Open mabeltron opened 1 year ago
The Traefik Ansible role allows for some customizability, so should you wish to use DNS validation for ACME, you can do it.
Feel free to update the docs with details about your experience.
I've encountered the issue.
You can configure traefik to use the DNS validation for Let's Encrypt using the following configuration in your `vars.yml`:

```yaml
# I need a DNS acme challenge, not the default http(s) one / this overrides the default ACME
# configuration without having to disable it, since disabling it would have a wide range of side effects
devture_traefik_configuration_extension_yaml: |
  certificatesResolvers:
    default:
      acme:
        # Uncomment to test against the staging CA first (no rate limits, untrusted certs)
        # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
        email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }}
        dnsChallenge:
          provider: cloudflare
          # Public resolvers used to check that the _acme-challenge TXT record has propagated
          resolvers:
            - "1.1.1.1:53"
            - "8.8.8.8:53"
        storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }}

# Configure the environment variables needed by traefik to automate the ACME DNS challenge
devture_traefik_environment_variables: |
  CF_API_EMAIL=redacted
  CF_ZONE_API_TOKEN=redacted
  CF_DNS_API_TOKEN=redacted
  LEGO_DISABLE_CNAME_SUPPORT=true
```
This example is for cloudflare as it is where my DNS zone is managed.
The list of supported providers is available here: https://doc.traefik.io/traefik/https/acme/#providers
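As an added pre-flight check (example code, not part of the original issue or of the Ansible role), the script below parses the `KEY=VALUE` lines that go into `devture_traefik_environment_variables` and verifies, for the `cloudflare` provider, that a complete credential set is present, that no value is still a placeholder, and that the scoped `CF_DNS_API_TOKEN` is used rather than the account-wide `CF_API_KEY`. The variable names are the ones Traefik/lego document for Cloudflare; the sample env block is constructed for the demonstration.

```python
"""Pre-flight check for the Traefik ACME dnsChallenge environment block.

Added example, not code from the issue or the Ansible role. It checks the
Cloudflare credential variables before the playbook is run, so that a
missing or placeholder token is caught before Traefik fails to obtain a
certificate and takes dependent services (e.g. coturn) down with it.
"""

from typing import Dict, List

# Credential sets lego accepts for the "cloudflare" provider (per Traefik docs):
# either the account-wide global API key plus e-mail, or a scoped DNS token
# (optionally paired with a separate zone-read token).
GLOBAL_KEY_SET = ("CF_API_EMAIL", "CF_API_KEY")
SCOPED_TOKEN_SET = ("CF_DNS_API_TOKEN",)

# Values that indicate the secret was never filled in.
PLACEHOLDER_VALUES = {"", "redacted", "changeme", "todo", "xxx"}


def parse_env_block(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and # comments are ignored."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"not a KEY=VALUE line: {line!r}")
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def check_cloudflare_credentials(env: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the block looks usable."""
    findings: List[str] = []
    has_scoped = all(k in env for k in SCOPED_TOKEN_SET)
    has_global = all(k in env for k in GLOBAL_KEY_SET)

    if not (has_scoped or has_global):
        findings.append(
            "no complete Cloudflare credential set: need CF_DNS_API_TOKEN "
            "or CF_API_EMAIL + CF_API_KEY"
        )
    if has_global and not has_scoped:
        # The global key grants every permission on the account; a token
        # scoped to Zone:DNS:Edit on the one zone is the least-privilege choice.
        findings.append(
            "CF_API_KEY is the account-wide global key; prefer a scoped CF_DNS_API_TOKEN"
        )

    for key in ("CF_API_EMAIL", "CF_API_KEY", "CF_DNS_API_TOKEN", "CF_ZONE_API_TOKEN"):
        if key in env and env[key].lower() in PLACEHOLDER_VALUES:
            findings.append(f"{key} still holds a placeholder value")

    if env.get("LEGO_DISABLE_CNAME_SUPPORT", "").lower() not in {"", "true", "false"}:
        findings.append("LEGO_DISABLE_CNAME_SUPPORT must be true or false")
    return findings


# Constructed sample, mirroring the shape of the block posted above.
SAMPLE_ENV_BLOCK = """\
CF_API_EMAIL=admin@example.com
CF_ZONE_API_TOKEN=redacted
CF_DNS_API_TOKEN=redacted
LEGO_DISABLE_CNAME_SUPPORT=true
"""


def run_check(text: str = SAMPLE_ENV_BLOCK) -> List[str]:
    """Parse and check one env block; returns the findings list."""
    return check_cloudflare_credentials(parse_env_block(text))


if __name__ == "__main__":
    for finding in run_check() or ["ok: Cloudflare dnsChallenge credentials look complete"]:
        print(finding)
```

Run it against the real block before `ansible-playbook`; on the redacted sample it reports the two placeholder tokens. The `resolvers` list in the YAML should likewise point at public recursive resolvers, as in the example above, so that the propagation check is not answered by an internal split-horizon DNS that never sees the `_acme-challenge` record.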
@sidewinder94 Thanks, I knew it would be around somewhere, I'm not that familiar with Traefik so that is perfect for what I need.
**Is your feature request related to a problem? Please describe.**
The playbook expects traefik to be able to make certbot certificate requests using http-01, where traefik exposes a .well-known URI for authorisation by LetsEncrypt. Matrix servers that are behind reverse proxies cannot necessarily request certbot certificates in this way as this would require exposing the traefik instance to an external network.

**Describe the solution you'd like**
Certbot dns-01 is supported by traefik and uses DNS services to authenticate certificate requests:

**Describe alternatives you've considered**
Adding a traefik config to use dns-01 in my installation or being able to configure another ACME client such as acme.sh.

**Additional context**
If traefik fails to retrieve an SSL certificate, other dependencies fail, specifically matrix-coturn, and the system does not initialise correctly. Attempting to run traefik without ssl also seems to have issues, and it would be desirable to encrypt traffic between a proxy and the server.