Certificate resolvers.
Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com> Co-authored-by: Jean-Baptiste Doumenjou <jb.doumenjou@gmail.com>
This commit is contained in:
parent
e3627e9cba
commit
f75f73f3d2
47 changed files with 1573 additions and 1249 deletions
|
@ -20,6 +20,7 @@ import (
|
||||||
"github.com/containous/traefik/pkg/config/dynamic"
|
"github.com/containous/traefik/pkg/config/dynamic"
|
||||||
"github.com/containous/traefik/pkg/config/static"
|
"github.com/containous/traefik/pkg/config/static"
|
||||||
"github.com/containous/traefik/pkg/log"
|
"github.com/containous/traefik/pkg/log"
|
||||||
|
"github.com/containous/traefik/pkg/provider/acme"
|
||||||
"github.com/containous/traefik/pkg/provider/aggregator"
|
"github.com/containous/traefik/pkg/provider/aggregator"
|
||||||
"github.com/containous/traefik/pkg/safe"
|
"github.com/containous/traefik/pkg/safe"
|
||||||
"github.com/containous/traefik/pkg/server"
|
"github.com/containous/traefik/pkg/server"
|
||||||
|
@ -88,7 +89,9 @@ func runCmd(staticConfiguration *static.Configuration) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
staticConfiguration.SetEffectiveConfiguration()
|
staticConfiguration.SetEffectiveConfiguration()
|
||||||
staticConfiguration.ValidateConfiguration()
|
if err := staticConfiguration.ValidateConfiguration(); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
log.WithoutContext().Infof("Traefik version %s built on %s", version.Version, version.BuildDate)
|
log.WithoutContext().Infof("Traefik version %s built on %s", version.Version, version.BuildDate)
|
||||||
|
|
||||||
|
@ -112,15 +115,9 @@ func runCmd(staticConfiguration *static.Configuration) error {
|
||||||
|
|
||||||
providerAggregator := aggregator.NewProviderAggregator(*staticConfiguration.Providers)
|
providerAggregator := aggregator.NewProviderAggregator(*staticConfiguration.Providers)
|
||||||
|
|
||||||
acmeProvider, err := staticConfiguration.InitACMEProvider()
|
tlsManager := traefiktls.NewManager()
|
||||||
if err != nil {
|
|
||||||
log.WithoutContext().Errorf("Unable to initialize ACME provider: %v", err)
|
acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager)
|
||||||
} else if acmeProvider != nil {
|
|
||||||
if err := providerAggregator.AddProvider(acmeProvider); err != nil {
|
|
||||||
log.WithoutContext().Errorf("Unable to add ACME provider to the providers list: %v", err)
|
|
||||||
acmeProvider = nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
serverEntryPointsTCP := make(server.TCPEntryPoints)
|
serverEntryPointsTCP := make(server.TCPEntryPoints)
|
||||||
for entryPointName, config := range staticConfiguration.EntryPoints {
|
for entryPointName, config := range staticConfiguration.EntryPoints {
|
||||||
|
@ -129,27 +126,31 @@ func runCmd(staticConfiguration *static.Configuration) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("error while building entryPoint %s: %v", entryPointName, err)
|
return fmt.Errorf("error while building entryPoint %s: %v", entryPointName, err)
|
||||||
}
|
}
|
||||||
serverEntryPointsTCP[entryPointName].RouteAppenderFactory = router.NewRouteAppenderFactory(*staticConfiguration, entryPointName, acmeProvider)
|
serverEntryPointsTCP[entryPointName].RouteAppenderFactory = router.NewRouteAppenderFactory(*staticConfiguration, entryPointName, acmeProviders)
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
tlsManager := traefiktls.NewManager()
|
|
||||||
|
|
||||||
if acmeProvider != nil {
|
|
||||||
acmeProvider.SetTLSManager(tlsManager)
|
|
||||||
if acmeProvider.TLSChallenge != nil &&
|
|
||||||
acmeProvider.HTTPChallenge == nil &&
|
|
||||||
acmeProvider.DNSChallenge == nil {
|
|
||||||
tlsManager.TLSAlpnGetter = acmeProvider.GetTLSALPNCertificate
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
svr := server.NewServer(*staticConfiguration, providerAggregator, serverEntryPointsTCP, tlsManager)
|
svr := server.NewServer(*staticConfiguration, providerAggregator, serverEntryPointsTCP, tlsManager)
|
||||||
|
|
||||||
if acmeProvider != nil && acmeProvider.OnHostRule {
|
resolverNames := map[string]struct{}{}
|
||||||
acmeProvider.SetConfigListenerChan(make(chan dynamic.Configuration))
|
|
||||||
svr.AddListener(acmeProvider.ListenConfiguration)
|
for _, p := range acmeProviders {
|
||||||
|
resolverNames[p.ResolverName] = struct{}{}
|
||||||
|
svr.AddListener(p.ListenConfiguration)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
svr.AddListener(func(config dynamic.Configuration) {
|
||||||
|
for rtName, rt := range config.HTTP.Routers {
|
||||||
|
if rt.TLS == nil || rt.TLS.CertResolver == "" {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
|
||||||
|
log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
ctx := cmd.ContextWithSignal(context.Background())
|
ctx := cmd.ContextWithSignal(context.Background())
|
||||||
|
|
||||||
if staticConfiguration.Ping != nil {
|
if staticConfiguration.Ping != nil {
|
||||||
|
@ -196,6 +197,40 @@ func runCmd(staticConfiguration *static.Configuration) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// initACMEProvider creates an acme provider from the ACME part of globalConfiguration
|
||||||
|
func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager) []*acme.Provider {
|
||||||
|
challengeStore := acme.NewLocalChallengeStore()
|
||||||
|
localStores := map[string]*acme.LocalStore{}
|
||||||
|
|
||||||
|
var resolvers []*acme.Provider
|
||||||
|
for name, resolver := range c.CertificatesResolvers {
|
||||||
|
if resolver.ACME != nil {
|
||||||
|
if localStores[resolver.ACME.Storage] == nil {
|
||||||
|
localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage)
|
||||||
|
}
|
||||||
|
|
||||||
|
p := &acme.Provider{
|
||||||
|
Configuration: resolver.ACME,
|
||||||
|
Store: localStores[resolver.ACME.Storage],
|
||||||
|
ChallengeStore: challengeStore,
|
||||||
|
ResolverName: name,
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := providerAggregator.AddProvider(p); err != nil {
|
||||||
|
log.WithoutContext().Errorf("Unable to add ACME provider to the providers list: %v", err)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
p.SetTLSManager(tlsManager)
|
||||||
|
if p.TLSChallenge != nil {
|
||||||
|
tlsManager.TLSAlpnGetter = p.GetTLSALPNCertificate
|
||||||
|
}
|
||||||
|
p.SetConfigListenerChan(make(chan dynamic.Configuration))
|
||||||
|
resolvers = append(resolvers, p)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return resolvers
|
||||||
|
}
|
||||||
|
|
||||||
func configureLogging(staticConfiguration *static.Configuration) {
|
func configureLogging(staticConfiguration *static.Configuration) {
|
||||||
// configure default log flags
|
// configure default log flags
|
||||||
stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
|
stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
|
||||||
|
|
|
@ -12,7 +12,7 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
|
||||||
|
|
||||||
??? example "Enabling ACME"
|
??? example "Enabling ACME"
|
||||||
|
|
||||||
```toml tab="TOML"
|
```toml tab="File (TOML)"
|
||||||
[entryPoints]
|
[entryPoints]
|
||||||
[entryPoints.web]
|
[entryPoints.web]
|
||||||
address = ":80"
|
address = ":80"
|
||||||
|
@ -20,18 +20,15 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
|
||||||
[entryPoints.web-secure]
|
[entryPoints.web-secure]
|
||||||
address = ":443"
|
address = ":443"
|
||||||
|
|
||||||
# every router with TLS enabled will now be able to use ACME for its certificates
|
[certificatesResolvers.sample.acme]
|
||||||
[acme]
|
|
||||||
email = "your-email@your-domain.org"
|
email = "your-email@your-domain.org"
|
||||||
storage = "acme.json"
|
storage = "acme.json"
|
||||||
# dynamic generation based on the Host() & HostSNI() matchers
|
|
||||||
onHostRule = true
|
|
||||||
[acme.httpChallenge]
|
[acme.httpChallenge]
|
||||||
# used during the challenge
|
# used during the challenge
|
||||||
entryPoint = "web"
|
entryPoint = "web"
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="YAML"
|
```yaml tab="File (YAML)"
|
||||||
entryPoints:
|
entryPoints:
|
||||||
web:
|
web:
|
||||||
address: ":80"
|
address: ":80"
|
||||||
|
@ -39,50 +36,24 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
|
||||||
web-secure:
|
web-secure:
|
||||||
address: ":443"
|
address: ":443"
|
||||||
|
|
||||||
# every router with TLS enabled will now be able to use ACME for its certificates
|
certificatesResolvers:
|
||||||
acme:
|
sample:
|
||||||
email: your-email@your-domain.org
|
acme:
|
||||||
storage: acme.json
|
email: your-email@your-domain.org
|
||||||
# dynamic generation based on the Host() & HostSNI() matchers
|
storage: acme.json
|
||||||
onHostRule: true
|
httpChallenge:
|
||||||
httpChallenge:
|
# used during the challenge
|
||||||
# used during the challenge
|
entryPoint: web
|
||||||
entryPoint: web
|
|
||||||
```
|
```
|
||||||
|
|
||||||
??? example "Configuring Wildcard Certificates"
|
```bash tab="CLI"
|
||||||
|
--entryPoints.web.address=":80"
|
||||||
```toml tab="TOML"
|
--entryPoints.websecure.address=":443"
|
||||||
[entryPoints]
|
# ...
|
||||||
[entryPoints.web-secure]
|
--certificatesResolvers.sample.acme.email: your-email@your-domain.org
|
||||||
address = ":443"
|
--certificatesResolvers.sample.acme.storage: acme.json
|
||||||
|
# used during the challenge
|
||||||
[acme]
|
--certificatesResolvers.sample.acme.httpChallenge.entryPoint: web
|
||||||
email = "your-email@your-domain.org"
|
|
||||||
storage = "acme.json"
|
|
||||||
[acme.dnsChallenge]
|
|
||||||
provider = "xxx"
|
|
||||||
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "*.mydomain.com"
|
|
||||||
sans = ["mydomain.com"]
|
|
||||||
```
|
|
||||||
|
|
||||||
```yaml tab="YAML"
|
|
||||||
entryPoints:
|
|
||||||
web-secure:
|
|
||||||
address: ":443"
|
|
||||||
|
|
||||||
acme:
|
|
||||||
email: your-email@your-domain.org
|
|
||||||
storage: acme.json
|
|
||||||
dnsChallenge:
|
|
||||||
provide: xxx
|
|
||||||
|
|
||||||
domains:
|
|
||||||
- main: "*.mydomain.com"
|
|
||||||
sans:
|
|
||||||
- mydomain.com
|
|
||||||
```
|
```
|
||||||
|
|
||||||
??? note "Configuration Reference"
|
??? note "Configuration Reference"
|
||||||
|
@ -90,14 +61,18 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
|
||||||
There are many available options for ACME.
|
There are many available options for ACME.
|
||||||
For a quick glance at what's possible, browse the configuration reference:
|
For a quick glance at what's possible, browse the configuration reference:
|
||||||
|
|
||||||
```toml tab="TOML"
|
```toml tab="File (TOML)"
|
||||||
--8<-- "content/https/ref-acme.toml"
|
--8<-- "content/https/ref-acme.toml"
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="YAML"
|
```yaml tab="File (YAML)"
|
||||||
--8<-- "content/https/ref-acme.yaml"
|
--8<-- "content/https/ref-acme.yaml"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
```bash tab="CLI"
|
||||||
|
--8<-- "content/https/ref-acme.txt"
|
||||||
|
```
|
||||||
|
|
||||||
## Automatic Renewals
|
## Automatic Renewals
|
||||||
|
|
||||||
Traefik automatically tracks the expiry date of ACME certificates it generates.
|
Traefik automatically tracks the expiry date of ACME certificates it generates.
|
||||||
|
@ -118,14 +93,23 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
|
||||||
|
|
||||||
??? example "Configuring the `tlsChallenge`"
|
??? example "Configuring the `tlsChallenge`"
|
||||||
|
|
||||||
```toml tab="TOML"
|
```toml tab="File (TOML)"
|
||||||
[acme]
|
[certificatesResolvers.sample.acme]
|
||||||
[acme.tlsChallenge]
|
# ...
|
||||||
|
[certificatesResolvers.sample.acme.tlsChallenge]
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="YAML"
|
```yaml tab="File (YAML)"
|
||||||
acme:
|
certificatesResolvers:
|
||||||
tlsChallenge: {}
|
sample:
|
||||||
|
acme:
|
||||||
|
# ...
|
||||||
|
tlsChallenge: {}
|
||||||
|
```
|
||||||
|
|
||||||
|
```bash tab="CLI"
|
||||||
|
# ...
|
||||||
|
--certificatesResolvers.sample.acme.tlsChallenge
|
||||||
```
|
```
|
||||||
|
|
||||||
### `httpChallenge`
|
### `httpChallenge`
|
||||||
|
@ -137,7 +121,7 @@ when using the `HTTP-01` challenge, `acme.httpChallenge.entryPoint` must be reac
|
||||||
|
|
||||||
??? example "Using an EntryPoint Called http for the `httpChallenge`"
|
??? example "Using an EntryPoint Called http for the `httpChallenge`"
|
||||||
|
|
||||||
```toml tab="TOML"
|
```toml tab="File (TOML)"
|
||||||
[entryPoints]
|
[entryPoints]
|
||||||
[entryPoints.web]
|
[entryPoints.web]
|
||||||
address = ":80"
|
address = ":80"
|
||||||
|
@ -145,13 +129,13 @@ when using the `HTTP-01` challenge, `acme.httpChallenge.entryPoint` must be reac
|
||||||
[entryPoints.web-secure]
|
[entryPoints.web-secure]
|
||||||
address = ":443"
|
address = ":443"
|
||||||
|
|
||||||
[acme]
|
[certificatesResolvers.sample.acme]
|
||||||
# ...
|
# ...
|
||||||
[acme.httpChallenge]
|
[certificatesResolvers.sample.acme.httpChallenge]
|
||||||
entryPoint = "web"
|
entryPoint = "web"
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="YAML"
|
```yaml tab="File (YAML)"
|
||||||
entryPoints:
|
entryPoints:
|
||||||
web:
|
web:
|
||||||
address: ":80"
|
address: ":80"
|
||||||
|
@ -159,10 +143,19 @@ when using the `HTTP-01` challenge, `acme.httpChallenge.entryPoint` must be reac
|
||||||
web-secure:
|
web-secure:
|
||||||
address: ":443"
|
address: ":443"
|
||||||
|
|
||||||
acme:
|
certificatesResolvers:
|
||||||
# ...
|
sample:
|
||||||
httpChallenge:
|
acme:
|
||||||
entryPoint: web
|
# ...
|
||||||
|
httpChallenge:
|
||||||
|
entryPoint: web
|
||||||
|
```
|
||||||
|
|
||||||
|
```bash tab="CLI"
|
||||||
|
--entryPoints.web.address=":80"
|
||||||
|
--entryPoints.websecure.address=":443"
|
||||||
|
# ...
|
||||||
|
--certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
|
||||||
```
|
```
|
||||||
|
|
||||||
!!! note
|
!!! note
|
||||||
|
@ -174,21 +167,30 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
|
||||||
|
|
||||||
??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"
|
??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"
|
||||||
|
|
||||||
```toml tab="TOML"
|
```toml tab="File (TOML)"
|
||||||
[acme]
|
[certificatesResolvers.sample.acme]
|
||||||
# ...
|
# ...
|
||||||
[acme.dnsChallenge]
|
[certificatesResolvers.sample.acme.dnsChallenge]
|
||||||
provider = "digitalocean"
|
provider = "digitalocean"
|
||||||
delayBeforeCheck = 0
|
delayBeforeCheck = 0
|
||||||
# ...
|
# ...
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="YAML"
|
```yaml tab="File (YAML)"
|
||||||
acme:
|
certificatesResolvers:
|
||||||
# ...
|
sample:
|
||||||
dnsChallenge:
|
acme:
|
||||||
provider: digitalocean
|
# ...
|
||||||
delayBeforeCheck: 0
|
dnsChallenge:
|
||||||
|
provider: digitalocean
|
||||||
|
delayBeforeCheck: 0
|
||||||
|
# ...
|
||||||
|
```
|
||||||
|
|
||||||
|
```bash tab="CLI"
|
||||||
|
# ...
|
||||||
|
--certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
|
||||||
|
--certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
|
||||||
# ...
|
# ...
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -238,7 +240,7 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
|
||||||
| [Lightsail](https://aws.amazon.com/lightsail/) | `lightsail` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE` | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail) |
|
| [Lightsail](https://aws.amazon.com/lightsail/) | `lightsail` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE` | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail) |
|
||||||
| [Linode](https://www.linode.com) | `linode` | `LINODE_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/linode) |
|
| [Linode](https://www.linode.com) | `linode` | `LINODE_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/linode) |
|
||||||
| [Linode v4](https://www.linode.com) | `linodev4` | `LINODE_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/linodev4) |
|
| [Linode v4](https://www.linode.com) | `linodev4` | `LINODE_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/linodev4) |
|
||||||
| manual | - | none, but you need to run Traefik interactively [^4], turn on `acmeLogging` to see instructions and press <kbd>Enter</kbd>. | |
|
| manual | - | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>. | |
|
||||||
| [MyDNS.jp](https://www.mydns.jp/) | `mydnsjp` | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp) |
|
| [MyDNS.jp](https://www.mydns.jp/) | `mydnsjp` | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp) |
|
||||||
| [Namecheap](https://www.namecheap.com) | `namecheap` | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap) |
|
| [Namecheap](https://www.namecheap.com) | `namecheap` | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap) |
|
||||||
| [name.com](https://www.name.com/) | `namedotcom` | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER` | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom) |
|
| [name.com](https://www.name.com/) | `namedotcom` | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER` | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom) |
|
||||||
|
@ -276,22 +278,29 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
|
||||||
|
|
||||||
Use custom DNS servers to resolve the FQDN authority.
|
Use custom DNS servers to resolve the FQDN authority.
|
||||||
|
|
||||||
```toml tab="TOML"
|
```toml tab="File (TOML)"
|
||||||
[acme]
|
[certificatesResolvers.sample.acme]
|
||||||
# ...
|
# ...
|
||||||
[acme.dnsChallenge]
|
[certificatesResolvers.sample.acme.dnsChallenge]
|
||||||
# ...
|
# ...
|
||||||
resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
|
resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="YAML"
|
```yaml tab="File (YAML)"
|
||||||
acme:
|
certificatesResolvers:
|
||||||
# ...
|
sample:
|
||||||
dnsChallenge:
|
acme:
|
||||||
# ...
|
# ...
|
||||||
resolvers:
|
dnsChallenge:
|
||||||
- "1.1.1.1:53"
|
# ...
|
||||||
- "8.8.8.8:53"
|
resolvers:
|
||||||
|
- "1.1.1.1:53"
|
||||||
|
- "8.8.8.8:53"
|
||||||
|
```
|
||||||
|
|
||||||
|
```bash tab="CLI"
|
||||||
|
# ...
|
||||||
|
--certificatesResolvers.sample.acme.dnsChallenge.resolvers:="1.1.1.1:53,8.8.8.8:53"
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Wildcard Domains
|
#### Wildcard Domains
|
||||||
|
@ -299,140 +308,56 @@ acme:
|
||||||
[ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
|
[ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
|
||||||
As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).
|
As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).
|
||||||
|
|
||||||
```toml tab="TOML"
|
|
||||||
[acme]
|
|
||||||
# ...
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "*.local1.com"
|
|
||||||
sans = ["local1.com"]
|
|
||||||
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
```yaml tab="YAML"
|
|
||||||
acme:
|
|
||||||
# ...
|
|
||||||
domains:
|
|
||||||
- main: "*.local1.com"
|
|
||||||
sans:
|
|
||||||
- local1.com
|
|
||||||
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note "Double Wildcard Certificates"
|
|
||||||
It is not possible to request a double wildcard certificate for a domain (for example `*.*.local.com`).
|
|
||||||
|
|
||||||
Most likely the root domain should receive a certificate too, so it needs to be specified as SAN and 2 `DNS-01` challenges are executed.
|
|
||||||
In this case the generated DNS TXT record for both domains is the same.
|
|
||||||
Even though this behavior is [DNS RFC](https://community.letsencrypt.org/t/wildcard-issuance-two-txt-records-for-the-same-name/54528/2) compliant,
|
|
||||||
it can lead to problems as all DNS providers keep DNS records cached for a given time (TTL) and this TTL can be greater than the challenge timeout making the `DNS-01` challenge fail.
|
|
||||||
|
|
||||||
The Traefik ACME client library [LEGO](https://github.com/go-acme/lego) supports some but not all DNS providers to work around this issue.
|
|
||||||
The [Supported `provider` table](#providers) indicates if they allow generating certificates for a wildcard domain and its root domain.
|
|
||||||
|
|
||||||
## Known Domains, SANs
|
|
||||||
|
|
||||||
You can set SANs (alternative domains) for each main domain.
|
|
||||||
Every domain must have A/AAAA records pointing to Traefik.
|
|
||||||
Each domain & SAN will lead to a certificate request.
|
|
||||||
|
|
||||||
```toml tab="TOML"
|
|
||||||
[acme]
|
|
||||||
# ...
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local1.com"
|
|
||||||
sans = ["test1.local1.com", "test2.local1.com"]
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local2.com"
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "*.local3.com"
|
|
||||||
sans = ["local3.com", "test1.test1.local3.com"]
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
```yaml tab="YAML"
|
|
||||||
acme:
|
|
||||||
# ...
|
|
||||||
domains:
|
|
||||||
- main: "local1.com"
|
|
||||||
sans:
|
|
||||||
- "test1.local1.com"
|
|
||||||
- "test2.local1.com"
|
|
||||||
- main: "local2.com"
|
|
||||||
- main: "*.local3.com"
|
|
||||||
sans:
|
|
||||||
- "local3.com"
|
|
||||||
- "test1.test1.local3.com"
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! important
|
|
||||||
The certificates for the domains listed in `acme.domains` are negotiated at Traefik startup only.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
Wildcard certificates can only be verified through a `DNS-01` challenge.
|
|
||||||
|
|
||||||
## `caServer`
|
## `caServer`
|
||||||
|
|
||||||
??? example "Using the Let's Encrypt staging server"
|
??? example "Using the Let's Encrypt staging server"
|
||||||
|
|
||||||
```toml tab="TOML"
|
```toml tab="File (TOML)"
|
||||||
[acme]
|
[certificatesResolvers.sample.acme]
|
||||||
# ...
|
# ...
|
||||||
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
|
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
|
||||||
# ...
|
# ...
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="YAML"
|
```yaml tab="File (YAML)"
|
||||||
acme:
|
certificatesResolvers:
|
||||||
# ...
|
sample:
|
||||||
caServer: https://acme-staging-v02.api.letsencrypt.org/directory
|
acme:
|
||||||
# ...
|
# ...
|
||||||
|
caServer: https://acme-staging-v02.api.letsencrypt.org/directory
|
||||||
|
# ...
|
||||||
```
|
```
|
||||||
|
|
||||||
## `onHostRule`
|
```bash tab="CLI"
|
||||||
|
# ...
|
||||||
Enable certificate generation on [routers](../routing/routers/index.md) `Host` & `HostSNI` rules.
|
--certificatesResolvers.sample.acme.caServer="https://acme-staging-v02.api.letsencrypt.org/directory"
|
||||||
|
# ...
|
||||||
This will request a certificate from Let's Encrypt for each router with a Host rule.
|
```
|
||||||
|
|
||||||
```toml tab="TOML"
|
|
||||||
[acme]
|
|
||||||
# ...
|
|
||||||
onHostRule = true
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
```yaml tab="YAML"
|
|
||||||
acme:
|
|
||||||
# ...
|
|
||||||
onHostRule: true
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note "Multiple Hosts in a Rule"
|
|
||||||
The rule `Host(test1.traefik.io,test2.traefik.io)` will request a certificate with the main domain `test1.traefik.io` and SAN `test2.traefik.io`.
