Traefik still start when Let's encrypt is down

2018-02-05 18:20:04 +01:00 · 2018-02-05 18:20:04 +01:00 · afe4c307f9
commit afe4c307f9
parent ce3a0fdd46
4 changed files with 63 additions and 2 deletions
--- a/acme/acme.go
+++ b/acme/acme.go
@ -295,6 +295,7 @@ func (a *ACME) leadershipListener(elected bool) error {

 // CreateLocalConfig creates a tls.config using local ACME configuration
 func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, certs *safe.Safe, checkOnDemandDomain func(domain string) bool) error {
+	defer a.runJobs()
 	err := a.init()
 	if err != nil {
 		return err
@ -333,7 +334,9 @@ func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, certs *safe.Safe, checkO

 	a.client, err = a.buildACMEClient(account)
 	if err != nil {
-		return err
+		log.Errorf(`Failed to build ACME client: %s
+Let's Encrypt functionality will be limited until traefik is restarted.`, err)
+		return nil
 	}

 	if needRegister {
@ -374,7 +377,6 @@ func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, certs *safe.Safe, checkO

 	a.retrieveCertificates()
 	a.renewCertificates()
-	a.runJobs()

 	ticker := time.NewTicker(24 * time.Hour)
 	safe.Go(func() {
--- a/docs/configuration/acme.md
+++ b/docs/configuration/acme.md
@ -144,6 +144,18 @@ entryPoint = "https"
    If `HTTP-01` challenge is used, `acme.httpChallenge.entryPoint` has to be defined and reachable by Let's Encrypt through the port 80.
    These are Let's Encrypt limitations as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).

+### Let's Encrypt downtime
+
+Let's Encrypt functionality will be limited until Træfik is restarted.
+
+If Let's Encrypt is not reachable, these certificates will be used :
+  - ACME certificates already generated before downtime
+  - Expired ACME certificates
+  - Provided certificates
+
+!!! note
+ Default Træfik certificate will be used instead of ACME certificates for new (sub)domains (which need Let's Encrypt challenge).
+
 ### `storage`

 ```toml
--- a/integration/acme_test.go
+++ b/integration/acme_test.go
@ -142,6 +142,19 @@ func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateWithDynamicWildcard(c *
 	s.retrieveAcmeCertificate(c, testCase)
 }

+// Test Let's encrypt down
+func (s *AcmeSuite) TestNoValidLetsEncryptServer(c *check.C) {
+	cmd, display := s.traefikCmd(withConfigFile("fixtures/acme/wrong_acme.toml"))
+	defer display(c)
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	// Expected traefik works
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 10*time.Second, try.StatusCodeIs(http.StatusOK))
+	c.Assert(err, checker.IsNil)
+}
+
 // Doing an HTTPS request and test the response certificate
 func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase AcmeTestCase) {
 	file := s.adaptFile(c, testCase.traefikConfFilePath, struct {
--- a/integration/fixtures/acme/wrong_acme.toml
+++ b/integration/fixtures/acme/wrong_acme.toml
@ -0,0 +1,34 @@
+logLevel = "DEBUG"
+
+defaultEntryPoints = ["http", "https"]
+
+[api]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":8081"
+  [entryPoints.https]
+  address = ":5001"
+    [entryPoints.https.tls]
+
+
+[acme]
+email = "test@traefik.io"
+storage = "/dev/null"
+entryPoint = "https"
+OnHostRule = true
+caServer = "http://wrongurl:4000/directory"
+
+[file]
+
+[backends]
+  [backends.backend]
+    [backends.backend.servers.server1]
+    url = "http://127.0.0.1:9010"
+
+
+[frontends]
+  [frontends.frontend]
+  backend = "backend"
+    [frontends.frontend.routes.test]
+    rule = "Host:traefik.acme.wtf"