pigsty
cloudflare dns challenge
Just in case you'd find it useful, I'm a big fan of using Cloudflare's DNS challenge to easily generate trusted certs when using private IP addresses.
I wired this in using the commit below, and three additional variables in my pigsty.yml:
```yaml
dns_cloudflare_api_token: "{{ lookup('env', 'DNS_CLOUDFLARE_API_TOKEN') }}"
repo_packages: "{{ repo_packages_default + ['python3-certbot-dns-cloudflare'] }}"
infra_packages: "{{ infra_packages_default + ['python3-certbot-dns-cloudflare'] }}"
```
The only caveat is that you really don't want this running on multiple nodes simultaneously... so I added "run_once" to the sign-cert operation. It needs to be serialized so you don't have multiple nodes modifying DNS records at the same time.
Thanks again!
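As an added illustration of the setup described above (example playbook written for this note, not the commenter's commit or pigsty's own role), this is what the serialized sign-cert step looks like in Ansible: the token is written with root-only permissions, the certbot call carries `run_once`, and `creates` keeps it idempotent. Assumptions: the `dns_cloudflare_api_token` variable from the comment, a hypothetical `infra` inventory group, and placeholder domain and e-mail values.

```yaml
# Added example, not pigsty's own code. Assumes the dns_cloudflare_api_token
# variable shown above and a hypothetical `infra` group; domain and e-mail
# are placeholders.
- name: Obtain a Let's Encrypt cert via Cloudflare DNS-01, serialized to one node
  hosts: infra
  become: true
  vars:
    cert_domain: "pg.example.internal"          # placeholder
    cert_email: "admin@example.internal"         # placeholder
    cf_creds: /etc/letsencrypt/cloudflare.ini
  tasks:
    - name: Write the Cloudflare API token where only root can read it
      ansible.builtin.copy:
        dest: "{{ cf_creds }}"
        content: "dns_cloudflare_api_token = {{ dns_cloudflare_api_token }}\n"
        owner: root
        group: root
        mode: "0600"                             # certbot refuses world-readable creds
      run_once: true
      no_log: true                               # keep the token out of play output

    - name: Request the certificate on exactly one node (no concurrent DNS edits)
      ansible.builtin.command: >
        certbot certonly --non-interactive --agree-tos
        --dns-cloudflare --dns-cloudflare-credentials {{ cf_creds }}
        --dns-cloudflare-propagation-seconds 30
        -d {{ cert_domain }} -m {{ cert_email }}
      args:
        creates: "/etc/letsencrypt/live/{{ cert_domain }}/fullchain.pem"
      run_once: true
```

`run_once` executes on the first host of the batch in inventory order; add `delegate_to` to pin issuance to a specific infra node, and copy the resulting `fullchain.pem`/`privkey.pem` to the other proxies from there rather than letting each node call certbot.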
... a true HA setup with redundant infra nodes required a bit more work to properly store & distribute keys. I started running into Let's Encrypt rate limits, which further highlighted the point that really there should be one node managing certbot, and that one certbot-enabled node should distribute certs to the other reverse proxies.
Your nginx configuration is spot-on and quite sophisticated, however I'm wondering if you have used Caddy?
Given the ease of accessing shared storage with Minio already bundled in the stack, Caddy is Go-based and does a beautiful job synchronizing certificates out of shared storage in a multi-node HA setup. The nginx configuration would translate easily to Caddy I think, and could simplify life in a certbot-enabled environment.
This is a great feature, I'll merge it before the next release.
I’ve used Caddy and it’s a fantastic web server, but I’m not sure whether we should migrate from Nginx to Caddy—the main concern is user familiarity. After all, Nginx still offers top-tier performance and the largest user base.
That said, I do think introducing a dedicated Caddy role as an alternative implementation to Nginx could be an excellent idea.