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
`onHostRule` option can not be used to generate wildcard certificates. Refer to [wildcard generation](#wildcard-domains) for further information.
|
|
||||||
|
|
||||||
## `storage`
|
## `storage`
|
||||||
|
|
||||||
The `storage` option sets the location where your ACME certificates are saved to.
|
The `storage` option sets the location where your ACME certificates are saved to.
|
||||||
|
|
||||||
```toml tab="TOML"
|
```toml tab="File (TOML)"
|
||||||
[acme]
|
[certificatesResolvers.sample.acme]
|
||||||
# ...
|
# ...
|
||||||
storage = "acme.json"
|
storage = "acme.json"
|
||||||
# ...
|
# ...
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="YAML"
|
```toml tab="File (TOML)"
|
||||||
acme
|
certificatesResolvers:
|
||||||
# ...
|
sample:
|
||||||
storage: acme.json
|
acme:
|
||||||
# ...
|
# ...
|
||||||
|
storage: acme.json
|
||||||
|
# ...
|
||||||
|
```
|
||||||
|
|
||||||
|
```bash tab="CLI"
|
||||||
|
# ...
|
||||||
|
--certificatesResolvers.sample.acme.storage=acme.json
|
||||||
|
# ...
|
||||||
```
|
```
|
||||||
|
|
||||||
The value can refer to some kinds of storage:
|
The value can refer to some kinds of storage:
|
||||||
|
|
|
@ -1,123 +1,89 @@
|
||||||
# Enable ACME (Let's Encrypt): automatic SSL.
|
# Enable ACME (Let's Encrypt): automatic SSL.
|
||||||
[acme]
|
[certificatesResolvers.sample.acme]
|
||||||
|
|
||||||
# Email address used for registration.
|
# Email address used for registration.
|
||||||
#
|
|
||||||
# Required
|
|
||||||
#
|
|
||||||
email = "test@traefik.io"
|
|
||||||
|
|
||||||
# File or key used for certificates storage.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
#
|
|
||||||
storage = "acme.json"
|
|
||||||
|
|
||||||
# If true, display debug log messages from the acme client library.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# acmeLogging = true
|
|
||||||
|
|
||||||
# If true, override certificates in key-value store when using storeconfig.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# overrideCertificates = true
|
|
||||||
|
|
||||||
# Enable certificate generation on routers host rules.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# onHostRule = true
|
|
||||||
|
|
||||||
# CA server to use.
|
|
||||||
# Uncomment the line to use Let's Encrypt's staging server,
|
|
||||||
# leave commented to go to prod.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "https://acme-v02.api.letsencrypt.org/directory"
|
|
||||||
#
|
|
||||||
# caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
|
|
||||||
|
|
||||||
# KeyType to use.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "RSA4096"
|
|
||||||
#
|
|
||||||
# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
|
|
||||||
#
|
|
||||||
# KeyType = "RSA4096"
|
|
||||||
|
|
||||||
# Use a TLS-ALPN-01 ACME challenge.
|
|
||||||
#
|
|
||||||
# Optional (but recommended)
|
|
||||||
#
|
|
||||||
[acme.tlsChallenge]
|
|
||||||
|
|
||||||
# Use a HTTP-01 ACME challenge.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# [acme.httpChallenge]
|
|
||||||
|
|
||||||
# EntryPoint to use for the HTTP-01 challenges.
|
|
||||||
#
|
#
|
||||||
# Required
|
# Required
|
||||||
#
|
#
|
||||||
# entryPoint = "web"
|
email = "test@traefik.io"
|
||||||
|
|
||||||
# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
|
# File or key used for certificates storage.
|
||||||
# Note: mandatory for wildcard certificate generation.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# [acme.dnsChallenge]
|
|
||||||
|
|
||||||
# DNS provider used.
|
|
||||||
#
|
#
|
||||||
# Required
|
# Required
|
||||||
#
|
#
|
||||||
# provider = "digitalocean"
|
storage = "acme.json"
|
||||||
|
|
||||||
# By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
|
# CA server to use.
|
||||||
# If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
|
# Uncomment the line to use Let's Encrypt's staging server,
|
||||||
# Useful if internal networks block external DNS queries.
|
# leave commented to go to prod.
|
||||||
#
|
#
|
||||||
# Optional
|
# Optional
|
||||||
# Default: 0
|
# Default: "https://acme-v02.api.letsencrypt.org/directory"
|
||||||
#
|
#
|
||||||
# delayBeforeCheck = 0
|
# caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
|
||||||
|
|
||||||
# Use following DNS servers to resolve the FQDN authority.
|
# KeyType to use.
|
||||||
#
|
#
|
||||||
# Optional
|
# Optional
|
||||||
# Default: empty
|
# Default: "RSA4096"
|
||||||
#
|
#
|
||||||
# resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
|
# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
|
||||||
|
#
|
||||||
|
# keyType = "RSA4096"
|
||||||
|
|
||||||
# Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
|
# Use a TLS-ALPN-01 ACME challenge.
|
||||||
#
|
#
|
||||||
# NOT RECOMMENDED:
|
# Optional (but recommended)
|
||||||
# Increase the risk of reaching Let's Encrypt's rate limits.
|
#
|
||||||
|
[certificatesResolvers.sample.acme.tlsChallenge]
