From 57804f41bfc8e50ae1eb87b2528bbacfd5d91f54 Mon Sep 17 00:00:00 2001
From: primal <primal@primal.host>
Date: Mon, 26 Jan 2026 16:35:47 -0500
Subject: [PATCH] Use DNS challenge for wildcard cert

---
 docker-compose.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 8d43d99..b145244 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -15,10 +15,12 @@ services:
       - "traefik.http.routers.pds-1440-news.rule=Host(`pds.1440.news`)"
       - "traefik.http.routers.pds-1440-news.entrypoints=https"
       - "traefik.http.routers.pds-1440-news.tls.certresolver=letsencrypt"
-      # Wildcard for account handles: *.1440.news
+      # Wildcard for account handles: *.1440.news (requires DNS challenge)
       - "traefik.http.routers.pds-1440-news-handles.rule=HostRegexp(`^.+\\.1440\\.news$$`)"
       - "traefik.http.routers.pds-1440-news-handles.entrypoints=https"
-      - "traefik.http.routers.pds-1440-news-handles.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.pds-1440-news-handles.tls.certresolver=letsencrypt-dns"
+      - "traefik.http.routers.pds-1440-news-handles.tls.domains[0].main=1440.news"
+      - "traefik.http.routers.pds-1440-news-handles.tls.domains[0].sans=*.1440.news"
       - "traefik.http.routers.pds-1440-news-handles.priority=1"
       # HTTP to HTTPS redirect
       - "traefik.http.routers.pds-1440-news-redirect.rule=Host(`pds.1440.news`)"