2017-09-11 17:10:04 +00:00
# ACME (Let's Encrypt) configuration
See also [Let's Encrypt examples ](/user-guide/examples/#lets-encrypt-support ) and [Docker & Let's Encrypt user guide ](/user-guide/docker-and-lets-encrypt ).
## Configuration
2017-08-25 19:32:33 +00:00
```toml
2017-09-11 17:10:04 +00:00
# Sample entrypoint configuration when using ACME.
2017-08-25 19:32:33 +00:00
[entryPoints]
2018-01-15 15:04:05 +00:00
[entryPoints.http]
address = ":80"
2017-08-25 19:32:33 +00:00
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
2018-01-15 15:04:05 +00:00
```
2017-08-25 19:32:33 +00:00
2018-01-15 15:04:05 +00:00
```toml
2017-09-11 17:10:04 +00:00
# Enable ACME (Let's Encrypt): automatic SSL.
2017-08-25 19:32:33 +00:00
[acme]
2017-09-11 17:10:04 +00:00
# Email address used for registration.
2017-08-25 19:32:33 +00:00
#
# Required
#
email = "test@traefik.io"
2017-12-20 13:40:07 +00:00
# File used for certificates storage.
#
# Optional (Deprecated)
#
#storageFile = "acme.json"
2017-08-25 19:32:33 +00:00
# File or key used for certificates storage.
#
# Required
#
2017-09-11 17:10:04 +00:00
storage = "acme.json"
# or `storage = "traefik/acme/account"` if using KV store.
2017-08-25 19:32:33 +00:00
2018-01-15 15:04:05 +00:00
# Entrypoint to proxy acme apply certificates to.
# WARNING, if the TLS-SNI-01 challenge is used, it must point to an entrypoint on port 443
2017-08-25 19:32:33 +00:00
#
# Required
#
entryPoint = "https"