|
||||||
|
|
||||||
|
# Use a HTTP-01 ACME challenge.
|
||||||
#
|
#
|
||||||
# Optional
|
# Optional
|
||||||
# Default: false
|
|
||||||
#
|
#
|
||||||
# disablePropagationCheck = true
|
# [certificatesResolvers.sample.acme.httpChallenge]
|
||||||
|
|
||||||
# Domains list.
|
# EntryPoint to use for the HTTP-01 challenges.
|
||||||
# Only domains defined here can generate wildcard certificates.
|
#
|
||||||
# The certificates for these domains are negotiated at traefik startup only.
|
# Required
|
||||||
#
|
#
|
||||||
# [[acme.domains]]
|
# entryPoint = "web"
|
||||||
# main = "local1.com"
|
|
||||||
# sans = ["test1.local1.com", "test2.local1.com"]
|
# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
|
||||||
# [[acme.domains]]
|
# Note: mandatory for wildcard certificate generation.
|
||||||
# main = "local2.com"
|
#
|
||||||
# [[acme.domains]]
|
# Optional
|
||||||
# main = "*.local3.com"
|
#
|
||||||
# sans = ["local3.com", "test1.test1.local3.com"]
|
# [certificatesResolvers.sample.acme.dnsChallenge]
|
||||||
|
|
||||||
|
# DNS provider used.
|
||||||
|
#
|
||||||
|
# Required
|
||||||
|
#
|
||||||
|
# provider = "digitalocean"
|
||||||
|
|
||||||
|
# By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
|
||||||
|
# If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
|
||||||
|
# Useful if internal networks block external DNS queries.
|
||||||
|
#
|
||||||
|
# Optional
|
||||||
|
# Default: 0
|
||||||
|
#
|
||||||
|
# delayBeforeCheck = 0
|
||||||
|
|
||||||
|
# Use following DNS servers to resolve the FQDN authority.
|
||||||
|
#
|
||||||
|
# Optional
|
||||||
|
# Default: empty
|
||||||
|
#
|
||||||
|
# resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
|
||||||
|
|
||||||
|
# Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
|
||||||
|
#
|
||||||
|
# NOT RECOMMENDED:
|
||||||
|
# Increase the risk of reaching Let's Encrypt's rate limits.
|
||||||
|
#
|
||||||
|
# Optional
|
||||||
|
# Default: false
|
||||||
|
#
|
||||||
|
# disablePropagationCheck = true
|
||||||
|
|
89
docs/content/https/ref-acme.txt
Normal file
89
docs/content/https/ref-acme.txt
Normal file
|
@ -0,0 +1,89 @@
|
||||||
|
# Enable ACME (Let's Encrypt): automatic SSL.
|
||||||
|
--certificatesResolvers.sample.acme
|
||||||
|
|
||||||
|
# Email address used for registration.
|
||||||
|
#
|
||||||
|
# Required
|
||||||
|
#
|
||||||
|
--certificatesResolvers.sample.acme.email="test@traefik.io"
|
||||||
|
|
||||||
|
# File or key used for certificates storage.
|
||||||
|
#
|
||||||
|
# Required
|
||||||
|
#
|
||||||
|
--certificatesResolvers.sample.acme.storage="acme.json"
|
||||||
|
|
||||||
|
# CA server to use.
|
||||||
|
# Uncomment the line to use Let's Encrypt's staging server,
|
||||||
|
# leave commented to go to prod.
|
||||||
|
#
|
||||||
|
# Optional
|
||||||
|
# Default: "https://acme-v02.api.letsencrypt.org/directory"
|
||||||
|
#
|
||||||
|
--certificatesResolvers.sample.acme.caServer="https://acme-staging-v02.api.letsencrypt.org/directory"
|
||||||
|
|
||||||
|
# KeyType to use.
|
||||||
|
#
|
||||||
|
# Optional
|
||||||
|
# Default: "RSA4096"
|
||||||
|
#
|
||||||
|
# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
|
||||||
|
#
|
||||||
|
--certificatesResolvers.sample.acme.keyType=RSA4096
|
||||||
|
|
||||||
|
# Use a TLS-ALPN-01 ACME challenge.
|
||||||
|
#
|
||||||
|
# Optional (but recommended)
|
||||||
|
#
|
||||||
|
--certificatesResolvers.sample.acme.tlsChallenge
|
||||||
|
|
||||||
|
# Use a HTTP-01 ACME challenge.
|
||||||
|
#
|
||||||
|
# Optional
|
||||||
|
#
|
||||||
|
--certificatesResolvers.sample.acme.httpChallenge
|
||||||
|
|
||||||
|
# EntryPoint to use for the HTTP-01 challenges.
|
||||||
|
#
|
||||||
|
# Required
|
||||||
|
#
|
||||||
|
--certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
|
||||||
|
|
||||||
|
# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
|
||||||
|
# Note: mandatory for wildcard certificate generation.
|
||||||
|
#
|
||||||
|
# Optional
|
||||||
|
#
|
||||||
|
--certificatesResolvers.sample.acme.dnsChallenge
|
||||||
|
|
||||||
|
# DNS provider used.
|
||||||
|
#
|
||||||
|
# Required
|
||||||
|
#
|
||||||
|
--certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
|
||||||
|
|
||||||
|
# By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
|
||||||
|
# If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
|
||||||
|
# Useful if internal networks block external DNS queries.
|
||||||
|
#
|
||||||
|
# Optional
|
||||||
|
# Default: 0
|
||||||
|
#
|
||||||
|
--certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
|
||||||
|
|
||||||
|
# Use following DNS servers to resolve the FQDN authority.
|
||||||
|
#
|
||||||
|
# Optional
|
||||||
|
# Default: empty
|
||||||
|
#
|
||||||
|
--certificatesResolvers.sample.acme.dnsChallenge.resolvers="1.1.1.1:53,8.8.8.8:53"
|
||||||
|
|
||||||
|
# Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
|
||||||
|
#
|
||||||
|
# NOT RECOMMENDED:
|
||||||
|
# Increase the risk of reaching Let's Encrypt's rate limits.
|
||||||
|
#
|
||||||
|
# Optional
|
||||||
|
# Default: false
|
||||||
|
#
|
||||||
|
--certificatesResolvers.sample.acme.dnsChallenge.disablePropagationCheck=true
|
|
@ -1,127 +1,93 @@
|
||||||
# Enable ACME (Let's Encrypt): automatic SSL.
|
certificatesResolvers:
|
||||||
acme:
|
sample:
|
||||||
|
# Enable ACME (Let's Encrypt): automatic SSL.
|
||||||
|
acme:
|
||||||
|
|
||||||
# Email address used for registration.
|
# Email address used for registration.
|
||||||
#
|
#
|
||||||
# Required
|
# Required
|
||||||
#
|
#
|
||||||
email: "test@traefik.io"
|
email: "test@traefik.io"
|
||||||
|
|
||||||
# File or key used for certificates storage.
|
# File or key used for certificates storage.
|
||||||
#
|
#
|
||||||
# Required
|
# Required
|
||||||
#
|
#
|
||||||
storage: "acme.json"
|
storage: "acme.json"
|
||||||
|
|
||||||
# If true, display debug log messages from the acme client library.
|
# CA server to use.
|
||||||
#
|
# Uncomment the line to use Let's Encrypt's staging server,
|
||||||
# Optional
|
# leave commented to go to prod.
|
||||||
# Default: false
|
#
|
||||||
#
|
# Optional
|
||||||
# acmeLogging: true
|
# Default: "https://acme-v02.api.letsencrypt.org/directory"
|
||||||
|
#
|
||||||
|
# caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
|
||||||
|
|
||||||
# If true, override certificates in key-value store when using storeconfig.
|
# KeyType to use.
|
||||||
#
|
#
|
||||||
# Optional
|
# Optional
|
||||||
# Default: false
|
# Default: "RSA4096"
|
||||||
#
|
#
|
||||||
# overrideCertificates: true
|
# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
|
||||||
|
#
|
||||||
|
# keyType: RSA4096
|
||||||
|
|
||||||
# Enable certificate generation on routers host rules.
|
# Use a TLS-ALPN-01 ACME challenge.
|
||||||
#
|
#
|
||||||
# Optional
|
# Optional (but recommended)
|
||||||
# Default: false
|
#
|
||||||
#
|
tlsChallenge:
|
||||||
# onHostRule: true
|
|
||||||
|
|
||||||
# CA server to use.
|
# Use a HTTP-01 ACME challenge.
|
||||||
# Uncomment the line to use Let's Encrypt's staging server,
|
#
|
||||||
# leave commented to go to prod.
|
# Optional
|
||||||
#
|
#
|
||||||
# Optional
|
# httpChallenge:
|
||||||
# Default: "https://acme-v02.api.letsencrypt.org/directory"
|
|
||||||
#
|
|
||||||
# caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
|
|
||||||
|
|
||||||
# KeyType to use.
|
# EntryPoint to use for the HTTP-01 challenges.
|
||||||
#
|
#
|
||||||
# Optional
|
# Required
|
||||||
# Default: "RSA4096"
|
#
|
||||||
#
|
# entryPoint: web
|
||||||
# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
|
|
||||||
#
|
|
||||||
# KeyType: RSA4096
|
|
||||||
|
|
||||||
# Use a TLS-ALPN-01 ACME challenge.
|
# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
|
||||||
#
|
# Note: mandatory for wildcard certificate generation.
|
||||||
# Optional (but recommended)
|
#
|
||||||
#
|
# Optional
|
||||||
tlsChallenge:
