First-class support for DNS Challenge (Cloudflare) in Proxy settings

[markdudov]

🚀 The Problem Statement

Currently, Coolify defaults to HTTP-01 validation for Let's Encrypt certificates. This method fails when:

• Cloudflare Proxy (CDN) is enabled before the certificate is issued.
• Users want to issue Wildcard Certificates (*.domain.com), which strictly require DNS-01.
• The server is behind a firewall/VPN where port 80 is not publicly accessible.

The current manual workaround (editing docker-compose.yml of the proxy) is fragile and gets overwritten or breaks easily during updates.

---

🛠 Proposed Implementation (The "How")

1. UI Changes (Server > Proxy > Configuration)

Add a new section called "SSL Validation Method":

Radio Buttons:

• HTTP-01 (Default)
• DNS-01

Conditional Fields (visible only if DNS-01 is selected):

• Provider Dropdown: (Cloudflare, DigitalOcean, AWS Route53, etc. - using Lego providers).
• API Credentials: Dynamic input fields based on the provider (e.g., for Cloudflare: API Token).
• Propagation Delay: A numeric input field (seconds) to wait before Traefik/Caddy attempts validation.

---

2. Backend Logic (Automation)

When the user clicks "Save", Coolify should automate the following:

Credential Management:
Save the API Token securely in the database (encrypted) and map it as an internal environment variable for the proxy container (e.g., CF_DNS_API_TOKEN).

Dynamic Compose Generation:
Automatically update the Proxy's docker-compose.yml:

• Inject the environment variables.
• Update the command arguments for Traefik (or Caddy labels) to point to the DNS provider.

Cleanup:
Automatically disable/remove the --certificatesresolvers.letsencrypt.acme.httpchallenge flags to prevent conflicts.

---

3. Execution Flow

1. User enters Cloudflare API Token in the UI.
2. Coolify validates the token format.
3. Coolify updates the Proxy configuration and triggers a
   docker-compose up -d --force-recreate for the proxy.
4. Traefik/Caddy communicates with the Cloudflare API to create a temporary _acme-challenge TXT record.
5. Certificate is issued, and the TXT record is deleted.

---

💎 User Benefits

• "Set and Forget" Experience: No more manual YAML hacking.
• Zero Downtime Migration: Users can migrate sites to Coolify with Cloudflare Proxy already turned ON.
• Wildcard Scalability: One DNS token allows infinite subdomains without individual HTTP challenges.

[Cinzya]

The Proxy configurations are editable. It is already possible to edit them to your liking such as changing to a DNS challange. There are users who have already done so.
Can it help if we include some information about that in the Docs?

[shadowshal]

yes please

[ThimoDEV]

That would be great!

[Cinzya]

It's now in the Docs, for both Caddy and Traefik.

• Traefik: https://coolify.io/docs/knowledge-base/proxy/traefik/dns-challenge
• Caddy: https://coolify.io/docs/knowledge-base/proxy/caddy/dns-challenge