Traefik with SSL: understanding ACME

Enabling SSL certificates with automated renewals for Traefik in my Homelab setup turned out to be quite straightforward. All I had to do was configure Let’s Encrypt as the Certificate Authority (CA) with Cloudflare as the DNS provider in Traefik’s config files, and then activate it for services in the Docker Compose file. Once all the configurations were in place, Let’s Encrypt promptly issued certificates for the specified subdomains as outlined in the Traefik config. It left me in a bit of a ‘what just happened’ state.

While the Traefik container logs include info on some key events, it was not sufficient to understand the ACME protocol flow. I wanted to see API interactions between Traefik, the Let’s Encrypt server, and Cloudflare in order to understand the complete ACME flow. To gain a better understanding, I redirected the Traefik container’s traffic via BurpSuite proxy. This captured a comprehensive list of the APIs involved, aligning perfectly with the ACME flow specified in RFC 8555.

In this post, I’m sharing the configurations used and a rundown of the captured APIs in the ACME flow, giving you a peek into the process of generating a new Let’s Encrypt SSL certificate.

Traefik setup without SSL

Let’s assume the Traefik VM has the IP 192.168.0.123. There are four URLs representing different services (arbitrarily chosen for this post) that need to be routed through Traefik:

  • Traefik Dashboard: An internal service of Traefik running on port 8080.
  • whoami: A Docker container residing in the same VM.
  • Dozzle: Service in another VM within the same network.
  • example.com: Represents an external URL.
    Service             Before                               After
    Traefik dashboard   http://192.168.0.123:8080            http://192.168.0.123:8080
    whoami              http://192.168.0.123/whoami          http://192.168.0.123/whoami
    Dozzle              https://192.168.0.124:2443/dozzle    http://192.168.0.123/dozzle
    example.com         https://example.com                  http://192.168.0.123/example

As you can see, we are unifying all services so that they are reachable via the Traefik VM IP over HTTP. All services except the Traefik dashboard are now available on the specified paths.

fig 1: Traefik HTTP Setup

Here are the docker compose file and Traefik static & dynamic configuration files for the HTTP setup:

Docker Compose file:
traefik/docker-compose.yml

    services:
      traefik:
        image: "traefik:v2.11"
        container_name: "traefik"
        ports:
          - "80:80"
          - "8080:8080"
        volumes:
          - "/var/run/docker.sock:/var/run/docker.sock:ro"
          - "/home/ubuntu/traefik/etc/traefik:/etc/traefik"
      whoami:
        image: "traefik/whoami"
        container_name: "whoami"
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.whoami.rule=PathPrefix(`/whoami`)"
          - "traefik.http.routers.whoami.entrypoints=web"

Traefik Static Configuration file:
traefik/etc/traefik/traefik.yml

    log:
      level: DEBUG
    api:
      insecure: true
    accessLog: false
    providers:
      docker:
        exposedByDefault: false
      file:
        directory: "/etc/traefik/sites"
    entryPoints:
      web:
        address: ":80"

Traefik Dynamic Configuration files:
traefik/etc/traefik/sites/dozzle.yml

    http:
      routers:
        dozzle:
          rule: PathPrefix(`/dozzle`)
          entryPoints: web
          service: dozzle@file
      services:
        dozzle:
          loadBalancer:
            serversTransport: dozzle
            servers:
              - url: "https://192.168.0.124:2443/dozzle"
      serversTransports:
        dozzle:
          insecureSkipVerify: true

Note that insecureSkipVerify: true turns off certificate verification for the Dozzle backend, so Traefik will accept any certificate on 192.168.0.124:2443. That is convenient for a self-signed backend on a private network, but the stricter option is to keep verification on and point serversTransports.dozzle.rootCAs at the backend's CA or self-signed certificate.

traefik/etc/traefik/sites/example.yml

    http:
      routers:
        example:
          rule: PathPrefix(`/example`)
          entryPoints: web
          service: example@file
      services:
        example:
          loadBalancer:
            passHostHeader: false
            servers:
              - url: "https://example.com"

Traefik setup with SSL

Our next goal is to establish SSL: all URLs will be served on port 443.

We also need to set up automated certificate renewals using Let’s Encrypt certificates, so that the SSL certificates never have to be managed by hand.

Here is the plan:

    Service             Before                          After
    Traefik dashboard   http://192.168.0.123:8080       https://nas.mycustomservice.local/dashboard
    whoami              http://192.168.0.123/whoami     https://nas.mycustomservice.local/whoami
    Dozzle              http://192.168.0.123/dozzle     https://nas.mycustomservice.local/dozzle
    example.com         http://192.168.0.123/example    https://nas.mycustomservice.local/example

Note that the Traefik dashboard is no longer bound to a port but served under a URL path. The configuration below still publishes port 8080 with api.insecure: true, which exposes the dashboard and API without authentication to anyone who can reach the VM. Once the path-based route exists (a router pointing at the built-in api@internal service, ideally behind an authentication middleware), drop the 8080 port mapping and set api.insecure back to false.

fig 2: Traefik HTTPS Setup

We will attach the domain name nas.mycustomservice.local instead of the IP 192.168.0.123. Additionally, for demo purposes, I am adding test1.test2.mycustomservice.local as an alias for this domain and *.nas.mycustomservice.local so that the services can also be reached on subdomains if required.

Here are the DNS records; they point at local network IPs, so the services are reachable only from inside the Homelab network:

    A       nas          192.168.0.123
    A       test.local   192.168.0.123
    CNAME   *.nas        nas.mycustomservice.local

Here are the docker compose file and Traefik static & dynamic configuration files for the HTTPS setup. Compared with the HTTP setup, the additions are the 443 port mapping and the Cloudflare token variables in the compose file, the websecure entry point and the two certificate resolvers in the static configuration, and the *-secure routers plus the http2https redirect middleware in the dynamic configuration:

Docker Compose file:
traefik/docker-compose.yml

    services:
      traefik:
        image: "traefik:v2.11"
        container_name: "traefik"
        ports:
          - "80:80"
          - "8080:8080"
          - "443:443"
        volumes:
          - "/var/run/docker.sock:/var/run/docker.sock:ro"
          - "/home/ubuntu/traefik/etc/traefik:/etc/traefik"
        environment:
          CLOUDFLARE_DNS_API_TOKEN: "<token>"
          CLOUDFLARE_ZONE_API_TOKEN: "<token>"
      whoami:
        image: "traefik/whoami"
        container_name: "whoami"
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.whoami.rule=PathPrefix(`/whoami`)"
          - "traefik.http.routers.whoami.entrypoints=web"
          - "traefik.http.routers.whoami.middlewares=http2https@file"
          - "traefik.http.routers.whoami-secure.rule=PathPrefix(`/whoami`)"
          - "traefik.http.routers.whoami-secure.entrypoints=websecure"
          - "traefik.http.routers.whoami-secure.tls=true"

To generate the Cloudflare API tokens, refer to https://go-acme.github.io/lego/dns/cloudflare/#api-tokens. Treat the tokens as secrets: scope them to the one zone (DNS:Edit for CLOUDFLARE_DNS_API_TOKEN, Zone:Read for CLOUDFLARE_ZONE_API_TOKEN) rather than using an account-wide key, and keep them out of version control, for example via an env_file that is not committed.

Traefik Static Configuration file:
traefik/etc/traefik/traefik.yml

    log:
      level: DEBUG
    api:
      insecure: true
    accessLog: false
    providers:
      docker:
        exposedByDefault: false
      file:
        directory: "/etc/traefik/sites"
    entryPoints:
      web:
        address: ":80"
      websecure:
        address: ":443"
    certificatesResolvers:
      letEncryptStagingResolver:
        acme:
          caServer: https://acme-staging-v02.api.letsencrypt.org/directory
          email: [email protected]
          storage: /etc/traefik/acme.json
          dnsChallenge:
            provider: cloudflare
      letEncryptProductionResolver:
        acme:
          email: [email protected]
          storage: /etc/traefik/acme.json
          dnsChallenge:
            provider: cloudflare

Traefik Dynamic Configuration files:

Note: Use letEncryptStagingResolver during testing and switch to letEncryptProductionResolver once the configuration is finalized. The staging environment has much higher rate limits, so a misconfiguration does not burn through production quota, but its certificates chain to an untrusted root and will be rejected by browsers.

traefik/etc/traefik/sites/letsencrypt.yml

    tls:
      stores:
        default:
          defaultGeneratedCert:
            resolver: letEncryptProductionResolver
            domain:
              main: "nas.mycustomservice.local"
              sans:
                - "*.nas.mycustomservice.local"
                - "test1.test2.mycustomservice.local"

traefik/etc/traefik/sites/dozzle.yml

    http:
      routers:
        dozzle:
          rule: PathPrefix(`/dozzle`)
          entryPoints: web
          service: dozzle@file
          middlewares:
            - http2https
        dozzle-secure:
          rule: PathPrefix(`/dozzle`)
          entryPoints: websecure
          service: dozzle@file
          tls: {}
      services:
        dozzle:
          loadBalancer:
            serversTransport: dozzle
            servers:
              - url: "https://192.168.0.124:2443/dozzle"
      serversTransports:
        dozzle:
          insecureSkipVerify: true
      middlewares:
        http2https:
          redirectScheme:
            scheme: https

traefik/etc/traefik/sites/example.yml

    http:
      routers:
        example:
          rule: PathPrefix(`/example`)
          entryPoints: web
          service: example@file
          middlewares:
            - http2https
        example-secure:
          rule: PathPrefix(`/example`)
          entryPoints: websecure
          service: example@file
          tls: {}
      services:
        example:
          loadBalancer:
            passHostHeader: false
            servers:
              - url: "https://example.com"

Once these files are saved, Traefik contacts the Let’s Encrypt server to obtain the certificate. Because the certificate covers a wildcard name, Let’s Encrypt only accepts the dns-01 challenge for it, which is why the DNS challenge with Cloudflare is configured rather than http-01. If you watch the zone in Cloudflare, you can see temporary _acme-challenge TXT records being created and then removed.

This completes the SSL certificate setup; https://nas.mycustomservice.local/<service_path> now gives access to each service.

The generated SSL certificate can be viewed in /etc/traefik/acme.json. The file holds the ACME account private key and the certificate's private key (as base64-encoded PEM), so it is secret material: Traefik refuses to start unless its permissions are 600, and it must be kept out of version control. The dump below was taken while the staging resolver was selected, which is why only letEncryptStagingResolver is populated:

/etc/traefik/acme.json

    {
      "letEncryptStagingResolver": {
        "Account": {
          "Email": "[email protected]",
          "Registration": {
            "body": {
              "status": "valid",
              "contact": ["mailto:[email protected]"]
            },
            "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789"
          },
          "PrivateKey": "MIIJKQIB...F9t44KnJ",
          "KeyType": "4096"
        },
        "Certificates": [
          {
            "domain": {
              "main": "*.nas.mycustomservice.local",
              "sans": ["nas.mycustomservice.local", "test1.test2.mycustomservice.local"]
            },
            "certificate": "LS0tLS1...LS0tLS0K",
            "key": "LS0tLS1...S0tLS0tCg==",
            "Store": "default"
          }
        ]
      },
      "letEncryptProductionResolver": {
        "Account": null,
        "Certificates": null
      }
    }


What’s happening internally?

The diagram below depicts the typical sequence of requests for SSL certificate issuance by Traefik using the ACME protocol (Let’s Encrypt as Certificate Authority) and with DNS challenge type (Cloudflare as DNS provider).

fig 3: SSL certificate issuance process with ACME

[Debugging] How to view API requests?

Burp Suite's proxy was used to capture these API requests. First, the proxy listener was enabled and Burp's CA certificate was exported in DER format. It was then converted to PEM, the format that Go's TLS stack (and hence Traefik) loads from /etc/ssl/certs, with the following command (-inform der is required because openssl x509 expects PEM input by default):

    openssl x509 -inform der -in /path/to/burp_ca.der -outform pem -out /path/to/burp_ca.pem

This file was then transferred to the VM hosting the Traefik container, and the docker-compose file was updated as shown below, after which every request appeared in Burp Suite's Proxy > HTTP history. Two practical notes: HTTP_PROXY and HTTPS_PROXY need a host and port (for example http://192.168.0.50:8080 for a Burp listener on its default port 8080; that address is illustrative), and because Go honours these variables for every outbound request, Traefik's own calls to backends such as https://example.com go through Burp as well, so set NO_PROXY for internal addresses if that is unwanted. This is a debugging configuration: the container now trusts a CA that can sign for any host, and the Cloudflare bearer tokens pass through Burp's history in the clear. Remove the certificate mount and the proxy variables once the capture is done.

traefik/docker-compose.yml

    services:
      traefik:
        image: "traefik:v2.11"
        container_name: "traefik"
        ports:
          - "80:80"
          - "8080:8080"
          - "443:443"
        volumes:
          - "/var/run/docker.sock:/var/run/docker.sock:ro"
          - "/home/ubuntu/traefik/etc/traefik:/etc/traefik"
          - "/home/ubuntu/traefik/burp_ca.pem:/etc/ssl/certs/burp_ca.pem"
        environment:
          CLOUDFLARE_DNS_API_TOKEN: "<token>"
          CLOUDFLARE_ZONE_API_TOKEN: "<token>"
          HTTP_PROXY: "<IP_of_the_machine_with_burpsuite_proxy>"
          HTTPS_PROXY: "<IP_of_the_machine_with_burpsuite_proxy>"
      whoami:
        image: "traefik/whoami"
        container_name: "whoami"
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.whoami.rule=PathPrefix(`/whoami`)"
          - "traefik.http.routers.whoami.entrypoints=web"
          - "traefik.http.routers.whoami.middlewares=http2https@file"
          - "traefik.http.routers.whoami-secure.rule=PathPrefix(`/whoami`)"
          - "traefik.http.routers.whoami-secure.entrypoints=websecure"
          - "traefik.http.routers.whoami-secure.tls=true"

Cloudflare ↔ Traefik ↔ Let’s Encrypt API Interaction

Here is the request and response detail for each API call recorded in Burp Suite. Nonces, tokens, signatures and identifiers have been redacted or truncated. In the JWS request bodies the protected header and payload are shown decoded where the author expanded them; on the wire both are base64url strings, which is why the challenge trigger later appears with the raw payload "e30", the base64url encoding of {}.

Traefik → Let's Encrypt: directory, nonce, account, order and authorizations
GET /directory
Request:

    GET /directory HTTP/1.1
    Host: acme-staging-v02.api.letsencrypt.org
    User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
    Accept-Encoding: gzip, deflate, br
    Connection: close

Response:

    HTTP/2 200 OK
    Server: nginx
    Date: Mon, 15 Apr 2024 22:44:23 GMT
    Content-Type: application/json
    Content-Length: 821
    Cache-Control: public, max-age=0, no-cache
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800

    {
      "aXXX5so4OUM": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
      "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
      "meta": {
        "caaIdentities": ["letsencrypt.org"],
        "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
        "website": "https://letsencrypt.org/docs/staging-environment/"
      },
      "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
      "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
      "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
      "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo/",
      "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
    }
HEAD /acme/new-nonce
Request:

    HEAD /acme/new-nonce HTTP/2
    Host: acme-staging-v02.api.letsencrypt.org
    User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)

Response:

    HTTP/2 200 OK
    Server: nginx
    Date: Mon, 15 Apr 2024 22:44:23 GMT
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: <nonce_1>
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
POST /acme/new-acct
Request:

    POST /acme/new-acct HTTP/2
    Host: acme-staging-v02.api.letsencrypt.org
    User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
    Content-Length: 1979
    Content-Type: application/jose+json
    Accept-Encoding: gzip, deflate, br

    {
      "payload": {
        "contact": ["mailto:[email protected]"],
        "termsOfServiceAgreed": true
      },
      "protected": {
        "alg": "RS256",
        "jwk": {"kty": "RSA", "n": "txHVs5DnkevYfwsxT...qJRoxmQYVNdo-Gp0G5MeIFaAk", "e": "AQAB"},
        "nonce": "<nonce_1>",
        "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct"
      },
      "signature": "PkiNgKlURafo...8V2yQRzibY"
    }

Response:

    HTTP/2 201 Created
    Server: nginx
    Date: Mon, 15 Apr 2024 22:44:24 GMT
    Content-Type: application/json
    Content-Length: 907
    Boulder-Requester: 123456789
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
    Link: <https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf>;rel="terms-of-service"
    Location: https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789
    Replay-Nonce: <nonce_2>
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800

    {
      "key": {"kty": "RSA", "n": "txHVs5DnkevYfwsxTSndw...Gp0G5MeIFaAk", "e": "AQAB"},
      "contact": ["mailto:[email protected]"],
      "initialIp": "<server_ip>",
      "createdAt": "2024-04-15T22:44:24.238667243Z",
      "status": "valid"
    }
POST /acme/new-order
Request:

    POST /acme/new-order HTTP/2
    Host: acme-staging-v02.api.letsencrypt.org
    User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
    Content-Length: 1210
    Content-Type: application/jose+json
    Accept-Encoding: gzip, deflate, br

    {
      "payload": {
        "identifiers": [
          {"type": "dns", "value": "*.nas.mycustomservice.local"},
          {"type": "dns", "value": "nas.mycustomservice.local"},
          {"type": "dns", "value": "test1.test2.mycustomservice.local"}
        ]
      },
      "protected": {
        "alg": "RS256",
        "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
        "nonce": "<nonce_2>",
        "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order"
      },
      "signature": "iHW7BjmDfBxv6hO...m3B2BPtUxk_7Jzw"
    }

Response:

    HTTP/2 201 Created
    Server: nginx
    Date: Mon, 15 Apr 2024 22:44:24 GMT
    Content-Type: application/json
    Content-Length: 648
    Boulder-Requester: 123456789
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
    Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/123456789/11122233344
    Replay-Nonce: <nonce_3>
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800

    {
      "status": "pending",
      "expires": "2024-04-22T22:44:24Z",
      "identifiers": [
        {"type": "dns", "value": "*.nas.mycustomservice.local"},
        {"type": "dns", "value": "nas.mycustomservice.local"},
        {"type": "dns", "value": "test1.test2.mycustomservice.local"}
      ],
      "authorizations": [
        "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111",
        "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22222222222",
        "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333"
      ],
      "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/123456789/11122233344"
    }
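Every POST so far carried the Replay-Nonce from the previous response; the new-account request identified itself with a jwk, and new-order with the kid returned in the Location header. The following is an added example written for this post (not code from the post, Traefik, lego or Boulder) that models both sides of that envelope: the client builds the flattened JWS with jwk only before an account exists and kid afterwards, with "" as the payload for POST-as-GET and "e30" for {}, and a toy server applies the anti-replay rules of RFC 8555 sections 6.2 to 6.5: each nonce is issued once and consumed once, the request URL is bound into the signed header, and even an error reply carries a fresh nonce. The signature step is abstracted: the demo signer is HMAC with a constructed key, a stand-in used only so the example runs without an RSA library, whereas a real client signs with the account's RSA key (alg RS256 in the capture). The staging directory URL is the one from the post; the key, account URL and nonces are constructed.

```python
"""Client envelope and server nonce checks for ACME (RFC 8555 sections 6.2-6.5).

Added example for this post, not code from Traefik, lego or Boulder. The HMAC
signer is a stand-in for RS256 so the example runs offline; the key, nonces
and account URL are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Callable, Optional

DIRECTORY = "https://acme-staging-v02.api.letsencrypt.org"  # staging CA used in the post


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AcmeClient:
    def __init__(self, jwk: dict, signer: Callable[[bytes], bytes]):
        self.jwk, self.signer = jwk, signer
        self.kid: Optional[str] = None    # Location header of the new-account reply
        self.nonce: Optional[str] = None  # Replay-Nonce of the latest reply

    def envelope(self, url: str, payload: Optional[dict]) -> dict:
        """Flattened JWS as in the capture. payload None -> POST-as-GET ("")."""
        protected = {"alg": "RS256", "nonce": self.nonce, "url": url}
        if self.kid is None:              # section 6.2: jwk only before an account exists
            protected["jwk"] = self.jwk
        else:
            protected["kid"] = self.kid
        p = b64url(json.dumps(protected, separators=(",", ":")).encode())
        body = "" if payload is None else b64url(json.dumps(payload, separators=(",", ":")).encode())
        self.nonce = None                 # single use; the reply brings the next one
        return {"protected": p, "payload": body, "signature": b64url(self.signer(f"{p}.{body}".encode()))}


class ToyAcmeServer:
    """Enough of a CA's request validation to show the anti-replay rules."""

    def __init__(self, verifier: Callable[[bytes, bytes], bool]):
        self.verifier, self.unused, self.accounts = verifier, set(), {}

    def new_nonce(self) -> str:           # HEAD /acme/new-nonce
        nonce = b64url(secrets.token_bytes(16))
        self.unused.add(nonce)
        return nonce

    def post(self, url: str, jws: dict) -> tuple:
        """Returns (status, body, Replay-Nonce). Even error replies carry a fresh nonce."""
        fresh = self.new_nonce()
        err = lambda kind: (400, {"type": f"urn:ietf:params:acme:error:{kind}"}, fresh)
        protected = json.loads(b64url_decode(jws["protected"]))
        if protected.get("nonce") not in self.unused:
            return err("badNonce")        # replayed, forged or never issued
        self.unused.discard(protected["nonce"])
        if protected.get("url") != url:   # section 6.4: URL is part of the signed header
            return err("malformed")
        if not self.verifier(f"{jws['protected']}.{jws['payload']}".encode(), b64url_decode(jws["signature"])):
            return err("malformed")
        if url == f"{DIRECTORY}/acme/new-acct":
            if "jwk" not in protected or "kid" in protected:
                return err("malformed")
            kid = f"{DIRECTORY}/acme/acct/{len(self.accounts) + 1}"
            self.accounts[kid] = protected["jwk"]
            return 201, {"status": "valid", "kid": kid}, fresh
        if protected.get("kid") not in self.accounts:
            return err("accountDoesNotExist")
        return 200, {"status": "pending", "url": url}, fresh


# Constructed demo key; HMAC stands in for the RSA sign/verify pair.
_DEMO_KEY = b"constructed-demo-account-key"
demo_signer = lambda data: hmac.new(_DEMO_KEY, data, hashlib.sha256).digest()
demo_verifier = lambda data, sig: hmac.compare_digest(demo_signer(data), sig)
DEMO_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}


def run_flow() -> dict:
    """new-nonce -> new-account (jwk) -> POST-as-GET (kid) -> replay -> retry."""
    server, client, out = ToyAcmeServer(demo_verifier), AcmeClient(DEMO_JWK, demo_signer), {}
    client.nonce = server.new_nonce()
    url = f"{DIRECTORY}/acme/new-acct"
    status, body, client.nonce = server.post(url, client.envelope(url, {"termsOfServiceAgreed": True}))
    out["new_account"], client.kid = status, body["kid"]
    url = f"{DIRECTORY}/acme/authz-v3/11111111111"
    jws = client.envelope(url, None)                     # POST-as-GET, payload ""
    out["post_as_get_payload"] = jws["payload"]
    out["post_as_get"], _, client.nonce = server.post(url, jws)
    out["replay"] = server.post(url, jws)[1]["type"]     # same JWS again: nonce already consumed
    jws = client.envelope(url, {})                       # challenge-trigger style payload {}
    out["empty_object_payload"] = jws["payload"]
    out["after_replay"], _, client.nonce = server.post(url, jws)
    return out


if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=2))
```

Running it prints the status of each step; the replayed request is answered with urn:ietf:params:acme:error:badNonce while the retry with the nonce from the previous reply succeeds, which is the behaviour lego relies on when it retries after a badNonce.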
POST /acme/authz-v3/11111111111
Request:

    POST /acme/authz-v3/11111111111 HTTP/2
    Host: acme-staging-v02.api.letsencrypt.org
    User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
    Content-Length: 1033
    Content-Type: application/jose+json
    Accept-Encoding: gzip, deflate, br

    {
      "payload": "",
      "protected": {
        "alg": "RS256",
        "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
        "nonce": "<nonce_3>",
        "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111"
      },
      "signature": "pYj8p8yW2FCFJrr...fLpx4jtFAHjFFM2-SA"
    }

Response:

    HTTP/2 200 OK
    Server: nginx
    Date: Mon, 15 Apr 2024 22:44:25 GMT
    Content-Type: application/json
    Content-Length: 392
    Boulder-Requester: 123456789
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: <nonce_4>
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800

    {
      "identifier": {"type": "dns", "value": "nas.mycustomservice.local"},
      "status": "pending",
      "expires": "2024-04-22T22:44:24Z",
      "challenges": [
        {"type": "dns-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11111111111/aaaAAA", "token": "<token_1>"}
      ],
      "wildcard": true
    }
HEAD /acme/new-nonce
Request:

    HEAD /acme/new-nonce HTTP/2
    Host: acme-staging-v02.api.letsencrypt.org
    User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)

Response:

    HTTP/2 200 OK
    Server: nginx
    Date: Mon, 15 Apr 2024 22:44:25 GMT
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: <nonce_5>
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800

HEAD /acme/new-nonce
Request:

    HEAD /acme/new-nonce HTTP/2
    Host: acme-staging-v02.api.letsencrypt.org
    User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)

Response:

    HTTP/2 200 OK
    Server: nginx
    Date: Mon, 15 Apr 2024 22:44:25 GMT
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: <nonce_6>
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
POST /acme/authz-v3/22222222222
Request:

    POST /acme/authz-v3/22222222222 HTTP/2
    Host: acme-staging-v02.api.letsencrypt.org
    User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
    Content-Length: 1033
    Content-Type: application/jose+json
    Accept-Encoding: gzip, deflate, br

    {
      "payload": "",
      "protected": {
        "alg": "RS256",
        "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
        "nonce": "<nonce_5>",
        "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22222222222"
      },
      "signature": "Hh2nnXUaDQe...Kqvz5Tliq19FRNpg5Q"
    }

Response:

    HTTP/2 200 OK
    Server: nginx
    Date: Mon, 15 Apr 2024 22:44:25 GMT
    Content-Type: application/json
    Content-Length: 816
    Boulder-Requester: 123456789
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: <nonce_7>
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800

    {
      "identifier": {"type": "dns", "value": "nas.mycustomservice.local"},
      "status": "pending",
      "expires": "2024-04-22T22:44:24Z",
      "challenges": [
        {"type": "http-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/eeeEEE", "token": "<token_2>"},
        {"type": "dns-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/bbbBBB", "token": "<token_2>"},
        {"type": "tls-alpn-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/dddDDD", "token": "<token_2>"}
      ]
    }
POST /acme/authz-v3/33333333333
Request:

    POST /acme/authz-v3/33333333333 HTTP/2
    Host: acme-staging-v02.api.letsencrypt.org
    User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
    Content-Length: 1033
    Content-Type: application/jose+json
    Accept-Encoding: gzip, deflate, br

    {
      "payload": "",
      "protected": {
        "alg": "RS256",
        "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
        "nonce": "<nonce_6>",
        "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333"
      },
      "signature": "O3i3GhFrvTjBsWp...iWgkXuJJ1u7TR8g4"
    }

Response:

    HTTP/2 200 OK
    Server: nginx
    Date: Mon, 15 Apr 2024 22:44:25 GMT
    Content-Type: application/json
    Content-Length: 830
    Boulder-Requester: 123456789
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: <nonce_8>
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800

    {
      "identifier": {"type": "dns", "value": "test1.test2.mycustomservice.local"},
      "status": "pending",
      "expires": "2024-04-22T22:44:24Z",
      "challenges": [
        {"type": "http-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/fffFFF", "token": "<token_3>"},
        {"type": "dns-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/cccCCC", "token": "<token_3>"},
        {"type": "tls-alpn-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/gggGGG", "token": "<token_3>"}
      ]
    }
Traefik → Cloudflare: publishing the dns-01 TXT records

The zone lookup is made with one bearer token and the record writes with another, matching the CLOUDFLARE_ZONE_API_TOKEN (Zone:Read; note the #zone:read permission in the response) and CLOUDFLARE_DNS_API_TOKEN (DNS:Edit) split in the compose file. Each TXT record is created with a 120 second TTL and is removed again once validation is over.
GET /client/v4/zones?name=example.com&per_page=50
Request:

    GET /client/v4/zones?name=example.com&per_page=50 HTTP/1.1
    Host: api.cloudflare.com
    Authorization: Bearer <bearer_token_1>
    User-Agent: cloudflare-go/v4
    Content-Type: application/json
    Accept-Encoding: gzip, deflate, br
    Connection: close

Response:

    HTTP/2 200 OK
    Date: Mon, 15 Apr 2024 22:44:26 GMT
    Content-Type: application/json
    Cf-Ray: 4ba0722d24fb3b1b-SFO
    Cf-Cache-Status: DYNAMIC
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Sun, 25 Jan 1981 05:00:00 GMT
    Set-Cookie: __cflb=0...D; SameSite=Lax; path=/; expires=Tue, 16-Apr-24 01:14:27 GMT; HttpOnly
    Strict-Transport-Security: max-age=31536000
    Pragma: no-cache
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    Vary: Accept-Encoding
    Set-Cookie: __cfruid=f...6; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare

    {
      "result": [
        {
          "id": "zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ",
          "name": "example.com",
          "status": "active",
          "paused": false,
          "type": "full",
          "development_mode": 0,
          "name_servers": ["dina.ns.cloudflare.com", "phil.ns.cloudflare.com"],
          "original_name_servers": null,
          "original_registrar": null,
          "original_dnshost": null,
          "modified_on": "2024-04-02T19:46:42.072328Z",
          "created_on": "2022-12-19T05:26:53.707734Z",
          "activated_on": "2022-12-19T05:38:03.856067Z",
          "meta": {"step": 2, "custom_certificate_quota": 0, "page_rule_quota": 3, "phishing_detected": false, "multiple_railguns_allowed": false},
          "owner": {"id": null, "type": "user", "email": null},
          "account": {"id": "<acc_id>", "name": "<acc_name>"},
          "tenant": {"id": null, "name": null},
          "tenant_unit": {"id": null},
          "permissions": ["#zone:read", "#zone_settings:read"],
          "plan": {"id": "0feeeeeeeeeeeeeeeeeeeeeeeeeeeeee", "name": "Free Website", "price": 0, "currency": "USD", "frequency": "", "is_subscribed": false, "can_subscribe": false, "legacy_id": "free", "legacy_discount": false, "externally_managed": false}
        }
      ],
      "result_info": {"page": 1, "per_page": 50, "total_pages": 1, "count": 1, "total_count": 1},
      "success": true,
      "errors": [],
      "messages": []
    }
POST /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records
Request:

    POST /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records HTTP/2
    Host: api.cloudflare.com
    Authorization: Bearer <bearer_token_2>
    User-Agent: cloudflare-go/v4
    Content-Type: application/json
    Content-Length: 174
    Accept-Encoding: gzip, deflate, br

    {"created_on": "0001-01-01T00:00:00Z", "modified_on": "0001-01-01T00:00:00Z", "type": "TXT", "name": "nas.mycustomservice.local", "content": "BbR...E1I", "ttl": 120}

Response:

    HTTP/2 200 OK
    Date: Mon, 15 Apr 2024 22:44:27 GMT
    Content-Type: application/json
    Cf-Ray: 874f75d4c9b73c12-SFO
    Cf-Cache-Status: DYNAMIC
    Set-Cookie: __cflb=0...F; SameSite=Lax; path=/; expires=Tue, 16-Apr-24 01:14:28 GMT; HttpOnly
    Vary: Accept-Encoding
    Set-Cookie: __cfruid=7...7; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare

    {
      "result": {
        "id": "aAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaA",
        "zone_id": "zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ",
        "zone_name": "example.com",
        "name": "nas.mycustomservice.local",
        "type": "TXT",
        "content": "BbR...E1I",
        "proxiable": false, "proxied": false, "ttl": 120, "locked": false,
        "meta": {"auto_added": false, "managed_by_apps": false, "managed_by_argo_tunnel": false},
        "comment": null, "tags": [],
        "created_on": "2024-04-15T22:44:27.736818Z",
        "modified_on": "2024-04-15T22:44:27.736818Z"
      },
      "success": true, "errors": [], "messages": []
    }
POST /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records
Request:

    POST /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records HTTP/2
    Host: api.cloudflare.com
    Authorization: Bearer <bearer_token_2>
    User-Agent: cloudflare-go/v4
    Content-Type: application/json
    Content-Length: 174
    Accept-Encoding: gzip, deflate, br

    {"created_on": "0001-01-01T00:00:00Z", "modified_on": "0001-01-01T00:00:00Z", "type": "TXT", "name": "nas.mycustomservice.local", "content": "_SN...xi0", "ttl": 120}

Response:

    HTTP/2 200 OK
    Date: Mon, 15 Apr 2024 22:44:28 GMT
    Content-Type: application/json
    Cf-Ray: 874f75dabaee3c12-SFO
    Cf-Cache-Status: DYNAMIC
    Set-Cookie: __cflb=0...F; SameSite=Lax; path=/; expires=Tue, 16-Apr-24 01:14:29 GMT; HttpOnly
    Vary: Accept-Encoding
    Set-Cookie: __cfruid=1...; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare

    {
      "result": {
        "id": "bBbBbBbBbBbBbBbBbBbBbBbBbBbBbBbB",
        "zone_id": "zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ",
        "zone_name": "example.com",
        "name": "nas.mycustomservice.local",
        "type": "TXT",
        "content": "_SN...xi0",
        "proxiable": false, "proxied": false, "ttl": 120, "locked": false,
        "meta": {"auto_added": false, "managed_by_apps": false, "managed_by_argo_tunnel": false},
        "comment": null, "tags": [],
        "created_on": "2024-04-15T22:44:28.444277Z",
        "modified_on": "2024-04-15T22:44:28.444277Z"
      },
      "success": true, "errors": [], "messages": []
    }
POST /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records
Request:

    POST /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records HTTP/2
    Host: api.cloudflare.com
    Authorization: Bearer <bearer_token_2>
    User-Agent: cloudflare-go/v4
    Content-Type: application/json
    Content-Length: 204
    Accept-Encoding: gzip, deflate, br

    {"created_on": "0001-01-01T00:00:00Z", "modified_on": "0001-01-01T00:00:00Z", "type": "TXT", "name": "_acme-challenge.test1.test2.mycustomservice.local", "content": "g4K...Prg", "ttl": 120}

Response:

    HTTP/2 200 OK
    Date: Mon, 15 Apr 2024 22:44:29 GMT
    Content-Type: application/json
    Cf-Ray: 874f75dfcc0a3c12-SFO
    Cf-Cache-Status: DYNAMIC
    Set-Cookie: __cflb=0...m; SameSite=Lax; path=/; expires=Tue, 16-Apr-24 01:14:30 GMT; HttpOnly
    Vary: Accept-Encoding
    Set-Cookie: __cfruid=1...9; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare

    {
      "result": {
        "id": "cCcCcCcCcCcCcCcCcCcCcCcCcCcCcCcC",
        "zone_id": "zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ",
        "zone_name": "example.com",
        "name": "_acme-challenge.test1.test2.mycustomservice.local",
        "type": "TXT",
        "content": "g4K...Prg",
        "proxiable": false, "proxied": false, "ttl": 120, "locked": false,
        "meta": {"auto_added": false, "managed_by_apps": false, "managed_by_argo_tunnel": false},
        "comment": null, "tags": [],
        "created_on": "2024-04-15T22:44:29.294042Z",
        "modified_on": "2024-04-15T22:44:29.294042Z"
      },
      "success": true, "errors": [], "messages": []
    }
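The TXT values written above are derived from the challenge tokens and the account key. The following is an added example written for this post (not code from Traefik, lego or Let's Encrypt) that carries out the dns-01 arithmetic of RFC 8555 sections 8.1 and 8.4 and RFC 7638 for both sides: what the client publishes, and the check the CA performs once the challenge is triggered. It also makes explicit why two records land on one name: the wildcard authorization (the one returned with wildcard: true and only a dns-01 challenge) and the base-name authorization both map to _acme-challenge.nas.mycustomservice.local, with different values because their tokens differ. The JWK, the tokens and the in-memory zone standing in for Cloudflare and the CA's resolver are constructed placeholders, not the captured values.

```python
"""dns-01 arithmetic from RFC 8555 sections 8.1 and 8.4 and RFC 7638.

Added example for this post, not code from Traefik, lego or Let's Encrypt.
The account JWK, the challenge tokens and the in-memory zone are constructed
placeholders, not the values captured in the post.
"""
import base64
import hashlib
import json
from typing import Callable, Dict, List, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexicographically
    ordered, no whitespace. Extra members such as alg or kid are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account public key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(identifier: str, token: str, jwk: dict) -> Tuple[str, str]:
    """RFC 8555 section 8.4: name is _acme-challenge. plus the identifier with
    any leading '*.' stripped; value is base64url(SHA-256(key authorization)).
    A wildcard and its base name share the name but get different values."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


def ca_validates(identifier: str, token: str, jwk: dict,
                 txt_lookup: Callable[[str], List[str]]) -> bool:
    """What the CA does after the client POSTs {} to the challenge URL:
    query TXT at the challenge name and accept if any value matches.
    txt_lookup stands in for the CA's resolver (the validationRecord)."""
    name, expected = dns01_record(identifier, token, jwk)
    return expected in txt_lookup(name)


# Constructed public key (the modulus is a placeholder string, not a real RSA
# key) and constructed tokens, one per authorization in the post's order.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
TOKENS = {
    "*.nas.mycustomservice.local": "token-for-the-wildcard-authz",
    "nas.mycustomservice.local": "token-for-the-base-name-authz",
    "test1.test2.mycustomservice.local": "token-for-the-test1-authz",
}


def publish_all() -> Dict[str, List[str]]:
    """The zone contents lego pushes to Cloudflare: TXT name -> values.
    Several values at one name are fine; the CA accepts any match."""
    zone: Dict[str, List[str]] = {}
    for ident, token in TOKENS.items():
        name, value = dns01_record(ident, token, ACCOUNT_JWK)
        zone.setdefault(name, []).append(value)
    return zone


if __name__ == "__main__":
    zone = publish_all()
    for name, values in zone.items():
        print(name, "->", values)
    for ident, token in TOKENS.items():
        ok = ca_validates(ident, token, ACCOUNT_JWK, lambda n: zone.get(n, []))
        print(ident, "valid" if ok else "invalid")
```

Because the value is a digest of token plus account-key thumbprint, a TXT record can only be forged by someone who holds the account key, and a record left behind from an earlier order is harmless. The repeated authorization polls that follow in the capture are lego waiting for the CA's resolver to observe these records.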
Traefik → Let's Encrypt: triggering the dns-01 challenge and polling the authorization
POST /acme/chall-v3/11111111111/aaaAAA
Request:

    POST /acme/chall-v3/11111111111/aaaAAA HTTP/2
    Host: acme-staging-v02.api.letsencrypt.org
    User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
    Content-Length: 1045
    Content-Type: application/jose+json
    Accept-Encoding: gzip, deflate, br

    {
      "payload": "e30",
      "protected": {
        "alg": "RS256",
        "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
        "nonce": "<nonce_8>",
        "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11111111111/aaaAAA"
      },
      "signature": "YpujTx3RiJszf3D...wfdef6KmEFfFrrQ"
    }

Response:

    HTTP/2 200 OK
    Server: nginx
    Date: Mon, 15 Apr 2024 22:44:31 GMT
    Content-Type: application/json
    Content-Length: 193
    Boulder-Requester: 123456789
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
    Link: <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111>;rel="up"
    Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11111111111/aaaAAA
    Replay-Nonce: <nonce_9>
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800

    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11111111111/aaaAAA",
      "token": "<token_1>"
    }
POST /acme/authz-v3/11111111111
Request:

    POST /acme/authz-v3/11111111111 HTTP/2
    Host: acme-staging-v02.api.letsencrypt.org
    User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
    Content-Length: 1033
    Content-Type: application/jose+json
    Accept-Encoding: gzip, deflate, br

    {
      "payload": "",
      "protected": {
        "alg": "RS256",
        "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
        "nonce": "<nonce_9>",
        "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111"
      },
      "signature": "nJBPLq2Lds321...oGvkZANUXIm284"
    }

Response:

    HTTP/2 200 OK
    Server: nginx
    Date: Mon, 15 Apr 2024 22:44:32 GMT
    Content-Type: application/json
    Content-Length: 392
    Boulder-Requester: 123456789
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: <nonce_10>
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800

    {
      "identifier": {"type": "dns", "value": "nas.mycustomservice.local"},
      "status": "pending",
      "expires": "2024-04-22T22:44:24Z",
      "challenges": [
        {"type": "dns-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11111111111/aaaAAA", "token": "<token_1>"}
      ],
      "wildcard": true
    }
POST /acme/authz-v3/11111111111
Request:

    POST /acme/authz-v3/11111111111 HTTP/2
    Host: acme-staging-v02.api.letsencrypt.org
    User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
    Content-Length: 1033
    Content-Type: application/jose+json
    Accept-Encoding: gzip, deflate, br

    {
      "payload": "",
      "protected": {
        "alg": "RS256",
        "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
        "nonce": "<nonce_10>",
        "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111"
      },
      "signature": "r-N9y58zlB9i2r...CIW-Y8w8qwo1_ws"
    }

Response:

    HTTP/2 200 OK
    Server: nginx
    Date: Mon, 15 Apr 2024 22:44:35 GMT
    Content-Type: application/json
    Content-Length: 392
    Boulder-Requester: 123456789
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: <nonce_11>
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800

    {
      "identifier": {"type": "dns", "value": "nas.mycustomservice.local"},
      "status": "pending",
      "expires": "2024-04-22T22:44:24Z",
      "challenges": [
        {"type": "dns-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11111111111/aaaAAA", "token": "<token_1>"}
      ],
      "wildcard": true
    }
POST /acme/authz-v3/11111111111
Request
 1 2 3 4 5 6 7 8 91011121314151617
POST /acme/authz-v3/11111111111 HTTP/2Host:acme-staging-v02.api.letsencrypt.orgUser-Agent:containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)Content-Length:1033Content-Type:application/jose+jsonAccept-Encoding:gzip, deflate, br{"payload":"","protected":{"alg":"RS256","kid":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789","nonce":"<nonce_11>","url":"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111"},"signature":"sKKxfXxd8eVYmvLf...KSO9jzvdLA0VRk"}
Response
```http
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:44:45 GMT
Content-Type: application/json
Content-Length: 392
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_12>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "nas.mycustomservice.local"
  },
  "status": "pending",
  "expires": "2024-04-22T22:44:24Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11111111111/aaaAAA",
      "token": "<token_1>"
    }
  ],
  "wildcard": true
}
```
POST /acme/authz-v3/11111111111
Request
```http
POST /acme/authz-v3/11111111111 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload": "",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_12>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111"
  },
  "signature": "m8VMj7Mdv8jI3...GbLqTZJEuqKYYE"
}
```
Response
```http
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:44:56 GMT
Content-Type: application/json
Content-Length: 597
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_13>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "nas.mycustomservice.local"
  },
  "status": "valid",
  "expires": "2024-05-15T22:44:51Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11111111111/aaaAAA",
      "token": "<token_1>",
      "validationRecord": [
        {
          "hostname": "nas.mycustomservice.local",
          "resolverAddrs": [
            "10.0.32.85:28460"
          ]
        }
      ],
      "validated": "2024-04-15T22:44:31Z"
    }
  ],
  "wildcard": true
}
```
POST /acme/chall-v3/22222222222/bbbBBB
Request
```http
POST /acme/chall-v3/22222222222/bbbBBB HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1045
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload": "e30",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_13>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/bbbBBB"
  },
  "signature": "KoR8Npq7IbAosgLUX...Ua9S_ai78uno4"
}
```
Response
```http
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:44:59 GMT
Content-Type: application/json
Content-Length: 193
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Link: <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22222222222>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/bbbBBB
Replay-Nonce: <nonce_14>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/bbbBBB",
  "token": "<token_2>"
}
```
POST /acme/authz-v3/22222222222
Request
```http
POST /acme/authz-v3/22222222222 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload": "",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_14>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22222222222"
  },
  "signature": "W8SCrjEIrr6o...fAr4Bs0kiU1uIaw"
}
```
Response
```http
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:44:59 GMT
Content-Type: application/json
Content-Length: 816
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_15>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "nas.mycustomservice.local"
  },
  "status": "pending",
  "expires": "2024-04-22T22:44:24Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/eeeEEE",
      "token": "<token_2>"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/bbbBBB",
      "token": "<token_2>"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/dddDDD",
      "token": "<token_2>"
    }
  ]
}
```
POST /acme/authz-v3/22222222222
Request
```http
POST /acme/authz-v3/22222222222 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload": "",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_15>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22222222222"
  },
  "signature": "NH-TaMdUBCoG9N...IMeHGs8LxRnSj-4s"
}
```
Response
```http
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:07 GMT
Content-Type: application/json
Content-Length: 816
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_16>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "nas.mycustomservice.local"
  },
  "status": "pending",
  "expires": "2024-04-22T22:44:24Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/eeeEEE",
      "token": "<token_2>"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/bbbBBB",
      "token": "<token_2>"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/dddDDD",
      "token": "<token_2>"
    }
  ]
}
```
POST /acme/authz-v3/22222222222
Request
```http
POST /acme/authz-v3/22222222222 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload": "",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_16>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22222222222"
  },
  "signature": "Rrl0vQb083f3qY6mr...56fDga--8YhSpk"
}
```
Response
```http
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:12 GMT
Content-Type: application/json
Content-Length: 577
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_17>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "nas.mycustomservice.local"
  },
  "status": "valid",
  "expires": "2024-05-15T22:45:09Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/bbbBBB",
      "token": "<token_2>",
      "validationRecord": [
        {
          "hostname": "nas.mycustomservice.local",
          "resolverAddrs": [
            "10.0.32.82:23095"
          ]
        }
      ],
      "validated": "2024-04-15T22:44:59Z"
    }
  ]
}
```
POST /acme/chall-v3/33333333333/cccCCC
Request
```http
POST /acme/chall-v3/33333333333/cccCCC HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1045
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload": "e30",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_17>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/cccCCC"
  },
  "signature": "pPaeqBiq4HqW5...QBSi3l87xrdUM"
}
```
Response
```http
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:14 GMT
Content-Type: application/json
Content-Length: 193
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Link: <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/cccCCC
Replay-Nonce: <nonce_18>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/cccCCC",
  "token": "<token_3>"
}
```
POST /acme/authz-v3/33333333333
Request
```http
POST /acme/authz-v3/33333333333 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload": "",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_18>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333"
  },
  "signature": "HiH3Yh5hdLdQhm...qgYF1AM_1AC3Qo"
}
```
Response
```http
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:15 GMT
Content-Type: application/json
Content-Length: 830
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_18>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "test1.test2.mycustomservice.local"
  },
  "status": "pending",
  "expires": "2024-04-22T22:44:24Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/fffFFF",
      "token": "<token_3>"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/cccCCC",
      "token": "<token_3>"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/gggGGG",
      "token": "<token_3>"
    }
  ]
}
```
POST /acme/authz-v3/33333333333
Request
```http
POST /acme/authz-v3/33333333333 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload": "",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_18>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333"
  },
  "signature": "SMKKc-Da_EE...nxmjwTgJiNYqQc"
}
```
Response
```http
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:22 GMT
Content-Type: application/json
Content-Length: 830
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_19>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "test1.test2.mycustomservice.local"
  },
  "status": "pending",
  "expires": "2024-04-22T22:44:24Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/fffFFF",
      "token": "<token_3>"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/cccCCC",
      "token": "<token_3>"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/gggGGG",
      "token": "<token_3>"
    }
  ]
}
```
POST /acme/authz-v3/33333333333
Request
```http
POST /acme/authz-v3/33333333333 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload": "",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_19>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333"
  },
  "signature": "fSjTHehqqfWz...bVvaG2uH4DXf7h74o"
}
```
Response
```http
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:30 GMT
Content-Type: application/json
Content-Length: 830
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_20>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "test1.test2.mycustomservice.local"
  },
  "status": "pending",
  "expires": "2024-04-22T22:44:24Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/fffFFF",
      "token": "<token_3>"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/cccCCC",
      "token": "<token_3>"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/gggGGG",
      "token": "<token_3>"
    }
  ]
}
```
POST /acme/authz-v3/33333333333
Request
```http
POST /acme/authz-v3/33333333333 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload": "",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_20>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333"
  },
  "signature": "axHJF6HwVPlLDNDj...blbKDbI6BpV_Gz0"
}
```
Response
```http
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:41 GMT
Content-Type: application/json
Content-Length: 605
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_21>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "test1.test2.mycustomservice.local"
  },
  "status": "valid",
  "expires": "2024-05-15T22:45:34Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/cccCCC",
      "token": "<token_3>",
      "validationRecord": [
        {
          "hostname": "test1.test2.mycustomservice.local",
          "resolverAddrs": [
            "10.0.32.82:23095"
          ]
        }
      ],
      "validated": "2024-04-15T22:45:14Z"
    }
  ]
}
```
Cloudflare
DELETE /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records/aAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaA
Request
```http
DELETE /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records/aAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaA HTTP/2
Host: api.cloudflare.com
Authorization: Bearer <bearer_token_2>
User-Agent: cloudflare-go/v4
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
```
Response
```http
HTTP/2 200 OK
Date: Mon, 15 Apr 2024 22:45:42 GMT
Content-Type: application/json
Cf-Ray: 874f77a6998e3c07-SFO
Cf-Cache-Status: DYNAMIC
Set-Cookie: __cflb=0...D; SameSite=Lax; path=/; expires=Tue, 16-Apr-24 01:15:43 GMT; HttpOnly
Vary: Accept-Encoding
Set-Cookie: __cfruid=c...2; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Server: cloudflare

{
  "result": {
    "id": "aAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaA"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```
DELETE /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records/bBbBbBbBbBbBbBbBbBbBbBbBbBbBbBbB
Request
```http
DELETE /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records/bBbBbBbBbBbBbBbBbBbBbBbBbBbBbBbB HTTP/2
Host: api.cloudflare.com
Authorization: Bearer <bearer_token_2>
User-Agent: cloudflare-go/v4
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
```
Response
```http
HTTP/2 200 OK
Date: Mon, 15 Apr 2024 22:45:43 GMT
Content-Type: application/json
Cf-Ray: 21d51a9896374f07-SFO
Cf-Cache-Status: DYNAMIC
Set-Cookie: __cflb=0...j; SameSite=Lax; path=/; expires=Tue, 16-Apr-24 01:15:44 GMT; HttpOnly
Vary: Accept-Encoding
Set-Cookie: __cfruid=7...3; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Server: cloudflare

{
  "result": {
    "id": "bBbBbBbBbBbBbBbBbBbBbBbBbBbBbBbB"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```
DELETE /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records/cCcCcCcCcCcCcCcCcCcCcCcCcCcCcCcC
Request
```http
DELETE /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records/cCcCcCcCcCcCcCcCcCcCcCcCcCcCcCcC HTTP/2
Host: api.cloudflare.com
Authorization: Bearer <bearer_token_2>
User-Agent: cloudflare-go/v4
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
```
Response
```http
HTTP/2 200 OK
Date: Mon, 15 Apr 2024 22:45:43 GMT
Content-Type: application/json
Cf-Ray: 35084b19144de3bf-SFO
Cf-Cache-Status: DYNAMIC
Set-Cookie: __cflb=0...F; SameSite=Lax; path=/; expires=Tue, 16-Apr-24 01:15:44 GMT; HttpOnly
Vary: Accept-Encoding
Set-Cookie: __cfruid=7...3; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Server: cloudflare

{
  "result": {
    "id": "cCcCcCcCcCcCcCcCcCcCcCcCcCcCcCcC"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```
Let's Encrypt Server
POST /acme/finalize/123456789/11122233344
Request
```http
POST /acme/finalize/123456789/11122233344 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 3201
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload": {
    "csr": "MIIEsDCCApgCAQAwGDE...fmxnNbbWYA"
  },
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_21>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/123456789/11122233344"
  },
  "signature": "nqtwaW8gJo...KhY5w6SljCto"
}
```
Response
```http
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:47 GMT
Content-Type: application/json
Content-Length: 651
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/123456789/11122233344
Replay-Nonce: <nonce_22>
Retry-After: 3
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "processing",
  "expires": "2024-04-22T22:44:24Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.nas.mycustomservice.local"
    },
    {
      "type": "dns",
      "value": "nas.mycustomservice.local"
    },
    {
      "type": "dns",
      "value": "test1.test2.mycustomservice.local"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22222222222",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/123456789/11122233344"
}
```
POST /acme/order/123456789/11122233344
Request
```http
POST /acme/order/123456789/11122233344 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1042
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload": "",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_22>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/order/123456789/11122233344"
  },
  "signature": "K_ngn_c-LJUxr...bBE4wQHO0"
}
```
Response
```http
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:47 GMT
Content-Type: application/json
Content-Length: 651
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_23>
Retry-After: 3
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "processing",
  "expires": "2024-04-22T22:44:24Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.nas.mycustomservice.local"
    },
    {
      "type": "dns",
      "value": "nas.mycustomservice.local"
    },
    {
      "type": "dns",
      "value": "test1.test2.mycustomservice.local"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22222222222",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/123456789/11122233344"
}
```
POST /acme/order/123456789/11122233344
Request
```http
POST /acme/order/123456789/11122233344 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1042
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload": "",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_23>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/order/123456789/11122233344"
  },
  "signature": "RhBRVl87HQ4...osLPyPjw"
}
```
Response
```http
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:48 GMT
Content-Type: application/json
Content-Length: 758
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_24>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "valid",
  "expires": "2024-04-22T22:44:24Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.nas.mycustomservice.local"
    },
    {
      "type": "dns",
      "value": "nas.mycustomservice.local"
    },
    {
      "type": "dns",
      "value": "test1.test2.mycustomservice.local"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22222222222",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/123456789/11122233344",
  "certificate": "https://acme-staging-v02.api.letsencrypt.org/acme/cert/xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX"
}
```
POST /acme/cert/xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX
Request
```http
POST /acme/cert/xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1061
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload": "",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_24>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/cert/xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX"
  },
  "signature": "bE2kWcDPuwJ...ZNGgjUDY"
}
```
Response
```http
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:48 GMT
Content-Type: application/pem-certificate-chain
Content-Length: 4144
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Link: <https://acme-staging-v02.api.letsencrypt.org/acme/cert/xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX/1>;rel="alternate"
Replay-Nonce: <nonce_25>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

-----BEGIN CERTIFICATE-----
MIIGPjCC...gYPhj1xAP5jqa
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFWzCCA0...O1aw0PpQBPDQ==
-----END CERTIFICATE-----
```
POST /acme/cert/xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX/1
Request
```http
POST /acme/cert/xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX/1 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1063
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload": "",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_25>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/cert/xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX/1"
  },
  "signature": "SWchkpGL7GUk...1zprNvJoVsAAIng"
}
```
Response
```http
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:49 GMT
Content-Type: application/pem-certificate-chain
Content-Length: 6052
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Link: <https://acme-staging-v02.api.letsencrypt.org/acme/cert/xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX/0>;rel="alternate"
Replay-Nonce: <nonce_26>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

-----BEGIN CERTIFICATE-----
MIIGPj...BgYPhj1xAP5jqa
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFWz...O1aw0PpQBPDQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFVD...0BPHtenfhKj5
-----END CERTIFICATE-----
```

To view the certificate content, store the PEM body of the above response in a file (here `cert.pem`) and run the following command. `openssl x509` prints only the first certificate it reads, so the loop keeps invoking it on the remaining input until the chain is exhausted:

```shell
while openssl x509 -noout -text; do :; done < cert.pem
```

Output:

```
Certificate:
    Data:
        ...
        Subject: CN=*.nas.mycustomservice.local
        ...
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.nas.mycustomservice.local, DNS:nas.mycustomservice.local, DNS:test1.test2.mycustomservice.local
    ...
Certificate:
    Data:
        Subject: C=US, O=(STAGING) Let's Encrypt, CN=(STAGING) Artificial Apricot R3
    ...
Certificate:
    Data:
        Subject: C=US, O=(STAGING) Internet Security Research Group, CN=(STAGING) Pretend Pear X1
    ...
```

Now check out RFC 8555: with the capture above, you will be able to map each of these APIs to a step of the protocol and understand it very easily!
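Every signed request in the capture above carries the `Replay-Nonce` the server handed back in the previous response, an empty `payload` marks a POST-as-GET read, and `"e30"` is just base64url of `{}`. The following script, added here as an example and not code from the original post, Traefik or lego, decodes those JWS envelopes and checks the nonce chain of an exchange the way the server does (RFC 8555 sections 6.2 to 6.5); the sample exchange at the bottom is constructed to mirror the captured requests, with placeholder nonces and signatures.

```python
"""Decode the JWS envelopes of a captured ACME exchange and check its
anti-replay nonce chain (RFC 8555 sections 6.2 to 6.5).

Added example; not code from the original post, Traefik or lego. The
sample exchange at the bottom is constructed to mirror the captured
requests; nonce values, URLs and signatures are placeholders.
"""
import base64
import json

ACME = "https://acme-staging-v02.api.letsencrypt.org"


def b64url_decode(s: str) -> bytes:
    """base64url without padding, as JWS uses it (RFC 7515 section 2)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def parse_jws(body: str) -> dict:
    """Return protected header, decoded payload and request kind for one
    flattened-JWS request body.

    On the wire `protected` and `payload` are base64url strings; the Burp
    pretty view in the capture shows them already decoded, so both forms are
    accepted. An empty payload is a POST-as-GET (section 6.3), i.e. a read
    such as polling an authorization; "e30" is base64url("{}"), the empty
    object that tells the server to start validating a challenge (7.5.1).
    """
    jws = json.loads(body)
    protected = jws["protected"]
    if isinstance(protected, str):
        protected = json.loads(b64url_decode(protected))
    payload = jws["payload"]
    if payload == "":
        return {"protected": protected, "payload": None, "kind": "POST-as-GET"}
    if isinstance(payload, str):
        payload = json.loads(b64url_decode(payload))
    return {"protected": protected, "payload": payload, "kind": "POST"}


def check_nonce_chain(exchange: list) -> list:
    """exchange: [(request_target, request_body, response_headers), ...] in
    wire order. Each request must carry the Replay-Nonce of the latest
    response, no nonce may be used twice, and the protected `url` must equal
    the request target (section 6.4). Returns (index, problem) findings; a
    real server answers such requests with urn:ietf:params:acme:error:badNonce
    or urn:ietf:params:acme:error:unauthorized instead of processing them."""
    findings = []
    expected = None
    seen = set()
    for i, (target, body, resp_headers) in enumerate(exchange):
        hdr = parse_jws(body)["protected"]
        if hdr.get("url") != target:
            findings.append((i, "protected url does not match request target"))
        nonce = hdr["nonce"]
        if expected is not None and nonce != expected:
            findings.append((i, "nonce is not the latest Replay-Nonce"))
        if nonce in seen:
            findings.append((i, "nonce reused"))
        seen.add(nonce)
        expected = resp_headers.get("Replay-Nonce")
    return findings


def wire_request(nonce: str, url: str, payload: str) -> str:
    """Build a wire-format JWS body shaped like the captured ones. The
    signature is a placeholder: this example inspects envelopes, it does
    not sign them."""
    protected = {"alg": "RS256", "kid": f"{ACME}/acme/acct/123456789",
                 "nonce": nonce, "url": url}
    return json.dumps({"payload": payload,
                       "protected": b64url_encode(json.dumps(protected).encode()),
                       "signature": "<placeholder>"})


AUTHZ = f"{ACME}/acme/authz-v3/11111111111"
CHALL = f"{ACME}/acme/chall-v3/11111111111/aaaAAA"

# Constructed sample: poll the authz, trigger the dns-01 challenge, then
# poll again but replay the previous nonce instead of the fresh one.
SAMPLE_EXCHANGE = [
    (AUTHZ, wire_request("<nonce_10>", AUTHZ, ""), {"Replay-Nonce": "<nonce_11>"}),
    (CHALL, wire_request("<nonce_11>", CHALL, "e30"), {"Replay-Nonce": "<nonce_12>"}),
    (AUTHZ, wire_request("<nonce_11>", AUTHZ, ""), {"Replay-Nonce": "<nonce_13>"}),
]

if __name__ == "__main__":
    for target, body, _ in SAMPLE_EXCHANGE:
        print(parse_jws(body)["kind"], target)
    print(check_nonce_chain(SAMPLE_EXCHANGE))
```

Feeding it the real capture means pasting each request body and the matching response's `Replay-Nonce`; the Burp view of `protected` as a JSON object is accepted as-is.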

References

  1. RFC 8555: Automatic Certificate Management Environment (ACME)
  2. LEGO DNS Providers > Cloudflare (or GitHub link)
  3. Cloudflare API