Ensure only certificates from ACME enabled entrypoint are used

This commit is contained in:
Daniel Tomcej 2018-09-18 01:22:03 -05:00 committed by Traefiker Bot
parent 0ae8cd9a9d
commit ab2c98d931
4 changed files with 99 additions and 22 deletions


@ -200,22 +200,24 @@ func runCmd(globalConfiguration *configuration.GlobalConfiguration, configFile s
internalRouter := router.NewInternalRouterAggregator(*globalConfiguration, entryPointName) internalRouter := router.NewInternalRouterAggregator(*globalConfiguration, entryPointName)
if acmeprovider != nil { if acmeprovider != nil {
if acmeprovider.HTTPChallenge != nil && acmeprovider.HTTPChallenge.EntryPoint == entryPointName { if acmeprovider.HTTPChallenge != nil && entryPointName == acmeprovider.HTTPChallenge.EntryPoint {
internalRouter.AddRouter(acmeprovider) internalRouter.AddRouter(acmeprovider)
} }
// TLS ALPN 01 // TLS ALPN 01
if acmeprovider.HTTPChallenge == nil && acmeprovider.DNSChallenge == nil && acmeprovider.TLSChallenge != nil { if acmeprovider.TLSChallenge != nil && acmeprovider.HTTPChallenge == nil && acmeprovider.DNSChallenge == nil {
entryPoint.TLSALPNGetter = acmeprovider.GetTLSALPNCertificate entryPoint.TLSALPNGetter = acmeprovider.GetTLSALPNCertificate
} }
if acmeprovider.EntryPoint == entryPointName && acmeprovider.OnDemand { if acmeprovider.OnDemand && entryPointName == acmeprovider.EntryPoint {
entryPoint.OnDemandListener = acmeprovider.ListenRequest entryPoint.OnDemandListener = acmeprovider.ListenRequest
} }
entryPoint.CertificateStore = traefiktls.NewCertificateStore() if entryPointName == acmeprovider.EntryPoint {
acmeprovider.SetCertificateStore(entryPoint.CertificateStore) entryPoint.CertificateStore = traefiktls.NewCertificateStore()
acmeprovider.SetCertificateStore(entryPoint.CertificateStore)
log.Debugf("Setting Acme Certificate store from Entrypoint: %s", entryPointName)
}
} }
entryPoint.InternalRouter = internalRouter entryPoint.InternalRouter = internalRouter
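Review bot: The `// TLS ALPN 01` branch still installs `TLSALPNGetter` on every entrypoint, whereas the HTTP-challenge router, the on-demand listener and now the certificate store are all gated on `entryPointName == acmeprovider.EntryPoint`; if that asymmetry is deliberate (the ALPN challenge presumably has to be answered on whichever TLS entrypoint the CA connects to), a one-line comment there would keep the next reader from "aligning" it with the other three. With the new guard, entrypoints other than the ACME one no longer receive a `CertificateStore` from this loop, so whatever consumes `entryPoint.CertificateStore` must either tolerate a nil store or be given one elsewhere — that contract is worth stating in the new block, e.g. `// Only the ACME entrypoint shares a store with the provider; other entrypoints keep whatever store they are given elsewhere.` The enclosing range loop and runCmd both start and end outside the hunk.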


@ -287,6 +287,22 @@ func (s *AcmeSuite) TestHTTP01OnDemandStaticCertificatesWithWildcard(c *check.C)
s.retrieveAcmeCertificate(c, testCase) s.retrieveAcmeCertificate(c, testCase)
} }
func (s *AcmeSuite) TestHTTP01OnDemandStaticCertificatesWithWildcardMultipleEntrypoints(c *check.C) {
testCase := acmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_tls_multiple_entrypoints.toml",
template: templateModel{
Acme: acme.Configuration{
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
OnDemand: true,
},
},
expectedCommonName: acmeDomain,
expectedAlgorithm: x509.RSA,
}
s.retrieveAcmeCertificate(c, testCase)
}
func (s *AcmeSuite) TestHTTP01OnDemandDynamicCertificatesWithWildcard(c *check.C) { func (s *AcmeSuite) TestHTTP01OnDemandDynamicCertificatesWithWildcard(c *check.C) {
testCase := acmeTestCase{ testCase := acmeTestCase{
traefikConfFilePath: "fixtures/acme/acme_tls_dynamic.toml", traefikConfFilePath: "fixtures/acme/acme_tls_dynamic.toml",
@ -379,11 +395,11 @@ func (s *AcmeSuite) TestTLSALPN01DomainsWithProvidedWildcardDomainAtStart(c *che
Acme: acme.Configuration{ Acme: acme.Configuration{
TLSChallenge: &acme.TLSChallenge{}, TLSChallenge: &acme.TLSChallenge{},
Domains: types.Domains{types.Domain{ Domains: types.Domains{types.Domain{
Main: "traefik.acme.wtf", Main: acmeDomain,
}}, }},
}, },
}, },
expectedCommonName: "traefik.acme.wtf", expectedCommonName: wildcardDomain,
expectedAlgorithm: x509.RSA, expectedAlgorithm: x509.RSA,
} }
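Review bot: The second hunk changes what `TestTLSALPN01DomainsWithProvidedWildcardDomainAtStart` asserts — `expectedCommonName` goes from `"traefik.acme.wtf"` (an exact-host certificate) to `wildcardDomain` (presumably the statically provided wildcard) — while neither the test name nor the commit title says why the provided wildcard should now win; a comment above the expectation such as `// a static wildcard certificate on the entrypoint takes precedence over an ACME certificate for the same host` (if that is the intended precedence) would make the expectation self-explaining. The new `...WithWildcardMultipleEntrypoints` test in the first hunk likewise carries nothing beyond the fixture path to say how it differs from `...WithWildcard`; a one-liner noting that the static wildcard sits on a different entrypoint than the ACME one would help. `acmeDomain` and `wildcardDomain` are defined outside the hunk.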


@ -0,0 +1,59 @@
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = "{{ .PortHTTP }}"
[entryPoints.https]
address = "{{ .PortHTTPS }}"
[entryPoints.https.tls]
[entryPoints.traefik]
address = ":9000"
[entryPoints.traefik.tls]
[[entryPoints.traefik.tls.certificates]]
certFile = "fixtures/acme/ssl/wildcard.crt"
keyFile = "fixtures/acme/ssl/wildcard.key"
[acme]
email = "test@traefik.io"
storage = "/tmp/acme.json"
entryPoint = "https"
acmeLogging = true
onDemand = {{ .Acme.OnDemand }}
onHostRule = {{ .Acme.OnHostRule }}
keyType = "{{ .Acme.KeyType }}"
caServer = "{{ .Acme.CAServer }}"
{{if .Acme.HTTPChallenge }}
[acme.httpChallenge]
entryPoint = "{{ .Acme.HTTPChallenge.EntryPoint }}"
{{end}}
{{if .Acme.TLSChallenge }}
[acme.tlsChallenge]
{{end}}
{{range .Acme.Domains}}
[[acme.domains]]
main = "{{ .Main }}"
sans = [{{range .SANs }}
"{{.}}",
{{end}}]
{{end}}
[api]
[file]
[backends]
[backends.backend]
[backends.backend.servers.server1]
url = "http://127.0.0.1:9010"
weight = 1
[frontends]
[frontends.frontend]
backend = "backend"
[frontends.frontend.routes.test]
rule = "Host:traefik.acme.wtf"
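Review bot: The fixture has no comment stating what it is for, and its point is subtle: the static wildcard certificate is attached to `entryPoints.traefik` (`:9000`), while `acme.entryPoint` is `https`, so the test exercises an ACME certificate store and a static certificate living on different entrypoints. A header comment such as `# ACME on "https", static wildcard certificate on "traefik": certificates must not leak between entrypoints` would record that intent. The hard-coded `storage = "/tmp/acme.json"` means this fixture cannot run concurrently with any other fixture that uses the same path; that looks like the existing convention for these fixtures, so it is only worth a mention.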


@ -704,31 +704,31 @@ func (s *HTTPSSuite) TestWithSNIDynamicConfigRouteWithTlsConfigurationDeletion(c
// modifyCertificateConfFileContent replaces the content of a HTTPS configuration file. // modifyCertificateConfFileContent replaces the content of a HTTPS configuration file.
func modifyCertificateConfFileContent(c *check.C, certFileName, confFileName, entryPoint string) { func modifyCertificateConfFileContent(c *check.C, certFileName, confFileName, entryPoint string) {
f, err := os.OpenFile("./"+confFileName, os.O_WRONLY, os.ModeExclusive) file, err := os.OpenFile("./"+confFileName, os.O_WRONLY, os.ModeExclusive)
c.Assert(err, checker.IsNil) c.Assert(err, checker.IsNil)
defer func() { defer func() {
f.Close() file.Close()
}() }()
f.Truncate(0) err = file.Truncate(0)
c.Assert(err, checker.IsNil)
// If certificate file is not provided, just truncate the configuration file // If certificate file is not provided, just truncate the configuration file
if len(certFileName) > 0 { if len(certFileName) > 0 {
tlsConf := types.Configuration{ tlsConf := types.Configuration{
TLS: []*traefiktls.Configuration{ TLS: []*traefiktls.Configuration{{
{ Certificate: &traefiktls.Certificate{
Certificate: &traefiktls.Certificate{ CertFile: traefiktls.FileOrContent("fixtures/https/" + certFileName + ".cert"),
CertFile: traefiktls.FileOrContent("fixtures/https/" + certFileName + ".cert"), KeyFile: traefiktls.FileOrContent("fixtures/https/" + certFileName + ".key"),
KeyFile: traefiktls.FileOrContent("fixtures/https/" + certFileName + ".key"),
},
EntryPoints: []string{entryPoint},
}, },
}, EntryPoints: []string{entryPoint},
}},
} }
var confBuffer bytes.Buffer var confBuffer bytes.Buffer
e := toml.NewEncoder(&confBuffer) err := toml.NewEncoder(&confBuffer).Encode(tlsConf)
err := e.Encode(tlsConf)
c.Assert(err, checker.IsNil) c.Assert(err, checker.IsNil)
_, err = f.Write(confBuffer.Bytes()) _, err = file.Write(confBuffer.Bytes())
c.Assert(err, checker.IsNil) c.Assert(err, checker.IsNil)
} }
} }
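Review bot: `err := toml.NewEncoder(&confBuffer).Encode(tlsConf)` on the encoder line declares a new `err` that shadows the function-level one from the `os.OpenFile` call; both are asserted within their own scope so nothing is lost today, but this is exactly the shadowing pattern `go vet`'s shadow check flags, and `err = toml.NewEncoder(&confBuffer).Encode(tlsConf)` does the same job without it. The deferred `file.Close()` still discards its error; since the file is written and then closed, a close failure is the last chance to notice a failed write, so `defer func() { c.Assert(file.Close(), checker.IsNil) }()` is the stronger form. The third argument to `os.OpenFile`, `os.ModeExclusive`, is a permission value that only applies when the call creates the file, which `os.O_WRONLY` alone never does, so it is inert and could be `0` with a short comment saying the file must already exist.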