feat: disable httpChallenge when DNS challenge is configured #112

Merged
decentral1se merged 2 commits from luisb/traefik:feat/favor-LE-dns-challenge-if-enabled into master 2026-06-19 12:56:54 +00:00
Contributor

As documented in the README's "Configuring wildcard SSL using DNS"
section, the necessary pieces for DNS-01 ACME challenges to work are
already baked into Traefik's recipe, though they were originally
considered for provisioning wildcard certificates. Furthermore, in
environments where the server is not exposed to the internet, the
default HTTP-01 challenge mechanism doesn't work, so, taking advantage
of this alternative method makes complete sense.

This change causes ACME validations to be done always using DNS when
LETS_ENCRYPT_DNS_CHALLENGE_ENABLED is active. Without it, for standard
certificate requests Traefik uses the HTTP-01 challenge method, which
doesn't work in servers behind a firewall.

We should amend the related section in the
[operators handbook](https://docs.coopcloud.tech/operators/handbook/#running-an-offline-coop-cloud-server)
to make a note about the possibility of using DNS challenges in those
scenarios as well.

  • [x] I have deployed and tested my changes
    I tested this with both a server "exposed" to the internet and one behind a firewall. The first one continued to use the HTTP-01 challenge because no DNS-related settings were added to it, and the second one was successfully able to provision certificates (even though it's only reachable within the LAN).
  • [x] I have [updated relevant versions in `abra.sh`](https://docs.coopcloud.tech/maintainers/upgrade/#updating-versions-in-the-abrash)
  • [x] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes)
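The behaviour this PR describes, as an added illustration rather than the recipe's own entrypoint code: a POSIX shell function that emits Traefik v2 certificate-resolver flags and configures HTTP-01 only when LETS_ENCRYPT_DNS_CHALLENGE_ENABLED is not active, plus a check that a generated flag set never carries both challenge types. The resolver name `production` and the provider/resolvers parameters are assumptions; the flag names are Traefik's documented static-configuration CLI flags.

```shell
#!/bin/sh
# Added example, not the traefik recipe's code. Derives Traefik's ACME
# challenge flags so that HTTP-01 is configured only when the DNS-01
# challenge is not enabled (the point of this PR). Resolver name
# "production" and the provider/resolvers arguments are assumptions.

# Print flags one per line.
#   $1 = value of LETS_ENCRYPT_DNS_CHALLENGE_ENABLED ("1"/"true"/"yes" = active)
#   $2 = lego DNS provider id (required when DNS-01 is active)
#   $3 = optional comma-separated DNS resolvers used for propagation checks
acme_challenge_flags() {
  dns_enabled="$1"; provider="$2"; resolvers="$3"
  case "$dns_enabled" in
    1|true|yes)
      # Offline / firewalled server: DNS-01 needs no inbound port 80.
      [ -n "$provider" ] || { echo "DNS challenge enabled but no provider set" >&2; return 1; }
      echo "--certificatesresolvers.production.acme.dnschallenge=true"
      echo "--certificatesresolvers.production.acme.dnschallenge.provider=$provider"
      [ -z "$resolvers" ] || echo "--certificatesresolvers.production.acme.dnschallenge.resolvers=$resolvers"
      ;;
    *)
      # Server reachable on port 80 from the internet: keep HTTP-01 on "web".
      echo "--certificatesresolvers.production.acme.httpchallenge=true"
      echo "--certificatesresolvers.production.acme.httpchallenge.entrypoint=web"
      ;;
  esac
}

# Consistency check for a generated flag set (one argument, newline-separated):
# returns 0 when exactly one challenge type is configured, 1 otherwise.
check_single_challenge() {
  flags="$1"; n=0
  echo "$flags" | grep -q 'acme\.dnschallenge=true'  && n=$((n + 1))
  echo "$flags" | grep -q 'acme\.httpchallenge=true' && n=$((n + 1))
  [ "$n" -eq 1 ]
}
```

Run `acme_challenge_flags "$LETS_ENCRYPT_DNS_CHALLENGE_ENABLED" "$PROVIDER"` and pipe the check over the result before handing the flags to the traefik binary.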
luisb added 2 commits 2026-06-16 16:28:49 +00:00
As documented in the README's "Configuring wildcard SSL using DNS"
section, the necessary pieces for DNS-01 ACME challenges to work are
already baked into Traefik's recipe, though they were originally
considered for provisioning wildcard certificates. Furthermore, in
environments where the server is not exposed to the internet, the
default HTTP-01 challenge mechanism doesn't work, so taking advantage
of this alternative method makes complete sense.

This change causes ACME validations to be done always using DNS when
LETS_ENCRYPT_DNS_CHALLENGE_ENABLED is active. Without it, for standard
certificate requests Traefik uses the HTTP-01 challenge method, which
doesn't work in servers behind a firewall.

We should amend the related section in the
[operators handbook](https://docs.coopcloud.tech/operators/handbook/#running-an-offline-coop-cloud-server)
to make a note about the possibility of using DNS challenges in those
scenarios as well.
chore: add next release info for LE DNS-01 related changes
Some checks failed
continuous-integration/drone/pr Build is failing
73832b8833
luisb requested review from decentral1se 2026-06-16 16:28:50 +00:00
luisb requested review from fauno 2026-06-16 16:28:50 +00:00
decentral1se reviewed 2026-06-16 17:42:39 +00:00
decentral1se left a comment
Owner

Nice, it looks good to me. I think @fauno will have to judge it. I have no way of testing this myself. Can merge if people have confidence in it 1) working 2) not breaking other peoples shit 🙃. Thanks for the work!

Owner

looks good!

fauno approved these changes 2026-06-16 22:39:10 +00:00
decentral1se merged commit b39bb5adaf into master 2026-06-19 12:56:54 +00:00