From 33e4b6b9b5fb1473203f8553cda492cb6658c8e0 Mon Sep 17 00:00:00 2001 From: poduck Date: Wed, 3 Dec 2025 16:48:50 -0500 Subject: [PATCH] feat(traefik): Add DNS challenge for wildcard SSL certificates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit HostRegexp patterns don't work with HTTP challenge because Traefik can't request certificates for dynamic subdomains. Switched to DNS challenge using DigitalOcean provider for *.smoothschedule.com wildcard. Requires DO_AUTH_TOKEN environment variable to be set. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- .../compose/production/traefik/traefik.yml | 19 +++++++++++++++++-- smoothschedule/docker-compose.production.yml | 4 +++- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/smoothschedule/compose/production/traefik/traefik.yml b/smoothschedule/compose/production/traefik/traefik.yml index db824b7..dc8b413 100644 --- a/smoothschedule/compose/production/traefik/traefik.yml +++ b/smoothschedule/compose/production/traefik/traefik.yml @@ -28,6 +28,17 @@ certificatesResolvers: httpChallenge: entryPoint: web + letsencrypt-dns: + # DNS challenge for wildcard certificates (*.smoothschedule.com) + acme: + email: 'admin@smoothschedule.com' + storage: /etc/traefik/acme/acme.json + dnsChallenge: + provider: digitalocean + resolvers: + - "1.1.1.1:53" + - "8.8.8.8:53" + http: routers: # Main domain and www @@ -86,7 +97,7 @@ http: certResolver: letsencrypt # Wildcard subdomain router for tenant subdomains - # Each subdomain gets its own certificate via HTTP challenge + # Uses DNS challenge for wildcard certificate (*.smoothschedule.com) # Routes to nginx which serves the frontend SPA and proxies /api/ to Django subdomain-router: rule: 'HostRegexp(`{subdomain:[a-z0-9-]+}.smoothschedule.com`)' 
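Review bot: The new `letsencrypt-dns` resolver hands Traefik a DigitalOcean API token whose blast radius is much larger than this one challenge: whoever reads it from the Traefik container (or from `docker inspect` on the host) can rewrite any record in the zone and therefore obtain certificates for any name under smoothschedule.com from any CA, not just pass this DNS-01. That should be recorded next to the resolver so the next maintainer treats the token as a zone-wide credential, e.g. `# DNS-01 needs DO_AUTH_TOKEN in Traefik's environment (see docker-compose.production.yml); the token can modify the whole DNS zone, so scope it to DNS-only if the DigitalOcean account supports custom-scope tokens, and rotate it if this container is compromised`. Since wildcard issuance via DNS-01 tends to fail a few times on propagation timing during first rollout, it is also worth noting that rate limits apply to the production CA and that `caServer: https://acme-staging-v02.api.letsencrypt.org/directory` can be set on this resolver while the propagation settings are validated. The resolver's `email` duplicates the value presumably used by the existing `letsencrypt` resolver above this hunk (not visible here); if it does, a short comment saying both resolvers share the account contact would prevent them drifting apart.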
@@ -96,7 +107,11 @@ http: - csrf service: nginx tls: - certResolver: letsencrypt + certResolver: letsencrypt-dns + domains: + - main: "smoothschedule.com" + sans: + - "*.smoothschedule.com" flower-secure-router: rule: 'Host(`smoothschedule.com`)' diff --git a/smoothschedule/docker-compose.production.yml b/smoothschedule/docker-compose.production.yml index f12b326..05498e1 100644 --- a/smoothschedule/docker-compose.production.yml +++ b/smoothschedule/docker-compose.production.yml @@ -40,11 +40,13 @@ services: - django volumes: - production_traefik:/etc/traefik/acme + environment: + # DigitalOcean API token for DNS challenge (wildcard certs) + - DO_AUTH_TOKEN=${DO_AUTH_TOKEN} ports: - '0.0.0.0:80:80' - '0.0.0.0:443:443' - '0.0.0.0:5555:5555' - - '0.0.0.0:5555:5555' nginx: build:
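Review bot: The `domains` block now asks `letsencrypt-dns` for a certificate whose `main` is `smoothschedule.com`, but the router immediately above the wildcard router still has `certResolver: letsencrypt` (context in the previous hunk), and `flower-secure-router` below also matches `Host(`smoothschedule.com`)` with a TLS block outside this hunk, so unless those are switched too Traefik will obtain two different certificates covering the apex — one by HTTP-01, one by DNS-01 — and which one it serves for `smoothschedule.com` is not something you should rely on, while the duplicate issuance eats into Let's Encrypt's rate-limit budget. Either point the apex/www routers at the same resolver, `certResolver: letsencrypt-dns` with the same `domains` entry, or make the wildcard router's `main` the wildcard itself and leave the apex to the existing resolver; mixing both for one name is the worst of the options. The subdomain router's enclosing `http.routers` mapping starts and ends outside this hunk. Worth a one-line comment at the `domains` block too: the private key in `acme.json` now covers every tenant hostname at once, so the `production_traefik` volume (and any backup of it) is a single point of compromise for all tenants, not just one subdomain.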
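Review bot: `- DO_AUTH_TOKEN=${DO_AUTH_TOKEN}` substitutes an empty string when the variable is missing from the deploy environment or `.env`, so the stack starts cleanly and the failure only appears later as an ACME provider error when the first wildcard order is attempted; Compose's required-variable form fails at `up` time instead: `- DO_AUTH_TOKEN=${DO_AUTH_TOKEN:?DO_AUTH_TOKEN (DigitalOcean DNS token) must be set for the DNS challenge}`. Passing the token as a plain environment variable also exposes it to `docker inspect`, `docker compose config` output, and every process in the container; Traefik's ACME DNS providers accept the `_FILE` variant of their variables, so a Compose `secrets:` entry mounted at `/run/secrets/do_auth_token` and `DO_AUTH_TOKEN_FILE=/run/secrets/do_auth_token` keeps it out of the container metadata — worth confirming against the Traefik version deployed here. Removing the duplicated `0.0.0.0:5555:5555` mapping is a good catch; the remaining `0.0.0.0:5555:5555` line still publishes port 5555 to every interface, which is pre-existing but worth a comment if that exposure is intentional.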