|
#
|
||||||
|
# dnsChallenge:
|
||||||
|
|
||||||
# Use a HTTP-01 ACME challenge.
|
# DNS provider used.
|
||||||
#
|
#
|
||||||
# Optional
|
# Required
|
||||||
#
|
#
|
||||||
# httpChallenge:
|
# provider: digitalocean
|
||||||
|
|
||||||
# EntryPoint to use for the HTTP-01 challenges.
|
# By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
|
||||||
#
|
# If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
|
||||||
# Required
|
# Useful if internal networks block external DNS queries.
|
||||||
#
|
#
|
||||||
# entryPoint: web
|
# Optional
|
||||||
|
# Default: 0
|
||||||
|
#
|
||||||
|
# delayBeforeCheck: 0
|
||||||
|
|
||||||
# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
|
# Use following DNS servers to resolve the FQDN authority.
|
||||||
# Note: mandatory for wildcard certificate generation.
|
#
|
||||||
#
|
# Optional
|
||||||
# Optional
|
# Default: empty
|
||||||
#
|
#
|
||||||
# dnsChallenge:
|
# resolvers
|
||||||
|
# - "1.1.1.1:53"
|
||||||
|
# - "8.8.8.8:53"
|
||||||
|
|
||||||
# DNS provider used.
|
# Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
|
||||||
#
|
#
|
||||||
# Required
|
# NOT RECOMMENDED:
|
||||||
#
|
# Increase the risk of reaching Let's Encrypt's rate limits.
|
||||||
# provider: digitalocean
|
#
|
||||||
|
# Optional
|
||||||
# By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
|
# Default: false
|
||||||
# If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
|
#
|
||||||
# Useful if internal networks block external DNS queries.
|
# disablePropagationCheck: true
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: 0
|
|
||||||
#
|
|
||||||
# delayBeforeCheck: 0
|
|
||||||
|
|
||||||
# Use following DNS servers to resolve the FQDN authority.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: empty
|
|
||||||
#
|
|
||||||
# resolvers
|
|
||||||
# - "1.1.1.1:53"
|
|
||||||
# - "8.8.8.8:53"
|
|
||||||
|
|
||||||
# Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
|
|
||||||
#
|
|
||||||
# NOT RECOMMENDED:
|
|
||||||
# Increase the risk of reaching Let's Encrypt's rate limits.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# disablePropagationCheck: true
|
|
||||||
|
|
||||||
# Domains list.
|
|
||||||
# Only domains defined here can generate wildcard certificates.
|
|
||||||
# The certificates for these domains are negotiated at traefik startup only.
|
|
||||||
#
|
|
||||||
# domains:
|
|
||||||
# - main: "local1.com"
|
|
||||||
# sans:
|
|
||||||
# - "test1.local1.com"
|
|
||||||
# - "test2.local1.com"
|
|
||||||
# - main: "local2.com"
|
|
||||||
# - main: "*.local3.com"
|
|
||||||
# sans:
|
|
||||||
# - "local3.com"
|
|
||||||
# - "test1.test1.local3.com"
|
|
||||||
|
|
|
@ -36,60 +36,6 @@ Keep access logs with status codes in the specified range.
|
||||||
`--accesslog.format`:
|
`--accesslog.format`:
|
||||||
Access log format: json | common (Default: ```common```)
|
Access log format: json | common (Default: ```common```)
|
||||||
|
|
||||||
`--acme.acmelogging`:
|
|
||||||
Enable debug logging of ACME actions. (Default: ```false```)
|
|
||||||
|
|
||||||
`--acme.caserver`:
|
|
||||||
CA server to use. (Default: ```https://acme-v02.api.letsencrypt.org/directory```)
|
|
||||||
|
|
||||||
`--acme.dnschallenge`:
|
|
||||||
Activate DNS-01 Challenge. (Default: ```false```)
|
|
||||||
|
|
||||||
`--acme.dnschallenge.delaybeforecheck`:
|
|
||||||
Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
|
|
||||||
|
|
||||||
`--acme.dnschallenge.disablepropagationcheck`:
|
|
||||||
Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
|
|
||||||
|
|
||||||
`--acme.dnschallenge.provider`:
|
|
||||||
Use a DNS-01 based challenge provider rather than HTTPS.
|
|
||||||
|
|
||||||
`--acme.dnschallenge.resolvers`:
|
|
||||||
Use following DNS servers to resolve the FQDN authority.
|
|
||||||
|
|
||||||
`--acme.domains`:
|
|
||||||
The list of domains for which certificates are generated on startup. Wildcard domains only accepted with DNSChallenge.
|
|
||||||
|
|
||||||
`--acme.domains[n].main`:
|
|
||||||
Default subject name.
|
|
||||||
|
|
||||||
`--acme.domains[n].sans`:
|
|
||||||
Subject alternative names.
|
|
||||||
|
|
||||||
`--acme.email`:
|
|
||||||
Email address used for registration.
|
|
||||||
|
|
||||||
`--acme.entrypoint`:
|
|
||||||
EntryPoint to use.
|
|
||||||
|
|
||||||
`--acme.httpchallenge`:
|
|
||||||
Activate HTTP-01 Challenge. (Default: ```false```)
|
|
||||||
|
|
||||||
`--acme.httpchallenge.entrypoint`:
|
|
||||||
HTTP challenge EntryPoint
|
|
||||||
|
|
||||||
`--acme.keytype`:
|
|
||||||
KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. (Default: ```RSA4096```)
|
|
||||||
|
|
||||||
`--acme.onhostrule`:
|
|
||||||
Enable certificate generation on router Host rules. (Default: ```false```)
|
|
||||||
|
|
||||||
`--acme.storage`:
|
|
||||||
Storage to use. (Default: ```acme.json```)
|
|
||||||
|
|
||||||
`--acme.tlschallenge`:
|
|
||||||
Activate TLS-ALPN-01 Challenge. (Default: ```true```)
|
|
||||||
|
|
||||||
`--api`:
|
`--api`:
|
||||||
Enable api/dashboard. (Default: ```false```)
|
Enable api/dashboard. (Default: ```false```)
|
||||||
|
|
||||||
|
@ -111,6 +57,45 @@ Enable more detailed statistics. (Default: ```false```)
|
||||||
`--api.statistics.recenterrors`:
|
`--api.statistics.recenterrors`:
|
||||||
Number of recent errors logged. (Default: ```10```)
|
Number of recent errors logged. (Default: ```10```)
|
||||||
|
|
||||||
|
`--certificatesresolvers.<name>`:
|
||||||
|
Certificates resolvers configuration. (Default: ```false```)
|
||||||
|
|
||||||
|
`--certificatesresolvers.<name>.acme.caserver`:
|
||||||
|
CA server to use. (Default: ```https://acme-v02.api.letsencrypt.org/directory```)
|
||||||
|
|
||||||
|
`--certificatesresolvers.<name>.acme.dnschallenge`:
|
||||||
|
Activate DNS-01 Challenge. (Default: ```false```)
|
||||||
|
|
||||||
|
`--certificatesresolvers.<name>.acme.dnschallenge.delaybeforecheck`:
|
||||||
|
Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
|
||||||
|
|
||||||
|
`--certificatesresolvers.<name>.acme.dnschallenge.disablepropagationcheck`:
|
||||||
|
Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
|
||||||
|
|
||||||
|
`--certificatesresolvers.<name>.acme.dnschallenge.provider`:
|
||||||
|
Use a DNS-01 based challenge provider rather than HTTPS.
|
||||||
|
|
||||||
|
`--certificatesresolvers.<name>.acme.dnschallenge.resolvers`:
|
||||||
|
Use following DNS servers to resolve the FQDN authority.
|
||||||
|
|
||||||
|
`--certificatesresolvers.<name>.acme.email`:
|
||||||
|
Email address used for registration.
