Setup a DNS challenge with Cloudflare

Setup a DNS challenge with Cloudflare


In this guide, we will show you how to set up your runtipi instance with a dns challenge and cloudflare. By default runtipi uses an http challenge to obtain ssl certificates requiring you to expose the dashboard to the internet which is a very bad security practice. With a DNS challenge you can get trusted ssl certificates without needing to expose anything to the internet.


  • A runtipi instace
  • A domain name connected to cloudflare

Setting up the DNS challenge

So lets get started setting up the DNS challenge.

Set up the DNS records

To begin with we need to set up two DNS records in our cloudflare dashboard, one should look like this:

And the other one should like this:

Make sure to replace with the ip adress of your runtipi server.

Obtain your API key

Now we need to get the api key that traefik is going to use to get the certificates. In order to do that go to this (opens in a new tab) page of the cloudflare dashboard and click Create token. Then select the Edit zone DNS template. The only thing you need to do is select your domain in the Zone Resources section. Finally click Continue to summary and then Create token, make sure to save that token since you can only view it once.

Create the custom compose file

We need to give the token to traefik in order to do that we need to create a custom compose with the following contents:

version: '3.9'
      - CF_DNS_API_TOKEN=yourtoken

Make sure to replace the yourtoken part with the actual token you got in the previous step.


If you don't know how to create a custom compose file you can check the guide here.

Edit the traefik config

Now it is time to edit the traefik config. You need to replace this part:

      storage: /shared/acme.json
        entryPoint: web

To this:

      storage: /shared/acme.json
        provider: cloudflare
        delayBeforeCheck: 0

Make sure to replace the with your actual email adress so Let's Encrypt can notify you if something is wrong.


Make sure that you have enabled the option to persist the traefik config. If you are not sure how to do it check the guide here.

Restart runtipi and test

Finally we need to restart runtipi with this command:

sudo ./runtipi-cli restart

After that you can go to your runtipi dashboard and try to expose an app, after you expose it traefik should automatically obtain an ssl certificate from Let's Encrypt, be patient though, it may take up to 2 minutes to complete.