The Traefik learning curve can be high at first. Even I had to wrap my head around it for quite some time. But when you have it set up, it's a breeze. Cert management at its best, especially when you use the DNS authentication, which is superb, especially for your typical broadband connection with dynamic IP assignment.
Edit: Scrolling through the guide a bit, you can use
mkdir -p /path/to/new/folders
instead of
mkdir /path/to/new
mkdir /path/to/new/folder
> It's important to add that LetsEncrypt only supports wildcard domains (i.e. *.yourdomain.com) - and if you have (or plan on having) many containers, and you want to reference them by machine name, ala container.yourdomain.com - you will need wildcards - and therefore you'll need a DNS provider that supports the LetsEncrypt ACME API.
That statement is not completely correct. Let's Encrypt only allows specific domains to be assigned to a cert; this includes subdomains in particular. So I wouldn't write *.yourdomain.com but rather something like service1.yourdomain.com. However, you are right that if you actually want to use wildcard certs (*.yourdomain.com) you need to use DNS authentication.
> There is a comprehensive (and growing) list of eligible DNS providers - but it's important to stress that while the Traefik website may list your provider, that provider may be linked to a specific version of LEGO - which Traefik may not have included in a release yet. It's worth checking the LEGO release page for your provider and then checking if that version of LEGO is included in Traefik via the Traefik release page. One reason this article took a while to write was that the author needed support for their DNS provider - LEGO supported it, but that LEGO version wasn't in Traefik until 2.2.2.
Cloudflare served me well in that case on multiple servers/domains.
> Next up - consider running your containers within a subdomain - not as a subdomain. i.e. if you want to run ZoneMinder - consider zoneminder.yoursubdomain.yourdomain.com instead of zoneminder.yourdomain.com. This is for three reasons:
Security through obscurity. It can work, but it doesn't have to.
> TOML vs YAML. Love it or hate it.
> Now I'm jealous, with my config being in the 2.0 state.
> Be careful using this. At least in 1.7 there was a bug that I encountered that made it so that, when switching from staging to prod, it renewed certs on every restart. Maybe throw away the acme.json content just to be sure afterwards.
Overall some good thoughts on the configuration.
Greetings
David
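As an added illustration of the two points made in this reply (that Let's Encrypt certs are issued per explicit name or wildcard, and that a stale acme.json left over from the staging CA causes trouble after switching to production), here is a small stand-alone checker. It is not code from the guide or from this reply; it assumes the Traefik v2 acme.json layout (one top-level key per certificate resolver, each holding an "Account" with a "Registration.uri" and a list of "Certificates" with "domain.main" / "domain.sans"), and the sample JSON embedded below is constructed with placeholder certificate and key values, not real material.

```python
import json
from typing import Dict, List

# Constructed sample of a Traefik v2 acme.json with two resolvers.
# "certificate" and "key" hold placeholder base64, not real PEM data.
SAMPLE_ACME_JSON = """
{
  "le-staging": {
    "Account": {
      "Email": "admin@example.com",
      "Registration": {
        "body": {"status": "valid"},
        "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/1234"
      }
    },
    "Certificates": [
      {"domain": {"main": "service1.example.com"},
       "certificate": "UExBQ0VIT0xERVI=", "key": "UExBQ0VIT0xERVI=", "Store": "default"}
    ]
  },
  "le-prod": {
    "Account": {
      "Email": "admin@example.com",
      "Registration": {
        "body": {"status": "valid"},
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/5678"
      }
    },
    "Certificates": [
      {"domain": {"main": "*.example.com", "sans": ["example.com"]},
       "certificate": "UExBQ0VIT0xERVI=", "key": "UExBQ0VIT0xERVI=", "Store": "default"}
    ]
  }
}
"""

# Let's Encrypt's staging endpoints carry this substring in their host name
# (assumption based on the public staging URL, acme-staging-v02.api.letsencrypt.org).
STAGING_MARKER = "acme-staging"


def inspect_acme(raw: str) -> List[Dict]:
    """Flatten an acme.json document into one record per stored certificate.

    Each record says which resolver owns the cert, whether that resolver's
    ACME account lives on the staging CA, which names the cert covers, and
    whether any of those names is a wildcard.
    """
    data = json.loads(raw)
    findings: List[Dict] = []
    for resolver, body in data.items():
        account_uri = (body.get("Account") or {}).get("Registration", {}).get("uri", "")
        is_staging = STAGING_MARKER in account_uri
        for cert in body.get("Certificates") or []:
            dom = cert.get("domain") or {}
            names = [dom.get("main", "")] + list(dom.get("sans") or [])
            findings.append({
                "resolver": resolver,
                "staging": is_staging,
                "names": names,
                "wildcard": any(n.startswith("*.") for n in names),
                "has_cert": bool(cert.get("certificate")),
            })
    return findings


def staging_resolvers(findings: List[Dict]) -> List[str]:
    """Resolvers whose stored account is on the staging CA.

    Certs under these entries are not browser-trusted and the account/cert
    state should be discarded before pointing the resolver at production.
    """
    seen: List[str] = []
    for f in findings:
        if f["staging"] and f["resolver"] not in seen:
            seen.append(f["resolver"])
    return seen


def report(raw: str) -> List[str]:
    """Human-readable summary lines, one per stored certificate."""
    lines = []
    for f in inspect_acme(raw):
        ca = "STAGING" if f["staging"] else "production"
        kind = "wildcard" if f["wildcard"] else "explicit names"
        lines.append(f"{f['resolver']}: {ca} account, {kind}: {', '.join(f['names'])}")
    return lines


if __name__ == "__main__":
    # Run against a real file with: python check_acme.py < /path/to/acme.json
    import sys
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ACME_JSON
    for line in report(src):
        print(line)
    stale = staging_resolvers(inspect_acme(src))
    if stale:
        print("resolvers still tied to the staging CA:", ", ".join(stale))
```

The wildcard flag is only informational here: acme.json does not record which challenge type issued a cert, so the checker can tell you that *.example.com is stored, but whether it was obtained through the DNS challenge has to be confirmed in the Traefik configuration itself.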