I need one thing clarified since I’m not very good at networking.
First of all, we have got everything running fine with: docker-compose.yml
We have setup custom domain names and that’s also working.
But, since we are planning on making API calls from the OpenCore instance, I guess we need to run the docker-compose-letsencrypt version so that we can obtain an SSL certificate.
The server that is running the OpenCore instance does not have a public IP, which the docs state it has to have.
But instead we have a DNAT to route the traffic to the OpenCore server.
Is it possible to get it running like that?
But assuming it's like NAT and you have not mapped ports 80 and 443, then no, it will not work.
If the internet cannot connect to your Traefik on ports 80 and 443 you cannot use HTTP-01 with Let's Encrypt; in that case you can use DNS-01 or you will need to run without SSL (you can also run with self-issued certificates, but then you need to do A LOT of work to make it trusted in all images and I do not want to support that over the forum).
Hmm, I just reread what you wrote, I think I misunderstood. The server itself does NOT need a public IP; it just needs to be reachable from a public IP. (Not even that, it needs to be reachable on the DNS names you want to use. So, imagining you’re using DynDNS because the IP keeps changing, this will still work) on port 80 and 443.
If that is the case, you can use Let’s Encrypt with HTTP-01 just fine and do NOT need to set up something that will allow Traefik to update your DNS zone.
So, can people on the internet (Let’s Encrypt’s servers) reach the Traefik Ingress Controller on port 80 and 443? Then you can use docker-compose-letsencrypt.yml.
The upside of using HTTP-01 is it requires almost no setup besides allowing internet traffic into Traefik. The downside is, every time the certificate needs to be renewed, someone needs to “hit” the page (click bypass certificate warning) to trigger a renewal. So, once every 3 months, you will have a small downtime window.
If you need a lot of subdomains for agents, you could potentially hit the rate limiter on Let's Encrypt (app.openiap.io does that). To avoid that, you can request a wildcard * certificate instead, but that is not supported using HTTP-01.
Or if the server cannot be public on the internet, but you are using a public domain for access (many big enterprises use split DNS, where parts of the DNS zones are only accessible internally but are still using a public DNS domain), in those cases, you can still use Let’s Encrypt but need to “prove” you own the domain to Let’s Encrypt in a different way. The most common way to do that is to use DNS-01 with Let’s Encrypt, where you add a signed record to DNS while requesting a new certificate.
docker-compose-letsencrypt-dns01.yml has an example of how you can set that up using Cloudflare and Google DNS, but there are many more on Traefik’s documentation page.
The upside is you greatly decrease the number of requests to Let's Encrypt by using wildcard * certificates, and Traefik will automatically renew the certificate a week before it expires.
The downside is it requires a lot more setup and the ability to allow Traefik to update your DNS zone (not an easy sell to the local IT department in most big enterprises).
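To make the two options from this thread concrete, here is an added example of a Traefik v2 compose service with both an HTTP-01 and a DNS-01 certificate resolver side by side. It is not the project's docker-compose-letsencrypt.yml or docker-compose-letsencrypt-dns01.yml; the domain example.com, the entrypoint names, Cloudflare as the DNS provider, and the token and e-mail values are all assumptions or placeholders.

```yaml
# Added example, not the project's own compose file. Assumptions: domain
# example.com, entrypoints "web"/"websecure", Cloudflare as DNS provider;
# the e-mail address and API token are placeholders.
version: "3.7"
services:
  traefik:
    image: traefik:v2.10
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      # HTTP-01: Let's Encrypt must reach port 80 on the public DNS name,
      # so the DNAT / port forward for 80 and 443 has to be in place.
      - --certificatesresolvers.http01.acme.email=admin@example.com
      - --certificatesresolvers.http01.acme.storage=/letsencrypt/acme-http01.json
      - --certificatesresolvers.http01.acme.httpchallenge=true
      - --certificatesresolvers.http01.acme.httpchallenge.entrypoint=web
      # DNS-01: no inbound reachability needed; Traefik publishes the
      # _acme-challenge TXT record through the provider API instead,
      # which is also what allows a wildcard certificate.
      - --certificatesresolvers.dns01.acme.email=admin@example.com
      - --certificatesresolvers.dns01.acme.storage=/letsencrypt/acme-dns01.json
      - --certificatesresolvers.dns01.acme.dnschallenge=true
      - --certificatesresolvers.dns01.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.dns01.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
    environment:
      # Use a token scoped to DNS edit on this one zone, not a global API key.
      - CF_DNS_API_TOKEN=REPLACE_WITH_CLOUDFLARE_TOKEN   # placeholder
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt   # acme.json must survive restarts (renewals)

  # Placeholder application behind Traefik, standing in for OpenCore.
  app:
    image: traefik/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.app.rule=Host(`app.example.com`)
      - traefik.http.routers.app.entrypoints=websecure
      # Pick ONE resolver per router: "http01" issues a per-host certificate,
      # "dns01" together with the domains block below issues a wildcard.
      - traefik.http.routers.app.tls.certresolver=dns01
      - traefik.http.routers.app.tls.domains[0].main=example.com
      - traefik.http.routers.app.tls.domains[0].sans=*.example.com
```

Switching the router label to `certresolver=http01` and dropping the two `domains[0]` labels gives the HTTP-01 variant; with either resolver, Traefik only needs the ACME storage file to persist between restarts to renew on its own.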