disable acme on traefik
Not great, but cloudflare was not liking my DNS config.
the issue was a TXT/SPF record on bb8.fun
Since *.bb8.fun CNAMEs to bb8.fun
_acme-challenge.bb8.fun TXT resolves to the same
records as TXT bb8.fun, and that means any rogue
TXT records (such as TXT/spf) end up
breaking renewal.
since I'm anyway renewing some of my other certs manually,
this just sets up *.bb8.fun as another manual cert for now
docker/traefik.tf | 34 ++++++++++++++++++++--------------
docker/conf/traefik.toml | 37 +++++++------------------------------
2 files changed, 19 insertions(+), 52 deletions(-)
@@ -1,23 +1,7 @@
resource "docker_container" "traefik" {
name = "traefik"
image = docker_image.traefik17.image_id
labels {
label = "traefik.enable"
value = "true"
}
labels {
label = "traefik.http.routers.api.rule"
value = "Host('traefik.in.bb8.fun')"
}
labels {
label = "traefik.http.routers.api.service"
value = "api@internal"
}
ports {
internal = 80
@@ -74,6 +58,20 @@
"/home/nemo/projects/personal/certs/tatooine.club/privkey.pem",
)
file = "/etc/traefik/tatooine.club.key"
}
upload {
content = file(
"/home/nemo/.acme.sh/*.bb8.fun_ecc/*.bb8.fun.key",
)
file = "/etc/traefik/star.bb8.fun.key"
}
upload {
content = file(
"/home/nemo/.acme.sh/*.bb8.fun_ecc/fullchain.cer",
)
file = "/etc/traefik/star.bb8.fun.crt"
}
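Review bot: The private key read by `file("/home/nemo/.acme.sh/*.bb8.fun_ecc/*.bb8.fun.key")` in the new `upload` block is passed as the `content` argument, so the key material is written in plaintext into the Terraform state and shown in plan output, the same way the existing tatooine.club.key upload above it already is. If that state is ever stored or shared beyond this host it should be treated as secret; a comment above the block such as `# NOTE: content is read at plan time and persisted in Terraform state` would make that visible to the next reader. Because `file()` is evaluated at plan time, a renewal by acme.sh on the host does not reach the container until the next apply, which matters now that this cert is tracked manually. The enclosing `docker_container` resource starts and ends outside this hunk.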
@@ -118,8 +116,4 @@
name = "bridge"
}
env = [
"CLOUDFLARE_EMAIL=${var.cloudflare_email}",
"CLOUDFLARE_API_KEY=${var.cloudflare_key}",
]
}
@@ -6,11 +6,16 @@
[accessLog]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/etc/traefik/star.bb8.fun.crt"
keyFile = "/etc/traefik/star.bb8.fun.key"
[[entryPoints.https.tls.certificates]]
certFile = "/etc/traefik/git.captnemo.in.crt"
keyFile = "/etc/traefik/git.captnemo.in.key"
[[entryPoints.https.tls.certificates]]
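Review bot: The added certificate entry with `certFile = "/etc/traefik/star.bb8.fun.crt"` replaces the removed `[[acme.domains]] main = "*.bb8.fun"`, but the second removed domain, `main = "*.in.bb8.fun"` in the last hunk, has no counterpart in the new `[[entryPoints.https.tls.certificates]]` list. A wildcard matches only one label, so a host like `traefik.in.bb8.fun` (the router rule in the traefik.tf hunk) will not match this certificate unless the manually issued cert also carries a SAN for `*.in.bb8.fun`; if it does not, Traefik will presumably fall back to its default certificate for those hosts. Either add a second certificate entry for that zone or record the coverage in a comment above the entry, e.g. `# manual acme.sh cert; must carry SAN *.in.bb8.fun as well`. Also, the `storage = "/acme/acme.json"` store removed in the last hunk is not cleaned up by this change, so the old ACME account key and previously issued certificates stay on that volume unless removed deliberately.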
@@ -21,7 +26,6 @@
keyFile = "/etc/traefik/tatooine.club.key"
[docker]
@@ -32,37 +36,6 @@
[file]
[backends]
[web]
address = ":1111"
readOnly = true
[web.metrics.prometheus]
[acme]
email = "acme@captnemo.in"
storage = "/acme/acme.json"
entryPoint = "https"
onHostRule = false
onDemand = false
acmelogging = true
[acme.httpChallenge]
entryPoint = "http"
[acme.dnsChallenge]
provider = "cloudflare"
delayBeforeCheck = 120
resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
[[acme.domains]]
main = "*.bb8.fun"
[[acme.domains]]
main = "*.in.bb8.fun"