Generate DigitalOcean API token for ACME challenge

```mermaid
---
title: ACME challenge response for requesting a TLS certificate
---
sequenceDiagram
    participant Traefik as Traefik (Docker)
    participant LE as Let's Encrypt (ACME)
    participant DO as DigitalOcean DNS

    Traefik->>LE: Request / renew TLS certificate (ACME order)
    LE-->>Traefik: Issue DNS-01 challenge (token)
    Traefik->>DO: Add TXT record _acme-challenge.<domain> using API token
    Traefik->>LE: Challenge ready, please validate
    LE->>DO: Query TXT record _acme-challenge.<domain>
    DO-->>LE: TXT record found, value matches
    LE-->>Traefik: Issue TLS certificate
    Traefik->>DO: Remove TXT record (cleanup)
```
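The exchange in the diagram, worked through in code: this is an added example written for this page, not Traefik's or go-acme/lego's own code. It computes what the client has to publish for a DNS-01 challenge and what the CA recomputes to validate it, following RFC 8555 (key authorization, base64url) and RFC 7638 (JWK thumbprint). The account key, challenge token and the in-memory "zone" are constructed placeholders, not a real key or a real challenge.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the key's required public members,
    serialised with lexicographically sorted keys and no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Client side (Traefik/LEGO): the TXT record name and value to publish.
    value = base64url(SHA-256(token || '.' || thumbprint(account key)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def ca_validates(domain: str, token: str, account_jwk: dict, lookup_txt) -> bool:
    """CA side (Let's Encrypt): recompute the expected value and check that
    one of the TXT records at _acme-challenge.<domain> matches it."""
    name, expected = dns01_record(domain, token, account_jwk)
    return expected in lookup_txt(name)


# Constructed placeholders (not a real key or challenge): an EC P-256 account
# key in JWK form and a challenge token shaped like the one the CA sends.
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
CHALLENGE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def simulate(domain: str = "pi.example.com") -> bool:
    """Run the whole exchange against an in-memory stand-in for the DNS zone."""
    zone: dict[str, list[str]] = {}  # record name -> TXT values
    # Traefik -> DigitalOcean: add the TXT record via the API token
    name, value = dns01_record(domain, CHALLENGE_TOKEN, ACCOUNT_JWK)
    zone.setdefault(name, []).append(value)
    # Let's Encrypt -> DNS: look the record up and validate
    ok = ca_validates(domain, CHALLENGE_TOKEN, ACCOUNT_JWK, lambda n: zone.get(n, []))
    # LEGO removes the record once the challenge has been answered
    zone[name].remove(value)
    return ok


if __name__ == "__main__":
    print("DNS-01 validated:", simulate())
```

Two things the code makes visible that the diagram does not: the TXT value is bound to the ACME account key, so a record copied from another account's challenge proves nothing, and the record is removed after validation, which is why the API token needs delete as well as create rights on records.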
Choose any supported DNS provider

All examples in this book use DigitalOcean as the DNS provider. You may choose any DNS service with a programmatic API that is supported by go-acme/lego, the ACME client library Traefik uses for the DNS challenge.

Sign up for a DigitalOcean account (using this referral link helps support this site), and follow along to create the required API token.

DNS also plays a part in requesting TLS certificates from Let's Encrypt. Traefik uses the ACME DNS-01 challenge, in which it proves control of a domain by publishing a specific TXT record under _acme-challenge.<domain>. Traefik interacts with Let's Encrypt on your behalf, automatically requesting and renewing certificates for your services. To allow this, you need a DigitalOcean Personal Access Token, which grants programmatic control of your DigitalOcean account's DNS settings:

  • Login to the DigitalOcean console.
  • Click on API in the left hand menu, near the bottom of the list.
  • On the Tokens tab, click Generate New Token.
  • Enter a descriptive name indicating the owner of the token (e.g., a subdomain), and its purpose (e.g., ACME): pi.example.com ACME.
  • Set the expiration period you want to use. No expire is the set-and-forget option, but it leaves a long-lived credential with write access to your DNS; with a shorter expiry you will need to rotate the token periodically (and update it in Traefik).
  • Select Custom Scopes so you can choose the fine-grained permissions.
  • Select only the domain scope. That is all Traefik needs to add and remove the challenge TXT record; any further scope (droplets, account, etc.) only widens what a leaked token could do.
  • Click Generate Token.
  • Copy the generated token to a temporary buffer/notepad; it is displayed only once. You will need it in the next section, where it is supplied as the DO_AUTH_TOKEN variable.

You will also need to generate an API token for the sentry droplet.

  • Create the second token, named sentry.example.com ACME or similar.
  • Set Custom Scopes = domain, as before.
  • Copy this token to the same temporary buffer/notepad; you will need it when setting up the sentry droplet.
Tip

You could reuse the same API token on both the Pi and the sentry droplet, but it is recommended to create a unique token for each host: if one host is compromised, you revoke only its token, and the other host keeps renewing certificates.
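Before handing either token to Traefik, it is worth confirming that it actually has the rights LEGO will exercise, and nothing more. The following Python script is an added example written for this page (not part of the book or of Traefik); it calls the public DigitalOcean API v2 endpoints for domains and domain records with the token from DO_AUTH_TOKEN, creates a throwaway TXT record under _acme-challenge.<host> in the zone you name, and deletes it again. The zone/host split (for pi.example.com the zone managed in DigitalOcean is example.com and the host is pi) and the record contents are assumptions about your setup; the api parameter is injectable so the logic can be exercised offline.

```python
import json
import os
import urllib.error
import urllib.request

DO_API = "https://api.digitalocean.com/v2"


def do_request(token: str, method: str, path: str, body=None):
    """Minimal DigitalOcean API v2 call; returns (HTTP status, decoded JSON or None)."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(
        DO_API + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)


def smoke_test_token(token: str, zone: str, host: str, api=do_request) -> dict:
    """Do exactly what LEGO will do with the token and nothing more: read the
    zone, create a TXT record under _acme-challenge.<host>, delete it again.
    Returns {step: passed}. `api` is injectable so the logic can be exercised
    without network access."""
    results = {"read_zone": False, "create_record": False, "delete_record": False}

    status, _ = api(token, "GET", f"/domains/{zone}")
    results["read_zone"] = status == 200
    if not results["read_zone"]:
        # 401: bad or expired token; 403: token lacks the domain scope;
        # 404: the zone is not managed in this account
        return results

    status, body = api(token, "POST", f"/domains/{zone}/records", {
        "type": "TXT",
        "name": f"_acme-challenge.{host}",  # relative to the zone
        "data": "do-token-smoke-test",      # constructed value, not a real challenge
        "ttl": 60,
    })
    results["create_record"] = status == 201 and bool(body and body.get("domain_record"))
    if not results["create_record"]:
        return results

    record_id = body["domain_record"]["id"]
    status, _ = api(token, "DELETE", f"/domains/{zone}/records/{record_id}")
    results["delete_record"] = status == 204
    return results


if __name__ == "__main__":
    # Usage: DO_AUTH_TOKEN=... python3 do_token_check.py example.com pi
    import sys
    zone, host = sys.argv[1], sys.argv[2]
    outcome = smoke_test_token(os.environ["DO_AUTH_TOKEN"], zone, host)
    for step, passed in outcome.items():
        print(f"{step:14s} {'ok' if passed else 'FAILED'}")
    sys.exit(0 if all(outcome.values()) else 1)
```

Run it once per token, from the host that will use that token. A 403 on the first step means the token was created without the domain scope; a failure on the last step leaves a harmless TXT record behind that you should remove by hand, and also tells you the token could not clean up after a real challenge.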

Next steps

  • Set up Raspberry Pi.
  • Set up sentry Droplet.
  • Configure WireGuard VPN.
  • Set up public SSH.
  • Install core services.
  • Install apps.