add wildcard cert doc

2025-05-12 21:30:43 +01:00 · 2025-01-02 23:08:18 -05:00 · 2025-01-02 23:08:18 -05:00 · 76bc65e3b3
commit 76bc65e3b3
parent f1a602efc3
4 changed files with 133 additions and 5 deletions
--- a/packages/docusaurus/docs/02-Getting
+++ b/packages/docusaurus/docs/02-Getting
@ -73,7 +73,7 @@ Port: 8080

 :::tip

-After you create your resource if you are using https certificates with LetsEncrypt (default) then you must wait some time after a target is created for your certificate to be granted and loaded by Traefik. This should take no more than a few minutes. For instant access, consider setting up wildcard certificates.
+After you create your resource if you are using https certificates with Let's Encrypt (default) then you must wait some time after a target is created for your certificate to be granted and loaded by Traefik. This should take no more than a few minutes. For instant access, consider setting up wildcard certificates.

 :::

@ -102,4 +102,4 @@ For advanced auth control with users, roles, passwords, pins, or email whitelist
 5. Choose how long this invite will be valid for and choose `Create Invitation`
 6. If you chose not to send the email or it is not setup, then be sure to copy the invite and send it to the user

-The new user will be prompted to setup a password and verify their email (if SMTP is supported). They will show up in your table once they confirm their account.
+The new user will be prompted to setup a password and verify their email (if SMTP is supported). They will show up in your table once they confirm their account.
--- a/packages/docusaurus/docs/03-Pangolin/01-overview.md
+++ b/packages/docusaurus/docs/03-Pangolin/01-overview.md
@ -15,7 +15,7 @@ _Sites page of Pangolin showing multiple site-to-site tunnels connected to the c
 - Expose private resources on your network **without opening ports**.
 - Secure and easy to configure site-to-site connectivity via a custom **user space WireGuard client**, [Newt](https://github.com/fosrl/newt).
 - Built-in support for any WireGuard client.
- Automated **SSL certificates** (https) via [LetsEncrypt](https://letsencrypt.org/).
+- Automated **SSL certificates** (https) via [Let's Encrypt](https://letsencrypt.org/).

