Serve TLS-Challenge certificate in first
This commit is contained in:
parent
3ef6bf2118
commit
14b7152bf0
5 changed files with 42 additions and 20 deletions
@ -234,15 +234,15 @@ func (a *ACME) getCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificat
|
||||||
domain := types.CanonicalDomain(clientHello.ServerName)
|
domain := types.CanonicalDomain(clientHello.ServerName)
|
||||||
account := a.store.Get().(*Account)
|
account := a.store.Get().(*Account)
|
||||||
|
|
||||||
if providedCertificate := a.getProvidedCertificate(domain); providedCertificate != nil {
|
|
||||||
return providedCertificate, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
if challengeCert, ok := a.challengeTLSProvider.getCertificate(domain); ok {
|
if challengeCert, ok := a.challengeTLSProvider.getCertificate(domain); ok {
|
||||||
log.Debugf("ACME got challenge %s", domain)
|
log.Debugf("ACME got challenge %s", domain)
|
||||||
return challengeCert, nil
|
return challengeCert, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if providedCertificate := a.getProvidedCertificate(domain); providedCertificate != nil {
|
||||||
|
return providedCertificate, nil
|
||||||
|
}
|
||||||
|
|
||||||
if domainCert, ok := account.DomainsCertificate.getCertificateForDomain(domain); ok {
|
if domainCert, ok := account.DomainsCertificate.getCertificateForDomain(domain); ok {
|
||||||
log.Debugf("ACME got domain cert %s", domain)
|
log.Debugf("ACME got domain cert %s", domain)
|
||||||
return domainCert.tlsCert, nil
|
return domainCert.tlsCert, nil
|
||||||
|
|
|
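Review bot: Moving the challenge lookup ahead of the provided certificate keys only on the SNI name — `a.challengeTLSProvider.getCertificate(domain)` never sees `clientHello.SupportedProtos` — so while a TLS-ALPN-01 challenge is pending for a domain, every ordinary client sending that SNI is handed the self-signed challenge certificate instead of the configured one and will reject the handshake. The challenge certificate only needs to be served on connections that negotiate the `acme-tls/1` ALPN protocol, so gating the lookup on that keeps the new precedence for the validator while leaving regular traffic on the provided certificate. A guard such as `if challengeCert, ok := a.challengeTLSProvider.getCertificate(domain); ok && hasACMETLSALPN(clientHello.SupportedProtos) {`, with a small helper that loops over the protos looking for `"acme-tls/1"`, would do it, unless the provider already filters on ALPN somewhere not visible here. The same reordering is applied to serverEntryPoint.getCertificate in the last file of this commit, where the body of the `s.tlsALPNGetter` branch falls between its two hunks and is not shown. getCertificate starts before this hunk and continues after it.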
@ -122,7 +122,7 @@ func (s *AcmeSuite) TearDownSuite(c *check.C) {
|
||||||
|
|
||||||
func (s *AcmeSuite) TestHTTP01DomainsAtStart(c *check.C) {
|
func (s *AcmeSuite) TestHTTP01DomainsAtStart(c *check.C) {
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme-base.toml",
|
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Acme: acme.Configuration{
|
||||||
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
|
||||||
|
@ -140,7 +140,7 @@ func (s *AcmeSuite) TestHTTP01DomainsAtStart(c *check.C) {
|
||||||
|
|
||||||
func (s *AcmeSuite) TestHTTP01DomainsInSANAtStart(c *check.C) {
|
func (s *AcmeSuite) TestHTTP01DomainsInSANAtStart(c *check.C) {
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme-base.toml",
|
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Acme: acme.Configuration{
|
||||||
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
|
||||||
|
@ -159,7 +159,7 @@ func (s *AcmeSuite) TestHTTP01DomainsInSANAtStart(c *check.C) {
|
||||||
|
|
||||||
func (s *AcmeSuite) TestHTTP01OnHostRule(c *check.C) {
|
func (s *AcmeSuite) TestHTTP01OnHostRule(c *check.C) {
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme-base.toml",
|
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Acme: acme.Configuration{
|
||||||
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
|
||||||
|
@ -175,7 +175,7 @@ func (s *AcmeSuite) TestHTTP01OnHostRule(c *check.C) {
|
||||||
|
|
||||||
func (s *AcmeSuite) TestHTTP01OnHostRuleECDSA(c *check.C) {
|
func (s *AcmeSuite) TestHTTP01OnHostRuleECDSA(c *check.C) {
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme-base.toml",
|
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Acme: acme.Configuration{
|
||||||
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
|
||||||
|
@ -192,7 +192,7 @@ func (s *AcmeSuite) TestHTTP01OnHostRuleECDSA(c *check.C) {
|
||||||
|
|
||||||
func (s *AcmeSuite) TestHTTP01OnHostRuleInvalidAlgo(c *check.C) {
|
func (s *AcmeSuite) TestHTTP01OnHostRuleInvalidAlgo(c *check.C) {
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme-base.toml",
|
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Acme: acme.Configuration{
|
||||||
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
|
||||||
|
@ -257,7 +257,7 @@ func (s *AcmeSuite) TestHTTP01OnHostRuleDynamicCertificatesWithWildcard(c *check
|
||||||
|
|
||||||
func (s *AcmeSuite) TestHTTP01OnDemand(c *check.C) {
|
func (s *AcmeSuite) TestHTTP01OnDemand(c *check.C) {
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme-base.toml",
|
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Acme: acme.Configuration{
|
||||||
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
|
||||||
|
@ -305,7 +305,7 @@ func (s *AcmeSuite) TestHTTP01OnDemandDynamicCertificatesWithWildcard(c *check.C
|
||||||
|
|
||||||
func (s *AcmeSuite) TestTLSALPN01OnHostRule(c *check.C) {
|
func (s *AcmeSuite) TestTLSALPN01OnHostRule(c *check.C) {
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme-base.toml",
|
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Acme: acme.Configuration{
|
||||||
TLSChallenge: &acme.TLSChallenge{},
|
TLSChallenge: &acme.TLSChallenge{},
|
||||||
|
@ -321,7 +321,7 @@ func (s *AcmeSuite) TestTLSALPN01OnHostRule(c *check.C) {
|
||||||
|
|
||||||
func (s *AcmeSuite) TestTLSALPN01OnDemand(c *check.C) {
|
func (s *AcmeSuite) TestTLSALPN01OnDemand(c *check.C) {
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme-base.toml",
|
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Acme: acme.Configuration{
|
||||||
TLSChallenge: &acme.TLSChallenge{},
|
TLSChallenge: &acme.TLSChallenge{},
|
||||||
|
@ -337,7 +337,7 @@ func (s *AcmeSuite) TestTLSALPN01OnDemand(c *check.C) {
|
||||||
|
|
||||||
func (s *AcmeSuite) TestTLSALPN01DomainsAtStart(c *check.C) {
|
func (s *AcmeSuite) TestTLSALPN01DomainsAtStart(c *check.C) {
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme-base.toml",
|
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Acme: acme.Configuration{
|
||||||
TLSChallenge: &acme.TLSChallenge{},
|
TLSChallenge: &acme.TLSChallenge{},
|
||||||
|
@ -355,7 +355,7 @@ func (s *AcmeSuite) TestTLSALPN01DomainsAtStart(c *check.C) {
|
||||||
|
|
||||||
func (s *AcmeSuite) TestTLSALPN01DomainsInSANAtStart(c *check.C) {
|
func (s *AcmeSuite) TestTLSALPN01DomainsInSANAtStart(c *check.C) {
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme-base.toml",
|
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Acme: acme.Configuration{
|
||||||
TLSChallenge: &acme.TLSChallenge{},
|
TLSChallenge: &acme.TLSChallenge{},
|
||||||
|
@ -372,9 +372,27 @@ func (s *AcmeSuite) TestTLSALPN01DomainsInSANAtStart(c *check.C) {
|
||||||
s.retrieveAcmeCertificate(c, testCase)
|
s.retrieveAcmeCertificate(c, testCase)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *AcmeSuite) TestTLSALPN01DomainsWithProvidedWildcardDomainAtStart(c *check.C) {
|
||||||
|
testCase := acmeTestCase{
|
||||||
|
traefikConfFilePath: "fixtures/acme/acme_tls.toml",
|
||||||
|
template: templateModel{
|
||||||
|
Acme: acme.Configuration{
|
||||||
|
TLSChallenge: &acme.TLSChallenge{},
|
||||||
|
Domains: types.Domains{types.Domain{
|
||||||
|
Main: "traefik.acme.wtf",
|
||||||
|
}},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expectedCommonName: "traefik.acme.wtf",
|
||||||
|
expectedAlgorithm: x509.RSA,
|
||||||
|
}
|
||||||
|
|
||||||
|
s.retrieveAcmeCertificate(c, testCase)
|
||||||
|
}
|
||||||
|
|
||||||
// Test Let's encrypt down
|
// Test Let's encrypt down
|
||||||
func (s *AcmeSuite) TestNoValidLetsEncryptServer(c *check.C) {
|
func (s *AcmeSuite) TestNoValidLetsEncryptServer(c *check.C) {
|
||||||
file := s.adaptFile(c, "fixtures/acme/acme-base.toml", templateModel{
|
file := s.adaptFile(c, "fixtures/acme/acme_base.toml", templateModel{
|
||||||
Acme: acme.Configuration{
|
Acme: acme.Configuration{
|
||||||
CAServer: "http://wrongurl:4001/directory",
|
CAServer: "http://wrongurl:4001/directory",
|
||||||
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
|
||||||
|
|
|
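Review bot: TestTLSALPN01DomainsWithProvidedWildcardDomainAtStart is identical to TestTLSALPN01DomainsAtStart apart from the fixture path, so nothing in the test body shows the provided wildcard certificate its name refers to or what the assertion proves. A comment above the function naming the wildcard certificate supplied by `fixtures/acme/acme_tls.toml` (presumably covering traefik.acme.wtf) and stating that `expectedCommonName: "traefik.acme.wtf"` checks that the ACME-issued certificate, not the wildcard, is served would make the regression this guards readable without opening the fixture. The fixture file itself is not on this page.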
@ -27,6 +27,10 @@ defaultEntryPoints = ["http", "https"]
|
||||||
entryPoint = "{{ .Acme.HTTPChallenge.EntryPoint }}"
|
entryPoint = "{{ .Acme.HTTPChallenge.EntryPoint }}"
|
||||||
{{end}}
|
{{end}}
|
||||||
|
|
||||||
|
{{if .Acme.TLSChallenge }}
|
||||||
|
[acme.tlsChallenge]
|
||||||
|
{{end}}
|
||||||
|
|
||||||
{{range .Acme.Domains}}
|
{{range .Acme.Domains}}
|
||||||
[[acme.domains]]
|
[[acme.domains]]
|
||||||
main = "{{ .Main }}"
|
main = "{{ .Main }}"
|
||||||
|
|
|
@ -274,11 +274,6 @@ func (s *Server) AddListener(listener func(types.Configuration)) {
|
||||||
|
|
||||||
// getCertificate allows to customize tlsConfig.GetCertificate behaviour to get the certificates inserted dynamically
|
// getCertificate allows to customize tlsConfig.GetCertificate behaviour to get the certificates inserted dynamically
|
||||||
func (s *serverEntryPoint) getCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
func (s *serverEntryPoint) getCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
bestCertificate := s.certs.GetBestCertificate(clientHello)
|
|
||||||
if bestCertificate != nil {
|
|
||||||
return bestCertificate, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
domainToCheck := types.CanonicalDomain(clientHello.ServerName)
|
domainToCheck := types.CanonicalDomain(clientHello.ServerName)
|
||||||
|
|
||||||
if s.tlsALPNGetter != nil {
|
if s.tlsALPNGetter != nil {
|
||||||
|
@ -292,6 +287,11 @@ func (s *serverEntryPoint) getCertificate(clientHello *tls.ClientHelloInfo) (*tl
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bestCertificate := s.certs.GetBestCertificate(clientHello)
|
||||||
|
if bestCertificate != nil {
|
||||||
|
return bestCertificate, nil
|
||||||
|
}
|
||||||
|
|
||||||
if s.onDemandListener != nil && len(domainToCheck) > 0 {
|
if s.onDemandListener != nil && len(domainToCheck) > 0 {
|
||||||
// Only check for an onDemandCert if there is a domain name
|
// Only check for an onDemandCert if there is a domain name
|
||||||
return s.onDemandListener(domainToCheck)
|
return s.onDemandListener(domainToCheck)
|
||||||
|
|
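Review bot: The lookup order in serverEntryPoint.getCertificate is now load-bearing — the `s.tlsALPNGetter` branch runs before `s.certs.GetBestCertificate(clientHello)` so that a pending challenge is answered even when a configured certificate covers the name — but the doc comment on the function still only says certificates are inserted dynamically. Extend it with the precedence, e.g. `// The TLS-ALPN challenge certificate is tried first so that a configured (e.g. wildcard) certificate matching the name cannot shadow a pending challenge, then the configured certificates, then the on-demand listener.` The body of the `s.tlsALPNGetter` branch lies between the two hunks and is not shown, and the function continues past the second hunk.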