Fix TLS challenge timeout and validation error

Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>
Ludovic Fernandez 2021-02-11 16:32:03 +01:00 committed by GitHub
parent 502c88ee3f
commit 5597d7633d
3 changed files with 13 additions and 3 deletions


@ -186,7 +186,9 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
tlsManager := traefiktls.NewManager() tlsManager := traefiktls.NewManager()
httpChallengeProvider := acme.NewChallengeHTTP() httpChallengeProvider := acme.NewChallengeHTTP()
tlsChallengeProvider := acme.NewChallengeTLSALPN(time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration))
// we need to wait at least 2 times the ProvidersThrottleDuration to be sure to handle the challenge.
tlsChallengeProvider := acme.NewChallengeTLSALPN(time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration) * 2)
err = providerAggregator.AddProvider(tlsChallengeProvider) err = providerAggregator.AddProvider(tlsChallengeProvider)
if err != nil { if err != nil {
return nil, err return nil, err
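Review bot: The doubled timeout on the new NewChallengeTLSALPN line inherits whatever value ProvidersThrottleDuration carries, so a zero or very small throttle (if the configuration permits one) yields a zero or near-zero challenge timeout, and a timer built from it would fire before the challenge can be served; this hunk does not show whether NewChallengeTLSALPN clamps its argument. A floor would make the intent explicit, e.g. `timeout := time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration) * 2` followed by `if timeout < minTLSChallengeTimeout { timeout = minTLSChallengeTimeout }` with the minimum declared as a new named constant next to the existing comment. The factor 2 likewise deserves a named constant so the comment and the code cannot drift apart. setupServer starts and ends outside this hunk.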


@ -39,8 +39,8 @@ func NewChallengeTLSALPN(timeout time.Duration) *ChallengeTLSALPN {
// Present presents a challenge to obtain new ACME certificate. // Present presents a challenge to obtain new ACME certificate.
func (c *ChallengeTLSALPN) Present(domain, _, keyAuth string) error { func (c *ChallengeTLSALPN) Present(domain, _, keyAuth string) error {
log.WithoutContext().WithField(log.ProviderName, providerNameALPN). logger := log.WithoutContext().WithField(log.ProviderName, providerNameALPN)
Debugf("TLS Challenge Present temp certificate for %s", domain) logger.Debugf("TLS Challenge Present temp certificate for %s", domain)
certPEMBlock, keyPEMBlock, err := tlsalpn01.ChallengeBlocks(domain, keyAuth) certPEMBlock, keyPEMBlock, err := tlsalpn01.ChallengeBlocks(domain, keyAuth)
if err != nil { if err != nil {
@ -68,6 +68,12 @@ func (c *ChallengeTLSALPN) Present(domain, _, keyAuth string) error {
case t := <-timer.C: case t := <-timer.C:
timer.Stop() timer.Stop()
close(c.chans[string(certPEMBlock)]) close(c.chans[string(certPEMBlock)])
err = c.CleanUp(domain, "", keyAuth)
if err != nil {
logger.Errorf("Failed to clean up TLS challenge: %v", err)
}
errC = fmt.Errorf("timeout %s", t) errC = fmt.Errorf("timeout %s", t)
case <-ch: case <-ch:
// noop // noop
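Review bot: The new CleanUp call in the timeout branch runs before Present returns its error, so if the ACME client also calls CleanUp after a failed Present (confirm against the caller) the domain is cleaned up twice, which is only safe if CleanUp tolerates a missing entry — not visible in this hunk. The channel is closed on the line just above the new call, so if CleanUp itself closes entries of c.chans under its own lock the sequence would panic on a double close; confirm, and if so let CleanUp own the close. A short comment on the new lines would record the decision, e.g. `// Best effort: the challenge already failed, so a cleanup error is only logged and the timeout is still reported.`. Present starts and ends outside this hunk.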


@ -421,6 +421,7 @@ func (p *Provider) watchNewDomains(ctx context.Context) {
if route.TLS == nil || route.TLS.CertResolver != p.ResolverName { if route.TLS == nil || route.TLS.CertResolver != p.ResolverName {
continue continue
} }
ctxRouter := log.With(ctx, log.Str(log.RouterName, routerName), log.Str(log.Rule, route.Rule)) ctxRouter := log.With(ctx, log.Str(log.RouterName, routerName), log.Str(log.Rule, route.Rule))
tlsStore := "default" tlsStore := "default"
@ -462,6 +463,7 @@ func (p *Provider) resolveCertificate(ctx context.Context, domain types.Domain,
if len(uncheckedDomains) == 0 { if len(uncheckedDomains) == 0 {
return nil, nil return nil, nil
} }
defer p.removeResolvingDomains(uncheckedDomains) defer p.removeResolvingDomains(uncheckedDomains)
logger := log.FromContext(ctx) logger := log.FromContext(ctx)