How do I get a Token for DNS challenge?

I am attempting to use a DNS challenge.
My domain registrar says that I need to create an _acme-challenge TXT record and place a token into it.

I showed him that I had a certificate and a key and not a token.
He told me that the token is much shorter in length than the certificate or key.

How do I generate a token?

I have been told that the token is much shorter than the certificate or key.


I do not see anything about the _acme-challenge or the token

I am trying to use a DNS challenge on Traefik.

It's a DNS-01 challenge as presented in the Challenge Types article I linked above. The token is generated by the Let's Encrypt server, which is then obtained by your chosen ACME client (often builtin to your service or product) then either automatically written to your DNS (if you have configured that) or presented to you to manually write to your DNS.


The generated acme.json file showed a key and certificate but not a token. I have been told I need the token in the _acme-challenge TXT record. Is this wrong information?

It's correct. Please see the Træfik-specific documentation that I just posted above. It has detailed information for you.

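The token flow described above (the CA issues a short token, the ACME client combines it with its account key, and the result goes into the _acme-challenge TXT record) and the question of why acme.json shows a key and certificate but no "token" can be seen concretely in code. This is an added example, not code from Let's Encrypt, Traefik or lego; the account JWK and token below are constructed sample values, and the derivation follows RFC 8555 section 8.4 and RFC 7638.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: the thumbprint covers only the required public members,
# in lexicographic order, serialised without whitespace. "kid" and
# member order in the original JWK do not matter.
_REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    members = _REQUIRED[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT value is the SHA-256 of the key
    authorization, base64url-encoded. It is 43 characters long, which is
    why it is much shorter than a certificate or a private key."""
    ka = key_authorization(token, account_jwk)
    return b64url(hashlib.sha256(ka.encode("ascii")).digest())


def dns01_record_name(domain: str) -> str:
    return f"_acme-challenge.{domain}"


def txt_record_matches(published: list, token: str, account_jwk: dict) -> bool:
    """What the CA effectively checks: is the expected value among the
    TXT strings published at _acme-challenge.<domain>?"""
    return dns01_txt_value(token, account_jwk) in published


# Constructed sample account key (not a real RSA modulus) and token.
SAMPLE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
                      "n": b64url(b"constructed-sample-modulus-not-a-real-key")}
SAMPLE_TOKEN = "constructed-sample-token-from-the-CA"

if __name__ == "__main__":
    print(dns01_record_name("whoami.MyDomain.com"), "TXT",
          dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

Note that neither the certificate nor the private key in acme.json enters the computation; the ACME client derives the TXT value from the token and its ACME account key, which is why a DNS provider with an API (or the interactive manual mode) is needed to publish it before the CA looks it up.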

I made an exact copy of the code provided by Traefik and it does not work.

version: "3.3"

services:

  traefik:
    image: "traefik:v2.10"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=me@MyDomain.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.MyDomain.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"

This code will generate the acme.json containing the challenge and key but not the token needed for the DNS TXT record.

I don't see a certificateResolver defined (not just referenced) anywhere in your code. Please fully read the Configuration Examples (directly linked-to below) and related documentation. You really don't want to be manually configuring a DNS-01 TXT record if such can be automated. Manual configuration sets you up for failure in the future.


I am just trying to learn and yes in the long run I do not want a manual cert update. I just need to walk before I run. I have read that information many times and ended up with the exact code they have to avoid any confusion.

So you are saying I need a certificate resolver definition?
Why was this not in the example code and ultimately where is the token needed for the DNS record?

What is really frustrating is that I can simply install certbot and run certbot --nginx to manually install an HTTP cert on an AWS instance in minutes. This is taking many days without any results.

And here are DNS providers who easily integrate with Let's Encrypt DNS validation


At the moment I already have a DNS domain registrar. Are you suggesting that I need to transfer all my domains to another provider just to see if and/or how Let's Encrypt works with Traefik?

You don't need to transfer a domain to use DNS. You just update your nameservers at your domain registrar to those assigned by your DNS provider.


Thanks for the reply, but this is really getting crazy. At some point the new tech is supposed to be a benefit and not yet another rabbit hole.

So If I got this right I need a domain registrar and a different DNS provider to simply use Traefik with Let's Encrypt.

You need a domain registrar, and a DNS provider with an API that Traefik can use, to use DNS validation with Traefik and Let's Encrypt. The DNS provider doesn't have to be different from your domain registrar, but neither does it need to be the same.


You need a domain registrar to have a domain regardless of what you may do with it, including doing nothing with it. Assuming that you actually want to use the domain for anything, you need DNS. Some people use their registrar DNS, but many find it does not meet their needs and use a provider that they find more suitable.

I don't use Traefik, so I have no advice that pertains specifically to that application, but DNS-01 challenges are effortless if you use a supported DNS provider.


Huh, but in your first post you said:

Which would suggest you already have bought a domain and already have a domain registrar, right?!

Also, Traefik mentions a list of DNS providers (which can be but don't need to be the same as your domain registrar) supported: Traefik Let's Encrypt Documentation - Traefik

For automated certificate issuance, you should have a DNS provider which is supported by Traefik (/lego, the underlying ACME client used by Traefik) and have Traefik correctly configured to use the API of that provider.

Manually doing the DNS challenge is NOT recommended, although apparently Traefik does support it, looking at the last entry of the supported DNS providers. It does require Traefik to be run interactively though, so it cannot be automated at all.


My Traefik docker-compose file creates an acme.yaml file with all the certificates. Cloudflare also creates a certificate, so which one am I using and/or what needs to be done so that there isn't some additional confusion?

Just use that and move on.

