# Let's Encrypt

Automatic HTTPS
{: .subtitle }

You can configure Traefik to use an ACME provider (like Let's Encrypt) for automatic certificate generation.

!!! warning "Let's Encrypt and Rate Limiting"
    Note that the Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits).

    Use the Let's Encrypt staging server with the [`caServer`](#caserver) configuration option
    when experimenting to avoid hitting this limit too fast.

## Certificate Resolvers

Traefik requires you to define "Certificate Resolvers" in the [static configuration](../getting-started/configuration-overview.md#the-static-configuration),
which are responsible for retrieving certificates from an ACME server.

Then, each ["router"](../routing/routers/index.md) is configured to enable TLS,
and is associated with a certificate resolver through the [`tls.certresolver` configuration option](../routing/routers/index.md#certresolver).

Certificates are requested for domain names retrieved from the router's [dynamic configuration](../getting-started/configuration-overview.md#the-dynamic-configuration).

You can read more about this retrieval mechanism in the following section: [ACME Domain Definition](#domain-definition).

## Domain Definition

Certificate resolvers request certificates for a set of domain names
inferred from routers, with the following logic:

- If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
  then the certificate resolver uses the `main` (and optionally `sans`) option of `tls.domains` to know the domain names for this router.
- If no [`tls.domains`](../routing/routers/index.md#domains) option is set,
  then the certificate resolver uses the [router's rule](../routing/routers/index.md#rule),
  by checking the `Host()` matchers.
  Please note that [multiple `Host()` matchers can be used](../routing/routers/index.md#certresolver) for specifying multiple domain names for this router.

Please note that:

- When multiple domain names are inferred from a given router,
  only **one** certificate is requested with the first domain name as the main domain,
  and the other domains as ["SANs" (Subject Alternative Name)](https://en.wikipedia.org/wiki/Subject_Alternative_Name).
- As [ACME V2 supports "wildcard domains"](#wildcard-domains),
  any router can provide a [wildcard domain](https://en.wikipedia.org/wiki/Wildcard_certificate) name, as "main" domain or as "SAN" domain.

Please check the [configuration examples below](#configuration-examples) for more details.
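As an added illustration (not Traefik's own code), the inference above written out in Go; the `Router` and `Domain` types are minimal stand-ins for a router's dynamic configuration, and the rule parser only looks at `Host()` matchers:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Domain mirrors one entry of a router's tls.domains: a main name plus optional SANs.
type Domain struct {
	Main string
	SANs []string
}

// Router is a hypothetical stand-in for a Traefik router's dynamic configuration,
// reduced to the two fields the domain inference reads.
type Router struct {
	Rule    string   // e.g. "Host(`company.com`) && PathPrefix(`/api`)"
	Domains []Domain // the router's tls.domains; empty when the option is not set
}

// hostMatcher captures the argument list of every Host(...) matcher in a rule.
var hostMatcher = regexp.MustCompile(`\bHost\(([^)]*)\)`)

// hostsFromRule returns the names given to the Host() matchers of a rule,
// in order of appearance and without duplicates.
func hostsFromRule(rule string) []string {
	var hosts []string
	seen := map[string]bool{}
	for _, m := range hostMatcher.FindAllStringSubmatch(rule, -1) {
		for _, arg := range strings.Split(m[1], ",") {
			h := strings.Trim(strings.TrimSpace(arg), "`\"'")
			if h != "" && !seen[h] {
				seen[h] = true
				hosts = append(hosts, h)
			}
		}
	}
	return hosts
}

// CertificateRequests returns what a resolver would request for one router:
//   - with tls.domains set, exactly those entries (main + sans as written);
//   - otherwise one request whose main is the first Host() name and whose SANs are the rest.
// Wildcard names pass through unchanged; whether they can be issued is decided by the
// challenge type (DNS-01 only), not here.
func CertificateRequests(r Router) []Domain {
	if len(r.Domains) > 0 {
		return r.Domains
	}
	hosts := hostsFromRule(r.Rule)
	if len(hosts) == 0 {
		return nil // no Host() matcher and no tls.domains: nothing to request
	}
	return []Domain{{Main: hosts[0], SANs: hosts[1:]}}
}

func main() {
	routers := []Router{
		{Rule: "Host(`company.com`)"},
		{Rule: "Host(`company.com`, `blog.company.org`) && PathPrefix(`/blog`)"},
		{Rule: "Host(`company.com`) || Host(`www.company.com`)"},
		{Rule: "Host(`company.com`)", Domains: []Domain{{Main: "company.com", SANs: []string{"*.company.org"}}}},
	}
	for _, r := range routers {
		for _, d := range CertificateRequests(r) {
			fmt.Printf("main=%s sans=%v\n", d.Main, d.SANs)
		}
	}
}
```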

## Configuration Examples

??? example "Enabling ACME"

    ```toml tab="File (TOML)"
    [entryPoints]
      [entryPoints.web]
        address = ":80"

      [entryPoints.web-secure]
        address = ":443"

    [certificatesResolvers.sample.acme]
      email = "your-email@your-domain.org"
      storage = "acme.json"
      [certificatesResolvers.sample.acme.httpChallenge]
        # used during the challenge
        entryPoint = "web"
    ```

    ```yaml tab="File (YAML)"
    entryPoints:
      web:
        address: ":80"

      web-secure:
        address: ":443"

    certificatesResolvers:
      sample:
        acme:
          email: your-email@your-domain.org
          storage: acme.json
          httpChallenge:
            # used during the challenge
            entryPoint: web
    ```

    ```bash tab="CLI"
    --entryPoints.web.address=:80
    --entryPoints.websecure.address=:443
    # ...
    --certificatesResolvers.sample.acme.email=your-email@your-domain.org
    --certificatesResolvers.sample.acme.storage=acme.json
    # used during the challenge
    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
    ```

!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."

??? note "Configuration Reference"

    There are many available options for ACME.
    For a quick glance at what's possible, browse the configuration reference:

    ```toml tab="File (TOML)"
    --8<-- "content/https/ref-acme.toml"
    ```

    ```yaml tab="File (YAML)"
    --8<-- "content/https/ref-acme.yaml"
    ```

    ```bash tab="CLI"
    --8<-- "content/https/ref-acme.txt"
    ```

??? example "Single Domain from Router's Rule Example"

    * A certificate for the domain `company.com` is requested:

    --8<-- "content/https/include-acme-single-domain-example.md"

??? example "Multiple Domains from Router's Rule Example"

    * A certificate for the domains `company.com` (main) and `blog.company.org`
    is requested:

    --8<-- "content/https/include-acme-multiple-domains-from-rule-example.md"

??? example "Multiple Domains from Router's `tls.domains` Example"

    * A certificate for the domains `company.com` (main) and `*.company.org` (SAN)
    is requested:

    --8<-- "content/https/include-acme-multiple-domains-example.md"

## Automatic Renewals

Traefik automatically tracks the expiry date of ACME certificates it generates.

If there are less than 30 days remaining before the certificate expires, Traefik will attempt to renew it automatically.

!!! info ""
    Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.

## Using Let's Encrypt with Kubernetes

When using Let's Encrypt with Kubernetes, there are some known caveats with both the [ingress](../providers/kubernetes-ingress.md) and [crd](../providers/kubernetes-crd.md) providers.

!!! info ""
    If you intend to run multiple instances of Traefik with Let's Encrypt, please ensure you read the sections on those provider pages.

## The Different ACME Challenges

### `tlsChallenge`

Use the `TLS-ALPN-01` challenge to generate and renew ACME certificates by provisioning a TLS certificate.

As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encrypt through port 443.

??? example "Configuring the `tlsChallenge`"

    ```toml tab="File (TOML)"
    [certificatesResolvers.sample.acme]
      # ...
      [certificatesResolvers.sample.acme.tlsChallenge]
    ```

    ```yaml tab="File (YAML)"
    certificatesResolvers:
      sample:
        acme:
          # ...
          tlsChallenge: {}
    ```

    ```bash tab="CLI"
    # ...
    --certificatesResolvers.sample.acme.tlsChallenge=true
    ```

### `httpChallenge`

Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.

As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.

??? example "Using an EntryPoint Called web for the `httpChallenge`"

    ```toml tab="File (TOML)"
    [entryPoints]
      [entryPoints.web]
        address = ":80"

      [entryPoints.web-secure]
        address = ":443"

    [certificatesResolvers.sample.acme]
      # ...
      [certificatesResolvers.sample.acme.httpChallenge]
        entryPoint = "web"
    ```

    ```yaml tab="File (YAML)"
    entryPoints:
      web:
        address: ":80"

      web-secure:
        address: ":443"

    certificatesResolvers:
      sample:
        acme:
          # ...
          httpChallenge:
            entryPoint: web
    ```

    ```bash tab="CLI"
    --entryPoints.web.address=:80
    --entryPoints.websecure.address=:443
    # ...
    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
    ```

!!! info ""
    Redirection is fully compatible with the `HTTP-01` challenge.

### `dnsChallenge`

Use the `DNS-01` challenge to generate and renew ACME certificates by provisioning a DNS record.

??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"

    ```toml tab="File (TOML)"
    [certificatesResolvers.sample.acme]
      # ...
      [certificatesResolvers.sample.acme.dnsChallenge]
        provider = "digitalocean"
        delayBeforeCheck = 0
    # ...
    ```

    ```yaml tab="File (YAML)"
    certificatesResolvers:
      sample:
        acme:
          # ...
          dnsChallenge:
            provider: digitalocean
            delayBeforeCheck: 0
    # ...
    ```

    ```bash tab="CLI"
    # ...
    --certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
    --certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
    # ...
    ```

!!! important
    A `provider` is mandatory.

#### `providers`

Here is a list of supported `providers` that can automate the DNS verification,
along with the required environment variables and their [wildcard & root domain support](#wildcard-domains).
Do not hesitate to complete it.

Every lego environment variable can be overridden by its respective `_FILE` counterpart, whose value should be the path to a file that contains the secret.
For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used to provide a Cloudflare API email address as a Docker secret named `traefik_cf-api-email`.

| Provider Name | Provider Code | Environment Variables | Additional Configuration |
|---------------|---------------|-----------------------|--------------------------|
| [ACME DNS](https://github.com/joohoi/acme-dns) | `acme-dns` | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH` | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns) |
| [Alibaba Cloud](https://www.alibabacloud.com) | `alidns` | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID` | [Additional configuration](https://go-acme.github.io/lego/dns/alidns) |
| [Auroradns](https://www.pcextreme.com/aurora/dns) | `auroradns` | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT` | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns) |
| [Autodns](https://www.internetx.com/domains/autodns/) | `autodns` | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/autodns) |
| [Azure](https://azure.microsoft.com/services/dns/) | `azure` | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]` | [Additional configuration](https://go-acme.github.io/lego/dns/azure) |
| [Bindman](https://github.com/labbsr0x/bindman-dns-webhook) | `bindman` | `BINDMAN_MANAGER_ADDRESS` | [Additional configuration](https://go-acme.github.io/lego/dns/bindman) |
| [Blue Cat](https://www.bluecatnetworks.com/) | `bluecat` | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW` | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat) |
| [ClouDNS](https://www.cloudns.net/) | `cloudns` | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns) |
| [Cloudflare](https://www.cloudflare.com) | `cloudflare` | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]` | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare) |
| [CloudXNS](https://www.cloudxns.net) | `cloudxns` | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns) |
| [ConoHa](https://www.conoha.jp) | `conoha` | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/conoha) |
| [DigitalOcean](https://www.digitalocean.com) | `digitalocean` | `DO_AUTH_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean) |
| [DNSimple](https://dnsimple.com) | `dnsimple` | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL` | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple) |
| [DNS Made Easy](https://dnsmadeeasy.com) | `dnsmadeeasy` | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX` | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy) |
| [DNSPod](https://www.dnspod.com/) | `dnspod` | `DNSPOD_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod) |
| [Domain Offensive (do.de)](https://www.do.de/) | `dode` | `DODE_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/dode) |
| [DreamHost](https://www.dreamhost.com/) | `dreamhost` | `DREAMHOST_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost) |
| [Duck DNS](https://www.duckdns.org/) | `duckdns` | `DUCKDNS_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns) |
| [Dyn](https://dyn.com) | `dyn` | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/dyn) |
| [EasyDNS](https://easydns.com/) | `easydns` | `EASYDNS_TOKEN`, `EASYDNS_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/easydns) |
| External Program | `exec` | `EXEC_PATH` | [Additional configuration](https://go-acme.github.io/lego/dns/exec) |
| [Exoscale](https://www.exoscale.com) | `exoscale` | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT` | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale) |
| [Fast DNS](https://www.akamai.com/) | `fastdns` | `AKAMAI_CLIENT_TOKEN`, `AKAMAI_CLIENT_SECRET`, `AKAMAI_ACCESS_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/fastdns) |
| [Gandi](https://www.gandi.net) | `gandi` | `GANDI_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/gandi) |
| [Gandi v5](http://doc.livedns.gandi.net) | `gandiv5` | `GANDIV5_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/gandiv5) |
| [Glesys](https://glesys.com/) | `glesys` | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN` | [Additional configuration](https://go-acme.github.io/lego/dns/glesys) |
| [GoDaddy](https://godaddy.com/) | `godaddy` | `GODADDY_API_KEY`, `GODADDY_API_SECRET` | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy) |
| [Google Cloud DNS](https://cloud.google.com/dns/docs/) | `gcloud` | `GCE_PROJECT`, Application Default Credentials [^2] [^3], `[GCE_SERVICE_ACCOUNT_FILE]` | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud) |
| [hosting.de](https://www.hosting.de) | `hostingde` | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME` | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde) |
| HTTP request | `httpreq` | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1] | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq) |
| [IIJ](https://www.iij.ad.jp/) | `iij` | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE` | [Additional configuration](https://go-acme.github.io/lego/dns/iij) |
| [INWX](https://www.inwx.de/en) | `inwx` | `INWX_USERNAME`, `INWX_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/inwx) |
| [Joker.com](https://joker.com) | `joker` | `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/joker) |
| [Lightsail](https://aws.amazon.com/lightsail/) | `lightsail` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE` | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail) |
| [Linode](https://www.linode.com) | `linode` | `LINODE_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/linode) |
| [Linode v4](https://www.linode.com) | `linodev4` | `LINODE_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/linodev4) |
| [Liquid Web](https://www.liquidweb.com/) | `liquidweb` | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE` | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb) |
| manual | - | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>. | |
| [MyDNS.jp](https://www.mydns.jp/) | `mydnsjp` | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp) |
| [Namecheap](https://www.namecheap.com) | `namecheap` | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap) |
| [name.com](https://www.name.com/) | `namedotcom` | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER` | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom) |
| [Namesilo](https://www.namesilo.com/) | `namesilo` | `NAMESILO_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/namesilo) |
| [Netcup](https://www.netcup.eu/) | `netcup` | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/netcup) |
| [NIFCloud](https://cloud.nifty.com/service/dns.htm) | `nifcloud` | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud) |
| [Ns1](https://ns1.com/) | `ns1` | `NS1_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/ns1) |
| [Open Telekom Cloud](https://cloud.telekom.de) | `otc` | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT` | [Additional configuration](https://go-acme.github.io/lego/dns/otc) |
| [OVH](https://www.ovh.com) | `ovh` | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/ovh) |
| [Openstack Designate](https://docs.openstack.org/designate) | `designate` | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME` | [Additional configuration](https://go-acme.github.io/lego/dns/designate) |
| [Oracle Cloud](https://cloud.oracle.com/home) | `oraclecloud` | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud) |
| [PowerDNS](https://www.powerdns.com) | `pdns` | `PDNS_API_KEY`, `PDNS_API_URL` | [Additional configuration](https://go-acme.github.io/lego/dns/pdns) |
| [Rackspace](https://www.rackspace.com/cloud/dns) | `rackspace` | `RACKSPACE_USER`, `RACKSPACE_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace) |
| [RFC2136](https://tools.ietf.org/html/rfc2136) | `rfc2136` | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER` | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136) |
| [Route 53](https://aws.amazon.com/route53/) | `route53` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile. | [Additional configuration](https://go-acme.github.io/lego/dns/route53) |
| [Sakura Cloud](https://cloud.sakura.ad.jp/) | `sakuracloud` | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET` | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud) |
| [Selectel](https://selectel.ru/en/) | `selectel` | `SELECTEL_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/selectel) |
| [Stackpath](https://www.stackpath.com/) | `stackpath` | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID` | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath) |
| [TransIP](https://www.transip.nl/) | `transip` | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH` | [Additional configuration](https://go-acme.github.io/lego/dns/transip) |
| [VegaDNS](https://github.com/shupp/VegaDNS-API) | `vegadns` | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL` | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns) |
| [Versio](https://www.versio.nl/domeinnamen) | `versio` | `VERSIO_USERNAME`, `VERSIO_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/versio) |
| [Vscale](https://vscale.io/) | `vscale` | `VSCALE_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/vscale) |
| [VULTR](https://www.vultr.com) | `vultr` | `VULTR_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/vultr) |
| [Zone.ee](https://www.zone.ee) | `zoneee` | `ZONEEE_API_USER`, `ZONEEE_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee) |

[^1]: more information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/)
[^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application)
[^3]: [google/default.go](https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76)
[^4]: `docker stack` remark: there is no way to support a terminal attached to the container when deploying with `docker stack`, so you might need to run the container with `docker run -it` to generate certificates using the `manual` provider.
[^5]: The `Global API Key` needs to be used, not the `Origin CA Key`.

!!! info "`delayBeforeCheck`"
    By default, the `provider` verifies the TXT record _before_ letting ACME verify.
    You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero).
    This option is useful when internal networks block external DNS queries.

#### `resolvers`

Use custom DNS servers to resolve the FQDN authority.

```toml tab="File (TOML)"
[certificatesResolvers.sample.acme]
  # ...
  [certificatesResolvers.sample.acme.dnsChallenge]
    # ...
    resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
```

```yaml tab="File (YAML)"
certificatesResolvers:
  sample:
    acme:
      # ...
      dnsChallenge:
        # ...
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
```

```bash tab="CLI"
# ...
--certificatesResolvers.sample.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
```

#### Wildcard Domains

[ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605), wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).

## More Configuration

### `caServer`

??? example "Using the Let's Encrypt staging server"

    ```toml tab="File (TOML)"
    [certificatesResolvers.sample.acme]
      # ...
      caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
      # ...
    ```

    ```yaml tab="File (YAML)"
    certificatesResolvers:
      sample:
        acme:
          # ...
          caServer: https://acme-staging-v02.api.letsencrypt.org/directory
          # ...
    ```

    ```bash tab="CLI"
    # ...
    --certificatesResolvers.sample.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
    # ...
    ```

### `storage`

The `storage` option sets the location where your ACME certificates are saved to.

```toml tab="File (TOML)"
[certificatesResolvers.sample.acme]
  # ...
  storage = "acme.json"
  # ...
```

```yaml tab="File (YAML)"
certificatesResolvers:
  sample:
    acme:
      # ...
      storage: acme.json
      # ...
```

```bash tab="CLI"
# ...
--certificatesResolvers.sample.acme.storage=acme.json
# ...
```

The value can refer to some kinds of storage:

- a JSON file

#### In a File

ACME certificates can be stored in a JSON file that needs to have a `600` file mode.

In Docker you can mount either the JSON file, or the folder containing it:

```bash
docker run -v "/my/host/acme.json:/acme.json" traefik
```

```bash
docker run -v "/my/host/acme:/etc/traefik/acme" traefik
```

!!! warning
    For concurrency reasons, this file cannot be shared across multiple instances of Traefik.

## Fallback

If Let's Encrypt is not reachable, the following certificates will apply:

1. Previously generated ACME certificates (before downtime)
1. Expired ACME certificates
1. Provided certificates

!!! important
    For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.