Traefik Series Part 2 | Using Let’s Encrypt DNS-01 Challenge with Cloudflare
You can find a free version of this post here: https://svenvg.com/posts/traefik-essentials-reverse-proxy-with-docker-lets-encrypt/
Traefik uses the HTTP-01 challenge by default to complete the Let's Encrypt process. Another option is the DNS-01 challenge.
In this article we will set up the DNS-01 challenge with Cloudflare for Let's Encrypt.
Differences HTTP vs DNS
HTTP-01
The HTTP-01 challenge is the most common method for domain validation used by Let’s Encrypt. Here’s a summary of the process and its key points:
Process:
- Token Generation: Let’s Encrypt provides a token to your ACME client.
- File Placement: The ACME client places a file containing the token and an account key thumbprint on your web server at `http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>`.
- Validation Attempt: Let’s Encrypt attempts to retrieve the file from your web server to verify it.
- Outcome: If Let’s Encrypt successfully retrieves and verifies the file, validation is successful, allowing certificate issuance. If it fails, a new certificate request is needed.
DNS-01
The DNS-01 challenge is a method for proving domain control by adding a specific value to a TXT record in your DNS settings. Here's a summary of its process and key points:
Process:
- Token Generation: Let’s Encrypt provides a token to your ACME client.
- TXT Record Creation: Your ACME client creates a TXT record from the token and your account key, placing it at `_acme-challenge.<YOUR_DOMAIN>`.
- DNS Query: Let’s Encrypt queries the DNS system for this TXT record.
- Outcome: If the correct record is found, you can proceed to issue a certificate.
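To make concrete what the two challenge types actually publish, here is an added example (not code from the original post, nor from Traefik or the lego library it uses) that derives the HTTP-01 key authorization and the DNS-01 TXT value from a token and the account key's RFC 7638 thumbprint, using only the Python standard library. The EC public key and token are public example values, not secrets, and the `txt_record_matches` function is a hypothetical helper that mirrors the comparison the CA performs after querying DNS.

```python
"""Challenge values for HTTP-01 and DNS-01 as defined in RFC 8555 section 8.3 and 8.4.

Added example, not code from the original post or from Traefik/lego. It shows
what the ACME client derives from the token and the account key: the key
authorization served at /.well-known/acme-challenge/<token> for HTTP-01, and
the digest placed in the _acme-challenge.<domain> TXT record for DNS-01.
The EC JWK and token below are public example values, not secrets."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sha256_b64url(data: bytes) -> str:
    """base64url(SHA-256(data)), the building block of both challenge values."""
    return b64url(hashlib.sha256(data).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account public key: SHA-256 over only the
    required members, serialised with sorted keys and no whitespace.
    Extra members such as "kid" or "use" are deliberately ignored."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return sha256_b64url(canonical.encode("utf-8"))


def key_authorization(token: str, thumbprint: str) -> str:
    """HTTP-01: the exact body served at http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """DNS-01: the value of the TXT record at _acme-challenge.<domain>,
    base64url(SHA-256(key authorization)). Only the digest is published,
    so neither the token nor the thumbprint itself appears in DNS."""
    return sha256_b64url(key_authorization(token, thumbprint).encode("ascii"))


def txt_record_matches(published: str, token: str, thumbprint: str) -> bool:
    """Hypothetical helper: the check the CA performs after querying DNS
    (surrounding quotes as printed by dig are tolerated)."""
    return published.strip('"') == dns01_txt_value(token, thumbprint)


if __name__ == "__main__":
    # Sample account key (public part only) and token: example values from the
    # JOSE/ACME RFC test vectors, not a key anyone should reuse.
    sample_jwk = {"kty": "EC", "crv": "P-256",
                  "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
                  "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
                  "kid": "https://example.invalid/acme/acct/1"}  # ignored by the thumbprint
    thumb = jwk_thumbprint(sample_jwk)
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    print("account thumbprint :", thumb)
    print("HTTP-01 body       :", key_authorization(token, thumb))
    print("DNS-01 TXT value   :", dns01_txt_value(token, thumb))
```

Running it shows why DNS-01 is attractive for hosts that are not reachable on port 80: nothing has to be served, and the only thing that leaves your infrastructure is a one-way digest bound to your account key. With Traefik's `cloudflare` provider, that TXT record is created and removed through the Cloudflare API token configured later in this post, so the scope of that token is what bounds the blast radius if it leaks.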
Let's get started!
If you need to set up Traefik from the beginning, check here.
Cloudflare API
First we need to create the required API key with Cloudflare.
Go to the API page and log in with your Cloudflare account.
Create an API key via the link above.
- Select Create Token
- Select the template Edit zone DNS
- Make sure that Permissions is set to Zone / DNS / Edit
- Under Zone Resources you can select which domain the API key will be used for
- Select Continue to summary.
- Review the token summary. Select Edit token to make adjustments. You can also edit a token after creation.
- Select Create Token to generate the token's secret.
Save this API key. We will need it later on.
Docker
In order to pass the API credentials to the Traefik container, we need to add the environment variables below to the docker-compose.yml for Traefik:

```yaml
environment:
  - CF_API_EMAIL=${CF_API_EMAIL}
  - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
```

Create a .env file in the same directory as your docker-compose.yml:

```shell
nano .env
```

In this .env file place the following content:

```
CF_API_EMAIL=<Your cloudflare email>
CF_DNS_API_TOKEN=<Your API Token>
```

Traefik Configuration
In your traefik.yml config file, remove the httpChallenge part and add the dnsChallenge.
Full traefik.yml:

```yaml
api:
  dashboard: true # Optional, can be disabled
  insecure: true # Optional, can be disabled; true serves the API and dashboard unauthenticated on port 8080
  debug: false # Optional, can be enabled if needed for troubleshooting
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
serversTransport:
  insecureSkipVerify: true # Traefik will not verify the TLS certificates of your backends
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: frontend # Optional; only use the "frontend" Docker network, even if containers are on multiple networks.
certificatesResolvers:
  letencrypt:
    acme:
      email: youremail@email.com
      storage: /certs/acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 10 # Optional: wait x seconds before checking with the DNS server
```

We will need to recreate the container for the environment variables to be picked up:

```shell
docker compose up -d --force-recreate
```

That's it! When Traefik needs a certificate it will create a TXT record in your DNS zone using the API and remove it when the validation is completed.
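Before recreating the container, it is worth catching the mistakes that make Traefik fall back to its self-signed default certificate. The following added example (not code from the original post, Traefik or lego) checks the three artefacts this post creates: placeholder values left in `.env`, a `.env` or `acme.json` readable by group/other (Traefik refuses an `acme.json` that is not restricted to its owner), an `httpChallenge` block still present in `traefik.yml`, and `api.insecure` left on. The YAML checks are plain regular expressions that assume the layout shown above; the `CF_API_KEY` variable (the Global API Key supported by the lego Cloudflare provider) and the `/client/v4/user/tokens/verify` endpoint come from Cloudflare's and lego's documentation, and the sample `.env` and `traefik.yml` strings in the main block are constructed.

```python
"""Pre-flight checks for the Traefik + Cloudflare DNS-01 setup (added example)."""
import json
import os
import re
import stat
import urllib.request

PLACEHOLDER = re.compile(r"^<.*>$")  # "<Your API Token>" left in place
REQUIRED_ENV = ("CF_API_EMAIL", "CF_DNS_API_TOKEN")


def parse_env(text: str) -> dict:
    """Minimal KEY=VALUE parser for a docker compose style .env file."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values


def check_env_values(values: dict) -> list:
    """Report missing, empty or placeholder credentials, and the over-privileged Global API Key."""
    findings = []
    for key in REQUIRED_ENV:
        if not values.get(key):
            findings.append(f".env: {key} is missing or empty")
        elif PLACEHOLDER.match(values[key]):
            findings.append(f".env: {key} still contains the placeholder from the article")
    # CF_API_KEY is the Global API Key (full account access); the post
    # deliberately uses a zone-scoped CF_DNS_API_TOKEN instead.
    if "CF_API_KEY" in values:
        findings.append(".env: CF_API_KEY (Global API Key) present; prefer the scoped CF_DNS_API_TOKEN")
    return findings


def check_mode(mode: int, label: str) -> list:
    """Flag group/other permission bits (the same rule Traefik applies to acme.json)."""
    perm = stat.S_IMODE(mode)
    if perm & 0o077:
        return [f"{label}: mode {perm:04o} grants group/other access; use 600"]
    return []


def check_traefik_yml(text: str) -> list:
    """Regex checks (no PyYAML needed); assumes the key layout used in the post."""
    findings = []
    if re.search(r"^\s*httpChallenge\s*:", text, re.M):
        findings.append("traefik.yml: httpChallenge is still configured; remove it")
    if not re.search(r"^\s*dnsChallenge\s*:", text, re.M):
        findings.append("traefik.yml: dnsChallenge block is missing")
    if not re.search(r"^\s*provider\s*:\s*cloudflare\s*(#.*)?$", text, re.M):
        findings.append("traefik.yml: dnsChallenge provider is not cloudflare")
    if re.search(r"^\s*insecure\s*:\s*true", text, re.M):
        findings.append("traefik.yml: api.insecure=true exposes the dashboard without authentication on :8080")
    return findings


def verify_token_online(token: str) -> bool:
    """Optional network check: ask Cloudflare whether the token is valid and active."""
    req = urllib.request.Request(
        "https://api.cloudflare.com/client/v4/user/tokens/verify",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = json.load(resp)
    return body.get("success") is True and body.get("result", {}).get("status") == "active"


def run_on_disk(env_path: str, traefik_path: str, acme_path: str) -> list:
    """Run every offline check against real files (acme.json may not exist yet)."""
    findings = []
    with open(env_path) as f:
        findings += check_env_values(parse_env(f.read()))
    findings += check_mode(os.stat(env_path).st_mode, env_path)
    with open(traefik_path) as f:
        findings += check_traefik_yml(f.read())
    if os.path.exists(acme_path):
        findings += check_mode(os.stat(acme_path).st_mode, acme_path)
    return findings


if __name__ == "__main__":
    # Constructed samples: a .env with one placeholder left in, a minimal traefik.yml, a 644 file.
    sample_env = "CF_API_EMAIL=admin@example.invalid\nCF_DNS_API_TOKEN=<Your API Token>\n"
    sample_yml = ("certificatesResolvers:\n  letencrypt:\n    acme:\n"
                  "      dnsChallenge:\n        provider: cloudflare\n")
    for finding in (check_env_values(parse_env(sample_env))
                    + check_traefik_yml(sample_yml) + check_mode(0o100644, ".env")):
        print("FINDING:", finding)
```

`run_on_disk(".env", "traefik.yml", "certs/acme.json")` is the call to make from the directory holding your compose file; `verify_token_online` is kept separate because it needs network access and sends the token to Cloudflare, which you only want to do deliberately.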