|
||||||
|
|
||||||
|
`--certificatesresolvers.<name>.acme.httpchallenge`:
|
||||||
|
Activate HTTP-01 Challenge. (Default: ```false```)
|
||||||
|
|
||||||
|
`--certificatesresolvers.<name>.acme.httpchallenge.entrypoint`:
|
||||||
|
HTTP challenge EntryPoint
|
||||||
|
|
||||||
|
`--certificatesresolvers.<name>.acme.keytype`:
|
||||||
|
KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. (Default: ```RSA4096```)
|
||||||
|
|
||||||
|
`--certificatesresolvers.<name>.acme.storage`:
|
||||||
|
Storage to use. (Default: ```acme.json```)
|
||||||
|
|
||||||
|
`--certificatesresolvers.<name>.acme.tlschallenge`:
|
||||||
|
Activate TLS-ALPN-01 Challenge. (Default: ```true```)
|
||||||
|
|
||||||
`--entrypoints.<name>`:
|
`--entrypoints.<name>`:
|
||||||
Entry points definition. (Default: ```false```)
|
Entry points definition. (Default: ```false```)
|
||||||
|
|
||||||
|
|
|
@ -36,60 +36,6 @@ Keep access logs with status codes in the specified range.
|
||||||
`TRAEFIK_ACCESSLOG_FORMAT`:
|
`TRAEFIK_ACCESSLOG_FORMAT`:
|
||||||
Access log format: json | common (Default: ```common```)
|
Access log format: json | common (Default: ```common```)
|
||||||
|
|
||||||
`TRAEFIK_ACME_ACMELOGGING`:
|
|
||||||
Enable debug logging of ACME actions. (Default: ```false```)
|
|
||||||
|
|
||||||
`TRAEFIK_ACME_CASERVER`:
|
|
||||||
CA server to use. (Default: ```https://acme-v02.api.letsencrypt.org/directory```)
|
|
||||||
|
|
||||||
`TRAEFIK_ACME_DNSCHALLENGE`:
|
|
||||||
Activate DNS-01 Challenge. (Default: ```false```)
|
|
||||||
|
|
||||||
`TRAEFIK_ACME_DNSCHALLENGE_DELAYBEFORECHECK`:
|
|
||||||
Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
|
|
||||||
|
|
||||||
`TRAEFIK_ACME_DNSCHALLENGE_DISABLEPROPAGATIONCHECK`:
|
|
||||||
Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
|
|
||||||
|
|
||||||
`TRAEFIK_ACME_DNSCHALLENGE_PROVIDER`:
|
|
||||||
Use a DNS-01 based challenge provider rather than HTTPS.
|
|
||||||
|
|
||||||
`TRAEFIK_ACME_DNSCHALLENGE_RESOLVERS`:
|
|
||||||
Use following DNS servers to resolve the FQDN authority.
|
|
||||||
|
|
||||||
`TRAEFIK_ACME_DOMAINS`:
|
|
||||||
The list of domains for which certificates are generated on startup. Wildcard domains only accepted with DNSChallenge.
|
|
||||||
|
|
||||||
`TRAEFIK_ACME_DOMAINS[n]_MAIN`:
|
|
||||||
Default subject name.
|
|
||||||
|
|
||||||
`TRAEFIK_ACME_DOMAINS[n]_SANS`:
|
|
||||||
Subject alternative names.
|
|
||||||
|
|
||||||
`TRAEFIK_ACME_EMAIL`:
|
|
||||||
Email address used for registration.
|
|
||||||
|
|
||||||
`TRAEFIK_ACME_ENTRYPOINT`:
|
|
||||||
EntryPoint to use.
|
|
||||||
|
|
||||||
`TRAEFIK_ACME_HTTPCHALLENGE`:
|
|
||||||
Activate HTTP-01 Challenge. (Default: ```false```)
|
|
||||||
|
|
||||||
`TRAEFIK_ACME_HTTPCHALLENGE_ENTRYPOINT`:
|
|
||||||
HTTP challenge EntryPoint
|
|
||||||
|
|
||||||
`TRAEFIK_ACME_KEYTYPE`:
|
|
||||||
KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. (Default: ```RSA4096```)
|
|
||||||
|
|
||||||
`TRAEFIK_ACME_ONHOSTRULE`:
|
|
||||||
Enable certificate generation on router Host rules. (Default: ```false```)
|
|
||||||
|
|
||||||
`TRAEFIK_ACME_STORAGE`:
|
|
||||||
Storage to use. (Default: ```acme.json```)
|
|
||||||
|
|
||||||
`TRAEFIK_ACME_TLSCHALLENGE`:
|
|
||||||
Activate TLS-ALPN-01 Challenge. (Default: ```true```)
|
|
||||||
|
|
||||||
`TRAEFIK_API`:
|
`TRAEFIK_API`:
|
||||||
Enable api/dashboard. (Default: ```false```)
|
Enable api/dashboard. (Default: ```false```)
|
||||||
|
|
||||||
|
@ -111,6 +57,45 @@ Enable more detailed statistics. (Default: ```false```)
|
||||||
`TRAEFIK_API_STATISTICS_RECENTERRORS`:
|
`TRAEFIK_API_STATISTICS_RECENTERRORS`:
|
||||||
Number of recent errors logged. (Default: ```10```)
|
Number of recent errors logged. (Default: ```10```)
|
||||||
|
|
||||||
|
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>`:
|
||||||
|
Certificates resolvers configuration. (Default: ```false```)
|
||||||
|
|
||||||
|
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CASERVER`:
|
||||||
|
CA server to use. (Default: ```https://acme-v02.api.letsencrypt.org/directory```)
|
||||||
|
|
||||||
|
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE`:
|
||||||
|
Activate DNS-01 Challenge. (Default: ```false```)
|
||||||
|
|
||||||
|
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_DELAYBEFORECHECK`:
|
||||||
|
Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
|
||||||
|
|
||||||
|
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_DISABLEPROPAGATIONCHECK`:
|
||||||
|
Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
|
||||||
|
|
||||||
|
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROVIDER`:
|
||||||
|
Use a DNS-01 based challenge provider rather than HTTPS.
|
||||||
|
|
||||||
|
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_RESOLVERS`:
|
||||||
|
Use following DNS servers to resolve the FQDN authority.
|
||||||
|
|
||||||
|
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_EMAIL`:
|
||||||
|
Email address used for registration.
|
||||||
|
|
||||||
|
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE`:
|
||||||
|
Activate HTTP-01 Challenge. (Default: ```false```)
|
||||||
|
|
||||||
|
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE_ENTRYPOINT`:
|
||||||
|
HTTP challenge EntryPoint
|
||||||
|
|
||||||
|
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_KEYTYPE`:
|
||||||
|
KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. (Default: ```RSA4096```)
|
||||||
|
|
||||||
|
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_STORAGE`:
|
||||||
|
Storage to use. (Default: ```acme.json```)
|
||||||
|
|
||||||
|
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_TLSCHALLENGE`:
|
||||||
|
Activate TLS-ALPN-01 Challenge. (Default: ```true```)
|
||||||
|
|
||||||
`TRAEFIK_ENTRYPOINTS_<NAME>`:
|
`TRAEFIK_ENTRYPOINTS_<NAME>`:
|
||||||
Entry points definition. (Default: ```false```)
|
Entry points definition. (Default: ```false```)
|
||||||
|
|
||||||
|
|
|
@ -221,12 +221,10 @@
|
||||||
|
|
||||||
[acme]
|
[acme]
|
||||||
email = "foobar"
|
email = "foobar"
|
||||||
acmeLogging = true
|
|
||||||
caServer = "foobar"
|
caServer = "foobar"
|
||||||
storage = "foobar"
|
storage = "foobar"
|
||||||
entryPoint = "foobar"
|
entryPoint = "foobar"
|
||||||
keyType = "foobar"
|
keyType = "foobar"
|
||||||
onHostRule = true
|
|
||||||
[acme.dnsChallenge]
|
[acme.dnsChallenge]
|
||||||
provider = "foobar"
|
provider = "foobar"
|
||||||
delayBeforeCheck = 42
|
delayBeforeCheck = 42
|
||||||
|
|
|
@ -230,12 +230,10 @@ hostResolver:
|
||||||
resolvDepth: 42
|
resolvDepth: 42
|
||||||
acme:
|
acme:
|
||||||
email: foobar
|
email: foobar
|
||||||
acmeLogging: true
|
|
||||||
caServer: foobar
|
caServer: foobar
|
||||||
storage: foobar
|
storage: foobar
|
||||||
entryPoint: foobar
|
entryPoint: foobar
|
||||||
keyType: foobar
|
keyType: foobar
|
||||||
onHostRule: true
|
|
||||||
dnsChallenge:
|
dnsChallenge:
|
||||||
provider: foobar
|
provider: foobar
|
||||||
delayBeforeCheck: 42
|
delayBeforeCheck: 42
|
||||||
|
|
|
@ -325,9 +325,9 @@ Traefik will terminate the SSL connections (meaning that it will send decrypted
|
||||||
service: service-id
|
service: service-id
|
||||||
```
|
```
|
||||||
|
|
||||||
#### `Options`
|
#### `options`
|
||||||
|
|
||||||
The `Options` field enables fine-grained control of the TLS parameters.
