baalajimaestro/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

Improve Let's Encrypt documentation

Browse source
This commit is contained in:
NicoMen 2017-08-25 21:10:03 +02:00 committed by Traefiker
parent b75fb23887
commit 89b0037ec1
3 changed files with 205 additions and 55 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

169
docs/user-guide/examples.md
View file

@ -44,25 +44,23 @@ defaultEntryPoints = ["http", "https"]
address = ":443" address = ":443"
[entryPoints.https.tls] [entryPoints.https.tls]
[[entryPoints.https.tls.certificates]] [[entryPoints.https.tls.certificates]]
certFile = "tests/traefik.crt" CertFile = "examples/traefik.crt"
keyFile = "tests/traefik.key" KeyFile = "examples/traefik.key"
``` ```
## Let's Encrypt support ## Let's Encrypt support
### Basic example
```toml ```toml
[entryPoints] [entryPoints]
[entryPoints.https] [entryPoints.https]
address = ":443" address = ":443"
[entryPoints.https.tls] [entryPoints.https.tls]
# certs used as default certs
[[entryPoints.https.tls.certificates]]
certFile = "tests/traefik.crt"
keyFile = "tests/traefik.key"
[acme] [acme]
email = "test@traefik.io" email = "test@traefik.io"
storageFile = "acme.json" storage = "acme.json"
onDemand = true
caServer = "http://172.18.0.1:4000/directory" caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https" entryPoint = "https"
@ -78,6 +76,161 @@ entryPoint = "https"
main = "local4.com" main = "local4.com"
``` ```
This configuration allows generating Let's Encrypt certificates for the four domains `local[1-4].com` with described SANs.
Traefik generates these certificates when it starts and it needs to be restart if new domains are added.
### OnHostRule option
```toml
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "test@traefik.io"
storage = "acme.json"
onHostRule = true
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"
[[acme.domains]]
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
main = "local2.com"
sans = ["test1.local2.com", "test2x.local2.com"]
[[acme.domains]]
main = "local3.com"
[[acme.domains]]
main = "local4.com"
```
This configuration allows generating Let's Encrypt certificates for the four domains `local[1-4].com`.
Traefik generates these certificates when it starts.
If a backend is added with a `onHost` rule, Traefik will automatically generate the Let's Encrypt certificate for the new domain.
### OnDemand option
```toml
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "test@traefik.io"
storage = "acme.json"
OnDemand = true
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"
```
This configuration allows generating a Let's Encrypt certificate during the first HTTPS request on a new domain.
**Note** : This option simplifies the configuration but :
* TLS handshakes will be slow when requesting a hostname certificate for the first time, this can leads to DDoS attacks.
* Let's Encrypt have rate limiting: https://letsencrypt.org/docs/rate-limits
That's why, it's better to use the `onHostRule` optin if possible.
### DNS challenge
```toml
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "test@traefik.io"
storage = "acme.json"
dnsProvider = "digitalocean" # DNS Provider name (cloudflare, OVH, gandi...)
delayDontCheckDNS = 0
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"
[[acme.domains]]
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
main = "local2.com"
sans = ["test1.local2.com", "test2x.local2.com"]
[[acme.domains]]
main = "local3.com"
[[acme.domains]]
main = "local4.com"
```
DNS challenge needs environment variables to be executed. This variables have to be set on the machine/container which host Traefik.
These variables has described [in this section](toml/#acme-lets-encrypt-configuration).
### OnHostRule option and provided certificates
```toml
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
CertFile = "examples/traefik.crt"
KeyFile = "examples/traefik.key"
[acme]
email = "test@traefik.io"
storage = "acme.json"
onHostRule = true
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"
```
Traefik will only try to generate a Let's encrypt certificate if the domain cannot be checked by the provided certificates.
### Cluster mode
#### Prerequisites
Before to use Let's Encrypt in a Traefik cluster, take a look to [the key-value store explanations](/user-guide/kv-config) and more precisely to [this section](/user-guide/kv-config/#store-configuration-in-key-value-store) in the way to know how to migrate from a acme local storage *(acme.json file)* to a key-value store configuration.
#### Configuration
```toml
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "test@traefik.io"
storage = "traefik/acme/account"
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"
[[acme.domains]]
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
main = "local2.com"
sans = ["test1.local2.com", "test2x.local2.com"]
[[acme.domains]]
main = "local3.com"
[[acme.domains]]
main = "local4.com"
[consul]
endpoint = "127.0.0.1:8500"
watch = true
prefix = "traefik"
```
This configuration allows to use the key `traefik/acme/account` to get/set Let's Encrypt certificates content.
The `consul` provider contains the configuration.
**Note** : It's possible to use others key-value store providers as described [here](/user-guide/kv-config/#key-value-store-configuration).
## Override entrypoints in frontends ## Override entrypoints in frontends
```toml ```toml

