I set up SSL certificates for my internal services behind Traefik, but I was having some issues obtaining the certificates. I ended up having to add this line in my Docker compose file to bypass PiHole which is controlling the internal hostnames for my domain:
- --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
After adding that, I was able to successfully pull a cert. The issue is, I have a firewall set up that blocks DNS requests from everywhere except my DNS servers (PiHole), so I had to pause that rule temporarily to get the request to go through.
Wondering what I can do here (if anything) to resolve this without having to disable my firewall rules regularly.
I would start by testing if you can resolve acme-v02.api.letsencrypt.org from the PiHole and if not, see what you need to unblock that.
Did some more testing to get some details. The error I am getting from Traefik is that Cloudflare cannot create the record because it already exists (PiHole already has the entries). If I delete the records from PiHole, Traefik can then create the TXT records in Cloudflare.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters DNS Domain Name Service/System PiHole Network-wide ad-blocker (DNS sinkhole) SSL Secure Sockets Layer, for transparent encryption
3 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.
[Thread #470 for this sub, first seen 31st Jan 2024, 14:55] [FAQ] [Full list] [Contact] [Source code]
Create a new rule on the firewall to allow DNS requests to cloudflare from that host only.
That is what I ended up doing temporarily, but I think I will just make it temporarily permanent. I could likely set up another Docker container to run a DNS server connected to a DoH resolver, and use that container as the DNS server for Traefik, but that’s a lot of work.
deleted by creator