2018-03-05 20:54:04 +01:00
package acme
import (
2018-11-14 10:18:03 +01:00
"context"
2018-03-05 20:54:04 +01:00
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
fmtlog "log"
2018-10-25 17:38:04 +02:00
"net"
2018-07-31 11:50:03 +02:00
"net/url"
2018-03-05 20:54:04 +01:00
"reflect"
"strings"
"sync"
"time"
2018-07-31 12:32:04 +02:00
"github.com/cenk/backoff"
2018-07-31 19:28:03 +02:00
"github.com/containous/flaeg/parse"
2018-11-14 10:18:03 +01:00
"github.com/containous/traefik/config"
2018-03-05 20:54:04 +01:00
"github.com/containous/traefik/log"
"github.com/containous/traefik/rules"
"github.com/containous/traefik/safe"
2018-04-24 22:40:04 +02:00
traefiktls "github.com/containous/traefik/tls"
2018-03-05 20:54:04 +01:00
"github.com/containous/traefik/types"
2018-06-05 09:54:03 +02:00
"github.com/containous/traefik/version"
2018-03-05 20:54:04 +01:00
"github.com/pkg/errors"
2018-06-15 16:08:03 +02:00
"github.com/sirupsen/logrus"
2018-05-31 09:30:04 +02:00
"github.com/xenolf/lego/acme"
legolog "github.com/xenolf/lego/log"
2018-03-05 20:54:04 +01:00
"github.com/xenolf/lego/providers/dns"
)
var (
2018-11-14 10:18:03 +01:00
// oscpMustStaple enables OSCP stapling as from https://github.com/xenolf/lego/issues/270
oscpMustStaple = false
2018-03-05 20:54:04 +01:00
)
// Configuration holds ACME configuration provided by users
type Configuration struct {
Email string ` description:"Email address used for registration" `
ACMELogging bool ` description:"Enable debug logging of ACME actions." `
CAServer string ` description:"CA server to use." `
Storage string ` description:"Storage to use." `
EntryPoint string ` description:"EntryPoint to use." `
2018-05-16 11:44:03 +02:00
KeyType string ` description:"KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. Default to 'RSA4096'" `
2018-03-05 20:54:04 +01:00
OnHostRule bool ` description:"Enable certificate generation on frontends Host rules." `
2018-04-16 19:34:04 +02:00
OnDemand bool ` description:"Enable on demand certificate generation. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate." ` // Deprecated
2018-04-11 17:16:07 +02:00
DNSChallenge * DNSChallenge ` description:"Activate DNS-01 Challenge" `
2018-03-05 20:54:04 +01:00
HTTPChallenge * HTTPChallenge ` description:"Activate HTTP-01 Challenge" `
2018-07-03 12:44:04 +02:00
TLSChallenge * TLSChallenge ` description:"Activate TLS-ALPN-01 Challenge" `
2018-03-26 14:12:03 +02:00
Domains [ ] types . Domain ` description:"CN and SANs (alternative domains) to each main domain using format: --acme.domains='main.com,san1.com,san2.com' --acme.domains='*.main.net'. No SANs for wildcards domain. Wildcard domains only accepted with DNSChallenge" `
2018-03-05 20:54:04 +01:00
}
// Certificate is a struct which contains all data needed from an ACME certificate
type Certificate struct {
Domain types . Domain
Certificate [ ] byte
Key [ ] byte
}
// DNSChallenge contains DNS challenge Configuration
type DNSChallenge struct {
2018-10-25 17:38:04 +02:00
Provider string ` description:"Use a DNS-01 based challenge provider rather than HTTPS." `
2018-10-30 12:34:00 +01:00
DelayBeforeCheck parse . Duration ` description:"Assume DNS propagates after a delay in seconds rather than finding and querying nameservers." `
2018-10-25 17:38:04 +02:00
Resolvers types . DNSResolvers ` description:"Use following DNS servers to resolve the FQDN authority." `
DisablePropagationCheck bool ` description:"Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended]" `
2018-11-14 10:18:03 +01:00
preCheckTimeout time . Duration
preCheckInterval time . Duration
2018-03-05 20:54:04 +01:00
}
// HTTPChallenge contains HTTP challenge Configuration
type HTTPChallenge struct {
EntryPoint string ` description:"HTTP challenge EntryPoint" `
}
2018-07-03 12:44:04 +02:00
// TLSChallenge contains TLS challenge Configuration
type TLSChallenge struct { }
2018-11-14 10:18:03 +01:00
// Provider holds configurations of the provider.
