doc: add CNAME support and gotchas
This commit is contained in:
parent
39331e41a8
commit
0503253cfe
2 changed files with 33 additions and 2 deletions
|
@ -181,3 +181,23 @@ and the message should help in figuring out the mistake(s) in the configuration,
|
||||||
|
|
||||||
When using the file provider,
|
When using the file provider,
|
||||||
one easy way to check if the dynamic configuration is well-formed is to validate it with the [JSON Schema of the dynamic configuration](https://json.schemastore.org/traefik-v2-file-provider.json).
|
one easy way to check if the dynamic configuration is well-formed is to validate it with the [JSON Schema of the dynamic configuration](https://json.schemastore.org/traefik-v2-file-provider.json).
|
||||||
|
|
||||||
|
## Why does Let's Encrypt wildcard certificate renewal/generation with DNS challenge fail?
|
||||||
|
|
||||||
|
If you're trying to renew wildcard certificates, with DNS challenge,
|
||||||
|
and you're getting errors such as:
|
||||||
|
|
||||||
|
```txt
|
||||||
|
msg="Error renewing certificate from LE: {example.com [*.example.com]}"
|
||||||
|
providerName=letsencrypt.acme error="error: one or more domains had a problem:
|
||||||
|
[example.com] acme: error presenting token: gandiv5: unexpected authZone example.com. for fqdn example.com."
|
||||||
|
```
|
||||||
|
|
||||||
|
then it could be due to `CNAME` support.
|
||||||
|
|
||||||
|
In which case, you should make sure your infrastructure is properly set up for a
|
||||||
|
`DNS` challenge that does not rely on `CNAME`, and you should try disabling `CNAME` support with:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
LEGO_DISABLE_CNAME_SUPPORT=true
|
||||||
|
```
|
||||||
|
|
|
@ -283,8 +283,19 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
|
||||||
# ...
|
# ...
|
||||||
```
|
```
|
||||||
|
|
||||||
!!! important
|
!!! warning "`CNAME` support"
|
||||||
A `provider` is mandatory.
|
|
||||||
|
`CNAME` are supported (and sometimes even [encouraged](https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html#the-advantages-of-a-cname)),
|
||||||
|
but there are a few cases where they can be [problematic](../../getting-started/faq/#why-does-lets-encrypt-wildcard-certificate-renewalgeneration-with-dns-challenge-fail).
|
||||||
|
|
||||||
|
If needed, `CNAME` support can be disabled with the following environment variable:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
LEGO_DISABLE_CNAME_SUPPORT=true
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! important
|
||||||
|
A `provider` is mandatory.
|
||||||
|
|
||||||
#### `providers`
|
#### `providers`
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue