NS8 and DNS-01 wildcard certificates

Does anybody have a guide to setting up the DNS-01 challenge on NS8, and incorporating the resulting certificates into Traefik for HTTPS routing?

I have HTTP-01 working, but it requires that services are exposed to the Internet via HTTP in the first instance, and I have internal services accessed via DNS name that I do not want exposed to the internet.

Searching the forum provides some references to doing this on NS7, but I am unsure about the applicability to NS8.

1 Like

Traefik can obtain certificates through DNS-01, as documented here Let's Encrypt | Traefik | v2.4

Maybe it is possible to edit some .yml file in NS8 Traefik’s configuration. I don’t remember if someone in this forum was successful with it.

Once a solution is found, we can improve the official documentation with it.

Just further to this - I obtained a wildcard certificate (*.mydomain.net) manually, and imported it into Traefik.

This works for added HTTP Routes, but not for mail instances.

The reason is the install-certificates script for mail does not check for a domain wildcard, and only looks for the mail FQDN (i.e. mail.mydomain.net)

From

The relevant section:

redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" key | base64 -d > server.key
redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" cert | base64 -d > server.pem

I am assuming I could replicate the wildcard certificate/key into redis to match the mail hostname, but that would require additional steps when the certificate is updated.

It would be better for the script to check for a wildcard domain match first and use that rather than just checking ${MAIL_HOSTNAME}.

I’ll see if I can figure out some code to do that.

2 Likes

Thank you for investigating this issue. We also have an open bug related to it: Wildcard custom certificates cannot be used for modules configuration · Issue #7004 · NethServer/dev · GitHub

So this is my go at the relevant chunk of code, replacing

redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" key | base64 -d > server.key
redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" cert | base64 -d > server.pem

if [[ $(head -c 5 server.key) != '-----' || $(head -c 5 server.pem) != '-----' ]]; then
    echo "[WARNING] ${service_image} certificate for ${MAIL_HOSTNAME} not found" 1>&2
    exit 2
fi

with

# In the first instance, look for a wildcard domain certificate
# (strip the leftmost label: mail.mydomain.net -> mydomain.net -> *.mydomain.net)
domain=$(echo "${MAIL_HOSTNAME}" | sed -n 's/[^.]*\.//p')
wildcard="*.${domain}"

redis-exec HGET "module/${mtraefik}/certificate/${wildcard}" key | base64 -d > server.key
redis-exec HGET "module/${mtraefik}/certificate/${wildcard}" cert | base64 -d > server.pem
if [[ $(head -c 5 server.key) != '-----' || $(head -c 5 server.pem) != '-----' ]]; then
    # No wildcard entry: fall back to the certificate stored under MAIL_HOSTNAME
    echo "[INFO] ${service_image} wildcard certificate for ${domain} not found" 1>&2
    redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" key | base64 -d > server.key
    redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" cert | base64 -d > server.pem
fi

# Do we have a valid certificate to install?
if [[ $(head -c 5 server.key) != '-----' || $(head -c 5 server.pem) != '-----' ]]; then
    echo "[WARNING] ${service_image} certificate for ${MAIL_HOSTNAME} not found" 1>&2
    exit 2
fi

It installed my wildcard certificate as expected into both dovecot and postfix.

I guess other modules may have a similar script.

3 Likes
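The lookup order proposed in the post above (wildcard entry first, then the mail FQDN), as an added stand-alone example that is not the install-certificates script: Redis is replaced by a constructed mock_hget with two hard-coded names, and wildcard_for shows the one caveat worth remembering, that a wildcard covers only the leftmost label.

```shell
#!/bin/sh
# Added example, not the NS8 install-certificates script: reproduces the
# lookup order from the post (wildcard first, then the mail FQDN) against a
# constructed stand-in for `redis-exec HGET module/<traefik>/certificate/<name> key`.

# Stand-in for HGET: prints a PEM-looking value for the two constructed names
# and, like HGET on a missing field, prints nothing but still exits 0.
mock_hget() {  # $1 = certificate name
    case "$1" in
        '*.mydomain.net'|'mail.example.org') printf '%s\n' '-----BEGIN CERTIFICATE-----' ;;
        *) : ;;
    esac
}

# Same check the script applies to the downloaded files: a PEM starts with '-----'.
looks_like_pem() { [ "$(printf '%s' "$1" | head -c 5)" = '-----' ]; }

# Wildcard name that could cover $1. A wildcard replaces only the leftmost
# label (RFC 6125), so a.b.mydomain.net needs *.b.mydomain.net, not *.mydomain.net.
wildcard_for() {
    case "$1" in
        *.*) printf '*.%s\n' "${1#*.}" ;;
        *)   return 1 ;;   # single label: no wildcard can cover it
    esac
}

# Print the certificate name the installer should fetch for hostname $1;
# exit 2 when neither the wildcard nor the FQDN entry exists.
select_cert_name() {
    wc=$(wildcard_for "$1") && looks_like_pem "$(mock_hget "$wc")" && { printf '%s\n' "$wc"; return 0; }
    looks_like_pem "$(mock_hget "$1")" && { printf '%s\n' "$1"; return 0; }
    echo "[WARNING] certificate for $1 not found" 1>&2
    return 2
}
```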

Hi,

Are there any updates on the following topics?

  • Traefik with the DNS-01 challenge
  • Wildcard domain issues

As there have been no updates on this matter, I manually replaced the certificate files (selfsigned.crt and selfsigned.key) with the wildcard certificate in the following directory:

/home/traefik1/.config/state/

This solution is functioning correctly on all nodes and remains effective even after a reboot.

Note:
I also updated the certificates for Dovecot and Postfix at the following locations:

  • /home/mail1/.local/share/containers/storage/volumes/dovecot-cert/_data/
  • /home/mail1/.local/share/containers/storage/volumes/postfix-cert/_data/
1 Like

I just discovered that this has already been posted previously at the following link:

1 Like

Hi everybody

I was able to retrieve my first test certificate using DNS-01 challenge :grinning: and I hope we can bring this feature a step further.

  1. Log into the traefik module with runagent -m traefik1
  2. Edit traefik.yaml with the help of Let's Encrypt | Traefik | v2.4 by choosing your provider:

defaultEntryPoints:
- http
- https
file: {}
log:
  level: INFO
  noColor: true
accessLog: {}
entryPoints:
  http:
    address: :80
  https:
    address: :443
providers:
  file:
    directory: /etc/traefik/configs
tls:
  certResolver: acmeServer
  options: {}
certificatesResolvers:
  acmeServer:
    acme:
      email: 'homer@springfield.com'
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      storage: /etc/traefik/acme/acme.json
      dnsChallenge:
        provider: infomaniak
        delayBeforeCheck: 3
ping:
  manualRouting: true
api: {}
core:
  defaultRuleSyntax: v3

  3. The trickiest part was to set the environment variable INFOMANIAK_ACCESS_TOKEN for my DNS provider Infomaniak.
     I have added the environment variable for the token to the service ../systemd/user/traefik.service as described here: Custom ACME Server - tls error to server - #6 by Tbaile

--env=INFOMANIAK_ACCESS_TOKEN=<my-token> \

  4. Reload systemd with systemctl --user daemon-reload
  5. Restart traefik service with systemctl --user restart traefik

Finally I was able to create the certificate (I had to increase the default timeout):

[root@test ~]# api-cli run module/traefik1/set-certificate --data '{"fqdn":"test1.mydomain.com", "sync_timeout":120}'
Warning: using user "cluster" credentials from the environment
{"obtained": true}

However, I don’t like the part with editing the service file. Does anybody know a better way?

4 Likes

Hi Ronny, thank you for diving into the DNS-01 challenge!

To avoid modifying the .service unit, the latest update includes a special gift: Install custom CA certificate in Traefik · Issue #7300 · NethServer/dev · GitHub

The solution for issue 7300 is not limited to custom CA certificates. You can pass any environment variable to Traefik with it, including the provider’s token. And this is exactly what we need to make DNS-01 work.

  1. Create a file dns01.env with:
     INFOMANIAK_ACCESS_TOKEN=***

  2. Pass the .env file to Podman:
     runagent -m traefik1 python3 -c 'import agent ; agent.set_env("PODMAN_RUN_OPTS", "--env-file=dns01.env")'

This approach is better than exposing the token in the container command line.

If this works, somebody could write a complete Howto post with detailed steps.

From the API point of view (set-acme-server/get-acme-server), we probably need to handle the DNS-01 challenge beside HTTP-01 and the new default, TLS-ALPN-01.

3 Likes
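An added helper for step 1 above (not NS8 or Traefik module code): it writes the provider token into dns01.env so that only the user creating it (the module user, when run under runagent) can read it, and checks that every line keeps the NAME=value form before the file is handed to Podman. The token value and the temporary path are constructed for the demo.

```shell
#!/bin/sh
# Added example, not NS8 or Traefik module code: write the DNS-01 provider token
# into dns01.env readable only by its owner, then sanity-check the file before
# pointing PODMAN_RUN_OPTS at it.

NL=$(printf '\n '); NL=${NL%?}   # a literal newline, for the value check below

# write_env_file PATH NAME VALUE: creates PATH with mode 0600 (umask applied in a
# subshell so the caller's umask is untouched). Refuses names that are not
# identifiers and values containing a newline, which would become a second line.
write_env_file() {
    case "$2" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac
    case "$3" in *"$NL"*) return 1 ;; esac
    (umask 077 && printf '%s=%s\n' "$2" "$3" > "$1")
}

# Permission string of a file in ls notation, e.g. -rw-------
mode_of() { ls -ld "$1" | cut -c1-10; }

# Every line must be NAME=value, the form used in the post above; an `export`
# prefix or a name with spaces is rejected here, before Podman parses the file.
env_file_is_clean() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *=*) name=${line%%=*} ;;
            *)   return 1 ;;
        esac
        case "$name" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac
    done < "$1"
}

# Constructed demo: temporary directory and placeholder token, not a real credential.
demo() {
    dir=$(mktemp -d) || return 1
    write_env_file "$dir/dns01.env" INFOMANIAK_ACCESS_TOKEN 'constructed-demo-token' || return 1
    env_file_is_clean "$dir/dns01.env" || return 1
    mode_of "$dir/dns01.env"
    # On the node the real file lives in the module's state directory and is registered with:
    #   runagent -m traefik1 python3 -c 'import agent ; agent.set_env("PODMAN_RUN_OPTS", "--env-file=dns01.env")'
    rm -rf "$dir"
}
```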

Hello Davide
You are welcome and thank you for your input! It was fun to dive into new technologies and to provide some information to a great product.

After removing the token from ../systemd/user/traefik.service and following your two steps, I can confirm this is working now:

[traefik1@test state]$ env | grep INFOMANIAK
[traefik1@test state]$ env | grep PODMAN
PODMAN_RUN_OPTS=--env-file=dns01.env
[traefik1@test state]$ systemctl --user daemon-reload
[traefik1@test state]$ systemctl --user restart traefik
[root@test ~]# api-cli run module/traefik1/set-certificate --data '{"fqdn":"test3.mydomain.com", "sync_timeout":120}'
Warning: using user "cluster" credentials from the environment
{"obtained": true}

However, sometimes I ran into a timeout obtaining a certificate and I don’t know why. How can I get more verbose log information apart from the UI traefik1 app log?