type Provider struct {
* Configuration
Store Store
certificates [ ] * Certificate
account * Account
client * acme . Client
certsChan chan * Certificate
configurationChan chan <- config . Message
certificateStore * traefiktls . CertificateStore
clientMutex sync . Mutex
configFromListenerChan chan config . Configuration
pool * safe . Pool
resolvingDomains map [ string ] struct { }
resolvingDomainsMutex sync . RWMutex
}
2018-03-05 20:54:04 +01:00
// SetConfigListenerChan initializes the configFromListenerChan
2018-11-14 10:18:03 +01:00
func ( p * Provider ) SetConfigListenerChan ( configFromListenerChan chan config . Configuration ) {
2018-03-05 20:54:04 +01:00
p . configFromListenerChan = configFromListenerChan
}
2018-07-03 12:44:04 +02:00
// SetCertificateStore allow to initialize certificate store
func ( p * Provider ) SetCertificateStore ( certificateStore * traefiktls . CertificateStore ) {
p . certificateStore = certificateStore
}
// ListenConfiguration sets a new Configuration into the configFromListenerChan
2018-11-14 10:18:03 +01:00
func ( p * Provider ) ListenConfiguration ( config config . Configuration ) {
2018-07-03 12:44:04 +02:00
p . configFromListenerChan <- config
}
// ListenRequest resolves new certificates for a domain from an incoming request and return a valid Certificate to serve (onDemand option)
func ( p * Provider ) ListenRequest ( domain string ) ( * tls . Certificate , error ) {
2018-11-14 10:18:03 +01:00
ctx := log . With ( context . Background ( ) , log . Str ( log . ProviderName , "acme" ) )
acmeCert , err := p . resolveCertificate ( ctx , types . Domain { Main : domain } , false )
2018-07-03 12:44:04 +02:00
if acmeCert == nil || err != nil {
return nil , err
}
certificate , err := tls . X509KeyPair ( acmeCert . Certificate , acmeCert . PrivateKey )
return & certificate , err
}
2018-07-11 09:08:03 +02:00
// Init for compatibility reason the BaseProvider implements an empty Init
2018-11-27 17:42:04 +01:00
func ( p * Provider ) Init ( ) error {
2018-11-14 10:18:03 +01:00
ctx := log . With ( context . Background ( ) , log . Str ( log . ProviderName , "acme" ) )
logger := log . FromContext ( ctx )
2018-07-11 09:08:03 +02:00
acme . UserAgent = fmt . Sprintf ( "containous-traefik/%s" , version . Version )
2018-11-14 10:18:03 +01:00
2018-07-11 09:08:03 +02:00
if p . ACMELogging {
2018-11-14 10:18:03 +01:00
legolog . Logger = fmtlog . New ( logger . WriterLevel ( logrus . InfoLevel ) , "legolog: " , 0 )
2018-07-11 09:08:03 +02:00
} else {
legolog . Logger = fmtlog . New ( ioutil . Discard , "" , 0 )
}
if p . Store == nil {
return errors . New ( "no store found for the ACME provider" )
}
var err error
p . account , err = p . Store . GetAccount ( )
if err != nil {
return fmt . Errorf ( "unable to get ACME account : %v" , err )
}
// Reset Account if caServer changed, thus registration URI can be updated
2018-11-14 10:18:03 +01:00
if p . account != nil && p . account . Registration != nil && ! isAccountMatchingCaServer ( ctx , p . account . Registration . URI , p . CAServer ) {
logger . Info ( "Account URI does not match the current CAServer. The account will be reset." )
2018-07-11 09:08:03 +02:00
p . account = nil
}
p . certificates , err = p . Store . GetCertificates ( )
if err != nil {
return fmt . Errorf ( "unable to get ACME certificates : %v" , err )
}
2018-08-20 09:40:03 +02:00
// Init the currently resolved domain map
p . resolvingDomains = make ( map [ string ] struct { } )
2018-07-11 09:08:03 +02:00
return nil
}
2018-11-14 10:18:03 +01:00
func isAccountMatchingCaServer ( ctx context . Context , accountURI string , serverURI string ) bool {
logger := log . FromContext ( ctx )
2018-07-31 11:50:03 +02:00
aru , err := url . Parse ( accountURI )
if err != nil {
2018-11-14 10:18:03 +01:00
logger . Infof ( "Unable to parse account.Registration URL: %v" , err )
2018-07-31 11:50:03 +02:00
return false
}
2018-11-14 10:18:03 +01:00
2018-07-31 11:50:03 +02:00
cau , err := url . Parse ( serverURI )
if err != nil {
2018-11-14 10:18:03 +01:00
logger . Infof ( "Unable to parse CAServer URL: %v" , err )
2018-07-31 11:50:03 +02:00
return false
}
2018-11-14 10:18:03 +01:00
2018-07-31 11:50:03 +02:00
return cau . Hostname ( ) == aru . Hostname ( )
}
2018-07-03 12:44:04 +02:00
// Provide allows the file provider to provide configurations to traefik
// using the given Configuration channel.
2018-11-14 10:18:03 +01:00
func ( p * Provider ) Provide ( configurationChan chan <- config . Message , pool * safe . Pool ) error {
ctx := log . With ( context . Background ( ) , log . Str ( log . ProviderName , "acme" ) )
2018-07-03 12:44:04 +02:00
p . pool = pool
2018-07-11 09:08:03 +02:00
2018-11-14 10:18:03 +01:00
p . watchCertificate ( ctx )
p . watchNewDomains ( ctx )
2018-07-03 12:44:04 +02:00
p . configurationChan = configurationChan
p . refreshCertificates ( )
2018-11-14 10:18:03 +01:00
p . deleteUnnecessaryDomains ( ctx )
2018-07-03 12:44:04 +02:00
for i := 0 ; i < len ( p . Domains ) ; i ++ {
domain := p . Domains [ i ]
safe . Go ( func ( ) {
2018-11-14 10:18:03 +01:00
if _ , err := p . resolveCertificate ( ctx , domain , true ) ; err != nil {
log . WithoutContext ( ) . WithField ( log . ProviderName , "acme" ) .