2018-01-15 15:04:05 +00:00
# Use a DNS-01 acme challenge rather than TLS-SNI-01 challenge
2017-09-11 17:10:04 +00:00
#
2018-01-15 15:04:05 +00:00
# Optional (Deprecated, replaced by [acme.dnsChallenge])
2017-08-25 19:32:33 +00:00
#
# dnsProvider = "digitalocean"
2017-09-11 17:10:04 +00:00
# By default, the dnsProvider will verify the TXT DNS challenge record before letting ACME verify.
2017-08-25 19:32:33 +00:00
# If delayDontCheckDNS is greater than zero, avoid this & instead just wait so many seconds.
2017-09-11 17:10:04 +00:00
# Useful if internal networks block external DNS queries.
2017-08-25 19:32:33 +00:00
#
2018-01-15 15:04:05 +00:00
# Optional (Deprecated, replaced by [acme.dnsChallenge])
# Default: 0
2017-08-25 19:32:33 +00:00
#
# delayDontCheckDNS = 0
2017-09-11 17:10:04 +00:00
# If true, display debug log messages from the acme client library.
2017-08-25 19:32:33 +00:00
#
# Optional
2018-01-15 15:04:05 +00:00
# Default: false
2017-08-25 19:32:33 +00:00
#
# acmeLogging = true
2018-01-15 15:04:05 +00:00
# Enable on demand certificate generation.
2017-08-25 19:32:33 +00:00
#
2018-01-15 15:04:05 +00:00
# Optional (Deprecated)
# Default: false
2017-08-25 19:32:33 +00:00
#
# onDemand = true
2017-09-11 17:10:04 +00:00
# Enable certificate generation on frontends Host rules.
2017-08-25 19:32:33 +00:00
#
# Optional
2018-01-15 15:04:05 +00:00
# Default: false
2017-08-25 19:32:33 +00:00
#
2017-09-11 17:10:04 +00:00
# onHostRule = true
2017-08-25 19:32:33 +00:00
2017-09-11 17:10:04 +00:00
# CA server to use.
# - Uncomment the line to run on the staging let's encrypt server.
# - Leave comment to go to prod.
2017-08-25 19:32:33 +00:00
#
# Optional
2018-01-15 15:04:05 +00:00
# Default: "https://acme-v01.api.letsencrypt.org/directory"
2017-08-25 19:32:33 +00:00
#
# caServer = "https://acme-staging.api.letsencrypt.org/directory"
2017-09-11 17:10:04 +00:00
# Domains list.
#
2017-08-25 19:32:33 +00:00
# [[acme.domains]]
2018-01-15 15:04:05 +00:00
# main = "local1.com"
# sans = ["test1.local1.com", "test2.local1.com"]
2017-08-25 19:32:33 +00:00
# [[acme.domains]]
2018-01-15 15:04:05 +00:00
# main = "local2.com"
# sans = ["test1.local2.com", "test2.local2.com"]
2017-08-25 19:32:33 +00:00
# [[acme.domains]]
2018-01-15 15:04:05 +00:00
# main = "local3.com"
2017-08-25 19:32:33 +00:00
# [[acme.domains]]
2018-01-15 15:04:05 +00:00
# main = "local4.com"
# Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
#
# Optional but recommend
#
[acme.httpChallenge]
# EntryPoint to use for the challenges.
#
# Required
#
entryPoint = "http"
2018-02-12 17:10:05 +00:00
2018-01-15 15:04:05 +00:00
# Use a DNS-01 acme challenge rather than TLS-SNI-01 challenge
#
# Optional
#
# [acme.dnsChallenge]
# Provider used.
#
# Required
#
# provider = "digitalocean"
# By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
# If delayBeforeCheck is greater than zero, avoid this & instead just wait so many seconds.
# Useful if internal networks block external DNS queries.
#
# Optional
# Default: 0
#
# delayBeforeCheck = 0
2017-08-25 19:32:33 +00:00
```
2018-02-16 09:32:03 +00:00
2018-01-15 15:04:05 +00:00
!!! note
Even if `TLS-SNI-01` challenge is [disabled ](https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188 ) for the moment, it stays the _by default_ ACME Challenge in Træfik.
If `TLS-SNI-01` challenge is not re-enabled in the future, it we will be removed from Træfik.
2017-09-11 17:10:04 +00:00
2017-12-20 13:40:07 +00:00
!!! note
2018-01-15 15:04:05 +00:00
If `TLS-SNI-01` challenge is used, `acme.entryPoint` has to be reachable by Let's Encrypt through the port 443.
If `HTTP-01` challenge is used, `acme.httpChallenge.entryPoint` has to be defined and reachable by Let's Encrypt through the port 80.
These are Let's Encrypt limitations as described on the [community forum ](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72 ).
2017-12-20 13:40:07 +00:00
2018-02-05 17:20:04 +00:00
### Let's Encrypt downtime
Let's Encrypt functionality will be limited until Træfik is restarted.
If Let's Encrypt is not reachable, these certificates will be used :
2018-02-16 09:32:03 +00:00
2018-02-05 17:20:04 +00:00
- ACME certificates already generated before downtime
- Expired ACME certificates
- Provided certificates
!!! note
2018-02-16 09:32:03 +00:00
Default Træfik certificate will be used instead of ACME certificates for new (sub)domains (which need Let's Encrypt challenge).
2018-02-05 17:20:04 +00:00
2017-09-11 17:10:04 +00:00
### `storage`
```toml
[acme]
# ...
storage = "acme.json"
# ...
```
2018-02-09 09:38:03 +00:00
The `storage` option sets where are stored your ACME certificates.
2017-09-11 17:10:04 +00:00
2018-02-09 09:38:03 +00:00
There are two kind of `storage` :
2018-02-16 09:32:03 +00:00
2018-02-09 09:38:03 +00:00
- a JSON file,
- a KV store entry.
!!! danger "DEPRECATED"
`storage` replaces `storageFile` which is deprecated.
!!! note
During Træfik configuration migration from a configuration file to a KV store (thanks to `storeconfig` subcommand as described [here ](/user-guide/kv-config/#store-configuration-in-key-value-store )), if ACME certificates have to be migrated too, use both `storageFile` and `storage` .
- `storageFile` will contain the path to the `acme.json` file to migrate.
