: [PATCH] feat: disable httpChallenge when DNS challenge is configured

As documented in the README's "Configuring wildcard SSL using DNS" section, the necessary pieces for DNS-01 ACME challenges to work are already baked into Traefik's recipe, though they were originally considered for provisioning wildcard certificates. Furthermore, in environments where the server is not exposed to the internet, the default HTTP-01 challenge mechanism doesn't work, so taking advantage of this alternative method makes complete sense.

This change causes ACME validations to be done always using DNS when LETS_ENCRYPT_DNS_CHALLENGE_ENABLED is active. Without it, for standard certificate requests Traefik uses the HTTP-01 challenge method, which doesn't work in servers behind a firewall.

We should amend the related section in the [operators handbook](https://docs.coopcloud.tech/operators/handbook/#running-an-offline-coop-cloud-server) to make a note about the possibility of using DNS challenges in those scenarios as well.
---
 README.md        | 13 +++++++------
 abra.sh          |  2 +-
 traefik.yml.tmpl |  4 ++++
 3 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md index 2a71d90..b845d48 100644 --- a/README.md +++ b/README.md 
@@ -32,15 +32,16 @@ 3. Insert the secret: `abra app secret insert usersfile v1 -f usersfile 4. Redploy your app: `abra app deploy -f ` -## Configuring wildcard SSL using DNS +## Configuring SSL using DNS -Automatic certificate generation will Just Work™ for most recipes which use a fixed -number of subdomains. For some recipes which need to work across arbitrary +Automatic certificate generation will Just Work™ for most recipes which use a +fixed number of subdomains. If your server can't be reached from the Internet, +or if you're deploying a recipe that needs to work across arbitrary subdomains, like [`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and -[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll -need to give Traefik access to your DNS provider so that it can carry out -Letsencrypt DNS challenges. +[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) (requiring +the use of wildcard certificates,) you can give Traefik access to your DNS provider +so that it can carry out Letsencrypt DNS challenges. 1. Use Gandi, OVH, DO, Azure, or PorkBun for DNS 🤡 (support for other providers can be easily added, see diff --git a/abra.sh b/abra.sh index ac93525..9a1fab8 100644 --- a/abra.sh +++ b/abra.sh @@ -1,3 +1,3 @@ -export TRAEFIK_YML_VERSION=v30 +export TRAEFIK_YML_VERSION=v31 export FILE_PROVIDER_YML_VERSION=v12 export ENTRYPOINT_VERSION=v5 diff --git a/traefik.yml.tmpl b/traefik.yml.tmpl index d51f7f8..0ad4a07 100644 --- a/traefik.yml.tmpl +++ b/traefik.yml.tmpl @@ -127,8 +127,10 @@ certificatesResolvers: email: {{ env "LETS_ENCRYPT_EMAIL" }} storage: /etc/letsencrypt/staging-acme.json caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" + {{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }} httpChallenge: entryPoint: web + {{- end }} {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }} dnsChallenge: provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }} 
@@ -140,8 +142,10 @@ certificatesResolvers: acme: email: {{ env "LETS_ENCRYPT_EMAIL" }} storage: /etc/letsencrypt/production-acme.json + {{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }} httpChallenge: entryPoint: web + {{- end }} {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }} dnsChallenge: provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
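Review bot: in the README hunk, the rewritten `+[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/)` line still points the go-ssb-room link at the federatedwiki repository; since the line is being touched anyway, correct the URL to the go-ssb-room recipe. Two smaller points in the same hunk: the parenthetical "(requiring the use of wildcard certificates,)" has the comma inside the closing paren and reads better as "(which require wildcard certificates)", and the section should state what the commit message says explicitly, namely that enabling `LETS_ENCRYPT_DNS_CHALLENGE_ENABLED` turns off HTTP-01 for every certificate the proxy issues, not only wildcards, so operators know that every domain they deploy must then be hosted at the configured DNS provider.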
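Review bot: in the first traefik.yml.tmpl hunk (staging resolver) the two consecutive conditionals `{{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}` and `{{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}` test the same variable with opposite comparisons; a single `{{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}` ... `{{- else }}` ... `{{- end }}` wrapping `dnsChallenge` and `httpChallenge` expresses the mutual exclusion directly and cannot drift apart if one condition is edited later. The behaviour as written is right: an unset variable yields an empty string, which satisfies `ne "1"`, so existing deployments keep `httpChallenge` without any env change.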
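Review bot: the production resolver hunk mirrors the staging one exactly, which is fine for consistency, but it is the hunk that changes the trust model for operators: once `httpChallenge` is guarded out here, the credentials behind `provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}` validate every production certificate rather than only wildcards, and there is no HTTP-01 fallback. Add a comment in the template (and a line in the README) that the DNS API token should be scoped to the zones this proxy serves and that a missing or misconfigured token now blocks all issuance, so a failed deploy with DNS challenges enabled should be checked against the resolver's ACME log before anything else.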