
traefik DNS-01 challenge support #6423

Open
5 tasks
abdulbasetbasher opened this issue Jan 12, 2024 · 4 comments

Comments

@abdulbasetbasher

abdulbasetbasher commented Jan 12, 2024

High Level Plan

  • Add a challenge-mode property to the traefik plugin. The default should be tls, and it should be a global property. Folks can set it to dns to switch to dns-based challenges.
  • Add support for dns-provider-* properties. Example from the letsencrypt plugin here
  • Add support for a global dns-provider property. This should be exposed in the dokku traefik:report output.
  • Update the template to switch challenge modes and set env vars as expected. The dns-provider env vars can be retrieved by PropertyGetAllByPrefix (needs to be implemented in bash since there is only a golang wrapper)
  • Update docs

Description of feature

I was using the DNS challenge with the nginx proxy via dokku-letsencrypt.

When I moved my app to traefik it didn't work, because wildcard certificate generation requires the DNS-01 challenge.

I think the traefik-vhosts template can be edited to support the DNS-01 challenge.

https://doc.traefik.io/traefik/https/acme/#dnschallenge

@josegonzalez
Member

There is a plugin trigger named traefik-template-source that can be used to provide an alternative compose template with your desired config.

That said, do you have a proposal for an alternative method for setting challenge config?

@abdulbasetbasher
Author

abdulbasetbasher commented Jan 12, 2024

Thank you for clarifying.
I'm not an expert in programming, but I think something like this would be helpful to users if they can change a traefik property to enable the DNS challenge:

```
{{ if $.TRAEFIK_LETSENCRYPT_EMAIL }}
      - --certificatesresolvers.leresolver.acme.caserver={{ $.TRAEFIK_LETSENCRYPT_SERVER }}
      - --certificatesresolvers.leresolver.acme.email={{ $.TRAEFIK_LETSENCRYPT_EMAIL }}
      - --certificatesresolvers.leresolver.acme.storage=/data/acme.json
      - --certificatesresolvers.leresolver.acme.tlschallenge=true
{{ end }}
```

to

```
{{ if $.TRAEFIK_LETSENCRYPT_EMAIL }}
      - --certificatesresolvers.leresolver.acme.caserver={{ $.TRAEFIK_LETSENCRYPT_SERVER }}
      - --certificatesresolvers.leresolver.acme.email={{ $.TRAEFIK_LETSENCRYPT_EMAIL }}
      - --certificatesresolvers.leresolver.acme.storage=/data/acme.json
      {{ if $.TRAEFIK_LETSENCRYPT_DNS_ENABLED }}
      - --certificatesresolvers.leresolver.acme.dnschallenge=true
      - --certificatesresolvers.leresolver.acme.dnschallenge.provider={{ $.TRAEFIK_LETSENCRYPT_DNS_PROVIDER }}
      {{ else }}
      - --certificatesresolvers.leresolver.acme.tlschallenge=true
      {{ end }}
{{ end }}
```

Also, a command is needed to add entries to the environment in the compose template.

For example, if dns-provider is set to Cloudflare, the environment should contain these two keys:

```
environment:
      - CLOUDFLARE_EMAIL=CLOUDFLARE_ACCOUNT_EMAIL_ADDRESS
      - CLOUDFLARE_DNS_API_TOKEN=CLOUDFLARE_TOKEN_GOES_HERE
```

The user should be able to add any key to the environment.

see: https://github.com/dokku/dokku-letsencrypt#dns-01-challenge
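The following is an added example, not code from dokku or the traefik plugin, that renders what the high-level plan at the top of the issue and the proposed template above both describe: the resolver flags for the selected challenge mode and the environment entries built from dns-provider-* properties. It assumes the property names from the plan (challenge-mode, dns-provider, dns-provider-<NAME>) and replaces PropertyGetAllByPrefix, which the plan notes does not yet exist in bash, with a stand-in over a constructed property list. The render refuses an unknown challenge mode or a dns mode with no provider, so a misconfiguration fails loudly instead of producing a resolver that never issues certificates, and it lists exactly which credential variables would land in the proxy container, since DNS-01 hands the proxy DNS-provider API credentials that a reviewer will want to see enumerated.

```shell
#!/usr/bin/env bash
# Added example (not dokku's or the traefik plugin's code). Property names
# follow the issue's plan; the property store below is a constructed stand-in.
set -u

# Constructed stand-in for the plugin property store: one key=value per line.
# The token value is a placeholder, not a real credential.
TRAEFIK_PROPERTIES='challenge-mode=dns
dns-provider=cloudflare
dns-provider-CLOUDFLARE_EMAIL=ops@example.invalid
dns-provider-CLOUDFLARE_DNS_API_TOKEN=constructed-token-not-real
letsencrypt-email=ops@example.invalid'

# Stand-in for PropertyGetAllByPrefix (assumed name from the plan): prints the
# key=value lines whose key starts with the given prefix.
property_get_all_by_prefix() {
  prefix="$1"
  printf '%s\n' "$TRAEFIK_PROPERTIES" | grep -- "^${prefix}"
}

# Stand-in for a single-property lookup; prints the value or nothing.
property_get() {
  key="$1"
  printf '%s\n' "$TRAEFIK_PROPERTIES" | sed -n "s/^${key}=//p"
}

# Emit the certificatesresolvers flags for the requested challenge mode.
# Returns 1 and prints nothing on an unknown mode, or on dns mode with no
# provider, so the compose render fails instead of shipping a broken resolver.
render_acme_args() {
  mode="$1"
  provider="${2:-}"
  case "$mode" in
    tls)
      printf '%s\n' '- --certificatesresolvers.leresolver.acme.tlschallenge=true'
      ;;
    dns)
      if [ -z "$provider" ]; then
        echo "challenge-mode=dns requires dns-provider to be set" >&2
        return 1
      fi
      printf '%s\n' '- --certificatesresolvers.leresolver.acme.dnschallenge=true'
      printf '%s%s\n' '- --certificatesresolvers.leresolver.acme.dnschallenge.provider=' "$provider"
      ;;
    *)
      echo "unknown challenge-mode: $mode (expected tls or dns)" >&2
      return 1
      ;;
  esac
}

# Turn dns-provider-<NAME>=<value> properties into compose environment entries.
# Only the suffix after dns-provider- becomes the variable name, so the
# property namespace cannot set unrelated container variables.
render_dns_env() {
  property_get_all_by_prefix 'dns-provider-' | while IFS='=' read -r key value; do
    printf '%s=%s\n' "- ${key#dns-provider-}" "$value"
  done
}

# Number of credential variables that would be injected into the container.
dns_env_count() {
  render_dns_env | wc -l | tr -d ' '
}

# Render the two compose fragments from the constructed property store.
main() {
  mode="$(property_get challenge-mode)"
  provider="$(property_get dns-provider)"
  echo "command:"
  render_acme_args "${mode:-tls}" "$provider" | sed 's/^/  /'
  echo "environment:"
  render_dns_env | sed 's/^/  /'
}

main
```

Running the script prints the two fragments for the constructed store (dns mode with a cloudflare provider and two credential variables); swapping `challenge-mode=dns` for `challenge-mode=tls` in the store yields the tlschallenge flag and an empty environment block.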

@josegonzalez
Member

Is this something you'd be willing to sponsor development on?

@josegonzalez josegonzalez added the estimate: 3h Estimated time: 3 hours label Jan 30, 2024
@josegonzalez
Member

I've been thinking a bit more about this. The traefik implementation isn't so great because some folks might want to use different providers depending on the app, yet you need to reconfigure traefik to add more labels for each provider. The naive approach of using one provider might be fine, but seems fairly limiting.

That said, this is a good candidate for someone wanting to contribute to Dokku (or sponsor the work). I don't use traefik for load balancing (openresty/nginx are the proxies I use) so I won't be working on this actively unless sponsored, but if someone wants to work on it, feel free to ping me on slack/discord and I'll be happy to walk you through it.