- `storage` will contain the key where the certificates will be stored.
#### Store data in a file
2018-02-16 09:32:03 +00:00
ACME certificates can be stored in a JSON file which with the `600` right mode.
2018-02-09 09:38:03 +00:00
There are two ways to store ACME certificates in a file from Docker:
2017-09-11 17:10:04 +00:00
- create a file on your host and mount it as a volume:
```toml
storage = "acme.json"
```
```bash
docker run -v "/my/host/acme.json:acme.json" traefik
```
- mount the folder containing the file as a volume
```toml
storage = "/etc/traefik/acme/acme.json"
```
```bash
docker run -v "/my/host/acme:/etc/traefik/acme" traefik
```
2018-02-09 09:38:03 +00:00
!!! warning
This file cannot be shared per many instances of Træfik at the same time.
If you have to use Træfik cluster mode, please use [a KV Store entry ](/configuration/acme/#storage-kv-entry ).
2017-12-20 13:40:07 +00:00
2018-02-09 09:38:03 +00:00
#### Store data in a KV store entry
2017-12-20 13:40:07 +00:00
2018-02-09 09:38:03 +00:00
ACME certificates can be stored in a KV Store entry.
```toml
storage = "traefik/acme/account"
```
**This kind of storage is mandatory in cluster mode.**
Because KV stores (like Consul) have limited entries size, the certificates list is compressed before to be set in a KV store entry.
!!! note
It's possible to store up to approximately 100 ACME certificates in Consul.
2018-01-15 15:04:05 +00:00
### `acme.httpChallenge`
Use `HTTP-01` challenge to generate/renew ACME certificates.
2018-01-29 13:36:03 +00:00
The redirection is fully compatible with the HTTP-01 challenge.
You can use redirection with HTTP-01 challenge without problem.
2018-01-15 15:04:05 +00:00
```toml
[acme]
# ...
entryPoint = "https"
[acme.httpChallenge]
entryPoint = "http"
```
#### `entryPoint`
Specify the entryPoint to use during the challenges.
```toml
2018-02-16 09:32:03 +00:00
defaultEntryPoints = ["http", "http"]
2018-01-15 15:04:05 +00:00
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
# ...
[acme]
# ...
entryPoint = "https"
[acme.httpChallenge]
entryPoint = "http"
```
!!! note
`acme.httpChallenge.entryPoint` has to be reachable by Let's Encrypt through the port 80.
It's a Let's Encrypt limitation as described on the [community forum ](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72 ).
### `acme.dnsChallenge`
Use `DNS-01` challenge to generate/renew ACME certificates.
2017-09-11 17:10:04 +00:00
```toml
[acme]
# ...
2018-01-15 15:04:05 +00:00
[acme.dnsChallenge]
provider = "digitalocean"