Errorf ( "Unable to obtain ACME certificate for domains %q : %v" , strings . Join ( domain . ToStrArray ( ) , "," ) , err )
2018-07-03 12:44:04 +02:00
}
} )
}
2018-11-14 10:18:03 +01:00
p . renewCertificates ( ctx )
2018-07-03 12:44:04 +02:00
ticker := time . NewTicker ( 24 * time . Hour )
pool . Go ( func ( stop chan bool ) {
for {
select {
case <- ticker . C :
2018-11-14 10:18:03 +01:00
p . renewCertificates ( ctx )
2018-07-03 12:44:04 +02:00
case <- stop :
ticker . Stop ( )
return
}
}
} )
return nil
}
func ( p * Provider ) getClient ( ) ( * acme . Client , error ) {
p . clientMutex . Lock ( )
defer p . clientMutex . Unlock ( )
2018-11-14 10:18:03 +01:00
ctx := log . With ( context . Background ( ) , log . Str ( log . ProviderName , "acme" ) )
logger := log . FromContext ( ctx )
2018-07-03 12:44:04 +02:00
if p . client != nil {
return p . client , nil
}
2018-11-14 10:18:03 +01:00
account , err := p . initAccount ( ctx )
2018-07-03 12:44:04 +02:00
if err != nil {
return nil , err
}
2018-11-14 10:18:03 +01:00
logger . Debug ( "Building ACME client..." )
2018-07-03 12:44:04 +02:00
caServer := "https://acme-v02.api.letsencrypt.org/directory"
if len ( p . CAServer ) > 0 {
caServer = p . CAServer
}
2018-11-14 10:18:03 +01:00
logger . Debug ( caServer )
2018-07-03 12:44:04 +02:00
client , err := acme . NewClient ( caServer , account , account . KeyType )
if err != nil {
return nil , err
}
// New users will need to register; be sure to save it
if account . GetRegistration ( ) == nil {
2018-11-14 10:18:03 +01:00
logger . Info ( "Register..." )
2018-07-03 12:44:04 +02:00
2018-11-14 10:18:03 +01:00
reg , errR := client . Register ( true )
if errR != nil {
return nil , errR
2018-03-05 20:54:04 +01:00
}
2018-07-03 12:44:04 +02:00
account . Registration = reg
}
2018-03-05 20:54:04 +01:00
2018-07-03 12:44:04 +02:00
// Save the account once before all the certificates generation/storing
// No certificate can be generated if account is not initialized
err = p . Store . SaveAccount ( account )
if err != nil {
2018-03-05 20:54:04 +01:00
return nil , err
}
2018-07-03 12:44:04 +02:00
if p . DNSChallenge != nil && len ( p . DNSChallenge . Provider ) > 0 {
2018-11-14 10:18:03 +01:00
logger . Debugf ( "Using DNS Challenge provider: %s" , p . DNSChallenge . Provider )
2018-03-05 20:54:04 +01:00
2018-10-25 17:38:04 +02:00
SetRecursiveNameServers ( p . DNSChallenge . Resolvers )
SetPropagationCheck ( p . DNSChallenge . DisablePropagationCheck )
2018-11-14 10:18:03 +01:00
err = dnsOverrideDelay ( ctx , p . DNSChallenge . DelayBeforeCheck )
2018-07-03 12:44:04 +02:00
if err != nil {
return nil , err
}
var provider acme . ChallengeProvider
provider , err = dns . NewDNSChallengeProviderByName ( p . DNSChallenge . Provider )
if err != nil {
return nil , err
}
client . ExcludeChallenges ( [ ] acme . Challenge { acme . HTTP01 , acme . TLSALPN01 } )
err = client . SetChallengeProvider ( acme . DNS01 , provider )
if err != nil {
return nil , err
}
2018-07-31 12:32:04 +02:00
// Same default values than LEGO
p . DNSChallenge . preCheckTimeout = 60 * time . Second
p . DNSChallenge . preCheckInterval = 2 * time . Second
// Set the precheck timeout into the DNSChallenge provider
if challengeProviderTimeout , ok := provider . ( acme . ChallengeProviderTimeout ) ; ok {
p . DNSChallenge . preCheckTimeout , p . DNSChallenge . preCheckInterval = challengeProviderTimeout . Timeout ( )
}
2018-07-03 12:44:04 +02:00
} else if p . HTTPChallenge != nil && len ( p . HTTPChallenge . EntryPoint ) > 0 {
2018-11-14 10:18:03 +01:00
logger . Debug ( "Using HTTP Challenge provider." )
2018-07-03 12:44:04 +02:00
client . ExcludeChallenges ( [ ] acme . Challenge { acme . DNS01 , acme . TLSALPN01 } )
err = client . SetChallengeProvider ( acme . HTTP01 , & challengeHTTP { Store : p . Store } )
if err != nil {
return nil , err
}
} else if p . TLSChallenge != nil {
2018-11-14 10:18:03 +01:00
logger . Debug ( "Using TLS Challenge provider." )
2018-07-03 12:44:04 +02:00
client . ExcludeChallenges ( [ ] acme . Challenge { acme . HTTP01 , acme . DNS01 } )
err = client . SetChallengeProvider ( acme . TLSALPN01 , & challengeTLSALPN { Store : p . Store } )
if err != nil {
return nil , err
}
} else {
return nil , errors . New ( "ACME challenge not specified, please select TLS or HTTP or DNS Challenge" )
}
p . client = client
return p . client , nil
}
2018-11-14 10:18:03 +01:00
func ( p * Provider ) initAccount ( ctx context . Context ) ( * Account , error ) {
2018-07-03 12:44:04 +02:00
if p . account == nil || len ( p . account . Email ) == 0 {
var err error
