TLS and SSL Certificates
All services should be served over HTTPS. This page covers how to obtain and renew TLS certificates automatically.
What this page covers
- Let's Encrypt via Traefik's built-in ACME support (Docker track)
- Let's Encrypt via cert-manager on K3s (K3s track)
- Cloudflare DNS challenge for wildcard certificates
- Manual certificate management with OpenSSL (for internal/private services)
Let's Encrypt with Traefik (Docker-only track)
Traefik can request and renew Let's Encrypt certificates automatically using the HTTP-01 or DNS-01 challenge. Configuration details will be documented here.
cert-manager on K3s (K3s track)
cert-manager is a Kubernetes-native certificate controller. It integrates with Let's Encrypt and supports the DNS-01 challenge via Cloudflare for wildcard certificates. Installation via Helm and ClusterIssuer setup will be documented here.
Cloudflare DNS challenge
Using the Cloudflare DNS challenge lets you obtain wildcard certificates (e.g., *.example.com) without exposing port 80. This requires a Cloudflare API token with Zone:DNS:Edit permissions.
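
As an added example (not this project's own configuration), the manifests below show the cert-manager side of this setup: a ClusterIssuer that solves DNS-01 through Cloudflare, and a wildcard Certificate issued by it. The resource names, namespaces, contact email and the example.com zone are assumptions; the token value is a placeholder.

```yaml
# Secret holding the Cloudflare API token (Zone:DNS:Edit scope).
# For a ClusterIssuer, cert-manager looks this up in its own namespace
# (cert-manager by default).
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token          # assumed name
  namespace: cert-manager
type: Opaque
stringData:
  api-token: "<CLOUDFLARE_API_TOKEN>" # placeholder; keep the real value out of Git
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns               # assumed name
spec:
  acme:
    # Production directory. While testing, use the staging directory
    # (https://acme-staging-v02.api.letsencrypt.org/directory) to stay
    # clear of production rate limits.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com          # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-dns-account-key   # ACME account key, created by cert-manager
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
        selector:
          dnsZones:
            - example.com             # restrict this solver to the one zone
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com          # assumed name
  namespace: default
spec:
  secretName: wildcard-example-com-tls    # TLS secret that ingress resources reference
  issuerRef:
    name: letsencrypt-dns
    kind: ClusterIssuer
  dnsNames:
    - example.com                     # the wildcard does not cover the apex
    - "*.example.com"
```

Scoping the Cloudflare token to the single zone named in `dnsZones` limits what a leaked token can change.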