Since nobody has responded to the ACME / Let's Encrypt part of the question yet, I'll chime in: I also use Traefik as a reverse proxy (and an ACME client), one unified instance per machine. (There are some exceptions, like for Mailu that requires its own nginx reverse proxy.) But for Let's Encrypt, I recently switched from the TLS challenge to the DNS challenge. That required switching my DNS server from CoreDNS to PowerDNS, but thus far it seems totally worth it. Now I can easily get TLS certs for servers on my private network at home without opening them up to the internet for HTTP/TLS challenges.
this post was submitted on 20 Jul 2023
20 points (91.7% liked)
Selfhosted
39273 readers
203 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 1 year ago
MODERATORS
Can you expand on more detail on how your TLS certs work? Looking to do similar.
I am just running the normal nginx image with /etc/letsencrypt:/etc/ssl/private as volume. certbot does the rest. If you need help with the exact config just search for relevant keywords, there are tons of good tutorials
Here's an overview of the Let's Encrypt DNS challenge type in case you haven't seen it: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
Basically, when Traefik goes to request or renew a certificate, Let's Encrypt tries to look up a special DNS record on your domain so you can prove that the request for the certificate is legit. To make that work, Traefik first hits your DNS provider via API and temporarily inserts that special record so it's there when Let's Encrypt performs the lookup for it. In my particular case, I'm using self-hosted PowerDNS and it's built-in API (configured to only respond via a Wireguard tunnel). But you don't have to self-host DNS for this to work.. Traefik has a long list of supported providers: https://doc.traefik.io/traefik/https/acme/#dnschallenge
Oh this look great, thanks!
So there is no port forwarding needed? Works behind CG-NAT?
No port forwarding needed and works behind CG-NAT—assuming your DNS server is hosted elsewhere.
That's great!
I use a single unified traefik to front all of my services, no matter how they ship. Despite the slight overhead, it's closer to a truly idempotent architecture. I've unfortunately had to test that twice now in my selfhosting career.
Traefik is very solid and I've had very few issues with it I didn't self inflict. Documentation is very thorough.
I also run Traefik and it never stutters. But getting it set up at ALL was a chore. I tried four times and failed. Each time I spent several days full time on it. It's not that I skipped the docs, I actually am a RTFM kinda guy. But too much was implied in the docs and I never really felt like I knew why I was doing stuff. At least for me it was harder to set up than Nextcloud, Jellyfin, Gitea, Resilio and Vaultwarden COMBINED.
Some settings only work in a static config file, others in a "dynamic" config file and then there is container-specific labels too. It all needs to fit in with each other and error mesages were of course hidden away in docker logs. You can attach labels to containers with and without escaping them, and choosing wrong sends you down several rabbit holes at once. The config structure is probably intuitive to Go devs, but that really ain't me. Oh, there's also 3 different but equal formats for conf files too.
I read countless guides and it finally worked on attempt 5. All just because I liked the autoconf for all containers. I could have been done with reverse proxies within a day had I just chosen a different one.
Now I am even debating wether I should keep it at all, because I'd rather not mount the docker sock into my reverse proxy, the one software that ultimately connects to the web directly.
view more: next ›