2018-11-14 10:18:03 +01:00
p . account , err = NewAccount ( ctx , p . Email , p . KeyType )
2018-07-03 12:44:04 +02:00
if err != nil {
return nil , err
}
}
2018-08-08 07:58:03 +02:00
// Set the KeyType if not already defined in the account
if len ( p . account . KeyType ) == 0 {
2018-11-14 10:18:03 +01:00
p . account . KeyType = GetKeyType ( ctx , p . KeyType )
2018-08-08 07:58:03 +02:00
}
2018-07-03 12:44:04 +02:00
return p . account , nil
2018-03-05 20:54:04 +01:00
}
2018-11-14 10:18:03 +01:00
func ( p * Provider ) watchNewDomains ( ctx context . Context ) {
2018-03-05 20:54:04 +01:00
p . pool . Go ( func ( stop chan bool ) {
for {
select {
case config := <- p . configFromListenerChan :
2018-11-14 10:18:03 +01:00
for routerName , route := range config . Routers {
logger := log . FromContext ( ctx ) . WithField ( log . RouterName , routerName )
// FIXME use new rule system
domainRules := rules . Rules { }
domains , err := domainRules . ParseDomains ( route . Rule )
if err != nil {
logger . Errorf ( "Error parsing domains in provider ACME: %v" , err )
2018-09-27 18:04:03 +02:00
continue
}
2018-03-05 20:54:04 +01:00
2018-11-14 10:18:03 +01:00
if len ( domains ) == 0 {
logger . Debugf ( "No domain parsed in rule %q in provider ACME" , route . Rule )
continue
}
2018-03-05 20:54:04 +01:00
2018-11-14 10:18:03 +01:00
logger . Debugf ( "Try to challenge certificate for domain %v founded in Host rule" , domains )
2018-03-05 20:54:04 +01:00
2018-11-14 10:18:03 +01:00
var domain types . Domain
if len ( domains ) > 0 {
domain = types . Domain { Main : domains [ 0 ] }
if len ( domains ) > 1 {
domain . SANs = domains [ 1 : ]
2018-03-05 20:54:04 +01:00
}
2018-11-14 10:18:03 +01:00
safe . Go ( func ( ) {
if _ , err := p . resolveCertificate ( ctx , domain , false ) ; err != nil {
logger . Errorf ( "Unable to obtain ACME certificate for domains %q detected thanks to rule %q : %v" , strings . Join ( domains , "," ) , route . Rule , err )
}
} )
2018-03-05 20:54:04 +01:00
}
2018-11-14 10:18:03 +01:00
2018-03-05 20:54:04 +01:00
}
case <- stop :
return
}
}
} )
}
2018-11-14 10:18:03 +01:00
func ( p * Provider ) resolveCertificate ( ctx context . Context , domain types . Domain , domainFromConfigurationFile bool ) ( * acme . CertificateResource , error ) {
domains , err := p . getValidDomains ( ctx , domain , domainFromConfigurationFile )
2018-03-26 14:12:03 +02:00
if err != nil {
return nil , err
2018-03-05 20:54:04 +01:00
}
2018-03-06 10:12:04 +01:00
// Check provided certificates
2018-11-14 10:18:03 +01:00
uncheckedDomains := p . getUncheckedDomains ( ctx , domains , ! domainFromConfigurationFile )
2018-03-06 10:12:04 +01:00
if len ( uncheckedDomains ) == 0 {
2018-03-05 20:54:04 +01:00
return nil , nil
}
2018-08-20 09:40:03 +02:00
p . addResolvingDomains ( uncheckedDomains )
defer p . removeResolvingDomains ( uncheckedDomains )
2018-11-14 10:18:03 +01:00
logger := log . FromContext ( ctx )
logger . Debugf ( "Loading ACME certificates %+v..." , uncheckedDomains )
2018-06-15 16:42:03 +02:00
2018-03-05 20:54:04 +01:00
client , err := p . getClient ( )
if err != nil {
return nil , fmt . Errorf ( "cannot get ACME client %v" , err )
}
2018-07-31 12:32:04 +02:00
var certificate * acme . CertificateResource
2018-03-05 20:54:04 +01:00
bundle := true
2018-07-31 12:32:04 +02:00
if p . useCertificateWithRetry ( uncheckedDomains ) {
2018-11-14 10:18:03 +01:00
certificate , err = obtainCertificateWithRetry ( ctx , domains , client , p . DNSChallenge . preCheckTimeout , p . DNSChallenge . preCheckInterval , bundle )
2018-07-31 12:32:04 +02:00
} else {
2018-11-14 10:18:03 +01:00
certificate , err = client . ObtainCertificate ( domains , bundle , nil , oscpMustStaple )
2018-07-31 12:32:04 +02:00
}
2018-04-16 19:34:04 +02:00
2018-05-15 17:28:02 +02:00
if err != nil {
2018-07-31 12:32:04 +02:00
return nil , fmt . Errorf ( "unable to generate a certificate for the domains %v: %v" , uncheckedDomains , err )
}
if certificate == nil {
return nil , fmt . Errorf ( "domains %v do not generate a certificate" , uncheckedDomains )
2018-03-05 20:54:04 +01:00
}
2018-04-16 19:34:04 +02:00
if len ( certificate . Certificate ) == 0 || len ( certificate . PrivateKey ) == 0 {
return nil , fmt . Errorf ( "domains %v generate certificate with no value: %v" , uncheckedDomains , certificate )
}
2018-06-15 16:42:03 +02:00
2018-11-14 10:18:03 +01:00
logger . Debugf ( "Certificates obtained for domains %+v" , uncheckedDomains )
2018-04-16 19:34:04 +02:00
2018-03-06 10:12:04 +01:00
if len ( uncheckedDomains ) > 1 {
domain = types . Domain { Main : uncheckedDomains [ 0 ] , SANs : uncheckedDomains [ 1 : ] }
