When making applications available to the open internet, the order in which you (1) configure your DNS settings and (2) deploy a service in MedStack Control matters.
Following the order of operations below allows MedStack's managed load balancer (traefik) to issue a certificate for the domain, so that requests to the application can be served. The managed load balancer automatically handles certificate renewal (60 days) and expiry (90 days).
Order of operations
Step 1 – Apply DNS settings
Map an A record in your DNS settings to the manager node host IP address of the production cluster. The load balancer is pinned to the manager node, so the manager node's IP address is where traffic will ingress. This means that the domain or subdomain (app.domain.com) must have propagated at the DNS provider to point to the IP address of the manager node.
Step 2 – Add domain mapping to service
Once the DNS configuration has propagated, proceed with adding domain mappings to a service on MedStack Control. Upon service deployment, Docker requests that traefik issue a certificate for the mapped domain(s).
Common problems
Service with domain mapping was created before DNS settings were created/propagated
When this happens, traefik challenges Let's Encrypt for a certificate for the domain. However, the domain has no host associated with it in its DNS records. Traefik will attempt to challenge for a certificate 10 times within a matter of minutes before timing out.
The certificate challenge timeout can last up to one hour before traefik tries again.
To address this issue, ensure the DNS settings have been applied, then:
- Wait for the timeout to elapse, after which the certificate will be issued; or
- Destroy the load balancer, then create it again. This removes the timeout by creating a new instance of traefik.
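One way to confirm that Step 1 has taken effect before moving on to Step 2, or before recreating the load balancer as described above, is to compare the domain's A records with the manager node IP. The script below is an added example, not part of MedStack's tooling; the function names and the addresses used in its checks are assumptions, and it reports only what the local resolver sees, which can differ from what the certificate authority's resolvers see while a record is still propagating.

```python
import ipaddress
import socket
import sys


def resolve_a(domain):
    """Return the set of IPv4 addresses the local resolver gives for domain."""
    try:
        infos = socket.getaddrinfo(domain, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()  # no record yet, or not propagated to this resolver
    return {info[4][0] for info in infos}


def dns_status(domain, manager_ip, resolver=resolve_a):
    """Classify the domain's A records against the manager node IP.

    'ready'    - every A record is the manager node: safe to add the mapping
    'missing'  - no A record visible: the certificate challenge would fail
    'mismatch' - at least one A record points elsewhere (stale or wrong record)
    """
    want = ipaddress.ip_address(manager_ip)
    got = {ipaddress.ip_address(a) for a in resolver(domain)}
    if not got:
        return "missing"
    return "ready" if got == {want} else "mismatch"


if __name__ == "__main__":
    # Usage: python check_dns.py app.domain.com <manager-node-ip>
    domain, manager_ip = sys.argv[1], sys.argv[2]
    status = dns_status(domain, manager_ip)
    print(f"{domain}: {status}")
    sys.exit(0 if status == "ready" else 1)
```

A non-zero exit status means the domain mapping should not be added yet, since deploying at that point would start the failed-challenge and timeout cycle described under Common problems.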