Traefik still start when Let's encrypt is down
This commit is contained in:
parent
ce3a0fdd46
commit
afe4c307f9
4 changed files with 63 additions and 2 deletions
@ -295,6 +295,7 @@ func (a *ACME) leadershipListener(elected bool) error {
// CreateLocalConfig creates a tls.config using local ACME configuration
// CreateLocalConfig creates a tls.config using local ACME configuration
func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, certs *safe.Safe, checkOnDemandDomain func(domain string) bool) error {
func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, certs *safe.Safe, checkOnDemandDomain func(domain string) bool) error {
defer a.runJobs()
err := a.init()
err := a.init()
if err != nil {
if err != nil {
return err
return err
@ -333,7 +334,9 @@ func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, certs *safe.Safe, checkO
a.client, err = a.buildACMEClient(account)
a.client, err = a.buildACMEClient(account)
if err != nil {
if err != nil {
return err
log.Errorf(`Failed to build ACME client: %s
Let's Encrypt functionality will be limited until traefik is restarted.`, err)
return nil
}
}
if needRegister {
if needRegister {
@ -374,7 +377,6 @@ func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, certs *safe.Safe, checkO
a.retrieveCertificates()
a.retrieveCertificates()
a.renewCertificates()
a.renewCertificates()
a.runJobs()
ticker := time.NewTicker(24 * time.Hour)
ticker := time.NewTicker(24 * time.Hour)
safe.Go(func() {
safe.Go(func() {
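Review bot: In the second hunk, when `buildACMEClient` fails `CreateLocalConfig` now returns nil with `a.client` still nil, and the `defer a.runJobs()` added in the first hunk runs on that path as well; nothing in the commit shows the jobs or the 24h ticker goroutine in the third hunk checking for a nil client before using it, so a nil-pointer panic there would turn the intended degraded mode into a crash — worth confirming in the callees or guarding with `if a.client == nil { return }` at the top of the job code. The failure is logged once and never retried, so a CA outage at startup persists until a restart even if the CA recovers minutes later; re-attempting `buildACMEClient` from the existing ticker would recover without operator action. Style: the multi-line raw string passed to `log.Errorf` embeds a literal newline and a column-0 continuation inside the log message, which breaks line-oriented log collectors; `log.Errorf("Failed to build ACME client: %s. Let's Encrypt functionality will be limited until traefik is restarted.", err)` keeps it on one line. The enclosing function starts in the first hunk and continues past the hunks shown.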
@ -144,6 +144,18 @@ entryPoint = "https"
If `HTTP-01` challenge is used, `acme.httpChallenge.entryPoint` has to be defined and reachable by Let's Encrypt through the port 80.
If `HTTP-01` challenge is used, `acme.httpChallenge.entryPoint` has to be defined and reachable by Let's Encrypt through the port 80.
These are Let's Encrypt limitations as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).
These are Let's Encrypt limitations as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).
### Let's Encrypt downtime
Let's Encrypt functionality will be limited until Træfik is restarted.
If Let's Encrypt is not reachable, these certificates will be used :
- ACME certificates already generated before downtime
- Expired ACME certificates
- Provided certificates
!!! note
Default Træfik certificate will be used instead of ACME certificates for new (sub)domains (which need Let's Encrypt challenge).
### `storage`
### `storage`
```toml
```toml
@ -142,6 +142,19 @@ func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateWithDynamicWildcard(c *
s.retrieveAcmeCertificate(c, testCase)
s.retrieveAcmeCertificate(c, testCase)
}
}
// Test Let's encrypt down
func (s *AcmeSuite) TestNoValidLetsEncryptServer(c *check.C) {
cmd, display := s.traefikCmd(withConfigFile("fixtures/acme/wrong_acme.toml"))
defer display(c)
err := cmd.Start()
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
// Expected traefik works
err = try.GetRequest("http://127.0.0.1:8080/api/providers", 10*time.Second, try.StatusCodeIs(http.StatusOK))
c.Assert(err, checker.IsNil)
}
// Doing an HTTPS request and test the response certificate
// Doing an HTTPS request and test the response certificate
func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase AcmeTestCase) {
func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase AcmeTestCase) {
file := s.adaptFile(c, testCase.traefikConfFilePath, struct {
file := s.adaptFile(c, testCase.traefikConfFilePath, struct {
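Review bot: `TestNoValidLetsEncryptServer` only asserts that the API answers on port 8080, so it does not exercise the behaviour the commit introduces — that the HTTPS entrypoint (`:5001` in the new fixture) still completes a TLS handshake when the ACME client could not be built. A TLS request to that entrypoint with certificate verification disabled, asserting the handshake succeeds and the presented certificate is the default one rather than an ACME-issued one, would pin the degraded mode; `retrieveAcmeCertificate` below already does an HTTPS request and inspects the response certificate. Minor: the `// Test Let's encrypt down` line would serve better as a doc comment on the function, `// TestNoValidLetsEncryptServer checks that Traefik starts and serves its API when the ACME CA is unreachable.`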
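--- a/integration/fixtures/acme/wrong_acme.toml
+++ b/integration/fixtures/acme/wrong_acme.toml
@@ -0,0 +1,34 @@
+logLevel = "DEBUG"
+
+defaultEntryPoints = ["http", "https"]
+
+[api]
+
+[entryPoints]
+[entryPoints.http]
+address = ":8081"
+[entryPoints.https]
+address = ":5001"
+[entryPoints.https.tls]
+
+
+[acme]
+email = "test@traefik.io"
+storage = "/dev/null"
+entryPoint = "https"
+OnHostRule = true
+caServer = "http://wrongurl:4000/directory"
+
+[file]
+
+[backends]
+[backends.backend]
+[backends.backend.servers.server1]
+url = "http://127.0.0.1:9010"
+
+
+[frontends]
+[frontends.frontend]
+backend = "backend"
+[frontends.frontend.routes.test]
+rule = "Host:traefik.acme.wtf"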
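Review bot: The outage is simulated with `caServer = "http://wrongurl:4000/directory"`, a hostname that must fail DNS resolution, so the test's timing and outcome depend on the resolver of the CI host; a resolver that wildcards unknown names or appends a search domain could make it resolve, turning a fast failure into a connect timeout measured against the 10-second budget in the test. An unreachable loopback endpoint such as `caServer = "http://127.0.0.1:<unused-port>/directory"` (placeholder port) fails deterministically with no network dependency. `storage = "/dev/null"` also means a successfully built client would have nowhere to persist its account, which is acceptable for this negative test but deserves a comment, `# storage is intentionally discarded: the CA is unreachable by design`.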