} else {
domain = types . Domain { Main : uncheckedDomains [ 0 ] }
}
2018-03-05 20:54:04 +01:00
p . addCertificateForDomain ( domain , certificate . Certificate , certificate . PrivateKey )
2018-05-31 09:30:04 +02:00
return certificate , nil
2018-03-05 20:54:04 +01:00
}
2018-08-20 09:40:03 +02:00
func ( p * Provider ) removeResolvingDomains ( resolvingDomains [ ] string ) {
p . resolvingDomainsMutex . Lock ( )
defer p . resolvingDomainsMutex . Unlock ( )
for _ , domain := range resolvingDomains {
delete ( p . resolvingDomains , domain )
}
}
func ( p * Provider ) addResolvingDomains ( resolvingDomains [ ] string ) {
p . resolvingDomainsMutex . Lock ( )
defer p . resolvingDomainsMutex . Unlock ( )
for _ , domain := range resolvingDomains {
p . resolvingDomains [ domain ] = struct { } { }
}
}
2018-07-31 12:32:04 +02:00
func ( p * Provider ) useCertificateWithRetry ( domains [ ] string ) bool {
// Check if we can use the retry mechanism only if we use the DNS Challenge and if is there are at least 2 domains to check
if p . DNSChallenge != nil && len ( domains ) > 1 {
rootDomain := ""
for _ , searchWildcardDomain := range domains {
// Search a wildcard domain if not already found
if len ( rootDomain ) == 0 && strings . HasPrefix ( searchWildcardDomain , "*." ) {
rootDomain = strings . TrimPrefix ( searchWildcardDomain , "*." )
if len ( rootDomain ) > 0 {
// Look for a root domain which matches the wildcard domain
for _ , searchRootDomain := range domains {
if rootDomain == searchRootDomain {
// If the domains list contains a wildcard domain and its root domain, we can use the retry mechanism to obtain the certificate
return true
}
}
}
// There is only one wildcard domain in the slice, if its root domain has not been found, the retry mechanism does not have to be used
return false
}
}
}
return false
}
2018-11-14 10:18:03 +01:00
func obtainCertificateWithRetry ( ctx context . Context , domains [ ] string , client * acme . Client , timeout , interval time . Duration , bundle bool ) ( * acme . CertificateResource , error ) {
logger := log . FromContext ( ctx )
2018-07-31 12:32:04 +02:00
var certificate * acme . CertificateResource
var err error
operation := func ( ) error {
2018-11-14 10:18:03 +01:00
certificate , err = client . ObtainCertificate ( domains , bundle , nil , oscpMustStaple )
2018-07-31 12:32:04 +02:00
return err
}
notify := func ( err error , time time . Duration ) {
2018-11-14 10:18:03 +01:00
logger . Errorf ( "Error obtaining certificate retrying in %s" , time )
2018-07-31 12:32:04 +02:00
}
// Define a retry backOff to let LEGO tries twice to obtain a certificate for both wildcard and root domain
ebo := backoff . NewExponentialBackOff ( )
ebo . MaxElapsedTime = 2 * timeout
ebo . MaxInterval = interval
rbo := backoff . WithMaxRetries ( ebo , 2 )
err = backoff . RetryNotify ( safe . OperationWithRecover ( operation ) , rbo , notify )
if err != nil {
2018-11-14 10:18:03 +01:00
logger . Errorf ( "Error obtaining certificate: %v" , err )
2018-07-31 12:32:04 +02:00
return nil , err
}
return certificate , nil
}
2018-11-14 10:18:03 +01:00
func dnsOverrideDelay ( ctx context . Context , delay parse . Duration ) error {
2018-07-03 12:44:04 +02:00
if delay == 0 {
return nil
2018-06-15 16:42:03 +02:00
}
2018-07-03 12:44:04 +02:00
if delay > 0 {
2018-11-14 10:18:03 +01:00
log . FromContext ( ctx ) . Debugf ( "Delaying %d rather than validating DNS propagation now." , delay )
2018-03-05 20:54:04 +01:00
2018-07-03 12:44:04 +02:00
acme . PreCheckDNS = func ( _ , _ string ) ( bool , error ) {
time . Sleep ( time . Duration ( delay ) )
return true , nil
2018-03-05 20:54:04 +01:00
}
2018-06-15 16:42:03 +02:00
} else {
2018-07-03 12:44:04 +02:00
return fmt . Errorf ( "delayBeforeCheck: %d cannot be less than 0" , delay )
2018-03-05 20:54:04 +01:00
}
2018-07-03 12:44:04 +02:00
return nil
2018-03-05 20:54:04 +01:00
}
2018-07-03 12:44:04 +02:00
func ( p * Provider ) addCertificateForDomain ( domain types . Domain , certificate [ ] byte , key [ ] byte ) {
p . certsChan <- & Certificate { Certificate : certificate , Key : key , Domain : domain }
2018-03-05 20:54:04 +01:00
}
2018-07-03 12:44:04 +02:00
// deleteUnnecessaryDomains deletes from the configuration :
// - Duplicated domains
// - Domains which are checked by wildcard domain
2018-11-14 10:18:03 +01:00
func ( p * Provider ) deleteUnnecessaryDomains ( ctx context . Context ) {
2018-07-03 12:44:04 +02:00
var newDomains [ ] types . Domain
2018-03-05 20:54:04 +01:00
2018-11-14 10:18:03 +01:00
logger := log . FromContext ( ctx )