36
examples/traefik.crt
View file

@ -1,21 +1,19 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAPPVb4fq4kkvMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV MIIDHDCCAgQCCQDODsC1A72mSDANBgkqhkiG9w0BAQsFADBQMQswCQYDVQQGEwJG
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX UjELMAkGA1UECAwCTVAxDTALBgNVBAcMBFRsc2UxEzARBgNVBAoMCkNvbnRhaW5v
aWRnaXRzIFB0eSBMdGQwHhcNMTUxMDE5MTk0MTU4WhcNMTYxMDE4MTk0MTU4WjBF dXMxEDAOBgNVBAsMB1RyYWVmaWswHhcNMTcwODI1MTQxMzU3WhcNMjcwODIzMTQx
MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 MzU3WjBQMQswCQYDVQQGEwJGUjELMAkGA1UECAwCTVAxDTALBgNVBAcMBFRsc2Ux
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB EzARBgNVBAoMCkNvbnRhaW5vdXMxEDAOBgNVBAsMB1RyYWVmaWswggEiMA0GCSqG
CgKCAQEAsPnpfnUPbQxSu3oq38OaX/Q6LKZ5gnS04F8kREF2RvCDMWiKOWru+hXb SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCacKEL5+AlaArZWyfysY1qbtOWdGj0xwq1
udkwU7Fx+7BcDBGsnJGFpY23dDcRurxF1DVs1jIFukH/vbYyHE8JQEgvOGSpDEiv tZ6GZ0fb+0uVeKzJxPBulpwhmXiofUncvFOpr1paaQQRRgE71A6PSIzc64a3NGmm
rfbcxqK8E/VMrI10eXYGxWzaTFWQOND2PAJ1b5JvZrrzc8rfJ7h5Q24GKnw1999t dbju3eOdFVm9za37asFTA2Y87v9HSYJyNSeQgdVCbykhHBrHPrP6kfPx8T7uiPRT
hwsZgpUOh9te7fz1M4XxxRRoliMg0oH9EV3P9Yqq635tjWOix8PcnpcqnRKXVDhk cYWhL9Ko1IuW2rTjMt2UUmk1IPk2WFMWKM1mopqzrxu/NB+O5wOs7MRO1Z8BtAak
TcNtE+45RsPoSgM6nkiXt8HP4afaVUAGAzF41kDm94SNexcyk7gyVsLs2cEI61Eu bclxCQaaE0TgjChlxVPP0us77rCq3///i9kf1x0PGt/LyseaxzAoKfZ6kM6Uq0yk
mhvpP3z91md+eAa3If7kU1w70WiY1wIDAQABo1AwTjAdBgNVHQ4EFgQUue6v2TkZ psWGSxu7sPXmERsN4tZLj7d/J5A2nvnO7h/bhl2FtBAauzsi3LIbAgMBAAEwDQYJ
1oR0ZzEnnxfKdsGuBPMwHwYDVR0jBBgwFoAUue6v2TkZ1oR0ZzEnnxfKdsGuBPMw KoZIhvcNAQELBQADggEBACQbp2gcCFbbQE47SwdI7rWDIITylHj0uCXHJfUggkUl
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAk+xxO8gC40R7+5WVtWvA F/WHIBUdpVaWVOLSysmG8n6fmWTDZOCVNA1+XMjRZUPwVvr//XHjcFpOKfHW47r2
+chNsOoxKyFBOPvGzrYGQbt4OBWKrwQmMXSY3VnjY4GzVaZpOCJOxnupKfZrK4AP VeMHQYQpZH7QmsjyvxXZOrz/Ft3uA9Dna1N5nHRYflpfasdRmXbNK81IykR93Dfn
G+M+NI+J6fHJRCQdov7Xoje5M14FmgjRiLg+haDZhh//11C7P6MQPAzGNUTpUyqV jV9ecDAQl0ru/YcMmabYx3uoWyTvO57EnbXfiPcwIdKGpykXKTv64vAMtkrJicgX
Hsi/wwCYvre5bApb/4uDkDlZkLrgN4e1q8+gh6XLj8NPEOEBEI4VpMVoieC1PwnK jhh+p7ayKklfxinEL7/GCjfSBip7J4DszvLVoyIzmS7HjVdJkpu9agZLYsSl4tCJ
pRfNlTsEhyjeMmOllw9fBKMEvEf1BKsJGaKmQ7zCr1nWznCxyI1Fuf66TfmL8/up qnh7nkp/Fd0XdTV17FwL/veMlpq9AkillIKjHl6vFL0=
lK6sQysLEOIgn2gZEjQz4O/9Jj9v8+TvyP4GZIDsCiv33AaeKJVuSkoeCH0Ls2V8
aQ==
-----END CERTIFICATE----- -----END CERTIFICATE-----

