diff --git a/smoothschedule/compose/production/traefik/traefik.yml b/smoothschedule/compose/production/traefik/traefik.yml
index db824b7..dc8b413 100644
--- a/smoothschedule/compose/production/traefik/traefik.yml
+++ b/smoothschedule/compose/production/traefik/traefik.yml
@@ -28,6 +28,17 @@ certificatesResolvers:
 httpChallenge:
 entryPoint: web
+ letsencrypt-dns:
+ # DNS challenge for wildcard certificates (*.smoothschedule.com)
+ acme:
+ email: 'admin@smoothschedule.com'
+ storage: /etc/traefik/acme/acme.json
+ dnsChallenge:
+ provider: digitalocean
+ resolvers:
+ - "1.1.1.1:53"
+ - "8.8.8.8:53"
+
 
 http:
 routers:
 # Main domain and www
@@ -86,7 +97,7 @@ http:
 certResolver: letsencrypt
 
 # Wildcard subdomain router for tenant subdomains
- # Each subdomain gets its own certificate via HTTP challenge
+ # Uses DNS challenge for wildcard certificate (*.smoothschedule.com)
 # Routes to nginx which serves the frontend SPA and proxies /api/ to Django
 subdomain-router:
 rule: 'HostRegexp(`{subdomain:[a-z0-9-]+}.smoothschedule.com`)'
@@ -96,7 +107,11 @@ http:
 - csrf
 service: nginx
 tls:
- certResolver: letsencrypt
+ certResolver: letsencrypt-dns
+ domains:
+ - main: "smoothschedule.com"
+ sans:
+ - "*.smoothschedule.com"
 
 flower-secure-router:
 rule: 'Host(`smoothschedule.com`)'
diff --git a/smoothschedule/docker-compose.production.yml b/smoothschedule/docker-compose.production.yml
index f12b326..05498e1 100644
--- a/smoothschedule/docker-compose.production.yml
+++ b/smoothschedule/docker-compose.production.yml
@@ -40,11 +40,13 @@ services:
 - django
 volumes:
 - production_traefik:/etc/traefik/acme
+ environment:
+ # DigitalOcean API token for DNS challenge (wildcard certs)
+ - DO_AUTH_TOKEN=${DO_AUTH_TOKEN}
 ports:
 - '0.0.0.0:80:80'
 - '0.0.0.0:443:443'
 - '0.0.0.0:5555:5555'
- - '0.0.0.0:5555:5555'
 
 nginx:
 build:
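Review bot: The new `letsencrypt-dns` resolver's credential dependency is invisible in this file: `provider: digitalocean` makes Traefik's ACME client read a DigitalOcean API token from the environment, and that token can rewrite every DNS zone in the account, but nothing here says so. I would extend the comment above `acme:` to `# DNS-01 via DigitalOcean; token comes from DO_AUTH_TOKEN (see docker-compose.production.yml) and must be able to create/delete TXT records for smoothschedule.com — use a scoped token if the account supports it`. The resolvers list is a good touch because it forces propagation checks through public DNS rather than the container's resolver; consider also noting the staging `caServer` to use when testing, since a failed DNS challenge counts against Let's Encrypt rate limits. Separately, the new lines mix quote styles (`'admin@smoothschedule.com'` versus `"1.1.1.1:53"`) while the rest of the file uses single quotes; the values are plain strings, so single quotes throughout would be consistent.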
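Review bot: The `domains` block makes `smoothschedule.com` the `main` of the wildcard certificate, so the apex will now be issued by both resolvers — here by `letsencrypt-dns`, and by the HTTP-challenge `letsencrypt` resolver on the main-domain router whose `certResolver: letsencrypt` line is visible as context in the hunk above. That is not a failure, but it means two certificates and two renewal paths for the same name, and which one is served for the apex depends on Traefik's certificate selection rather than on this config. If the intent is one wildcard cert for everything, the main-domain and `flower-secure-router` routers (the latter starts in this hunk and continues outside it) should also point at `letsencrypt-dns`; if the split is deliberate, a one-line comment above `domains:` saying so would stop the next reader from "fixing" it.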
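Review bot: `- DO_AUTH_TOKEN=${DO_AUTH_TOKEN}` silently expands to an empty string when the variable is missing from the deploy environment, so the failure only surfaces later as an ACME DNS-challenge error in Traefik's logs rather than at `docker compose up`; `- DO_AUTH_TOKEN=${DO_AUTH_TOKEN:?DO_AUTH_TOKEN is required for the DNS challenge}` fails fast with a clear message. The token is also exposed to anyone who can run `docker inspect` on the host and to every process in the container; if this stack can use Docker secrets, mounting the token as a file and passing its path instead (the ACME client's `DO_AUTH_TOKEN_FILE` variant exists for this) keeps it out of the container environment. Whichever form is kept, the comment should state that the token needs DNS write access for the zone so that operators can scope it tightly. The dropped duplicate `'0.0.0.0:5555:5555'` entry is fine as a cleanup.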