2018-07-03 12:44:04 +02:00
for idxDomainToCheck , domainToCheck := range p . Domains {
keepDomain := true
2018-03-05 20:54:04 +01:00
2018-07-03 12:44:04 +02:00
for idxDomain , domain := range p . Domains {
if idxDomainToCheck == idxDomain {
continue
}
2018-03-05 20:54:04 +01:00
2018-07-03 12:44:04 +02:00
if reflect . DeepEqual ( domain , domainToCheck ) {
if idxDomainToCheck > idxDomain {
2018-11-14 10:18:03 +01:00
logger . Warnf ( "The domain %v is duplicated in the configuration but will be process by ACME provider only once." , domainToCheck )
2018-07-03 12:44:04 +02:00
keepDomain = false
}
break
2018-03-05 20:54:04 +01:00
}
2018-07-03 12:44:04 +02:00
// Check if CN or SANS to check already exists
// or can not be checked by a wildcard
var newDomainsToCheck [ ] string
for _ , domainProcessed := range domainToCheck . ToStrArray ( ) {
if idxDomain < idxDomainToCheck && isDomainAlreadyChecked ( domainProcessed , domain . ToStrArray ( ) ) {
// The domain is duplicated in a CN
2018-11-14 10:18:03 +01:00
logger . Warnf ( "Domain %q is duplicated in the configuration or validated by the domain %v. It will be processed once." , domainProcessed , domain )
2018-07-03 12:44:04 +02:00
continue
} else if domain . Main != domainProcessed && strings . HasPrefix ( domain . Main , "*" ) && isDomainAlreadyChecked ( domainProcessed , [ ] string { domain . Main } ) {
// Check if a wildcard can validate the domain
2018-11-14 10:18:03 +01:00
logger . Warnf ( "Domain %q will not be processed by ACME provider because it is validated by the wildcard %q" , domainProcessed , domain . Main )
2018-07-03 12:44:04 +02:00
continue
}
newDomainsToCheck = append ( newDomainsToCheck , domainProcessed )
}
2018-03-05 20:54:04 +01:00
2018-07-03 12:44:04 +02:00
// Delete the domain if both Main and SANs can be validated by the wildcard domain
// otherwise keep the unchecked values
if newDomainsToCheck == nil {
keepDomain = false
break
2018-03-05 20:54:04 +01:00
}
2018-07-03 12:44:04 +02:00
domainToCheck . Set ( newDomainsToCheck )
2018-03-05 20:54:04 +01:00
}
2018-07-03 12:44:04 +02:00
if keepDomain {
newDomains = append ( newDomains , domainToCheck )
}
}
2018-03-05 20:54:04 +01:00
2018-07-03 12:44:04 +02:00
p . Domains = newDomains
2018-03-05 20:54:04 +01:00
}
2018-11-14 10:18:03 +01:00
func ( p * Provider ) watchCertificate ( ctx context . Context ) {
2018-03-05 20:54:04 +01:00
p . certsChan = make ( chan * Certificate )
2018-11-14 10:18:03 +01:00
2018-03-05 20:54:04 +01:00
p . pool . Go ( func ( stop chan bool ) {
for {
select {
case cert := <- p . certsChan :
certUpdated := false
for _ , domainsCertificate := range p . certificates {
if reflect . DeepEqual ( cert . Domain , domainsCertificate . Domain ) {
domainsCertificate . Certificate = cert . Certificate
domainsCertificate . Key = cert . Key
certUpdated = true
break
}
}
if ! certUpdated {
p . certificates = append ( p . certificates , cert )
}
2018-07-03 12:44:04 +02:00
err := p . saveCertificates ( )
if err != nil {
2018-11-14 10:18:03 +01:00
log . FromContext ( ctx ) . Error ( err )
2018-07-03 12:44:04 +02:00
}
2018-03-05 20:54:04 +01:00
case <- stop :
return
}
}
} )
}
2018-07-03 12:44:04 +02:00
func ( p * Provider ) saveCertificates ( ) error {
2018-03-05 20:54:04 +01:00
err := p . Store . SaveCertificates ( p . certificates )
2018-07-03 12:44:04 +02:00
2018-03-05 20:54:04 +01:00
p . refreshCertificates ( )
2018-07-03 12:44:04 +02:00
return err
2018-03-05 20:54:04 +01:00
}
func ( p * Provider ) refreshCertificates ( ) {
2018-11-14 10:18:03 +01:00
conf := config . Message {
2018-03-05 20:54:04 +01:00
ProviderName : "ACME" ,
2018-11-14 10:18:03 +01:00
Configuration : & config . Configuration {
Routers : map [ string ] * config . Router { } ,
Middlewares : map [ string ] * config . Middleware { } ,
Services : map [ string ] * config . Service { } ,
TLS : [ ] * traefiktls . Configuration { } ,
2018-03-05 20:54:04 +01:00
} ,
}
for _ , cert := range p . certificates {
2018-04-24 22:40:04 +02:00
certificate := & traefiktls . Certificate { CertFile : traefiktls . FileOrContent ( cert . Certificate ) , KeyFile : traefiktls . FileOrContent ( cert . Key ) }
2018-11-14 10:18:03 +01:00
conf . Configuration . TLS = append ( conf . Configuration . TLS , & traefiktls . Configuration { Certificate : certificate , EntryPoints : [ ] string { p . EntryPoint } } )
2018-03-05 20:54:04 +01:00
}
2018-11-14 10:18:03 +01:00
p . configurationChan <- conf
2018-03-05 20:54:04 +01:00
}
2018-11-14 10:18:03 +01:00
func ( p * Provider ) renewCertificates ( ctx context . Context ) {
