feat: disable httpChallenge when DNS challenge is configured (#112 )

As documented in the README's "Configuring wildcard SSL using DNS" section, the necessary pieces for DNS-01 ACME challenges to work are already baked into Traefik's recipe, though they were originally considered for provisioning wildcard certificates. Furthermore, in environments where the server is not exposed to the internet, the default HTTP-01 challenge mechanism doesn't work, so, taking advantage of this alternative method makes complete sense. This change causes ACME validations to be done always using DNS when LETS_ENCRYPT_DNS_CHALLENGE_ENABLED is active. Without it, for standard certificate requests Traefik uses the HTTP-01 challenge method, which doesn't work in servers behind a firewall. We should amend the related section in the [operators handbook](https://docs.coopcloud.tech/operators/handbook/#running-an-offline-coop-cloud-server) to make a not about the possibility of using DNS challenges in those scenarios as well. * [x] I have deployed and tested my changes I tested this with both a server "exposed" to the internet and one behind a firewall. The first one continued to use the HTTP-01 challenge because no DNS-related settings were added to it, and the second one was successfully able to provision certificates (even though it's only reachable within the LAN). * [x] I have [updated relevant versions in `abra.sh`](https://docs.coopcloud.tech/maintainers/upgrade/#updating-versions-in-the-abrash) * [x] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes) Reviewed-on: #112 Co-authored-by: Luis Barrueco <yo@luisb.xyz> Co-committed-by: Luis Barrueco <yo@luisb.xyz>
2026-06-19 12:56:52 +00:00
4 changed files with 13 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -32,15 +32,16 @@
 3. Insert the secret: `abra app secret insert <domain> usersfile v1 -f usersfile
 4. Redploy your app: `abra app deploy -f <domain>`

-## Configuring wildcard SSL using DNS
+## Configuring SSL using DNS

-Automatic certificate generation will Just Work™ for most recipes  which use a fixed
-number of subdomains. For some recipes which need to work across arbitrary
+Automatic certificate generation will Just Work™ for most recipes which use a
+fixed number of subdomains. If your server can't be reached from the Internet,
+or if you're deploying a recipe that needs to work across arbitrary
 subdomains, like
 [`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and
-[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll
-need to give Traefik access to your DNS provider so that it can carry out
-Letsencrypt DNS challenges.
+[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) (requiring
+the use of wildcard certificates,) you can give Traefik access to your DNS provider
+so that it can carry out Letsencrypt DNS challenges.

 1. Use Gandi, OVH, DO, Azure, or PorkBun for DNS 🤡 (support for other providers
   can be easily added, see
--- a/abra.sh
+++ b/abra.sh
@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v30
+export TRAEFIK_YML_VERSION=v31
 export FILE_PROVIDER_YML_VERSION=v12
 export ENTRYPOINT_VERSION=v5
--- a/release/next
+++ b/release/next
@ -0,0 +1 @@
+letsencrypt: Avoid HTTP-01 challenge if `LETS_ENCRYPT_DNS_CHALLENGE_ENABLED` is set, in order to rely on DNS-01 challenges for servers not exposed to the internet.
--- a/traefik.yml.tmpl
+++ b/traefik.yml.tmpl
@ -127,8 +127,10 @@ certificatesResolvers:
      email: {{ env "LETS_ENCRYPT_EMAIL" }}
      storage: /etc/letsencrypt/staging-acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
+      {{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
      httpChallenge:
        entryPoint: web
+      {{- end }}
      {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
      dnsChallenge:
        provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
@ -140,8 +142,10 @@ certificatesResolvers:
    acme:
      email: {{ env "LETS_ENCRYPT_EMAIL" }}
      storage: /etc/letsencrypt/production-acme.json
+      {{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
      httpChallenge:
        entryPoint: web
+      {{- end }}
      {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
      dnsChallenge:
        provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
				`@ -0,0 +1 @@`
				letsencrypt: Avoid HTTP-01 challenge if `LETS_ENCRYPT_DNS_CHALLENGE_ENABLED` is set, in order to rely on DNS-01 challenges for servers not exposed to the internet.