delayBeforeCheck = 0
2017-09-11 17:10:04 +00:00
# ...
```
2018-02-12 17:10:05 +00:00
#### `provider`
2017-09-11 17:10:04 +00:00
2017-10-31 11:52:52 +00:00
Select the provider that matches the DNS domain that will host the challenge TXT record, and provide environment variables to enable setting it:
| Provider Name | Provider code | Configuration |
|--------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------|
| [Auroradns ](https://www.pcextreme.com/aurora/dns ) | `auroradns` | `AURORA_USER_ID` , `AURORA_KEY` , `AURORA_ENDPOINT` |
| [Azure ](https://azure.microsoft.com/services/dns/ ) | `azure` | `AZURE_CLIENT_ID` , `AZURE_CLIENT_SECRET` , `AZURE_SUBSCRIPTION_ID` , `AZURE_TENANT_ID` , `AZURE_RESOURCE_GROUP` |
2017-12-11 12:56:46 +00:00
| [Cloudflare ](https://www.cloudflare.com ) | `cloudflare` | `CLOUDFLARE_EMAIL` , `CLOUDFLARE_API_KEY` - The Cloudflare `Global API Key` needs to be used and not the `Origin CA Key` |
2018-02-12 17:10:05 +00:00
| [CloudXNS ](https://www.cloudxns.net ) | `cloudxns` | `CLOUDXNS_API_KEY` , `CLOUDXNS_SECRET_KEY` |
2017-10-31 11:52:52 +00:00
| [DigitalOcean ](https://www.digitalocean.com ) | `digitalocean` | `DO_AUTH_TOKEN` |
| [DNSimple ](https://dnsimple.com ) | `dnsimple` | `DNSIMPLE_OAUTH_TOKEN` , `DNSIMPLE_BASE_URL` |
| [DNS Made Easy ](https://dnsmadeeasy.com ) | `dnsmadeeasy` | `DNSMADEEASY_API_KEY` , `DNSMADEEASY_API_SECRET` , `DNSMADEEASY_SANDBOX` |
| [DNSPod ](http://www.dnspod.net/ ) | `dnspod` | `DNSPOD_API_KEY` |
| [Dyn ](https://dyn.com ) | `dyn` | `DYN_CUSTOMER_NAME` , `DYN_USER_NAME` , `DYN_PASSWORD` |
| [Exoscale ](https://www.exoscale.ch ) | `exoscale` | `EXOSCALE_API_KEY` , `EXOSCALE_API_SECRET` , `EXOSCALE_ENDPOINT` |
| [Gandi ](https://www.gandi.net ) | `gandi` | `GANDI_API_KEY` |
2018-02-12 17:10:05 +00:00
| [Gandi V5 ](http://doc.livedns.gandi.net ) | `gandiv5` | `GANDIV5_API_KEY` |
2017-10-31 11:52:52 +00:00
| [GoDaddy ](https://godaddy.com/domains ) | `godaddy` | `GODADDY_API_KEY` , `GODADDY_API_SECRET` |
| [Google Cloud DNS ](https://cloud.google.com/dns/docs/ ) | `gcloud` | `GCE_PROJECT` , `GCE_SERVICE_ACCOUNT_FILE` |
| [Linode ](https://www.linode.com ) | `linode` | `LINODE_API_KEY` |
2018-01-15 15:04:05 +00:00
| manual | - | none, but run Træfik interactively & turn on `acmeLogging` to see instructions & press < kbd > Enter</ kbd > . |
2017-10-31 11:52:52 +00:00
| [Namecheap ](https://www.namecheap.com ) | `namecheap` | `NAMECHEAP_API_USER` , `NAMECHEAP_API_KEY` |
| [Ns1 ](https://ns1.com/ ) | `ns1` | `NS1_API_KEY` |
| [Open Telekom Cloud ](https://cloud.telekom.de/en/ ) | `otc` | `OTC_DOMAIN_NAME` , `OTC_USER_NAME` , `OTC_PASSWORD` , `OTC_PROJECT_NAME` , `OTC_IDENTITY_ENDPOINT` |
| [OVH ](https://www.ovh.com ) | `ovh` | `OVH_ENDPOINT` , `OVH_APPLICATION_KEY` , `OVH_APPLICATION_SECRET` , `OVH_CONSUMER_KEY` |
| [PowerDNS ](https://www.powerdns.com ) | `pdns` | `PDNS_API_KEY` , `PDNS_API_URL` |
| [Rackspace ](https://www.rackspace.com/cloud/dns ) | `rackspace` | `RACKSPACE_USER` , `RACKSPACE_API_KEY` |
| [RFC2136 ](https://tools.ietf.org/html/rfc2136 ) | `rfc2136` | `RFC2136_TSIG_KEY` , `RFC2136_TSIG_SECRET` , `RFC2136_TSIG_ALGORITHM` , `RFC2136_NAMESERVER` |
| [Route 53 ](https://aws.amazon.com/route53/ ) | `route53` | `AWS_ACCESS_KEY_ID` , `AWS_SECRET_ACCESS_KEY` , `AWS_REGION` , `AWS_HOSTED_ZONE_ID` or configured user/instance IAM profile. |
| [VULTR ](https://www.vultr.com ) | `vultr` | `VULTR_API_KEY` |
2017-09-11 17:10:04 +00:00
2018-01-15 15:04:05 +00:00
#### `delayBeforeCheck`
2017-09-11 17:10:04 +00:00
2018-01-15 15:04:05 +00:00
By default, the `provider` will verify the TXT DNS challenge record before letting ACME verify.