logger := log . FromContext ( ctx )
logger . Info ( "Testing certificate renew..." )
2018-03-05 20:54:04 +01:00
for _ , certificate := range p . certificates {
2018-11-14 10:18:03 +01:00
crt , err := getX509Certificate ( ctx , certificate )
2018-03-05 20:54:04 +01:00
// If there's an error, we assume the cert is broken, and needs update
// <= 30 days left, renew certificate
if err != nil || crt == nil || crt . NotAfter . Before ( time . Now ( ) . Add ( 24 * 30 * time . Hour ) ) {
client , err := p . getClient ( )
if err != nil {
2018-11-14 10:18:03 +01:00
logger . Infof ( "Error renewing certificate from LE : %+v, %v" , certificate . Domain , err )
2018-03-05 20:54:04 +01:00
continue
}
2018-04-16 19:34:04 +02:00
2018-11-14 10:18:03 +01:00
logger . Infof ( "Renewing certificate from LE : %+v" , certificate . Domain )
2018-04-16 19:34:04 +02:00
2018-03-05 20:54:04 +01:00
renewedCert , err := client . RenewCertificate ( acme . CertificateResource {
Domain : certificate . Domain . Main ,
PrivateKey : certificate . Key ,
Certificate : certificate . Certificate ,
2018-11-14 10:18:03 +01:00
} , true , oscpMustStaple )
2018-04-16 19:34:04 +02:00
2018-03-05 20:54:04 +01:00
if err != nil {
2018-11-14 10:18:03 +01:00
logger . Errorf ( "Error renewing certificate from LE: %v, %v" , certificate . Domain , err )
2018-03-05 20:54:04 +01:00
continue
}
2018-04-16 19:34:04 +02:00
if len ( renewedCert . Certificate ) == 0 || len ( renewedCert . PrivateKey ) == 0 {
2018-11-14 10:18:03 +01:00
logger . Errorf ( "domains %v renew certificate with no value: %v" , certificate . Domain . ToStrArray ( ) , certificate )
2018-04-16 19:34:04 +02:00
continue
}
2018-03-05 20:54:04 +01:00
p . addCertificateForDomain ( certificate . Domain , renewedCert . Certificate , renewedCert . PrivateKey )
}
}
}
2018-03-06 10:12:04 +01:00
// Get provided certificate which check a domains list (Main and SANs)
// from static and dynamic provided certificates
2018-11-14 10:18:03 +01:00
func ( p * Provider ) getUncheckedDomains ( ctx context . Context , domainsToCheck [ ] string , checkConfigurationDomains bool ) [ ] string {
2018-08-20 09:40:03 +02:00
p . resolvingDomainsMutex . RLock ( )
defer p . resolvingDomainsMutex . RUnlock ( )
2018-11-14 10:18:03 +01:00
log . FromContext ( ctx ) . Debugf ( "Looking for provided certificate(s) to validate %q..." , domainsToCheck )
2018-03-06 10:12:04 +01:00
2018-07-03 12:44:04 +02:00
allDomains := p . certificateStore . GetAllDomains ( )
2018-03-26 14:12:03 +02:00
// Get ACME certificates
for _ , certificate := range p . certificates {
2018-04-24 22:40:04 +02:00
allDomains = append ( allDomains , strings . Join ( certificate . Domain . ToStrArray ( ) , "," ) )
2018-03-26 14:12:03 +02:00
}
2018-08-20 09:40:03 +02:00
// Get currently resolved domains
for domain := range p . resolvingDomains {
2018-08-21 11:43:34 +02:00
allDomains = append ( allDomains , domain )
2018-08-20 09:40:03 +02:00
}
2018-03-26 14:12:03 +02:00
// Get Configuration Domains
if checkConfigurationDomains {
for i := 0 ; i < len ( p . Domains ) ; i ++ {
2018-04-24 22:40:04 +02:00
allDomains = append ( allDomains , strings . Join ( p . Domains [ i ] . ToStrArray ( ) , "," ) )
2018-03-06 10:12:04 +01:00
}
}
2018-11-14 10:18:03 +01:00
return searchUncheckedDomains ( ctx , domainsToCheck , allDomains )
2018-03-06 10:12:04 +01:00
}
2018-11-14 10:18:03 +01:00
func searchUncheckedDomains ( ctx context . Context , domainsToCheck [ ] string , existentDomains [ ] string ) [ ] string {
2018-03-27 10:18:03 -04:00
var uncheckedDomains [ ] string
2018-03-26 14:12:03 +02:00
for _ , domainToCheck := range domainsToCheck {
if ! isDomainAlreadyChecked ( domainToCheck , existentDomains ) {
2018-03-06 10:12:04 +01:00
uncheckedDomains = append ( uncheckedDomains , domainToCheck )
2018-03-05 20:54:04 +01:00
}
}
2018-07-03 12:44:04 +02:00
2018-11-14 10:18:03 +01:00
logger := log . FromContext ( ctx )
2018-03-06 10:12:04 +01:00
if len ( uncheckedDomains ) == 0 {
2018-11-14 10:18:03 +01:00
logger . Debugf ( "No ACME certificate generation required for domains %q." , domainsToCheck )
2018-03-06 10:12:04 +01:00
} else {
2018-11-14 10:18:03 +01:00
logger . Debugf ( "Domains %q need ACME certificates generation for domains %q." , domainsToCheck , strings . Join ( uncheckedDomains , "," ) )
2018-03-06 10:12:04 +01:00
}
return uncheckedDomains
2018-03-05 20:54:04 +01:00
}
2018-11-14 10:18:03 +01:00
func getX509Certificate ( ctx context . Context , certificate * Certificate ) ( * x509 . Certificate , error ) {
logger := log . FromContext ( ctx )
2018-03-05 20:54:04 +01:00