55
examples/traefik.key
View file

@ -1,28 +1,27 @@
-----BEGIN PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCw+el+dQ9tDFK7 MIIEpAIBAAKCAQEAmnChC+fgJWgK2Vsn8rGNam7TlnRo9McKtbWehmdH2/tLlXis
eirfw5pf9DospnmCdLTgXyREQXZG8IMxaIo5au76Fdu52TBTsXH7sFwMEayckYWl ycTwbpacIZl4qH1J3LxTqa9aWmkEEUYBO9QOj0iM3OuGtzRppnW47t3jnRVZvc2t
jbd0NxG6vEXUNWzWMgW6Qf+9tjIcTwlASC84ZKkMSK+t9tzGorwT9UysjXR5dgbF +2rBUwNmPO7/R0mCcjUnkIHVQm8pIRwaxz6z+pHz8fE+7oj0U3GFoS/SqNSLltq0
bNpMVZA40PY8AnVvkm9muvNzyt8nuHlDbgYqfDX3322HCxmClQ6H217t/PUzhfHF 4zLdlFJpNSD5NlhTFijNZqKas68bvzQfjucDrOzETtWfAbQGpG3JcQkGmhNE4Iwo
FGiWIyDSgf0RXc/1iqrrfm2NY6LHw9yelyqdEpdUOGRNw20T7jlGw+hKAzqeSJe3 ZcVTz9LrO+6wqt///4vZH9cdDxrfy8rHmscwKCn2epDOlKtMpKbFhksbu7D15hEb
wc/hp9pVQAYDMXjWQOb3hI17FzKTuDJWwuzZwQjrUS6aG+k/fP3WZ354Brch/uRT DeLWS4+3fyeQNp75zu4f24ZdhbQQGrs7ItyyGwIDAQABAoIBAQCYFpBSJC/1Rmdg
XDvRaJjXAgMBAAECggEAHvnvO5ojtBOXG4d7n6TuDWODFzOgSwxAaJFemK/Ykvwg s0c81iMYjDlsMgll/FmMpmWNoEoA1ZESintGW94WWdU5tWRAMNm7Oe797ISDAmYS
CnLg1sH3yEAxMGtqgQurBsHMqrQhQVpbSSnv9WB6MvQnSMh9H1SsGfjZWYxdYwUW CKmQXH1WFzE5IexRoJjmZ4oOGY9cEzmEE/fg3rmxYWieWxIkBr0icTwcL+9u8/9B
enDoCvfbevHyBgISjJYJU3j5Da7It0XIU6AE6Z2EW91/a+uGQJwh8ZpBaIAW5S2j 7uZkDli5SmA8g8HgsBhD0Eizel/vB5DyUtm8VoVYvDkkljYO/PGT/ectclr6JK9g
B3k+bASANtwEcDdhGE7iLYeHiAttZo89oSSFZP/mwh84pIU29zUVUtsUaHXrob0p biP4jkA2a3CTb8KeyBTrYbULWCtwZ7H5fmySXIX4QpJmEcx5Af7nYITU0OEK63uV
iyGXKPa8NqTvIsbX5Kh/lbbCO4KwsOqgs/eqL7cLSv2VfTmSQCJz+ikiVzcw/vJU NKCQLDpHyOrDIj+mwjxASBQdUDU7NApCR2MrzmGDRPPCGiEWYao5bCrsNRAoDFuy
PaT9H4SCBLP73/Gyjf5P14esWvprPQ3ZnWNNDDGWsQKBgQDoWqxQUy6PKY9or7QH Ux2H+jnRAoGBAM2nOcjJ7nKmOEUTyB0J9ElJRBoChBJAF3ak/aj4xDYAz/hadQL0
M985y52Y0QlWdmRaLc8gxfWLU4/3Wn0NH1flkFXJ5X9uZFNoGMQpidJBajepzkNO OuulOgmYwHjv7Y5Tx6P5ZQgyComa6rKfNZ/mzgm1wMPsKOi5q5T2Zj/0Pt6xih3x
