DevOps

I have projects on my local machine that nobody else has seen. Not because the ideas were bad, but because getting from localhost to a real URL felt like too much work. Setting up a server takes time. So does DNS, SSL, and deployment scripts. By the time it’s all done, the motivation is usually gone.

Traefik uses HTTP-01 ACME challenge by default. The way it works is: Let’s Encrypt sends a request to http://yourdomain/.well-known/acme-challenge/<token> and checks that Traefik responds with the right token. If it does, cert issued. The problem is Cloudflare. When the orange cloud proxy is on, Let’s Encrypt’s request hits Cloudflare’s servers, not your origin. Traefik placed the challenge token on the origin. Cloudflare has no idea it’s there. It returns a 404. Let’s Encrypt fails the validation. No cert.

A walkthrough of migrating this blog off AWS (CodeCommit + CodeBuild + S3 + CloudFront) onto a self-hosted stack using Forgejo for git and CI/CD. Most of the config was written by Claude Code. The old AWS stack was four services doing what two containers now do. The migration was part of a consolidation onto Oracle Cloud free tier VMs. The target infrastructure was already there: a Forgejo instance on one VM and a Docker/Traefik apps server on another.