Hello all! I am looking for assistance in modifying the default files, and using the INTENT of the files from opencloud to add in the option of a DNS Challenge. (I do NOT have port 80 available. I did have nextcloud running using nginx and caddy, but am now trying to switch to opencloud. Note that I DO have an unsecure server running now, and on the few test runs, I have to agree that it is what people that have reviewed said... very responsive! Thank you all!)
I have looked at some pages and videos online that show how to do it... but their examples do not seem to match the intent of the 'stackable and integrative' docker compose and environment files like opencloud has.
So here are the updates I THINK I need to make:
.env file:
# Enable the Traefik ACME (Automatic Certificate Management Environment) for automatic SSL certificate management.
# TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"
# NEW Enable the Traefik ACME (Automatic Certificate Management Environment) for automatic SSL certificate management via DNS Challenge.
TRAEFIK_SERVICES_TLS_CONFIG="DNS_Challenge=true"
# Enable Traefik to use local certificates.
and also
# NEW Added to try and use DNS Challenge
NAMECHEAP_API_KEY=REDACTED
NAMECHEAP_API_USER=REDACTED
docker-compose.yml
No changes
Then in traefik\opencloud.yml:
Note that I feel like I am commenting out the https and adding websecure in the file which is NOT in the spirit of the opencloud team's setup... I also added the api key info here:
Then in \config\traefik\docker-entrypoint-override.sh
# Add local certificate configuration if enabled
if [ "${TRAEFIK_SERVICES_TLS_CONFIG}" = "tls=true" ]; then
  echo "Configuring Traefik with local certificates..."
  add_arg "--providers.file.directory=/etc/traefik/dynamic"
  add_arg "--providers.file.watch=true"
fi
# This was added 2025-10-04 to try and use DNS Challenge
if [ "${TRAEFIK_SERVICES_TLS_CONFIG}" = "DNS_Challenge=true" ]; then
  echo "Configuring Traefik with DNS challenge..."
  add_arg "--certificatesResolvers.letsencrypt.acme.email=${TRAEFIK_ACME_MAIL:[email protected]}"
  add_arg "--certificatesResolvers.letsencrypt.acme.storage=/certs/acme.json"
  add_arg "--certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=http"
  add_arg "--certificatesResolvers.letsencrypt.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
fi
# Warning if none of the certificate methods are enabled
if [ "${TRAEFIK_SERVICES_TLS_CONFIG}" != "tls=true" ] && [ "${TRAEFIK_SERVICES_TLS_CONFIG}" != "tls.certresolver=letsencrypt" ] && [ "${TRAEFIK_SERVICES_TLS_CONFIG}" != "DNS_Challenge=true" ]; then
  echo "WARNING: Neither Let's Encrypt nor local certificates are enabled."
  echo "HTTPS will not work properly without certificate configuration."
fi
Can someone much more wise in these things let me know if I am close?
I have not yet tried this for the following reasons:
1. I do not know what I am doing
2. With just 1 file to edit, I only halfway get it correct - now we are doing multiple
3. I feel that I am not fully grasping how to change from dnsChallenge, tlsChallenge, or httpChallenge in general, and with the additional challenge of trying to mimic opencloud's docker compose architecture.
4. I am scared! See Item 1
Thank you in advance for any and all help and guidance.
So with that being said, I then started back here:
Traefik Documentation: https://doc.traefik.io/traefik/reference/install-configuration/tls/certificate-resolvers/acme/#dnschallenge
I see that traefik uses LEGO and they publish the needed Environmental Variables Here:
https://go-acme.github.io/lego/dns/namecheap/index.html
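An added example, not part of the original post and not OpenCloud's own script: one way to write the entrypoint branch so that the resolver uses Traefik's `dnsChallenge` with lego's `namecheap` provider instead of `httpChallenge`. `TRAEFIK_ACME_CHALLENGE` and `configure_acme` are hypothetical names, and `add_arg` here is a stand-in for the helper the script already calls. It assumes `TRAEFIK_SERVICES_TLS_CONFIG` stays at `tls.certresolver=letsencrypt`, because the challenge type is a property of the resolver and that variable's documented values look like router TLS settings.

```shell
#!/bin/sh
# Added example, not OpenCloud's script. TRAEFIK_ACME_CHALLENGE and
# configure_acme are hypothetical; add_arg is a stand-in for the real helper.
TRAEFIK_ARGS=""
add_arg() { TRAEFIK_ARGS="${TRAEFIK_ARGS} $1"; }

configure_acme() {
  acme="--certificatesResolvers.letsencrypt.acme"
  case "${TRAEFIK_ACME_CHALLENGE:-http}" in
    dns)
      # lego's namecheap provider reads both variables from Traefik's own
      # environment. Fail closed if one is missing, and never echo a value.
      for name in NAMECHEAP_API_USER NAMECHEAP_API_KEY; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
          echo "ERROR: $name is not set; DNS challenge not configured" >&2
          return 1
        fi
      done
      unset value
      # The credentials stay in the environment, not on the command line.
      add_arg "${acme}.dnsChallenge.provider=namecheap"
      ;;
    http)
      # Original behaviour: needs port 80 reachable from the ACME server.
      add_arg "${acme}.httpChallenge.entryPoint=http"
      ;;
    *)
      echo "ERROR: unknown TRAEFIK_ACME_CHALLENGE value" >&2
      return 1
      ;;
  esac
  if [ -n "${TRAEFIK_ACME_MAIL:-}" ]; then
    add_arg "${acme}.email=${TRAEFIK_ACME_MAIL}"
  fi
  add_arg "${acme}.storage=/certs/acme.json"
  add_arg "${acme}.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
}
```

The two `NAMECHEAP_*` variables have to reach the Traefik container's environment for the provider to see them, and Traefik expects `acme.json` to be readable only by its owner (mode 600).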