/54V+1NCLUWl7SE5gMeFG8QtEE7ISyjut71CUDSn5mOp7EBARmqRpMZhmXT42RZi +PxonLiIS7221U5xlBZUyW1LLIM4gT7NS9n2pxBuNESotmSwFnPru4OzAoGBAMA/
1zVDkG08ArKdH0Jnvkq5lWHGbwKBgQDC/IYJXkd27XZO+Ti8TdzaU+SSJV26aY++ vyXAnOTRi1on8TDItdPDgq13s0I+q+Fj4+KVCEifRiT9P9NRKQNfvRZI39QGmJ+x
0N4pzq0cC6IWadHugH/XrgkfH+ImPzkf6XHrCSqSipJJLZMd473/8IjdOsf54wDP kGx6VY96SZo5ysm4ElkcKLJ7EcZ38XehG9rar6ZLEAgY4KnA4wDZWmJ1dUm4ZJZI
/yHKPXWhfC4W2L+6+l34Jo/ebnuDVvDme1nKLcdmxhwz4YZfg/TYbWaFzANrl3St Sj2EFmb30V1FP/qo9TFro5Je6P0m9TjFeLKwF4P5AoGAKIu0x9KQMYh2BaB9zsPc
beGg9ENIGQKBgBr6/GtPXWauUsK7NFJpyY/yfthR3Z22nayDCTwrAHovN9ZnIYI2 pupMA/jFAzghqCGlZUAOpzsHxcZH1ZpDV5xO0f+Myws6wdngvYJ5GeGL1E93wFnF
k4RKoEuTZJqy96Rsy8pvAIUsCk6jbtlrgTXYOzDCBQZhZKxCsehY8wywihVj9NrT X85Ihv+PjtEry553prnhtPA5yPwl5/uCBHm3lGZC0JeQfJPGB5UV1XeBwilMyg39
ZxyeJ58fd48xqbxM8O78jTSkFxsWSi0sBDlWOfjv70GjcZiOVir6l6HtAoGBAJeA y25mx8WChprgwv84ngg3AyMCgYEAlb2RPvCFw9xK9FAEFwFeTrELyd1gLIrwCcBq
MAENcQeV4AviltOwx/4Xmwx23gmeRaMklMn1HQoie9FgbU4cJ7kEL3AwjL3c99y0 MYPvTdFxK0JuQkQG8+/QMdlVLaptmoUNftDSb8zKI2w8PV44PFwofsxJDhNCavF7
vN+7Ion0A0+6iol5z8ISObVzG7gsShBSkwWZlVFgtErqJKb6K5NJGxXf0DYvkkPy 5r1K7vWsaQIni1EH/xNMyT+/uUn8XumzmbKWWGFSG5niuXR8dp/mag2u3+9GNY/p
6cQup7VSDs282HRUiiSzdCpXZvztFCpAq0QtJi3ZAoGACjtJ7zEVs0hB7+sCq/SI 8RQjXNECgYAnA7rQ7UVayRQUL8NKB0jhP/J0UomrJRXYx+J5UP7QIoObXlTbDVSi
UHjjv/fjGSm1TVDP46Joqbm62FRdYkEhd+pGMjtGs80OhM+psTZIqe/fgKdKl5yX VTAiSrhPQIFa1s8ghUgCghwq6KJsZoQzrp1fLLlV/HIN+4XXhYVAmOI/k41rCj/0
nS9m6f4ny6XCcilfI3+bxXtsmWnpQnybSU2goe2n+Eoi3RcEB68Hp8U0aPjgDULM eYTkXlXyFpcaW3h9vVjT1wN9FwbU1kNpFo/PvDLM/SQB7GhFRznDDw==
9YDU/ZMupHh/eT79n67QIXw= -----END RSA PRIVATE KEY-----
-----END PRIVATE KEY-----