 ### Identity & Access Management

--- a/packages/docusaurus/docs/03-Pangolin/02-config.md
+++ b/packages/docusaurus/docs/03-Pangolin/02-config.md
@ -111,7 +111,7 @@ Pangolin is configured using a `config.yml` file. The file is expected to be mou

 ```yaml
 app:
-    base_url: https://proxy.example.com
+    base_url: https://example.com
    log_level: info
    save_logs: false

@ -132,7 +132,7 @@ traefik:

 gerbil:
    start_port: 51820
-    base_endpoint: proxy.example.com
+    base_endpoint: example.com
    use_subdomain: false
    block_size: 16
    subnet_group: 10.0.0.0/8
--- a/packages/docusaurus/docs/03-Pangolin/03-wildcard-certs.md
+++ b/packages/docusaurus/docs/03-Pangolin/03-wildcard-certs.md
@ -1 +1,129 @@
 # Wildcard Certificates with Let's Encrypt
+
+:::warning
+
+Before setting up wildcard certificates, you must have a domain that you own and control. You must also have access to the DNS records for this domain.
+
+:::
+
+Since Pangolin uses Traefik as a reverse proxy, it has built-in support for Let's Encrypt certificates. This allows you to easily secure your Pangolin instance and all proxied resources with HTTPS. Lets Encrypt provides free SSL certificates, which are automatically renewed.
+
+If you used the default settings during installation, your Traefik instance should be setup to use `HTTP-01` challenge for certificate generation. This challenge is the easiest to configure and requires that the Traefik instance be accessible from the internet on port 80.
+
+It is highly reccommended that you read the [official Traefik documentation](https://doc.traefik.io/traefik/https/acme/) on ACME and Let's Encrypt before proceeding.
+
+## Benefits of Wildcard Certificates
+
+1. Wildcard certificates allow you to secure your base domain and all subdomains with a single certificate. This reduces the number of certificates you need to manage.
+2. You can add new subdomains to resources without needing to generate a new certificate each time. Without a wildcard certificate, you would need to wait (up to a few minutes usually) for a new certificate to be generated and loaded by Traefik.
+3. The [rate limits](https://letsencrypt.org/docs/rate-limits/) for Let's Encrypt are per domain. Using a wildcard certificate reduces the number of domains you have, which can help you avoid hitting these limits.
+
+## Setting Up Wildcard Certificates
+
+1. Update the Traefik configuration to use the DNS-01 challenge instead of the HTTP-01 challenge. This tells Traefik to use your DNS provider to create the DNS records needed for the challenge.
+2. Set the `prefer_wildcard_cert` flag to `true` in the Pangolin configuration file.
+
+## Traefik Configuration
+
+### Default Config for HTTP-01 Challenge
+
+This is default config generated by the installer. This is shown here for reference to compare with the wildcard config below.
+
+1. Tell Traefik to use the `web` entrypoint for the HTTP challenge.
+
+`traefik_config.yml`
+
+```yaml
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      # highlight-start
+      httpChallenge:
+        entryPoint: web
+      # highlight-end
+      email: admin@example.com
+      storage: "/letsencrypt/acme.json"
+      caServer: "https://acme-v02.api.letsencrypt.org/directory"
+```
+
+2. Set the cert resolver to `letsencrypt` and the entrypoint to `websecure` in the dynamic config.
+
+`dynamic_config.yml`
+
+```yaml
+next-router:
+  rule: "Host(`example.com`) && !PathPrefix(`/api/v1`)"
+  service: next-service
+  entryPoints:
+    - websecure
+  tls:
+    certResolver: letsencrypt
+```
+
+### Wildcard Config for DNS-01 Challenge
+
+1. Tell Traefik to use your DNS provider for the DNS challenge. In this example, we are using Cloudflare.
+
+`traefik_config.yml`
+
+```yaml
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      # highlight-start
+      dnsChallenge:
+        provider: "cloudflare" # your DNS provider
+        # see https://doc.traefik.io/traefik/https/acme/#providers
+      # highlight-end 
+      email: "admin@example.com"
+      storage: "/letsencrypt/acme.json"
+      caServer: "https://acme-v02.api.letsencrypt.org/directory"
+```
+
+2. Add the domain and wildcard domain to the domains section of the next (front end) router in the dynamic config. This tells Traefik to generate a wildcard certificate for the base domain and all subdomains.
+
+`dynamic_config.yml`
+
+```yaml
+next-router:
+  rule: "Host(`example.com`) && !PathPrefix(`/api/v1`)"
+  service: next-service
+  entryPoints:
+    - websecure
+  tls:
+    certResolver: letsencrypt
+    # highlight-start
+    domains:
+      - main: "example.net"
+        sans:
+          - "*.example.net"
+    # highlight-end
+```
+
+3. Add the environment variables for your DNS provider to the Traefik service in the docker compose file. This allows Traefik to authenticate with your DNS provider to create the DNS records needed for the challenge.
+
+`docker-compose.yml`
+
+```yaml
+traefik:
+  image: traefik:v3.1
+  container_name: traefik
+  restart: unless-stopped
+  network_mode: service:gerbil
+  depends_on:
+    pangolin:
+      condition: service_healthy
+  command:
+    - --configFile=/etc/traefik/traefik_config.yml
+  # highlight-start
+  # Add the environment variables for your DNS provider.
+  environment:
+    CF_API_EMAIL: "admin@example.com"
+    CF_API_KEY: "854060790571461693d6214d0b0cb1e6"
+  # highlight-end
+  volumes:
+    - ./config/traefik:/etc/traefik:ro
+    - ./config/letsencrypt:/letsencrypt
+```
+
+Traefik supports most DNS providers. You can find a full list of supported providers and how to configure them in the [official Traefik documentation](https://doc.traefik.io/traefik/https/acme/#providers).