admin/felhom-controller
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v0.42.0: real Let's Encrypt cert via wildcard proactive issuance

Browse Source 
traefik's websecure entrypoint now declares http.tls.domains *.<domain>+apex so
it proactively obtains the wildcard via Cloudflare DNS-01 at startup (cert ready
before first client, every router serves it by SNI). Gated on CFAPIToken (DNS-01).
TraefikData gains Domain; ensureTraefik wires cfg.Customer.Domain.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
authentik Default Admin
2026-06-11 17:48:15 +02:00
parent 80216e6ce5
commit 84c3e84641
5 changed files with 42 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
controller/internal/infra/infra.go
+4 -1
View File
@@ -40,8 +40,11 @@ type FileSpec struct {
}
// TraefikData is the per-customer input for the traefik stack. ACMEEmail empty → no Let's Encrypt
// (traefik serves self-signed); CFAPIToken empty → HTTP-01 instead of Cloudflare DNS-01, and no .env.
// (traefik serves self-signed); CFAPIToken empty → HTTP-01 instead of Cloudflare DNS-01, and no .env
// (and no wildcard — HTTP-01 can't issue wildcards). Domain drives the wildcard proactive-issuance
// SAN (`*.<Domain>` + apex) when DNS-01 is in use.
type TraefikData struct {
Domain string
ACMEEmail string
CFAPIToken string
}