by rglullis 781 days ago
For authentication, I had good luck with authentik as forward proxy.

The one thing that bothers me with traefik is that their implementation of ACME does not work if you have some sort of DNS load balancing. I had one setup with three servers responding to the same domain. It seems the first request (to start the ACME dance) would go to one server, and if the second one (with the .well-known address) is sent to a different one, it will just return a 404 and fail the whole thing. Now I either have* to delegate the certificate management to the service itself or add Caddy as a secondary proxy just to get certificates from it.

* Of course, someone smarter than me will point me to a better solution and I will be forever grateful.


If I am not misunderstanding (sorry if I am), it sounds like you use the HTTP challenge, where your cert provider tries to GET your challenge file. If so, could the DNS challenge be better suited? There, you put the challenge in a TXT record value.
You got it, but your solution won't work because of one detail: I cannot use the DNS challenge because I am running a managed service provider, and my customers are the ones who own the domain. All I can do is ask them "please add a CNAME to my gateway", and I need to figure out everything else on my side.
Sounds like you're looking for Caddy's On-Demand TLS, then. No other server or ACME client does this. https://caddyserver.com/docs/automatic-https#on-demand-tls
ACME supports Delegated Domains for DNS01:

    _acme-challenge.customer.com IN CNAME _acme-challenge.your-automated-domain.org.
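The delegation above works because a CA's DNS-01 validator looks up the TXT record at `_acme-challenge.<domain>` and follows any CNAME it meets on the way, so the TXT record itself can live in a zone the provider controls. The following is an added example (not code from the thread, Traefik or Caddy) that computes the TXT value the way RFC 8555 §8.4 specifies (base64url of SHA-256 over `token.thumbprint`, with the RFC 7638 JWK thumbprint) and then validates it against a constructed in-memory zone. The zone data, the account JWK and the challenge token are all made up for the example; the names `customer.com` and `your-automated-domain.org` are the ones from the comment above. It also shows that the `_acme-challenge` CNAME is a second record, separate from whatever CNAME or A record points the customer's site at the gateway.

```python
import base64
import hashlib
import json

# Constructed ACME account key (JWK). The x/y coordinates are placeholder
# strings, not a real P-256 point; the thumbprint only hashes the JSON members.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}

# Constructed challenge token, as the CA would hand it out in the authorization.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# Constructed zone: name -> list of (rrtype, rdata). The customer's zone holds
# only the site record and the delegation CNAME; the provider's zone is where
# the TXT record will be published.
BASE_ZONE = {
    "customer.com.": [("CNAME", "gateway.example-provider.host.")],
    "_acme-challenge.customer.com.": [("CNAME", "_acme-challenge.your-automated-domain.org.")],
    "_acme-challenge.your-automated-domain.org.": [],
}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required JWK members, lexically sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 §8.4: TXT rdata = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def publish_txt(zone: dict, name: str, value: str) -> None:
    """What the provider's DNS API call does: add the TXT record in its own zone."""
    zone.setdefault(name, []).append(("TXT", value))


def resolve_txt(zone: dict, name: str, max_cname: int = 8) -> list:
    """Look up TXT records at `name`, following CNAMEs like a CA validator does.
    Loops and over-long chains are rejected rather than followed forever."""
    seen = set()
    for _ in range(max_cname):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rrset = zone.get(name, [])
        cnames = [rdata for rrtype, rdata in rrset if rrtype == "CNAME"]
        if cnames:
            name = cnames[0]   # a name with a CNAME has no other data; follow it
            continue
        return [rdata for rrtype, rdata in rrset if rrtype == "TXT"]
    raise ValueError("CNAME chain too long")


def validate_dns01(zone: dict, domain: str, token: str, jwk: dict) -> bool:
    """The CA side: recompute the expected value and check it is among the TXT rdata."""
    expected = dns01_txt_value(token, jwk)
    return expected in resolve_txt(zone, f"_acme-challenge.{domain}.")


def run_example() -> dict:
    """Provider publishes the TXT in its own zone; the CA validates customer.com."""
    zone = {name: list(rrset) for name, rrset in BASE_ZONE.items()}
    value = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    publish_txt(zone, "_acme-challenge.your-automated-domain.org.", value)
    return {
        "txt_value": value,
        "valid": validate_dns01(zone, "customer.com", TOKEN, ACCOUNT_JWK),
        "wrong_token": validate_dns01(zone, "customer.com", "not-the-token", ACCOUNT_JWK),
        # nothing was written into the customer's zone; only the delegation CNAME is there
        "customer_zone_has_txt": any(t == "TXT" for t, _ in zone["_acme-challenge.customer.com."]),
    }


if __name__ == "__main__":
    print(run_example())
```

Two practical points follow from the code. First, the validator only ever writes nothing and reads one name, so the provider needs API access to its own zone (the target of the CNAME), not to the customer's. Second, if several customers are pointed at the same `_acme-challenge` target, their TXT values simply coexist as separate rdata at that name, which is why `validate_dns01` checks membership rather than equality; stale values should still be removed after each issuance so the RRset does not grow without bound.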
That sounds interesting. Do you literally mean that I should use _acme-challenge, or were you giving an example?

In concrete terms: to set up an instance for a customer, I've been asking them to set their domain with a CNAME to "gateway.communick.host", where I have traefik already configured with one TLS HTTP resolver and one DNS resolver, and I've been using the HTTP one. Are you saying that I can just configure it to use the DNS resolver and it will work, or do I need to tell my customers to add another record for the delegation to work?

It might not be suitable for your use case, but have you tried ACME DNS challenge delegation to a different one hosted by yourself?