Traefik with SSL: understanding ACME

Enabling SSL certificates with automated renewals for Traefik in my Homelab setup turned out to be quite straightforward. All I had to do was configure Let’s Encrypt as the Certificate Authority (CA) with Cloudflare as the DNS provider in Traefik’s config files, and then activate it for services in the Docker Compose file. Once all the configurations were in place, Let’s Encrypt promptly issued certificates for the specified subdomains as outlined in the Traefik config. It left me in a bit of a ‘what just happened’ state.

While the Traefik container logs record some key events, they were not enough to follow the ACME protocol flow. I wanted to see the API interactions between Traefik, the Let’s Encrypt server and Cloudflare in order to understand the complete ACME flow, so I routed the Traefik container’s outbound traffic through a Burp Suite proxy. The capture gave a complete list of the APIs involved, matching the ACME flow specified in RFC 8555.

In this post, I’m sharing the configurations used and a rundown of the captured APIs in the ACME flow, giving you a peek into the process of generating a new Let’s Encrypt SSL certificate.

Traefik setup without SSL

Let’s assume the Traefik VM has the IP 192.168.0.123. There are four URLs representing different services (arbitrarily chosen for this post) that need to be routed through Traefik:

  • Traefik Dashboard: An internal service of Traefik running on port 8080.
  • whoami: A Docker container residing in the same VM.
  • Dozzle: Service in another VM within the same network.
  • example.com: Represents an external URL.
Service             Before                              After
Traefik dashboard   http://192.168.0.123:8080           http://192.168.0.123:8080
whoami              http://192.168.0.123/whoami         http://192.168.0.123/whoami
Dozzle              https://192.168.0.124:2443/dozzle   http://192.168.0.123/dozzle
example.com         https://example.com                 http://192.168.0.123/example

As the table shows, all services become reachable over HTTP through the Traefik VM’s IP; every service except the Traefik dashboard is served under its own path prefix.

fig 1: Traefik HTTP Setup

Here are the docker compose file and Traefik static & dynamic configuration files for the HTTP setup:

Docker Compose file:
traefik/docker-compose.yml
services:
  traefik:
    image: "traefik:v2.11"
    container_name: "traefik"
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/home/ubuntu/traefik/etc/traefik:/etc/traefik"
  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=PathPrefix(`/whoami`)"
      - "traefik.http.routers.whoami.entrypoints=web"

Traefik Static Configuration file:
traefik/etc/traefik/traefik.yml
log:
  level: DEBUG
api:
  insecure: true
accessLog: false
providers:
  docker:
    exposedByDefault: false
  file:
    directory: "/etc/traefik/sites"
entryPoints:
  web:
    address: ":80"

Traefik Dynamic Configuration files (note that the dozzle serversTransport below sets insecureSkipVerify: true, which makes Traefik accept any certificate the Dozzle backend presents; that is acceptable for a Homelab backend, but it means Traefik does not authenticate that backend, and pinning its CA with rootCAs on the serversTransport is the safer option):
traefik/etc/traefik/sites/dozzle.yml
http:
  routers:
    dozzle:
      rule: PathPrefix(`/dozzle`)
      entryPoints: web
      service: dozzle@file
  services:
    dozzle:
      loadBalancer:
        serversTransport: dozzle
        servers:
          - url: "https://192.168.0.124:2443/dozzle"
  serversTransports:
    dozzle:
      insecureSkipVerify: true

traefik/etc/traefik/sites/example.yml
http:
  routers:
    example:
      rule: PathPrefix(`/example`)
      entryPoints: web
      service: example@file
  services:
    example:
      loadBalancer:
        passHostHeader: false
        servers:
          - url: "https://example.com"

Traefik setup with SSL

Our next goal is to serve all URLs over HTTPS on port 443.

We also want automated certificate renewal with Let’s Encrypt, so that the certificates never have to be managed by hand.

Here is the plan:

Service             Before                          After
Traefik dashboard   http://192.168.0.123:8080       https://nas.mycustomservice.local/dashboard
whoami              http://192.168.0.123/whoami     https://nas.mycustomservice.local/whoami
Dozzle              http://192.168.0.123/dozzle     https://nas.mycustomservice.local/dozzle
example.com         http://192.168.0.123/example    https://nas.mycustomservice.local/example

Note that the plan moves the Traefik dashboard from a dedicated port to a URL path. The configuration that follows still keeps api.insecure: true and the 8080 port mapping, which serves the dashboard and API without any authentication; putting it behind /dashboard takes a router to the api@internal service with an authentication middleware, which is not covered here, so port 8080 must not be reachable from outside the Homelab network.

fig 2: Traefik HTTPS Setup

We will use the domain name nas.mycustomservice.local instead of the IP 192.168.0.123. For demo purposes I also add test1.test2.mycustomservice.local as an alias for this host, and *.nas.mycustomservice.local so that the services can be reached on subdomains if that is ever needed. (The .local names are placeholders for a real public domain: a public CA such as Let’s Encrypt only issues for registrable public names, and the captured Cloudflare zone lookup later in this post is for example.com.)

Here are the DNS records. Because they resolve to private addresses, the services are only reachable from within the Homelab network; dns-01 validation needs no inbound connection to the host, so issuance still works:

A       nas                    192.168.0.123
A       test.local             192.168.0.123
CNAME   *.nas                  nas.mycustomservice.local

Here are the docker compose file and Traefik static & dynamic configuration files for the HTTPS setup. Compared with the HTTP setup, the additions are the 443 port mapping and the Cloudflare tokens in the compose file, the websecure entry point and the certificate resolvers in the static configuration, and for every service a TLS-enabled *-secure router plus an HTTP-to-HTTPS redirect middleware:

Docker Compose file:
traefik/docker-compose.yml
services:
  traefik:
    image: "traefik:v2.11"
    container_name: "traefik"
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/home/ubuntu/traefik/etc/traefik:/etc/traefik"
    environment:
      CLOUDFLARE_DNS_API_TOKEN: "<token>"
      CLOUDFLARE_ZONE_API_TOKEN: "<token>"
  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=PathPrefix(`/whoami`)"
      - "traefik.http.routers.whoami.entrypoints=web"
      - "traefik.http.routers.whoami.middlewares=http2https@file"
      - "traefik.http.routers.whoami-secure.rule=PathPrefix(`/whoami`)"
      - "traefik.http.routers.whoami-secure.entrypoints=websecure"
      - "traefik.http.routers.whoami-secure.tls=true"

To generate Cloudflare API tokens, refer to https://go-acme.github.io/lego/dns/cloudflare/#api-tokens. Scope them as narrowly as the lego page describes (DNS edit rights on this zone plus zone read), and keep them out of the compose file itself, for example via an env_file or the _FILE variants of these variables that lego accepts; anyone who can read this file can create DNS records in the zone and therefore obtain certificates for it.

Traefik Static Configuration file:
traefik/etc/traefik/traefik.yml
log:
  level: DEBUG

api:
  insecure: true

accessLog: false

providers:
  docker:
    exposedByDefault: false
  file:
    directory: "/etc/traefik/sites"

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

certificatesResolvers:
  letEncryptStagingResolver:
    acme:
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      email: [email protected]
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare
  letEncryptProductionResolver:
    acme:
      email: [email protected]
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare

Traefik Dynamic Configuration files:

Note: Use letEncryptStagingResolver during testing, and switch to letEncryptProductionResolver once finalized.

traefik/etc/traefik/sites/letsencrypt.yml
tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: letEncryptProductionResolver
        domain:
          main: "nas.mycustomservice.local"
          sans:
            - "*.nas.mycustomservice.local"
            - "test1.test2.mycustomservice.local"

traefik/etc/traefik/sites/dozzle.yml
http:
  routers:
    dozzle:
      rule: PathPrefix(`/dozzle`)
      entryPoints: web
      service: dozzle@file
      middlewares:
        - http2https
    dozzle-secure:
      rule: PathPrefix(`/dozzle`)
      entryPoints: websecure
      service: dozzle@file
      tls: {}
  services:
    dozzle:
      loadBalancer:
        serversTransport: dozzle
        servers:
          - url: "https://192.168.0.124:2443/dozzle"
  serversTransports:
    dozzle:
      insecureSkipVerify: true
  middlewares:
    http2https:
      redirectScheme:
        scheme: https

traefik/etc/traefik/sites/example.yml
http:
  routers:
    example:
      rule: PathPrefix(`/example`)
      entryPoints: web
      service: example@file
      middlewares: 
        - http2https
    example-secure:
      rule: PathPrefix(`/example`)
      entryPoints: websecure
      service: example@file
      tls: {}
  services:
    example:
      loadBalancer:
        passHostHeader: false
        servers:
          - url: "https://example.com"

Once the files are saved, Traefik contacts the Let’s Encrypt server to obtain the certificate. If you watch the zone in Cloudflare while this runs, you can see the temporary TXT records for the DNS challenge appear.

This completes the SSL certificate setup; https://nas.mycustomservice.local/<service_path> now reaches each service.

The ACME account and the issued certificate are stored in /etc/traefik/acme.json. The file holds the account private key and the certificate’s private key, so Traefik refuses to use it unless its permissions are 600; the certificate and key fields are base64-encoded PEM:

/etc/traefik/acme.json
{
    "letEncryptStagingResolver": {
        "Account": {
            "Email": "[email protected]",
            "Registration": {
                "body": {
                    "status": "valid",
                    "contact": [
                        "mailto:[email protected]"
                    ]
                },
                "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789"
            },
            "PrivateKey": "MIIJKQIB...F9t44KnJ",
            "KeyType": "4096"
        },
        "Certificates": [{
            "domain": {
                "main": "*.nas.mycustomservice.local",
                "sans": [
                    "nas.mycustomservice.local",
                    "test1.test2.mycustomservice.local"
                ]
            },
            "certificate": "LS0tLS1...LS0tLS0K",
            "key": "LS0tLS1...S0tLS0tCg==",
            "Store": "default"
        }]
    },
    "letEncryptProductionResolver": {
        "Account": null,
        "Certificates": null
    }
}
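acme.json is the only record of the account key and of the issued certificate, so it is worth being able to read it without hand-decoding. The Go program below is an added example and not part of the original post or of Traefik: it applies the same 0600 rule Traefik applies before touching the file, unwraps the base64 layer around each certificate field, parses the leaf and reports its SANs and days to expiry. The acme.json it writes is constructed in-code with a self-signed 90-day certificate for the names used in this post, standing in for a real Let’s Encrypt chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// acmeStore is the slice of Traefik's acme.json this check reads: resolver -> issued
// certificates. The Account object and the private keys stay undecoded on purpose.
type acmeStore map[string]struct {
	Certificates []struct{ Certificate string } // "certificate": base64 of the PEM chain, leaf first
}

// inspectACME first applies Traefik's own rule (anything more open than 0600 is refused,
// because the file holds the account key and every leaf key), then returns each resolver's
// leaf certificates. A resolver with "Certificates": null contributes nothing.
func inspectACME(path string) (map[string][]*x509.Certificate, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if fi.Mode().Perm()&0o077 != 0 {
		return nil, fmt.Errorf("permissions %o for %s are too open, please use 600", fi.Mode().Perm(), path)
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	var store acmeStore
	if err := json.Unmarshal(data, &store); err != nil {
		return nil, err
	}
	out := map[string][]*x509.Certificate{}
	for resolver, entry := range store {
		for _, c := range entry.Certificates {
			raw, err := base64.StdEncoding.DecodeString(c.Certificate) // outer base64 layer
			if err != nil {
				return nil, fmt.Errorf("%s: %w", resolver, err)
			}
			block, _ := pem.Decode(raw) // first PEM block is the leaf, the rest is the chain
			if block == nil {
				return nil, fmt.Errorf("%s: no PEM block in stored certificate", resolver)
			}
			leaf, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", resolver, err)
			}
			out[resolver] = append(out[resolver], leaf)
		}
	}
	return out, nil
}

// writeSampleACMEJSON writes a constructed acme.json in the layout shown above. Assumption: a
// self-signed 90-day leaf for this post's names stands in for a real Let's Encrypt chain.
func writeSampleACMEJSON(dir string, mode os.FileMode) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		DNSNames:     []string{"*.nas.mycustomservice.local", "nas.mycustomservice.local", "test1.test2.mycustomservice.local"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	chain := base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	doc := fmt.Sprintf(`{"letEncryptStagingResolver":{"Account":null,"Certificates":[{"domain":{"main":"*.nas.mycustomservice.local"},"certificate":%q,"key":"","Store":"default"}]},"letEncryptProductionResolver":{"Account":null,"Certificates":null}}`, chain)
	path := dir + "/acme.json"
	if err := os.WriteFile(path, []byte(doc), mode); err != nil {
		return "", err
	}
	return path, os.Chmod(path, mode) // Chmod is not subject to the umask, WriteFile's mode is
}

func main() {
	path, err := writeSampleACMEJSON(os.TempDir(), 0o600) // or point inspectACME at the real /etc/traefik/acme.json
	if err != nil {
		panic(err)
	}
	defer os.Remove(path)
	certs, err := inspectACME(path)
	if err != nil {
		panic(err)
	}
	for resolver, leaves := range certs {
		for _, leaf := range leaves {
			fmt.Printf("%s: %v, %d days left\n", resolver, leaf.DNSNames, int(time.Until(leaf.NotAfter).Hours()/24))
		}
	}
}
```

Traefik renews a certificate once fewer than 30 days remain, so a leaf that still reports fewer than 30 days after a Traefik restart means the resolver is not renewing (wrong tokens, a Let’s Encrypt rate limit, or the staging resolver still selected), which is the case worth alerting on.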


What’s happening internally?

The diagram below depicts the typical sequence of requests for SSL certificate issuance by Traefik using the ACME protocol (Let’s Encrypt as Certificate Authority) and with DNS challenge type (Cloudflare as DNS provider).

fig 3: SSL certificate issuance process with ACME

[Debugging] How to view API requests?

Burp Suite’s proxy captured these API requests. First the proxy listener was enabled on an interface reachable from the Traefik VM, and Burp’s CA certificate was exported in DER format. It was then converted to PEM with the following command:

openssl x509 -in /path/to/burp_ca.der -out /path/to/burp_ca.pem -outform pem

This file was transferred to the VM hosting the Traefik container and the docker-compose file was updated as shown below: the PEM goes into the container’s trust store so that Traefik accepts the certificates Burp re-signs, and the proxy environment variables point Traefik’s outbound HTTP(S) connections at the Burp listener. Every API call then shows up under Proxy > HTTP History in Burp Suite.

traefik/docker-compose.yml
services:
  traefik:
    image: "traefik:v2.11"
    container_name: "traefik"
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/home/ubuntu/traefik/etc/traefik:/etc/traefik"
      - "/home/ubuntu/traefik/burp_ca.pem:/etc/ssl/certs/burp_ca.pem"
    environment:
      CLOUDFLARE_DNS_API_TOKEN: "<token>"
      CLOUDFLARE_ZONE_API_TOKEN: "<token>"
      HTTP_PROXY: "http://<IP_of_the_machine_with_burpsuite_proxy>:<burp_listener_port>"
      HTTPS_PROXY: "http://<IP_of_the_machine_with_burpsuite_proxy>:<burp_listener_port>"
  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=PathPrefix(`/whoami`)"
      - "traefik.http.routers.whoami.entrypoints=web"
      - "traefik.http.routers.whoami.middlewares=http2https@file"
      - "traefik.http.routers.whoami-secure.rule=PathPrefix(`/whoami`)"
      - "traefik.http.routers.whoami-secure.entrypoints=websecure"
      - "traefik.http.routers.whoami-secure.tls=true"

Cloudflare ↔ Traefik ↔ Let’s Encrypt API Interaction

Here is the expanded version with request and response details for each API call recorded in Burp Suite. The protected header and payload of each ACME request are shown decoded for readability; on the wire both are base64url strings inside a JSON Web Signature.

Traefik → Let’s Encrypt: fetch the directory, get a nonce, create the account, create the order and read its authorizations. Every response carries a Replay-Nonce that the next request must present, which is what the HEAD /acme/new-nonce calls top up; after new-account, each request is identified by the account URL (kid) instead of the inline key.
GET /directory
Request
GET /directory HTTP/1.1
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Accept-Encoding: gzip, deflate, br
Connection: close
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:44:23 GMT
Content-Type: application/json
Content-Length: 821
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
    "aXXX5so4OUM": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
    "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
    "meta": {
        "caaIdentities": [
            "letsencrypt.org"
        ],
        "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
        "website": "https://letsencrypt.org/docs/staging-environment/"
    },
    "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
    "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
    "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
    "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo/",
    "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
HEAD /acme/new-nonce
Request
HEAD /acme/new-nonce HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:44:23 GMT
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_1>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
POST /acme/new-acct
Request
POST /acme/new-acct HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1979
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload": {
    "contact": [
      "mailto:[email protected]"
    ],
    "termsOfServiceAgreed": true
  },
  "protected": {
    "alg": "RS256",
    "jwk": {
      "kty": "RSA",
      "n": "txHVs5DnkevYfwsxT...qJRoxmQYVNdo-Gp0G5MeIFaAk",
      "e": "AQAB"
    },
    "nonce": "<nonce_1>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct"
  },
  "signature": "PkiNgKlURafo...8V2yQRzibY"
}
Response
HTTP/2 201 Created
Server: nginx
Date: Mon, 15 Apr 2024 22:44:24 GMT
Content-Type: application/json
Content-Length: 907
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Link: <https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf>;rel="terms-of-service"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789
Replay-Nonce: <nonce_2>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "key": {
    "kty": "RSA",
    "n": "txHVs5DnkevYfwsxTSndw...Gp0G5MeIFaAk",
    "e": "AQAB"
  },
  "contact": [
    "mailto:[email protected]"
  ],
  "initialIp": "<server_ip>",
  "createdAt": "2024-04-15T22:44:24.238667243Z",
  "status": "valid"
}
POST /acme/new-order
Request
POST /acme/new-order HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1210
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload": {
    "identifiers": [
      {
        "type": "dns",
        "value": "*.nas.mycustomservice.local"
      },
      {
        "type": "dns",
        "value": "nas.mycustomservice.local"
      },
      {
        "type": "dns",
        "value": "test1.test2.mycustomservice.local"
      }
    ]
  },
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_2>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order"
  },
  "signature":"iHW7BjmDfBxv6hO...m3B2BPtUxk_7Jzw"
}
Response
HTTP/2 201 Created
Server: nginx
Date: Mon, 15 Apr 2024 22:44:24 GMT
Content-Type: application/json
Content-Length: 648
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/123456789/11122233344
Replay-Nonce: <nonce_3>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2024-04-22T22:44:24Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.nas.mycustomservice.local"
    },
    {
      "type": "dns",
      "value": "nas.mycustomservice.local"
    },
    {
      "type": "dns",
      "value": "test1.test2.mycustomservice.local"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22222222222",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/123456789/11122233344"
}
POST /acme/authz-v3/11111111111
Request
POST /acme/authz-v3/11111111111 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_3>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111"
  },
  "signature":"pYj8p8yW2FCFJrr...fLpx4jtFAHjFFM2-SA"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:44:25 GMT
Content-Type: application/json
Content-Length: 392
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_4>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "nas.mycustomservice.local"
  },
  "status": "pending",
  "expires": "2024-04-22T22:44:24Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11111111111/aaaAAA",
      "token": "<token_1>"
    }
  ],
  "wildcard": true
}
HEAD /acme/new-nonce
Request
HEAD /acme/new-nonce HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:44:25 GMT
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_5>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
HEAD /acme/new-nonce
Request
HEAD /acme/new-nonce HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:44:25 GMT
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_6>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
POST /acme/authz-v3/22222222222
Request
POST /acme/authz-v3/22222222222 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_5>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22222222222"
  },
  "signature":"Hh2nnXUaDQe...Kqvz5Tliq19FRNpg5Q"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:44:25 GMT
Content-Type: application/json
Content-Length: 816
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_7>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "nas.mycustomservice.local"
  },
  "status": "pending",
  "expires": "2024-04-22T22:44:24Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/eeeEEE",
      "token": "<token_2>"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/bbbBBB",
      "token": "<token_2>"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/dddDDD",
      "token": "<token_2>"
    }
  ]
}
POST /acme/authz-v3/33333333333
Request
POST /acme/authz-v3/33333333333 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_6>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333"
  },
  "signature":"O3i3GhFrvTjBsWp...iWgkXuJJ1u7TR8g4"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:44:25 GMT
Content-Type: application/json
Content-Length: 830
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_8>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "test1.test2.mycustomservice.local"
  },
  "status": "pending",
  "expires": "2024-04-22T22:44:24Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/fffFFF",
      "token": "<token_3>"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/cccCCC",
      "token": "<token_3>"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/gggGGG",
      "token": "<token_3>"
    }
  ]
}
Traefik → Cloudflare: publish the dns-01 TXT records. lego looks up the zone ID first, then creates one TXT record per authorization. Per RFC 8555 §8.4 the value is published under _acme-challenge.<identifier> with a wildcard’s leading *. removed, so the wildcard and the base name share one record name and end up with two TXT values (the two records for nas.mycustomservice.local below), while test1.test2.mycustomservice.local gets its own.
GET /client/v4/zones?name=example.com&per_page=50
Request
GET /client/v4/zones?name=example.com&per_page=50 HTTP/1.1
Host: api.cloudflare.com
Authorization: Bearer <bearer_token_1>
User-Agent: cloudflare-go/v4
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
Connection: close
Response
HTTP/2 200 OK
Date: Mon, 15 Apr 2024 22:44:26 GMT
Content-Type: application/json
Cf-Ray: 4ba0722d24fb3b1b-SFO
Cf-Cache-Status: DYNAMIC
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Sun, 25 Jan 1981 05:00:00 GMT
Set-Cookie: __cflb=0...D; SameSite=Lax; path=/; expires=Tue, 16-Apr-24 01:14:27 GMT; HttpOnly
Strict-Transport-Security: max-age=31536000
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Set-Cookie: __cfruid=f...6; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Server: cloudflare

{
    "result": [
        {
            "id": "zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ",
            "name": "example.com",
            "status": "active",
            "paused": false,
            "type": "full",
            "development_mode": 0,
            "name_servers": [
                "dina.ns.cloudflare.com",
                "phil.ns.cloudflare.com"
            ],
            "original_name_servers": null,
            "original_registrar": null,
            "original_dnshost": null,
            "modified_on": "2024-04-02T19:46:42.072328Z",
            "created_on": "2022-12-19T05:26:53.707734Z",
            "activated_on": "2022-12-19T05:38:03.856067Z",
            "meta": {
                "step": 2,
                "custom_certificate_quota": 0,
                "page_rule_quota": 3,
                "phishing_detected": false,
                "multiple_railguns_allowed": false
            },
            "owner": {
                "id": null,
                "type": "user",
                "email": null
            },
            "account": {
                "id": "<acc_id>",
                "name": "<acc_name>"
            },
            "tenant": {
                "id": null,
                "name": null
            },
            "tenant_unit": {
                "id": null
            },
            "permissions": [
                "#zone:read",
                "#zone_settings:read"
            ],
            "plan": {
                "id": "0feeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
                "name": "Free Website",
                "price": 0,
                "currency": "USD",
                "frequency": "",
                "is_subscribed": false,
                "can_subscribe": false,
                "legacy_id": "free",
                "legacy_discount": false,
                "externally_managed": false
            }
        }
    ],
    "result_info": {
        "page": 1,
        "per_page": 50,
        "total_pages": 1,
        "count": 1,
        "total_count": 1
    },
    "success": true,
    "errors": [],
    "messages": []
}
POST /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records
Request
POST /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records HTTP/2
Host: api.cloudflare.com
Authorization: Bearer <bearer_token_2>
User-Agent: cloudflare-go/v4
Content-Type: application/json
Content-Length: 174
Accept-Encoding: gzip, deflate, br

{
    "created_on": "0001-01-01T00:00:00Z",
    "modified_on": "0001-01-01T00:00:00Z",
    "type": "TXT",
    "name": "nas.mycustomservice.local",
    "content": "BbR...E1I",
    "ttl": 120
}
Response
HTTP/2 200 OK
Date: Mon, 15 Apr 2024 22:44:27 GMT
Content-Type: application/json
Cf-Ray: 874f75d4c9b73c12-SFO
Cf-Cache-Status: DYNAMIC
Set-Cookie: __cflb=0...F; SameSite=Lax; path=/; expires=Tue, 16-Apr-24 01:14:28 GMT; HttpOnly
Vary: Accept-Encoding
Set-Cookie: __cfruid=7...7; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Server: cloudflare

{
    "result": {
        "id": "aAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaA",
        "zone_id": "zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ",
        "zone_name": "example.com",
        "name": "nas.mycustomservice.local",
        "type": "TXT",
        "content": "BbR...E1I",
        "proxiable": false,
        "proxied": false,
        "ttl": 120,
        "locked": false,
        "meta": {
            "auto_added": false,
            "managed_by_apps": false,
            "managed_by_argo_tunnel": false
        },
        "comment": null,
        "tags": [],
        "created_on": "2024-04-15T22:44:27.736818Z",
        "modified_on": "2024-04-15T22:44:27.736818Z"
    },
    "success": true,
    "errors": [],
    "messages": []
}
POST /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records
Request
POST /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records HTTP/2
Host: api.cloudflare.com
Authorization: Bearer <bearer_token_2>
User-Agent: cloudflare-go/v4
Content-Type: application/json
Content-Length: 174
Accept-Encoding: gzip, deflate, br

{
    "created_on": "0001-01-01T00:00:00Z",
    "modified_on": "0001-01-01T00:00:00Z",
    "type": "TXT",
    "name": "nas.mycustomservice.local",
    "content": "_SN...xi0",
    "ttl": 120
}
Response
HTTP/2 200 OK
Date: Mon, 15 Apr 2024 22:44:28 GMT
Content-Type: application/json
Cf-Ray: 874f75dabaee3c12-SFO
Cf-Cache-Status: DYNAMIC
Set-Cookie: __cflb=0...F; SameSite=Lax; path=/; expires=Tue, 16-Apr-24 01:14:29 GMT; HttpOnly
Vary: Accept-Encoding
Set-Cookie: __cfruid=1...; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Server: cloudflare

{
    "result": {
        "id": "bBbBbBbBbBbBbBbBbBbBbBbBbBbBbBbB",
        "zone_id": "zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ",
        "zone_name": "example.com",
        "name": "nas.mycustomservice.local",
        "type": "TXT",
        "content": "_SN...xi0",
        "proxiable": false,
        "proxied": false,
        "ttl": 120,
        "locked": false,
        "meta": {
            "auto_added": false,
            "managed_by_apps": false,
            "managed_by_argo_tunnel": false
        },
        "comment": null,
        "tags": [],
        "created_on": "2024-04-15T22:44:28.444277Z",
        "modified_on": "2024-04-15T22:44:28.444277Z"
    },
    "success": true,
    "errors": [],
    "messages": []
}
POST /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records
Request
POST /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records HTTP/2
Host: api.cloudflare.com
Authorization: Bearer <bearer_token_2>
User-Agent: cloudflare-go/v4
Content-Type: application/json
Content-Length: 204
Accept-Encoding: gzip, deflate, br

{
    "created_on": "0001-01-01T00:00:00Z",
    "modified_on": "0001-01-01T00:00:00Z",
    "type": "TXT",
    "name": "_acme-challenge.test1.test2.mycustomservice.local",
    "content": "g4K...Prg",
    "ttl": 120
}
Response
HTTP/2 200 OK
Date: Mon, 15 Apr 2024 22:44:29 GMT
Content-Type: application/json
Cf-Ray: 874f75dfcc0a3c12-SFO
Cf-Cache-Status: DYNAMIC
Set-Cookie: __cflb=0...m; SameSite=Lax; path=/; expires=Tue, 16-Apr-24 01:14:30 GMT; HttpOnly
Vary: Accept-Encoding
Set-Cookie: __cfruid=1...9; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Server: cloudflare

{
    "result": {
        "id": "cCcCcCcCcCcCcCcCcCcCcCcCcCcCcCcC",
        "zone_id": "zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ",
        "zone_name": "example.com",
        "name": "_acme-challenge.test1.test2.mycustomservice.local",
        "type": "TXT",
        "content": "g4K...Prg",
        "proxiable": false,
        "proxied": false,
        "ttl": 120,
        "locked": false,
        "meta": {
            "auto_added": false,
            "managed_by_apps": false,
            "managed_by_argo_tunnel": false
        },
        "comment": null,
        "tags": [],
        "created_on": "2024-04-15T22:44:29.294042Z",
        "modified_on": "2024-04-15T22:44:29.294042Z"
    },
    "success": true,
    "errors": [],
    "messages": []
}
(Sequence diagram: Server (Traefik), Let's Encrypt Server, Cloudflare)
POST /acme/chall-v3/11111111111/aaaAAA
Request
POST /acme/chall-v3/11111111111/aaaAAA HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1045
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"e30",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_8>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11111111111/aaaAAA"
  },
  "signature": "YpujTx3RiJszf3D...wfdef6KmEFfFrrQ"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:44:31 GMT
Content-Type: application/json
Content-Length: 193
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Link: <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11111111111/aaaAAA
Replay-Nonce: <nonce_9>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11111111111/aaaAAA",
  "token": "<token_1>"
}
POST /acme/authz-v3/11111111111
Request
POST /acme/authz-v3/11111111111 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_9>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111"
  },
  "signature": "nJBPLq2Lds321...oGvkZANUXIm284"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:44:32 GMT
Content-Type: application/json
Content-Length: 392
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_10>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "nas.mycustomservice.local"
  },
  "status": "pending",
  "expires": "2024-04-22T22:44:24Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11111111111/aaaAAA",
      "token": "<token_1>"
    }
  ],
  "wildcard": true
}
POST /acme/authz-v3/11111111111
Request
POST /acme/authz-v3/11111111111 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_10>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111"
  },
  "signature": "r-N9y58zlB9i2r...CIW-Y8w8qwo1_ws"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:44:35 GMT
Content-Type: application/json
Content-Length: 392
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_11>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "nas.mycustomservice.local"
  },
  "status": "pending",
  "expires": "2024-04-22T22:44:24Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11111111111/aaaAAA",
      "token": "<token_1>"
    }
  ],
  "wildcard": true
}
POST /acme/authz-v3/11111111111
Request
POST /acme/authz-v3/11111111111 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_11>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111"
  },
  "signature": "sKKxfXxd8eVYmvLf...KSO9jzvdLA0VRk"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:44:45 GMT
Content-Type: application/json
Content-Length: 392
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_12>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "nas.mycustomservice.local"
  },
  "status": "pending",
  "expires": "2024-04-22T22:44:24Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11111111111/aaaAAA",
      "token": "<token_1>"
    }
  ],
  "wildcard": true
}
POST /acme/authz-v3/11111111111
Request
POST /acme/authz-v3/11111111111 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_12>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111"
  },
  "signature": "m8VMj7Mdv8jI3...GbLqTZJEuqKYYE"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:44:56 GMT
Content-Type: application/json
Content-Length: 597
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_13>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "nas.mycustomservice.local"
  },
  "status": "valid",
  "expires": "2024-05-15T22:44:51Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11111111111/aaaAAA",
      "token": "<token_1>",
      "validationRecord": [
        {
          "hostname": "nas.mycustomservice.local",
          "resolverAddrs": [
            "10.0.32.85:28460"
          ]
        }
      ],
      "validated": "2024-04-15T22:44:31Z"
    }
  ],
  "wildcard": true
}
POST /acme/chall-v3/22222222222/bbbBBB
Request
POST /acme/chall-v3/22222222222/bbbBBB HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1045
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"e30",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_13>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/bbbBBB"
  },
  "signature": "KoR8Npq7IbAosgLUX...Ua9S_ai78uno4"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:44:59 GMT
Content-Type: application/json
Content-Length: 193
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Link: <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22222222222>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/bbbBBB
Replay-Nonce: <nonce_14>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/bbbBBB",
  "token": "<token_2>"
}
POST /acme/authz-v3/22222222222
Request
POST /acme/authz-v3/22222222222 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_14>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22222222222"
  },
  "signature":"W8SCrjEIrr6o...fAr4Bs0kiU1uIaw"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:44:59 GMT
Content-Type: application/json
Content-Length: 816
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_15>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "nas.mycustomservice.local"
  },
  "status": "pending",
  "expires": "2024-04-22T22:44:24Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/eeeEEE",
      "token": "<token_2>"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/bbbBBB",
      "token": "<token_2>"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/dddDDD",
      "token": "<token_2>"
    }
  ]
}
POST /acme/authz-v3/22222222222
Request
POST /acme/authz-v3/22222222222 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_15>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22222222222"
  },
  "signature":"NH-TaMdUBCoG9N...IMeHGs8LxRnSj-4s"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:07 GMT
Content-Type: application/json
Content-Length: 816
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_16>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "nas.mycustomservice.local"
  },
  "status": "pending",
  "expires": "2024-04-22T22:44:24Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/eeeEEE",
      "token": "<token_2>"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/bbbBBB",
      "token": "<token_2>"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/dddDDD",
      "token": "<token_2>"
    }
  ]
}
POST /acme/authz-v3/22222222222
Request
POST /acme/authz-v3/22222222222 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload": "",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_16>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22222222222"
  },
  "signature": "Rrl0vQb083f3qY6mr...56fDga--8YhSpk"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:12 GMT
Content-Type: application/json
Content-Length: 577
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_17>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "nas.mycustomservice.local"
  },
  "status": "valid",
  "expires": "2024-05-15T22:45:09Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/22222222222/bbbBBB",
      "token": "<token_2>",
      "validationRecord": [
        {
          "hostname": "nas.mycustomservice.local",
          "resolverAddrs": [
            "10.0.32.82:23095"
          ]
        }
      ],
      "validated": "2024-04-15T22:44:59Z"
    }
  ]
}
POST /acme/chall-v3/33333333333/cccCCC
Request
POST /acme/chall-v3/33333333333/cccCCC HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1045
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"e30",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_17>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/cccCCC"
  },
  "signature":"pPaeqBiq4HqW5...QBSi3l87xrdUM"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:14 GMT
Content-Type: application/json
Content-Length: 193
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Link: <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/cccCCC
Replay-Nonce: <nonce_18>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/cccCCC",
  "token": "<token_3>"
}
POST /acme/authz-v3/33333333333
Request
POST /acme/authz-v3/33333333333 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_18>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333"
  },
  "signature":"HiH3Yh5hdLdQhm...qgYF1AM_1AC3Qo"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:15 GMT
Content-Type: application/json
Content-Length: 830
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_18>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "test1.test2.mycustomservice.local"
  },
  "status": "pending",
  "expires": "2024-04-22T22:44:24Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/fffFFF",
      "token": "<token_3>"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/cccCCC",
      "token": "<token_3>"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/gggGGG",
      "token": "<token_3>"
    }
  ]
}
POST /acme/authz-v3/33333333333
Request
POST /acme/authz-v3/33333333333 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_18>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333"
  },
  "signature":"SMKKc-Da_EE...nxmjwTgJiNYqQc"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:22 GMT
Content-Type: application/json
Content-Length: 830
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_19>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "test1.test2.mycustomservice.local"
  },
  "status": "pending",
  "expires": "2024-04-22T22:44:24Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/fffFFF",
      "token": "<token_3>"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/cccCCC",
      "token": "<token_3>"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/gggGGG",
      "token": "<token_3>"
    }
  ]
}
POST /acme/authz-v3/33333333333
Request
POST /acme/authz-v3/33333333333 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_19>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333"
  },
  "signature":"fSjTHehqqfWz...bVvaG2uH4DXf7h74o"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:30 GMT
Content-Type: application/json
Content-Length: 830
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_20>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "test1.test2.mycustomservice.local"
  },
  "status": "pending",
  "expires": "2024-04-22T22:44:24Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/fffFFF",
      "token": "<token_3>"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/cccCCC",
      "token": "<token_3>"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/gggGGG",
      "token": "<token_3>"
    }
  ]
}
POST /acme/authz-v3/33333333333
Request
POST /acme/authz-v3/33333333333 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1033
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_20>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333"
  },
  "signature":"axHJF6HwVPlLDNDj...blbKDbI6BpV_Gz0"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:41 GMT
Content-Type: application/json
Content-Length: 605
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_21>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "test1.test2.mycustomservice.local"
  },
  "status": "valid",
  "expires": "2024-05-15T22:45:34Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/33333333333/cccCCC",
      "token": "<token_3>",
      "validationRecord": [
        {
          "hostname": "test1.test2.mycustomservice.local",
          "resolverAddrs": [
            "10.0.32.82:23095"
          ]
        }
      ],
      "validated": "2024-04-15T22:45:14Z"
    }
  ]
}
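All three authorizations above end up valid through dns-01 (the wildcard authorization, flagged "wildcard": true, only ever offered dns-01; the non-wildcard ones also listed http-01 and tls-alpn-01, which Traefik ignored because the resolver is configured for the DNS challenge). To make the values in these captures concrete, here is an added Go example, written for this post and not code from Traefik or lego, that reproduces the client-side arithmetic: the RFC 7638 thumbprint of the account key, the key authorization and the TXT value that gets written to Cloudflare, and the RS256 JWS with the kid/nonce/url protected header, where "e30" is just base64url of "{}" (the challenge trigger) and an empty payload is POST-as-GET (the authorization polls). The account key is freshly generated as a stand-in for the key in Traefik's acme.json, and the token and nonce strings are placeholders; the URLs reuse the anonymized ones from the captures.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

var b64 = base64.RawURLEncoding // ACME uses base64url without padding throughout

// Thumbprint is the RFC 7638 JWK thumbprint of the RSA account key: SHA-256 over
// the canonical JSON {"e":..,"kty":"RSA","n":..} (sorted members, no whitespace).
func Thumbprint(pub *rsa.PublicKey) string {
	e := big.NewInt(int64(pub.E)).Bytes()
	canon := fmt.Sprintf(`{"e":"%s","kty":"RSA","n":"%s"}`,
		b64.EncodeToString(e), b64.EncodeToString(pub.N.Bytes()))
	sum := sha256.Sum256([]byte(canon))
	return b64.EncodeToString(sum[:])
}

// KeyAuthorization is token "." thumbprint (RFC 8555 section 8.1).
func KeyAuthorization(token, thumbprint string) string {
	return token + "." + thumbprint
}

// DNS01TXTValue is the record content written to _acme-challenge.<name>:
// base64url(SHA-256(keyAuthorization)) (RFC 8555 section 8.4).
func DNS01TXTValue(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return b64.EncodeToString(sum[:])
}

// JWS is the flattened JSON serialization seen in every ACME request above.
type JWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// SignRequest builds an RS256 JWS with the kid/nonce/url protected header.
// payload "{}" encodes to "e30" (challenge trigger); a nil payload encodes to ""
// and is POST-as-GET (RFC 8555 section 6.3), used to poll authz/order objects.
func SignRequest(key *rsa.PrivateKey, kid, nonce, url string, payload []byte) (JWS, error) {
	hdr, err := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "nonce": nonce, "url": url})
	if err != nil {
		return JWS{}, err
	}
	j := JWS{Protected: b64.EncodeToString(hdr), Payload: b64.EncodeToString(payload)}
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return JWS{}, err
	}
	j.Signature = b64.EncodeToString(sig)
	return j, nil
}

// VerifyRequest is the CA-side check: recompute the signing input, verify it with
// the account public key, and return the decoded protected header.
func VerifyRequest(pub *rsa.PublicKey, j JWS) (map[string]string, error) {
	sig, err := b64.DecodeString(j.Signature)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	raw, err := b64.DecodeString(j.Protected)
	if err != nil {
		return nil, err
	}
	hdr := map[string]string{}
	return hdr, json.Unmarshal(raw, &hdr)
}

func main() {
	// Constructed stand-ins: a fresh key instead of the account key in Traefik's
	// acme.json, and placeholder token/nonce strings; URLs are the anonymized ones above.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	const kid = "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789"
	const chall = "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11111111111/aaaAAA"
	const authz = "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111"

	thumb := Thumbprint(&key.PublicKey)
	fmt.Println("TXT _acme-challenge.nas.mycustomservice.local:",
		DNS01TXTValue(KeyAuthorization("constructed-token-1", thumb)))

	trigger, _ := SignRequest(key, kid, "nonce_8", chall, []byte("{}"))
	fmt.Println("challenge trigger payload:", trigger.Payload) // e30
	poll, _ := SignRequest(key, kid, "nonce_9", authz, nil)
	fmt.Println("POST-as-GET payload empty:", poll.Payload == "")
	hdr, err := VerifyRequest(&key.PublicKey, trigger)
	fmt.Println("CA-side verify:", err == nil, "nonce bound under signature:", hdr["nonce"])
}
```

VerifyRequest is the check Boulder runs on every request, and it shows why the Replay-Nonce from each response has to be carried into the next request: the nonce sits in the protected header, which is under the signature, so a replayed or reordered request is rejected rather than silently re-executed. It also shows why the TXT value cannot be precomputed by anyone who does not hold the account key: the thumbprint is part of the hashed key authorization.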
(Sequence diagram: Let's Encrypt Server, Cloudflare)
DELETE /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records/aAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaA
Request
DELETE /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records/aAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaA HTTP/2
Host: api.cloudflare.com
Authorization: Bearer <bearer_token_2>
User-Agent: cloudflare-go/v4
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
Response
HTTP/2 200 OK
Date: Mon, 15 Apr 2024 22:45:42 GMT
Content-Type: application/json
Cf-Ray: 874f77a6998e3c07-SFO
Cf-Cache-Status: DYNAMIC
Set-Cookie: __cflb=0...D; SameSite=Lax; path=/; expires=Tue, 16-Apr-24 01:15:43 GMT; HttpOnly
Vary: Accept-Encoding
Set-Cookie: __cfruid=c...2; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Server: cloudflare

{
    "result": {
        "id": "aAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaA"
    },
    "success": true,
    "errors": [],
    "messages": []
}
DELETE /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records/bBbBbBbBbBbBbBbBbBbBbBbBbBbBbBbB
Request
DELETE /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records/bBbBbBbBbBbBbBbBbBbBbBbBbBbBbBbB HTTP/2
Host: api.cloudflare.com
Authorization: Bearer <bearer_token_2>
User-Agent: cloudflare-go/v4
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
Response
HTTP/2 200 OK
Date: Mon, 15 Apr 2024 22:45:43 GMT
Content-Type: application/json
Cf-Ray: 21d51a9896374f07-SFO
Cf-Cache-Status: DYNAMIC
Set-Cookie: __cflb=0...j; SameSite=Lax; path=/; expires=Tue, 16-Apr-24 01:15:44 GMT; HttpOnly
Vary: Accept-Encoding
Set-Cookie: __cfruid=7...3; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Server: cloudflare

{
    "result": {
        "id": "bBbBbBbBbBbBbBbBbBbBbBbBbBbBbBbB"
    },
    "success": true,
    "errors": [],
    "messages": []
}
DELETE /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records/cCcCcCcCcCcCcCcCcCcCcCcCcCcCcCcC
Request
DELETE /client/v4/zones/zzzzzzzzzzzzzzzzZZZZZZZZZZZZZZZZ/dns_records/cCcCcCcCcCcCcCcCcCcCcCcCcCcCcCcC HTTP/2
Host: api.cloudflare.com
Authorization: Bearer <bearer_token_2>
User-Agent: cloudflare-go/v4
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
Response
HTTP/2 200 OK
Date: Mon, 15 Apr 2024 22:45:43 GMT
Content-Type: application/json
Cf-Ray: 35084b19144de3bf-SFO
Cf-Cache-Status: DYNAMIC
Set-Cookie: __cflb=0...F; SameSite=Lax; path=/; expires=Tue, 16-Apr-24 01:15:44 GMT; HttpOnly
Vary: Accept-Encoding
Set-Cookie: __cfruid=7...3; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Server: cloudflare

{
    "result": {
        "id": "cCcCcCcCcCcCcCcCcCcCcCcCcCcCcCcC"
    },
    "success": true,
    "errors": [],
    "messages": []
}
(Sequence diagram: Server (Traefik), Let's Encrypt Server, Cloudflare)
POST /acme/finalize/123456789/11122233344
Request
POST /acme/finalize/123456789/11122233344 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 3201
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload": {
    "csr": "MIIEsDCCApgCAQAwGDE...fmxnNbbWYA"
  },
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_21>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/123456789/11122233344"
  },
  "signature":"nqtwaW8gJo...KhY5w6SljCto"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:47 GMT
Content-Type: application/json
Content-Length: 651
Boulder-Requester: 123456789
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/123456789/11122233344
Replay-Nonce: <nonce_22>
Retry-After: 3
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "processing",
  "expires": "2024-04-22T22:44:24Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.nas.mycustomservice.local"
    },
    {
      "type": "dns",
      "value": "nas.mycustomservice.local"
    },
    {
      "type": "dns",
      "value": "test1.test2.mycustomservice.local"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22222222222",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/123456789/11122233344"
}
POST /acme/order/123456789/11122233344
Request
POST /acme/order/123456789/11122233344 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1042
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_22>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/order/123456789/11122233344"
  },
  "signature":"K_ngn_c-LJUxr...bBE4wQHO0"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:47 GMT
Content-Type: application/json
Content-Length: 651
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_23>
Retry-After: 3
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "processing",
  "expires": "2024-04-22T22:44:24Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.nas.mycustomservice.local"
    },
    {
      "type": "dns",
      "value": "nas.mycustomservice.local"
    },
    {
      "type": "dns",
      "value": "test1.test2.mycustomservice.local"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22222222222",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/123456789/11122233344"
}
POST /acme/order/123456789/11122233344
Request
POST /acme/order/123456789/11122233344 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1042
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_23>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/order/123456789/11122233344"
  },
  "signature":"RhBRVl87HQ4...osLPyPjw"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:48 GMT
Content-Type: application/json
Content-Length: 758
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <nonce_24>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "valid",
  "expires": "2024-04-22T22:44:24Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.nas.mycustomservice.local"
    },
    {
      "type": "dns",
      "value": "nas.mycustomservice.local"
    },
    {
      "type": "dns",
      "value": "test1.test2.mycustomservice.local"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11111111111",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/22222222222",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/33333333333"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/123456789/11122233344",
  "certificate": "https://acme-staging-v02.api.letsencrypt.org/acme/cert/xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX"
}
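The two order responses above show the part of the flow a client has to drive itself: the first fetch of the order returns "processing" with a Retry-After of 3 seconds, and the next one returns "valid" together with the certificate URL. The following Go program is an added example, not Traefik's or lego's code, of that polling loop run against a constructed in-memory stand-in for the CA. Instead of building the RS256 JWS it sends a plain POST and carries the previous Replay-Nonce in a made-up X-Example-Nonce header; the server URL, order URL and certificate URL (ca.example.invalid) are constructed too.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"sync/atomic"
	"time"
)

// Order holds the fields of the ACME order object (RFC 8555 section 7.1.3)
// that the polling loop needs.
type Order struct {
	Status      string `json:"status"`
	Finalize    string `json:"finalize"`
	Certificate string `json:"certificate,omitempty"`
}

// retryAfter parses a Retry-After header, which may be delay-seconds ("3")
// or an HTTP-date; fallback is used when the header is absent or unparseable.
func retryAfter(h string, now time.Time, fallback time.Duration) time.Duration {
	if h == "" {
		return fallback
	}
	if secs, err := strconv.Atoi(h); err == nil && secs >= 0 {
		return time.Duration(secs) * time.Second
	}
	if t, err := http.ParseTime(h); err == nil {
		if d := t.Sub(now); d > 0 {
			return d
		}
		return 0
	}
	return fallback
}

// pollOrder re-fetches the order until it is "valid" (certificate URL present)
// or fails. A real client sends a JWS with payload "" (POST-as-GET, RFC 8555
// section 6.3) and the last Replay-Nonce in the protected header; this
// constructed example puts the nonce in a made-up X-Example-Nonce header
// instead. sleep is injected so a test does not have to wait for real.
func pollOrder(client *http.Client, orderURL string, maxAttempts int, sleep func(time.Duration)) (*Order, error) {
	nonce := ""
	for attempt := 0; attempt < maxAttempts; attempt++ {
		req, err := http.NewRequest(http.MethodPost, orderURL, nil)
		if err != nil {
			return nil, err
		}
		req.Header.Set("Content-Type", "application/jose+json")
		req.Header.Set("X-Example-Nonce", nonce)
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		body, err := io.ReadAll(resp.Body)
		resp.Body.Close()
		if err != nil {
			return nil, err
		}
		// Every ACME reply carries a fresh nonce; it must be used on the next request.
		nonce = resp.Header.Get("Replay-Nonce")
		if resp.StatusCode != http.StatusOK {
			return nil, fmt.Errorf("order fetch returned %s", resp.Status)
		}
		var o Order
		if err := json.Unmarshal(body, &o); err != nil {
			return nil, err
		}
		switch o.Status {
		case "valid":
			if o.Certificate == "" {
				return nil, errors.New("order is valid but has no certificate URL")
			}
			return &o, nil
		case "invalid":
			return nil, errors.New("order failed; inspect the authorizations for the error")
		case "pending", "ready", "processing":
			sleep(retryAfter(resp.Header.Get("Retry-After"), time.Now(), time.Second))
		default:
			return nil, fmt.Errorf("unexpected order status %q", o.Status)
		}
	}
	return nil, fmt.Errorf("order not valid after %d attempts", maxAttempts)
}

// newFakeCA is a constructed stand-in for the staging server: the first poll
// answers "processing" with Retry-After: 3, every later poll answers "valid".
func newFakeCA() *httptest.Server {
	var calls int32
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		n := atomic.AddInt32(&calls, 1)
		w.Header().Set("Replay-Nonce", fmt.Sprintf("nonce_%d", n))
		w.Header().Set("Content-Type", "application/json")
		if n == 1 {
			w.Header().Set("Retry-After", "3")
			fmt.Fprint(w, `{"status":"processing","finalize":"https://ca.example.invalid/acme/finalize/1/2"}`)
			return
		}
		fmt.Fprint(w, `{"status":"valid","finalize":"https://ca.example.invalid/acme/finalize/1/2",`+
			`"certificate":"https://ca.example.invalid/acme/cert/abc"}`)
	}))
}

func main() {
	srv := newFakeCA()
	defer srv.Close()
	o, err := pollOrder(srv.Client(), srv.URL+"/acme/order/1/2", 5, func(d time.Duration) {
		fmt.Printf("server asked us to wait %s before polling again\n", d)
	})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("order valid, certificate at", o.Certificate)
}
```

The point worth keeping from this loop is that "processing" is not an error: the CA is still signing, and the client is expected to wait the advertised Retry-After and ask again with the new nonce, which is exactly what the two captured requests do.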
POST /acme/cert/xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX
Request
POST /acme/cert/xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1061
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_24>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/cert/xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX"
  },
  "signature":"bE2kWcDPuwJ...ZNGgjUDY"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:48 GMT
Content-Type: application/pem-certificate-chain
Content-Length: 4144
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Link: <https://acme-staging-v02.api.letsencrypt.org/acme/cert/xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX/1>;rel="alternate"
Replay-Nonce: <nonce_25>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

-----BEGIN CERTIFICATE-----
MIIGPjCC...gYPhj1xAP5jqa
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIFWzCCA0...O1aw0PpQBPDQ==
-----END CERTIFICATE-----
POST /acme/cert/xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX/1
Request
POST /acme/cert/xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX/1 HTTP/2
Host: acme-staging-v02.api.letsencrypt.org
User-Agent: containous-traefik/2.11.0 xenolf-acme/4.15.0 (release; linux; amd64)
Content-Length: 1063
Content-Type: application/jose+json
Accept-Encoding: gzip, deflate, br

{
  "payload":"",
  "protected": {
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/123456789",
    "nonce": "<nonce_25>",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/cert/xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX/1"
  },
  "signature":"SWchkpGL7GUk...1zprNvJoVsAAIng"
}
Response
HTTP/2 200 OK
Server: nginx
Date: Mon, 15 Apr 2024 22:45:49 GMT
Content-Type: application/pem-certificate-chain
Content-Length: 6052
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Link: <https://acme-staging-v02.api.letsencrypt.org/acme/cert/xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX/0>;rel="alternate"
Replay-Nonce: <nonce_26>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

-----BEGIN CERTIFICATE-----
MIIGPj...BgYPhj1xAP5jqa
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIFWz...O1aw0PpQBPDQ==
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIFVD...0BPHtenfhKj5
-----END CERTIFICATE-----

To view the contents of every certificate in the chain, save the above response body to a PEM file (cert.pem) and run:
while openssl x509 -noout -text; do :; done < cert.pem

Output:

Certificate:
    Data:
        Subject: CN=*.nas.mycustomservice.local.Info
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.nas.mycustomservice.local, DNS:nas.mycustomservice.local, DNS:test1.test2.mycustomservice.local
            ...
        ...
Certificate:
    Data:
        Subject: C=US, O=(STAGING) Let's Encrypt, CN=(STAGING) Artificial Apricot R3
        ...
Certificate:
    Data:
        Subject: C=US, O=(STAGING) Internet Security Research Group, CN=(STAGING) Pretend Pear X1
    ...
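The openssl loop above only prints the chain; a TLS client additionally has to check that the end-entity certificate chains to a trusted root through the intermediates and that its SANs cover the requested host. The Go program below is an added example, not code from the post, Traefik or lego, that does both on a bundle in the application/pem-certificate-chain layout returned by /acme/cert. Because the real staging certificates cannot be reproduced here, it first builds a constructed root -> intermediate -> leaf hierarchy (standing in for Pretend Pear X1 -> Artificial Apricot R3 -> the wildcard leaf) and then parses and verifies it exactly as it would a downloaded bundle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// parseChain splits an application/pem-certificate-chain body into its
// certificates, keeping the order the server sent (end-entity first).
func parseChain(bundle []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks in bundle")
	}
	return certs, nil
}

// verifyChain does what a TLS client does with the bundle: the first
// certificate must chain to a trusted root through the remaining ones and
// must cover host (wildcard SANs included). roots == nil means the system store.
func verifyChain(bundle []byte, host string, roots *x509.CertPool) error {
	certs, err := parseChain(bundle)
	if err != nil {
		return err
	}
	inter := x509.NewCertPool()
	for _, c := range certs[1:] {
		inter.AddCert(c)
	}
	_, err = certs[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

// makeTestChain is a constructed fixture: a root -> intermediate -> leaf
// hierarchy returned as a PEM bundle in the order /acme/cert/.../1 uses, plus
// a pool trusting only that root. Being a fixture, it panics instead of returning errors.
func makeTestChain() ([]byte, *x509.CertPool) {
	now := time.Now()
	tmpl := func(serial int64, cn string, ca bool, dns []string) *x509.Certificate {
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour), DNSNames: dns,
			KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: ca}
		if ca {
			t.KeyUsage |= x509.KeyUsageCertSign
		} else {
			t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		}
		return t
	}
	// issue signs t with parentKey, or with the new key itself for the self-signed root.
	issue := func(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		if parentKey == nil {
			parentKey = key
		}
		der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
		if err != nil {
			panic(err)
		}
		c, err := x509.ParseCertificate(der)
		if err != nil {
			panic(err)
		}
		return c, key
	}
	rootT := tmpl(1, "(CONSTRUCTED) Root X1", true, nil)
	root, rootKey := issue(rootT, rootT, nil)
	inter, interKey := issue(tmpl(2, "(CONSTRUCTED) Intermediate R3", true, nil), root, rootKey)
	leaf, _ := issue(tmpl(3, "*.nas.mycustomservice.local", false,
		[]string{"*.nas.mycustomservice.local", "nas.mycustomservice.local"}), inter, interKey)
	var bundle []byte
	for _, c := range []*x509.Certificate{leaf, inter, root} {
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return bundle, roots
}

func main() {
	bundle, roots := makeTestChain()
	certs, _ := parseChain(bundle)
	for i, c := range certs { // the same summary the openssl loop in the post prints
		fmt.Printf("cert %d: CN=%s SAN=%v CA=%v\n", i, c.Subject.CommonName, c.DNSNames, c.IsCA)
	}
	fmt.Println("verify with constructed root:", verifyChain(bundle, "nas.mycustomservice.local", roots))
	fmt.Println("verify with system roots only:", verifyChain(bundle, "nas.mycustomservice.local", nil))
}
```

Two things the example makes visible that the openssl output does not: the bundle order matters (the leaf is taken from position 0, everything after it is only a candidate intermediate), and the chain returned by the alternate link is just a different path to a root, so whether it verifies depends entirely on which roots the client trusts.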
Let's Encrypt Server

Now check out RFC 8555: you will be able to map each of these requests onto the protocol steps it defines and understand the flow very easily!

References

  1. RFC 8555: Automatic Certificate Management Environment (ACME)
  2. LEGO DNS Providers: Cloudflare (documentation and GitHub repository)
  3. Cloudflare API