If `delayBeforeCheck` is greater than zero, avoid this & instead just wait so many seconds.
2017-09-11 17:10:04 +00:00
Useful if internal networks block external DNS queries.
2018-01-15 15:04:05 +00:00
!!! note
This field has no sense if a `provider` is not defined.
2017-12-20 13:40:07 +00:00
### `onDemand` (Deprecated)
2017-09-11 17:10:04 +00:00
2018-02-09 09:38:03 +00:00
!!! danger "DEPRECATED"
2018-01-15 15:04:05 +00:00
This option is deprecated.
2017-09-11 17:10:04 +00:00
```toml
[acme]
# ...
onDemand = true
# ...
```
Enable on demand certificate.
2018-02-16 09:32:03 +00:00
This will request a certificate from Let's Encrypt during the first TLS handshake for a host name that does not yet have a certificate.
2017-09-11 17:10:04 +00:00
!!! warning
2018-02-16 09:32:03 +00:00
TLS handshakes will be slow when requesting a host name certificate for the first time, this can lead to DoS attacks.
2018-02-12 17:10:05 +00:00
2017-09-11 17:10:04 +00:00
!!! warning
2017-12-20 13:40:07 +00:00
Take note that Let's Encrypt have [rate limiting ](https://letsencrypt.org/docs/rate-limits ).
2017-09-11 17:10:04 +00:00
### `onHostRule`
```toml
[acme]
# ...
onHostRule = true
# ...
```
2018-02-16 09:32:03 +00:00
Enable certificate generation on frontends `Host` rules (for frontends wired on the `acme.entryPoint` ).
2017-09-11 17:10:04 +00:00
This will request a certificate from Let's Encrypt for each frontend with a Host rule.
For example, a rule `Host:test1.traefik.io,test2.traefik.io` will request a certificate with main domain `test1.traefik.io` and SAN `test2.traefik.io` .
### `caServer`
```toml
[acme]
# ...
caServer = "https://acme-staging.api.letsencrypt.org/directory"
# ...
```
CA server to use.
- Uncomment the line to run on the staging Let's Encrypt server.
- Leave comment to go to prod.
2018-01-15 15:04:05 +00:00
### `acme.domains`
2017-09-11 17:10:04 +00:00
```toml
[acme]
# ...
[[acme.domains]]
2018-01-15 15:04:05 +00:00
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
2017-09-11 17:10:04 +00:00
[[acme.domains]]
2018-01-15 15:04:05 +00:00
main = "local2.com"
sans = ["test1.local2.com", "test2.local2.com"]
2017-09-11 17:10:04 +00:00
[[acme.domains]]
2018-01-15 15:04:05 +00:00
main = "local3.com"
2017-09-11 17:10:04 +00:00
[[acme.domains]]
2018-01-15 15:04:05 +00:00
main = "local4.com"
2017-09-11 17:10:04 +00:00
# ...
```
You can provide SANs (alternative domains) to each main domain.
2017-12-20 13:40:07 +00:00
All domains must have A/AAAA records pointing to Træfik.
2017-09-11 17:10:04 +00:00
!!! warning
Take note that Let's Encrypt have [rate limiting ](https://letsencrypt.org/docs/rate-limits ).
Each domain & SANs will lead to a certificate request.
2018-01-15 15:04:05 +00:00
### `dnsProvider` (Deprecated)
2018-02-09 09:38:03 +00:00
!!! danger "DEPRECATED"
2018-01-15 15:04:05 +00:00
This option is deprecated.
Please refer to [DNS challenge provider section ](/configuration/acme/#provider )
### `delayDontCheckDNS` (Deprecated)
2018-02-09 09:38:03 +00:00
!!! danger "DEPRECATED"
2018-01-15 15:04:05 +00:00
This option is deprecated.
Please refer to [DNS challenge delayBeforeCheck section ](/configuration/acme/#delaybeforecheck )