
Lets Encrypt DNS Challenge with Traefik and AWS Route 53
Kasun de Silva, posted on May 25
Tags: route53, dns01, letsencrypt, dns

So, you're self-hosting awesome apps like Jellyfin, Home Assistant, or your personal blog with Docker. You want that sweet, sweet HTTPS padlock for secure connections, and Let's Encrypt is the obvious choice for free TLS (a.k.a. SSL) certs. Awesome!

You set up your reverse proxy (maybe Traefik, because it's slick!), point it to your app, and tell it to get a certificate... only to hit a wall. Why? Meet the home networker's nemesis: ISPs blocking incoming port 80.

The Standard Way (and the Wall)

Let's Encrypt's default validation method, HTTP-01, is simple: their servers try to fetch a special file from your server over plain HTTP (port 80) to prove you control the domain. That port is not negotiable; the CA always starts the check on port 80.

    Let's Encrypt -> Your Public IP:80 -> Does challenge file exist? -> OK! Cert issued!

But if your ISP blocks incoming connections on port 80 (super common on residential plans!), Let's Encrypt's request never reaches your server.

    Let's Encrypt -> Your Public IP:80 -> [ISP BLOCK] -> Challenge failed! No cert! :(

Frustrating, right? Your quest for HTTPS seems doomed... or is it?

The DNS-01 Challenge: A Different Kind of Proof

Enter the DNS-01 challenge, Let's Encrypt's other validation method. Instead of fetching a file over HTTP, it asks you to prove control of the domain by publishing a TXT record named _acme-challenge.<your-domain> whose value is derived from a one-time token and your ACME account key.

    Let's Encrypt -> Queries your domain's authoritative DNS servers -> Does the _acme-challenge TXT record exist with the right value? -> OK! Cert issued!

The validation is a DNS lookup against your domain's authoritative nameservers (Route 53, in our case), not a connection to your home IP. Nothing on your residential line has to be reachable at all, so the port 80 block simply doesn't matter. Two things worth knowing: the CA resolves the record through public DNS, so it has to have propagated before validation runs, and DNS-01 is also the only challenge type that can issue wildcard certificates (*.example.com).

The Magic Combo: Traefik + AWS Route 53

Okay, manually creating DNS records every 90 days (that's how long a Let's Encrypt certificate is valid) sounds tedious. This is where the dynamic duo comes in
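As an added example (not the post's own configuration), here is a minimal docker-compose.yml that wires Traefik's ACME certificate resolver to Route 53 with the DNS-01 challenge and publishes Jellyfin behind it. The hostname jellyfin.example.com, the resolver name "le", the volume paths and the AWS_* values are placeholders you replace with your own; only port 443 is published, since the whole point is that port 80 never needs to be reachable.

```yaml
# docker-compose.yml (added example; jellyfin.example.com, the "le" resolver name
# and the AWS_* values are assumptions to replace with your own)
services:
  traefik:
    image: traefik:v3.0
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      # Only 443 is exposed: the ISP blocks 80, and DNS-01 does not need it.
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.le.acme.email=you@example.com
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      # DNS-01 through the Route 53 provider instead of the default HTTP-01.
      - --certificatesresolvers.le.acme.dnschallenge.provider=route53
      # Traefik checks these public resolvers for the TXT record before it
      # asks the CA to validate, so propagation delays do not fail the order.
      - --certificatesresolvers.le.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
      # While testing, point at the staging CA to stay clear of rate limits:
      # - --certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
    environment:
      # Credentials for an IAM user scoped to this one hosted zone; supply them
      # from a .env file, never hard-code them here.
      AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
      AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
      AWS_REGION: us-east-1
      # Pinning the zone ID lets the provider skip looking the zone up by name.
      AWS_HOSTED_ZONE_ID: ${AWS_HOSTED_ZONE_ID}
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # acme.json holds the certificate private keys; keep it mode 0600.
      - ./letsencrypt:/letsencrypt

  jellyfin:
    image: jellyfin/jellyfin
    labels:
      - traefik.enable=true
      - traefik.http.routers.jellyfin.rule=Host(`jellyfin.example.com`)
      - traefik.http.routers.jellyfin.entrypoints=websecure
      # The router's TLS config names the resolver above; Traefik then orders,
      # validates via Route 53 and renews the certificate on its own.
      - traefik.http.routers.jellyfin.tls.certresolver=le
      - traefik.http.services.jellyfin.loadbalancer.server.port=8096
```

Watch the Traefik logs on first start: a failed DNS-01 order usually means the TXT record was not visible to the configured resolvers yet, or the AWS credentials cannot write to the zone.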
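The Route 53 credentials Traefik holds are the weak point of this setup: a key that can change any record in the zone lets whoever steals it repoint your A records, and with them your traffic and any future certificate. As an added example (not from the post), this IAM policy grants only what the DNS-01 flow needs and restricts writes to TXT records under _acme-challenge.*; ZONEID is a placeholder for your hosted zone's ID.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PollChangeStatus",
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Sid": "FindZoneByName",
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    },
    {
      "Sid": "ReadRecordsInZone",
      "Effect": "Allow",
      "Action": "route53:ListResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/ZONEID"
    },
    {
      "Sid": "WriteOnlyAcmeTxtRecords",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/ZONEID",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]
        },
        "ForAllValues:StringLike": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["_acme-challenge.*"]
        }
      }
    }
  ]
}
```

Attach this to a dedicated IAM user (or, on an EC2 host, to an instance role so no long-lived key exists at all). With the condition block in place, a leaked key can at worst create or delete _acme-challenge TXT records, which is an annoyance rather than a domain takeover.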
Originally published at dev.to