Configuring dnsChallenge using RFC2136 as a provider
I followed the steps here https://runtipi.io/docs/guides/dns-challenge-cloudflare and https://runtipi.io/docs/guides/customize-compose-and-traefik to make modifications to the docker compose & traefik configs. I deleted
traefik/tls/* and traefik/shared/acme.json, then restarted runtipi, and the files were regenerated. However, it regenerated a self-signed certificate and in the UI I saw an error about trying to request a certificate from Let's Encrypt for the internal private IP address instead of the domain name.
I added this to user-data/tipi-compose.yml:
and this to traefik/traefik.yml:
(I also set persistTraefikConfig to true in state/settings.json)25 Replies
Alright
So firstly
Remove all the additional configuration you added in tipi compose
Copy the same compose we have in the docs but remove the cloudflare environment variable and add the ones described here https://go-acme.github.io/lego/dns/rfc2136/
Let’s Encrypt client and ACME library written in Go.
RFC2136 :: Let’s Encrypt client and ACME library written in Go.
Configuration for RFC2136.
Also keep the exact same config we have in the docs and just change your provider to rfc2136 and add your email as you already did
Then restart tipi
Set your domain in the settings page
And try to expose an app
It may take a while for traefik to generate the certs though
Usually 1-2 minutes
OK, that's what I had started with, but while troubleshooting I found traefik documentation that pointed me to what I have now. I'll do as you suggest and reply with results.
No change. It doesn't even try to reach my nameserver to make the request to add the challenge.
I get that error when I .. "un expose" the app. When I re-expose it, looking at the logs, I think it see that it already has a certificate (self-signed) for *.mydomain.com so it doesn't need to make one for theapp.mydomain.com and never bothers to try.
Did you set the domain in tipi's settings?
Yep
After setting the domain did you restart?
The domain was already set and I've restarted runtipi several times
There are 3 places to set a domain name-- Settings > Settings, "Domain name" and "Local domain", and then in the App's settings after exposing it "Domain name". If I own example.com, what should the 3 values be?
Currently I have "runtipi.example.com" in the first two and "app.runtipi.example.com" in the app's settings
Set
runtipi.example.com only in the domain field
not local domain
chances are this is the reason it isnt workingShould I leave "Local domain" blank?
just put runtipi.local
Ok, and what about for the app's domain?
Oh cool, that fixed it. It is working for both the main runtipi instance and the app's page. Sweet.
For reference:
In
user-config/tipi-compose.yml:
In traefik/traefik.yml:
Settings > Settings > Domain name: runtipi.example.com
Settings > Settings > Local domain: runtipi.local
My Apps > App > Settings > Domain name: app.runtipi.example.com
Thank you @Stavros!
Is it possible to have it do this for the local domain? Perhaps I should have left Domain name blank and put runtipi.example.com in Local domain?
For example, Scrypted doesn't seem to be allowed to be exposed, so the only way to access it is https://scrypted.runtipi.local/ which uses the self-signed stuff. I want it to use my certresolverUnfortunately not possible
You can't issue ssl certificates for mdns domains
It's not a tipi imitation, it's just not possible
You can just trust the certificate
Right, I know you can't issue certs for .local, but with dnsChallenge I can issue certs for local use using my actual domain, which is what I want to do. I'm not actually exposing anything to the Internet. I just don't want to use runtipi.local, I want to use runtipi.example.com internally with real certs.
Seems that does not work, it uses the self-signed cert unfortunately. I imagine there is some label selection rule or something I could add/change, but I'm not quite clever enough for that. Any ideas?
I see the router rules in
docker-compose.yml -- it seems easy enough to edit and change them to use the certresolver. Is this something I can do in user-config/tipi-compose.yml? Or does that only add statements and not overwrite them? Can I edit docker-compose.yml directly?
Hmm, it seems I would need to rebuild the worker package after editing packages/worker/src/lib/docker/builders/traefik-labels-builder.ts and I'm not sure how to do that. Is it difficult?You can only use tipi compose
That's not really related to traefik labels, thats for the dynamic compose
I would recommend again trying to issue certificates for the local domain
Tipi is not configured for this and chances are you will have a ton of issues
Am I correct in my understanding that it's a simple matter of the labels being applied? It seems to me this would be more reliable than using self-signed certificates. I'm happy to submit patches configuring this as an option if someone might point me in the direction I should be looking. The dynamic compose was the only other location I could find that looked like it might be an app template. Again, looking at scrypted, it seems to inherit a predefined router vs eg. Home Assistant that has routes defined in its docker-compose
I mean by editing the tipi compose and overriding the local domain and local domain secure options.ypi should be able to use domain and dns challenge
As far as I can tell that did work, but it only seemed to apply to the two specific items (I'm not at my desk atm) and not to applications, but maybe I didn't test it thoroughly enough
But again we can't guarantee this will work because tipi is not built this way. Self signed certs are as secure as the ones you get from let's encrypt, same ssl same everything they are just not trusted. The local domain option was added so you can access apps around your network that's where the local comes from
Applications have their own set of labels, so you may need to customize every app with user config
I didn't see any labels defined for scrypted except that it is managed by runtipi. How does it get its labels?
Huh, you can check the runtipi appstore and every app has the labels in the docker compose
GitHub
runtipi-appstore/apps/scrypted/docker-compose.yml at master · runti...
Official Runtipi AppStore. Apps and updates live here! - runtipi/runtipi-appstore
If you are using dynamic config you need to enable the expose and/or expose to local network, if it's not dynamic config you will just see the expose option
Ohhh
Scrypted uses network mode host
Can't apply labels there because it's not in the tipi main Network
How does it get its ssl config? I think it uses the local wildcard cert. it would be cool if I could just have it use the other one it already created
Again local domain is joy meant to be used that way. You can replace the certs in the traefik directory with your own though and use your own local domain certs