As documented in the README's "Configuring wildcard SSL using DNS"
section, the necessary pieces for DNS-01 ACME challenges to work are
already baked into Traefik's recipe, though they were originally
considered for provisioning wildcard certificates. Furthermore, in
environments where the server is not exposed to the internet, the
default HTTP-01 challenge mechanism doesn't work, so, taking advantage
of this alternative method makes complete sense.
This change causes ACME validations to be done always using DNS when
LETS_ENCRYPT_DNS_CHALLENGE_ENABLED is active. Without it, for standard
certificate requests Traefik uses the HTTP-01 challenge method, which
doesn't work in servers behind a firewall.
We should amend the related section in the [operators handbook](https://docs.coopcloud.tech/operators/handbook/#running-an-offline-coop-cloud-server)
to make a not about the possibility of using DNS challenges in those
scenarios as well.
* [x] I have deployed and tested my changes
I tested this with both a server "exposed" to the internet and one behind a firewall. The first one continued to use the HTTP-01 challenge because no DNS-related settings were added to it, and the second one was successfully able to provision certificates (even though it's only reachable within the LAN).
* [x] I have [updated relevant versions in `abra.sh`](https://docs.coopcloud.tech/maintainers/upgrade/#updating-versions-in-the-abrash)
* [x] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes)
Reviewed-on: coop-cloud/traefik#112
Co-authored-by: Luis Barrueco <yo@luisb.xyz>
Co-committed-by: Luis Barrueco <yo@luisb.xyz>
By default, swarm services use ingress mode port publishing, which is
not ideal for traefik (it breaks IPv6 ingress and there is no need to
load-balance traffic between multiple traefik instances or to route it
from multiple swarm nodes)
This PR switches traefik's port publishing mode to `host` for all of
its exposed ports as well as:
* change traefik's update order to stop-first (there cannot be multiple
containers exposing the same port when using host-mode publishing)
* use `endpoint_mode: dnsrr` instead of the default `vip`
* remove all overrides from `compose.host.yml`, leaving the file empty
for backwards compatibility
/!\ This is a breaking change
Closes: #52
* [x] I have deployed and tested my changes
* [x] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes)
Reviewed-on: coop-cloud/traefik#88
Reviewed-by: p4u1 <p4u1@noreply.git.coopcloud.tech>
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>
Co-authored-by: mirsal <mirsal@mirsal.fr>
Co-committed-by: mirsal <mirsal@mirsal.fr>
luisb
moritz
decentral1se
dannygroenewegen
p4u1
mirsal
Raghav
ammaratef45
marlon