From f183fe485fbf204064a2689677ed1436742ee53f Mon Sep 17 00:00:00 2001
From: jack
Date: Sun, 22 Mar 2026 04:18:21 +0700
Subject: [PATCH] revert: switch back to HTTP-01 until Cloudflare NS propagation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

DNS-01 + wildcard cert requires Cloudflare to be authoritative NS.
Until propagation completes, use httpChallenge on port 80.

Plan after Cloudflare NS is active:
1. Switch back to dnsChallenge in traefik.yml.j2
2. Re-enable tls.stores.default.defaultGeneratedCert in routes.yml.j2
3. Clear acme.json → Traefik issues *.csrx.ru wildcard cert

Co-Authored-By: Claude Sonnet 4.6
---
 .../templates/traefik/dynamic/routes.yml.j2 | 14 ++------------
 roles/services/templates/traefik/traefik.yml.j2 | 9 +++------
 2 files changed, 5 insertions(+), 18 deletions(-)

diff --git a/roles/services/templates/traefik/dynamic/routes.yml.j2 b/roles/services/templates/traefik/dynamic/routes.yml.j2
index 6f49a70..e90a531 100644
--- a/roles/services/templates/traefik/dynamic/routes.yml.j2
+++ b/roles/services/templates/traefik/dynamic/routes.yml.j2
@@ -1,18 +1,8 @@
 # Traefik dynamic routing config — generated by Ansible
 # Do not edit manually; re-run ansible-playbook deploy.yml
 
-# ── Wildcard TLS certificate via Cloudflare DNS-01 ────────────────────────────
-# One cert covers ALL *.csrx.ru subdomains + root csrx.ru.
-# Adding a new service = zero cert wait time, Traefik reuses this cert.
-tls:
-  stores:
-    default:
-      defaultGeneratedCert:
-        resolver: letsencrypt
-        domain:
-          main: "*.{{ domain_base }}"
-          sans:
-            - "{{ domain_base }}"
+# NOTE: wildcard cert (*.csrx.ru) будет включён после переноса NS на Cloudflare.
+# Тогда переключим ACME на dnsChallenge и добавим tls.stores.default.defaultGeneratedCert
 
 http:
   routers:
diff --git a/roles/services/templates/traefik/traefik.yml.j2 b/roles/services/templates/traefik/traefik.yml.j2
index 5a72160..9511cdf 100644
--- a/roles/services/templates/traefik/traefik.yml.j2
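Review bot: Removing `tls.stores.default.defaultGeneratedCert` means any router under `http.routers` (which continues past the end of this hunk) that enables TLS without its own `certResolver` now falls back to Traefik's built-in self-signed default certificate rather than a Let's Encrypt one, so it is worth confirming that every TLS router sets `certResolver: letsencrypt` instead of relying on the store default. The replacement comment is also written in Russian while the header comments above it are English, and it hardcodes `*.csrx.ru` where the removed block used `{{ domain_base }}`; suggest `# NOTE: the wildcard cert (*.{{ domain_base }}) is enabled once NS moves to Cloudflare: switch ACME to dnsChallenge and restore tls.stores.default.defaultGeneratedCert`.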
+++ b/roles/services/templates/traefik/traefik.yml.j2
@@ -93,12 +93,9 @@ certificatesResolvers:
     acme:
       email: "{{ acme_email }}"
       storage: /acme/acme.json
-      dnsChallenge:
-        provider: cloudflare
-        # Use Cloudflare DNS resolvers to avoid propagation delays
-        resolvers:
-          - "1.1.1.1:53"
-          - "1.0.0.1:53"
+      # TODO: switch to dnsChallenge after Cloudflare NS propagation
+      httpChallenge:
+        entryPoint: web
 
 providers:
   file:
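Review bot: Switching to `httpChallenge` on `entryPoint: web` drops the `provider: cloudflare` block but says nothing about the Cloudflare API token that DNS-01 required; if the deployment still hands that token to the Traefik process, it is now an unused credential (one that typically has edit rights on the DNS zone) sitting in the container environment, and it should be removed from the service definition, or the TODO should record why it stays, until the planned switch back. The TODO would also be more useful if it named the preconditions HTTP-01 introduces that DNS-01 did not have, e.g. `# TODO: switch back to dnsChallenge after Cloudflare NS propagation; HTTP-01 needs port 80 reachable on 'web' for every hostname and cannot issue the *.{{ domain_base }} wildcard`. The enclosing `certificatesResolvers` block starts before this hunk and the `web` entrypoint definition is outside it, so whether port 80 is actually exposed cannot be confirmed from the patch.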