Locked 2026-05-02. Both EDGE-VMs (RZ + Home) use HTTP-01 challenge via port 80, NOT DNS-01.
.env (mode 0600, host)

GET /.well-known/acme-challenge/<token>).

HTTP-01 cannot issue wildcard certificates. We're OK with this because:
blackreset.com, but that's a single multi-SAN cert built out of explicit hostnames, not a *. wildcard.

```yaml
# /opt/traefik/traefik.yml
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"

certificatesResolvers:
  letsencrypt:
    acme:
      email: server@blackreset.com
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: web   # << HTTP-01, NOT dnsChallenge
```
Traefik's ACME plugin handles the redirect-vs-challenge dispatch internally — /.well-known/acme-challenge/* is served on :80 even though all other :80 traffic gets 301-redirected to :443.
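A lint for the HTTP-01-only decision, added here as an example (not part of the original page and not Traefik tooling): it checks a parsed static config for a `dnsChallenge` block, for an `httpChallenge` entryPoint that is missing or not on port 80, and for wildcard names in the requested hostnames. The helper names `audit` and `entrypoint_port`, the dict literals, the provider placeholder and the hostname lists are constructed for illustration.

```python
def entrypoint_port(address):
    """Port from a Traefik entryPoint address such as ":80" or "[::]:80/tcp"."""
    try:
        return int(address.split("/", 1)[0].rsplit(":", 1)[1])
    except (AttributeError, IndexError, ValueError):
        return None

def audit(static_cfg, hostnames):
    """Return findings where config or requested names break the HTTP-01-only rule."""
    findings = []
    entrypoints = static_cfg.get("entryPoints", {})
    for name, resolver in static_cfg.get("certificatesResolvers", {}).items():
        acme = resolver.get("acme", {})
        if "dnsChallenge" in acme:
            findings.append(f"{name}: dnsChallenge present, decision is HTTP-01 only")
        http = acme.get("httpChallenge")
        if http is None:
            findings.append(f"{name}: no httpChallenge block")
            continue
        ep = entrypoints.get(http.get("entryPoint"))
        if ep is None:
            findings.append(f"{name}: httpChallenge entryPoint is not defined")
        elif entrypoint_port(ep.get("address")) != 80:
            # The HTTP-01 validation request arrives on port 80.
            findings.append(f"{name}: httpChallenge entryPoint is not on port 80")
    for host in hostnames:
        if "*" in host:
            findings.append(f"{host}: wildcard name, HTTP-01 cannot issue it")
    return findings

# Constructed sample: the static config from this page as a parsed dict.
GOOD = {
    "entryPoints": {"web": {"address": ":80"}, "websecure": {"address": ":443"}},
    "certificatesResolvers": {"letsencrypt": {"acme": {
        "email": "server@blackreset.com",
        "storage": "/letsencrypt/acme.json",
        "httpChallenge": {"entryPoint": "web"},
    }}},
}
# Constructed drifted variant: DNS-01 added, challenge bound to the :443 entryPoint.
BAD = {
    "entryPoints": GOOD["entryPoints"],
    "certificatesResolvers": {"letsencrypt": {"acme": {
        "dnsChallenge": {"provider": "placeholder-provider"},
        "httpChallenge": {"entryPoint": "websecure"},
    }}},
}

if __name__ == "__main__":
    print(audit(GOOD, ["blackreset.com", "host.blackreset.com"]))  # constructed names
    print(audit(BAD, ["*.blackreset.com"]))
```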
<host>.blackreset.com resolves to the EDGE public IP (RZ: 46.4.105.246, Home: dynamic via DDNS to be set up).

tls.certResolver: letsencrypt for that hostname.

If all 3 are set, the cert issues automatically on first request.
traefik.yml rewritten, container restarted.