admin/felhom-controller
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
29a9dcdd8c5b2a9c2cbebc8b7eac3383830d4951
felhom-controller/REPORT.md
T
admin 8fcd49304d docs(v0.42.1): REPORT (real wildcard cert) + README controller-route/wildcard-anchor 
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-11 18:30:42 +02:00

3.3 KiB
Raw Blame History

REPORT — v0.42.1: real Let's Encrypt wildcard cert (wildcard proactive issuance)

Repo: felhom-controller · Version: 0.42.1 · Date: 2026-06-11 Pushed commits: 84c3e84 (v0.42.0, superseded) → e61e7dd (v0.42.1) · paired with felhom-agent v0.21.0 (split-horizon LAN resolver — depends on this real cert) + golden rebake (controller 0.42.1).

What shipped

The base-infra traefik obtained no real cert (acme.json empty) — both routers relied on the websecure entrypoint-default certResolver, which does not trigger proactive DNS-01 issuance, so everything ran on traefik's self-signed default (masked externally only by the tunnel's noTLSVerify). This blocked LAN-direct (a LAN client TLS-handshakes straight to traefik and needs the real cert).

  • infra.RenderControllerRoute(domain, wildcardTLS) — the always-present controller route is now the wildcard-issuance anchor: when DNS-01 ACME is configured (CFAPIToken && Email) it carries router-level tls.certResolver: letsencrypt + tls.domains: [{main: "*.<domain>", sans: ["<domain>"]}], so traefik proactively obtains *.<domain> + apex at startup via Cloudflare DNS-01. Every other router (filebrowser, future apps) then serves that one wildcard by SNI match — no per-app certresolver labels, real cert ready before the first client connects. stacks.wireController passes wildcardTLS = (CFAPIToken != "" && Email != "").
  • Key empirical finding (staging on 9201): traefik v3 issues a cert from a router-level tls.domains but NOT from the entrypoint-level http.tls.domains (acme.json stayed 0 bytes with the latter). v0.42.0's entrypoint-domains attempt + TraefikData.Domain was reverted.

Validation (staging → prod on guest 9201)

  • CF token pre-check: active, scoped to demo-felhom.eu, DNS read OK (DNS:Edit confirmed by the run).
  • Staging (Fake LE): with the router-level wildcard, acme.json went 0 → populated; felhom.*, files.*, and arbitrary anything.demo-felhom.eu all presented *.demo-felhom.eu (issuer (STAGING)) — one wildcard, zero per-app labels.
  • Prod switch: wiped acme.json, clean first-boot render (no caServer, no entrypoint domains) → PROD wildcard issued (acme.json ~16 KB).
  • GATE (from dooplex, real LAN host, direct to guest IP): felhom.demo-felhom.eu + files.demo-felhom.eu200 ssl_verify=0; issuer C=US, O=Let's Encrypt, CN=YR1 (real prod LE); subject CN=*.demo-felhom.eu, SAN *.demo-felhom.eu, demo-felhom.eu. Dashboard title Vezérlőpult — Felhom.eu.

Live deploy

  • Built + pushed 0.42.1; deployed to 9201 (clean first-boot: wipe acme.json → controller renders prod traefik.yml + wildcard route → traefik obtains the prod wildcard).
  • Golden rebaked with controller 0.42.1 → local:backup/vzdump-lxc-9100-2026_06_11-18_10_11.tar.zst (fresh provisions get a real wildcard cert on first boot).

Notes

  • The traefik dashboard route (dynamic/dashboard.yml) remains deferred (needs a generated basic-auth hash) — routing/cert for filebrowser + controller work without it.
  • HTTP-01 path (ACME email but no CF token) can't issue wildcards → falls back to a plain TLS route (self-signed). The felhom production always uses Cloudflare DNS-01, so the wildcard path is the norm.
Reference in New Issue View Git Blame Copy Permalink