tlsCert , err := tls . X509KeyPair ( certificate . Certificate , certificate . Key )
if err != nil {
2018-11-14 10:18:03 +01:00
logger . Errorf ( "Failed to load TLS key pair from ACME certificate for domain %q (SAN : %q), certificate will be renewed : %v" , certificate . Domain . Main , strings . Join ( certificate . Domain . SANs , "," ) , err )
2018-03-05 20:54:04 +01:00
return nil , err
}
2018-07-03 12:44:04 +02:00
crt := tlsCert . Leaf
2018-03-05 20:54:04 +01:00
if crt == nil {
crt , err = x509 . ParseCertificate ( tlsCert . Certificate [ 0 ] )
if err != nil {
2018-11-14 10:18:03 +01:00
logger . Errorf ( "Failed to parse TLS key pair from ACME certificate for domain %q (SAN : %q), certificate will be renewed : %v" , certificate . Domain . Main , strings . Join ( certificate . Domain . SANs , "," ) , err )
2018-03-05 20:54:04 +01:00
}
}
2018-07-03 12:44:04 +02:00
2018-03-05 20:54:04 +01:00
return crt , err
}
2018-03-26 14:12:03 +02:00
// getValidDomains checks if given domain is allowed to generate a ACME certificate and return it
2018-11-14 10:18:03 +01:00
func ( p * Provider ) getValidDomains ( ctx context . Context , domain types . Domain , wildcardAllowed bool ) ( [ ] string , error ) {
2018-03-26 14:12:03 +02:00
domains := domain . ToStrArray ( )
if len ( domains ) == 0 {
return nil , errors . New ( "unable to generate a certificate in ACME provider when no domain is given" )
}
2018-07-03 12:44:04 +02:00
2018-03-26 14:12:03 +02:00
if strings . HasPrefix ( domain . Main , "*" ) {
if ! wildcardAllowed {
return nil , fmt . Errorf ( "unable to generate a wildcard certificate in ACME provider for domain %q from a 'Host' rule" , strings . Join ( domains , "," ) )
}
2018-07-03 12:44:04 +02:00
2018-03-26 14:12:03 +02:00
if p . DNSChallenge == nil {
return nil , fmt . Errorf ( "unable to generate a wildcard certificate in ACME provider for domain %q : ACME needs a DNSChallenge" , strings . Join ( domains , "," ) )
}
2018-07-03 12:44:04 +02:00
2018-04-11 17:16:07 +02:00
if strings . HasPrefix ( domain . Main , "*.*" ) {
return nil , fmt . Errorf ( "unable to generate a wildcard certificate in ACME provider for domain %q : ACME does not allow '*.*' wildcard domain" , strings . Join ( domains , "," ) )
2018-03-26 14:12:03 +02:00
}
2018-04-11 17:16:07 +02:00
}
2018-07-03 12:44:04 +02:00
2018-04-11 17:16:07 +02:00
for _ , san := range domain . SANs {
if strings . HasPrefix ( san , "*" ) {
return nil , fmt . Errorf ( "unable to generate a certificate in ACME provider for domains %q: SAN %q can not be a wildcard domain" , strings . Join ( domains , "," ) , san )
2018-03-26 14:12:03 +02:00
}
}
2018-04-11 17:16:07 +02:00
2018-10-11 10:50:03 +02:00
var cleanDomains [ ] string
for _ , domain := range domains {
canonicalDomain := types . CanonicalDomain ( domain )
cleanDomain := acme . UnFqdn ( canonicalDomain )
if canonicalDomain != cleanDomain {
2018-11-14 10:18:03 +01:00
log . FromContext ( ctx ) . Warnf ( "FQDN detected, please remove the trailing dot: %s" , canonicalDomain )
2018-10-11 10:50:03 +02:00
}
cleanDomains = append ( cleanDomains , cleanDomain )
}
return cleanDomains , nil
2018-03-26 14:12:03 +02:00
}
func isDomainAlreadyChecked ( domainToCheck string , existentDomains [ ] string ) bool {
for _ , certDomains := range existentDomains {
for _ , certDomain := range strings . Split ( certDomains , "," ) {
2018-03-27 10:18:03 -04:00
if types . MatchDomain ( domainToCheck , certDomain ) {
2018-03-26 14:12:03 +02:00
return true
}
}
}
return false
}
2018-10-25 17:38:04 +02:00
// SetPropagationCheck to disable the Lego PreCheck.
func SetPropagationCheck ( disable bool ) {
if disable {
acme . PreCheckDNS = func ( _ , _ string ) ( bool , error ) {
return true , nil
}
}
}
// SetRecursiveNameServers to provide a custom DNS resolver.
func SetRecursiveNameServers ( dnsResolvers [ ] string ) {
resolvers := normaliseDNSResolvers ( dnsResolvers )
if len ( resolvers ) > 0 {
acme . RecursiveNameservers = resolvers
log . Infof ( "Validating FQDN authority with DNS using %+v" , resolvers )
}
}
// ensure all servers have a port number
func normaliseDNSResolvers ( dnsResolvers [ ] string ) [ ] string {
var normalisedResolvers [ ] string
for _ , server := range dnsResolvers {
srv := strings . TrimSpace ( server )
if len ( srv ) > 0 {
if host , port , err := net . SplitHostPort ( srv ) ; err != nil {
normalisedResolvers = append ( normalisedResolvers , net . JoinHostPort ( srv , "53" ) )
} else {
normalisedResolvers = append ( normalisedResolvers , net . JoinHostPort ( host , port ) )
}
}
}
return normalisedResolvers
}