!!! info "Variables may vary depending on the Provider."
Please note this guide may vary depending on the provider you use.
The only things changing are the names of the variables you will need to define in order to configure your provider so it can create DNS records.
Please refer the [list of providers](../../../https/acme.md#providers) given right above and replace all the environment variables with the ones described in this documentation.
## Setup
- Create a `docker-compose.yml` file with the following content:
- Replace `postmaster@mydomain.com` by your **own email** within the `certificatesresolvers.myresolver.acme.email` command line argument of the `traefik` service.
- Run `docker-compose up -d` within the folder where you created the previous file.
- Wait a bit and visit `https://your_own_domain` to confirm everything went fine.
!!! Note
If you uncommented the `acme.caserver` line, you will get an SSL error, but if you display the certificate and see it was emitted by `Fake LE Intermediate X1` then it means all is good.
(It is the staging environment intermediate certificate used by let's encrypt).
You can now safely comment the `acme.caserver` line, remove the `letsencrypt/acme.json` file and restart Traefik to issue a valid certificate.
## Explanation
What changed between the initial setup:
- We configure a second entry point for the https traffic:
```yaml
command:
# Traefik will listen to incoming request on the port 443 (https)
To configure the provider, and avoid having the secrets exposed in plaintext within the docker-compose environment section,
you could use docker secrets.
The point is to manage those secret files by another mean, and read them from the `docker-compose.yml` file making the docker-compose file itself less sensitive.
- Create a directory named `secrets`, and create a file for each parameters required to configure you provider containing the value of the parameter:
for example, the `ovh_endpoint.secret` file contain `ovh-eu`
```text
./secrets
├── ovh_application_key.secret
├── ovh_application_secret.secret
├── ovh_consumer_key.secret
└── ovh_endpoint.secret
```
!!! Note
You could store those secrets anywhere on the server,
just make sure to use the proper path for the `file` directive fo the secrets definition in the `docker-compose.yml` file.
Still think about changing `postmaster@mydomain.com`&`whoami.mydomain.com` by your own values.
Let's explain a bit what we just did:
- The following section allow to read files on the docker host, and expose those file under `/run/secrets/[NAME_OF_THE_SECRET]` within the container:
```yaml
secrets:
# secret name also used to name the file exposed within the container
ovh_endpoint:
# path on the host
file: "./secrets/ovh_endpoint.secret"
ovh_application_key:
file: "./secrets/ovh_application_key.secret"
ovh_application_secret:
file: "./secrets/ovh_application_secret.secret"
ovh_consumer_key:
file: "./secrets/ovh_consumer_key.secret"
services:
traefik:
# expose the predefined secret to the container by name
secrets:
- "ovh_endpoint"
- "ovh_application_key"
- "ovh_application_secret"
- "ovh_consumer_key"
```
- The environment variable within our `whoami` service are suffixed by `_FILE` which allow us to point to files containing the value, instead of exposing the value itself.
The acme client will read the content of those file to get the required configuration values.
```yaml
environment:
# expose the path to file provided by docker containing the value we want for OVH_ENDPOINT.
