
Setting up DNS Challenge for Traefik

Last night I set up Traefik Forward Auth in my homelab to restrict access to my services using an Identity Provider (such as Google, or a locally run Keycloak instance). I'd been having issues getting wildcard certificates working when I realised that I was still using the httpChallenge method of obtaining certificates. That method does not allow for wildcard certificates, so we need to change it out for a dnsChallenge. Doing so is as simple as pie: first modify your Traefik config (mine's in YAML, yours could be in TOML):

certificatesResolvers:
  myhttpchallenge:
    acme:
<<<   httpChallenge:
<<<     # used during the challenge
<<<     entryPoint: http
>>>   dnsChallenge:
>>>     provider: gcloud
>>>     resolvers: ['8.8.8.8', '8.8.4.4']
      email: <example@example.com>
      storage: acme.json
      # Use Let's Encrypt Staging CA when testing!
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory

We then need to provide a method for Traefik to configure the DNS records for the challenge. As we're using Google, we need to provide a service account, but your provider may be different; check the Traefik docs for details. Getting the service account set up with the correct permissions is an exercise left to the reader. Once we have the credentials available, we need to provide them to the Traefik container by modifying the docker-compose file we use to provision it:

volumes:
  - ./gcloud.json:/gcloud.json
environment:
  - "GCE_SERVICE_ACCOUNT_FILE=/gcloud.json"

Once saved, re-provision using docker-compose up -d, and you shouldn't see any errors in your Traefik logs.
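Added here as a post-setup check (not code from the original post or from Traefik itself): a Python script that reads the acme.json Traefik writes and verifies both that the file is not readable or writable by group or others, which Traefik insists on at startup, and that the named resolver actually holds a certificate covering *.<zone>. The resolver name myhttpchallenge, the domains and the sample file contents are constructed to match the config above.

```python
import json
import os
import stat
import tempfile

# Constructed sample in the shape Traefik v2 writes to acme.json:
# resolver name -> account + issued certificates (PEM bodies left empty).
SAMPLE_ACME_JSON = json.dumps({
    "myhttpchallenge": {
        "Account": {"Email": "example@example.com"},
        "Certificates": [
            {"domain": {"main": "example.com", "sans": ["*.example.com"]},
             "certificate": "", "key": "", "Store": "default"},
            {"domain": {"main": "other.example"},
             "certificate": "", "key": "", "Store": "default"},
        ],
    }
})

def covered_names(acme_text):
    """Map each resolver to every DNS name its issued certificates cover."""
    out = {}
    for resolver, data in json.loads(acme_text).items():
        names = []
        for cert in data.get("Certificates") or []:
            names.append(cert["domain"]["main"])
            names.extend(cert["domain"].get("sans") or [])
        out[resolver] = names
    return out

def has_wildcard(acme_text, resolver, zone):
    """True if the resolver holds a certificate whose names include *.<zone>."""
    return "*." + zone in covered_names(acme_text).get(resolver, [])

def acme_file_is_private(path):
    """Traefik refuses to start if acme.json is group/other readable or writable."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o066 == 0

def check_wildcard(path, resolver, zone):
    with open(path) as fh:
        return acme_file_is_private(path) and has_wildcard(fh.read(), resolver, zone)

def write_sample(mode=0o600):
    """Write the constructed sample to a temp file with the given mode (for testing)."""
    path = os.path.join(tempfile.mkdtemp(), "acme.json")
    with open(path, "w") as fh:
        fh.write(SAMPLE_ACME_JSON)
    os.chmod(path, mode)
    return path
```

Point check_wildcard at the real acme.json mounted into the container (with the resolver name from your config) once Traefik has finished the challenge; a False result means either the file mode is too open or no wildcard certificate was issued.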