|
The `options` field enables fine-grained control of the TLS parameters.
|
||||||
It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied only if a `Host` rule is defined.
|
It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied only if a `Host` rule is defined.
|
||||||
|
|
||||||
!!! note "Server Name Association"
|
!!! note "Server Name Association"
|
||||||
|
@ -384,13 +384,13 @@ It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied
|
||||||
[http.routers.routerfoo]
|
[http.routers.routerfoo]
|
||||||
rule = "Host(`snitest.com`) && Path(`/foo`)"
|
rule = "Host(`snitest.com`) && Path(`/foo`)"
|
||||||
[http.routers.routerfoo.tls]
|
[http.routers.routerfoo.tls]
|
||||||
options="foo"
|
options = "foo"
|
||||||
|
|
||||||
[http.routers]
|
[http.routers]
|
||||||
[http.routers.routerbar]
|
[http.routers.routerbar]
|
||||||
rule = "Host(`snitest.com`) && Path(`/bar`)"
|
rule = "Host(`snitest.com`) && Path(`/bar`)"
|
||||||
[http.routers.routerbar.tls]
|
[http.routers.routerbar.tls]
|
||||||
options="bar"
|
options = "bar"
|
||||||
```
|
```
|
||||||
|
|
||||||
```yaml tab="YAML"
|
```yaml tab="YAML"
|
||||||
|
@ -409,6 +409,76 @@ It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied
|
||||||
|
|
||||||
If that happens, both mappings are discarded, and the host name (`snitest.com` in this case) for these routers gets associated with the default TLS options instead.
|
If that happens, both mappings are discarded, and the host name (`snitest.com` in this case) for these routers gets associated with the default TLS options instead.
|
||||||
|
|
||||||
|
#### `certResolver`
|
||||||
|
|
||||||
|
If `certResolver` is defined, Traefik will try to generate certificates based on routers `Host` & `HostSNI` rules.
|
||||||
|
|
||||||
|
```toml tab="TOML"
|
||||||
|
[http.routers]
|
||||||
|
[http.routers.routerfoo]
|
||||||
|
rule = "Host(`snitest.com`) && Path(`/foo`)"
|
||||||
|
[http.routers.routerfoo.tls]
|
||||||
|
certResolver = "foo"
|
||||||
|
```
|
||||||
|
|
||||||
|
```yaml tab="YAML"
|
||||||
|
http:
|
||||||
|
routers:
|
||||||
|
routerfoo:
|
||||||
|
rule: "Host(`snitest.com`) && Path(`/foo`)"
|
||||||
|
tls:
|
||||||
|
certResolver: foo
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! note "Multiple Hosts in a Rule"
|
||||||
|
The rule `Host(test1.traefik.io,test2.traefik.io)` will request a certificate with the main domain `test1.traefik.io` and SAN `test2.traefik.io`.
|
||||||
|
|
||||||
|
#### `domains`
|
||||||
|
|
||||||
|
You can set SANs (alternative domains) for each main domain.
|
||||||
|
Every domain must have A/AAAA records pointing to Traefik.
|
||||||
|
Each domain & SAN will lead to a certificate request.
|
||||||
|
|
||||||
|
```toml tab="TOML"
|
||||||
|
[http.routers]
|
||||||
|
[http.routers.routerbar]
|
||||||
|
rule = "Host(`snitest.com`) && Path(`/bar`)"
|
||||||
|
[http.routers.routerbar.tls]
|
||||||
|
certResolver = "bar"
|
||||||
|
[[http.routers.routerbar.tls.domains]]
|
||||||
|
main = "snitest.com"
|
||||||
|
sans = "*.snitest.com"
|
||||||
|
```
|
||||||
|
|
||||||
|
```yaml tab="YAML"
|
||||||
|
http:
|
||||||
|
routers:
|
||||||
|
routerbar:
|
||||||
|
rule: "Host(`snitest.com`) && Path(`/bar`)"
|
||||||
|
tls:
|
||||||
|
certResolver: "bar"
|
||||||
|
domains:
|
||||||
|
- main: "snitest.com"
|
||||||
|
sans: "*.snitest.com"
|
||||||
|
```
|
||||||
|
|
||||||
|
[ACME v2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
|
||||||
|
As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](./../../https/acme.md#dnschallenge).
|
||||||
|
|
||||||
|
Most likely the root domain should receive a certificate too, so it needs to be specified as SAN and 2 `DNS-01` challenges are executed.
|
||||||
|
In this case the generated DNS TXT record for both domains is the same.
|
||||||
|
Even though this behavior is [DNS RFC](https://community.letsencrypt.org/t/wildcard-issuance-two-txt-records-for-the-same-name/54528/2) compliant,
|
||||||
|
it can lead to problems as all DNS providers keep DNS records cached for a given time (TTL) and this TTL can be greater than the challenge timeout making the `DNS-01` challenge fail.
|
||||||
|
|
||||||
|
The Traefik ACME client library [LEGO](https://github.com/go-acme/lego) supports some but not all DNS providers to work around this issue.
|
||||||
|
The [Supported `provider` table](./../../https/acme.md#providers) indicates if they allow generating certificates for a wildcard domain and its root domain.
|
||||||
|
|
||||||
|
!!! note
|
||||||
|
Wildcard certificates can only be verified through a `DNS-01` challenge.
|
||||||
|
|
||||||
|
!!! note "Double Wildcard Certificates"
|
||||||
|
It is not possible to request a double wildcard certificate for a domain (for example `*.*.local.com`).
|
||||||
|
|
||||||
## Configuring TCP Routers
|
## Configuring TCP Routers
|
||||||
|
|
||||||
### General
|
### General
|
||||||
|
@ -593,9 +663,9 @@ Services are the target for the router.
|
||||||
|
|
||||||
In the current version, with [ACME](../../https/acme.md) enabled, automatic certificate generation will apply to every router declaring a TLS section.
|
In the current version, with [ACME](../../https/acme.md) enabled, automatic certificate generation will apply to every router declaring a TLS section.
|
||||||
|
|
||||||
#### `Options`
|
#### `options`
|
||||||
|
|
||||||
The `Options` field enables fine-grained control of the TLS parameters.
|
The `options` field enables fine-grained control of the TLS parameters.
|
||||||
It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied only if a `HostSNI` rule is defined.
|
It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied only if a `HostSNI` rule is defined.
|
||||||
|
|
||||||
??? example "Configuring the tls options"
|
??? example "Configuring the tls options"
|
||||||
|
@ -636,3 +706,51 @@ It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied
|
||||||
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
|
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
|
||||||
- "TLS_RSA_WITH_AES_256_GCM_SHA384"
|
- "TLS_RSA_WITH_AES_256_GCM_SHA384"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### `certResolver`
|
||||||
|
|
||||||
|
See [`certResolver` for HTTP router](./index.md#certresolver) for more information.
|
||||||
|
|
||||||
|
```toml tab="TOML"
|
||||||
|
[tcp.routers]
|
||||||
|
[tcp.routers.routerfoo]
|
||||||
|
rule = "HostSNI(`snitest.com`)"
|
||||||
|
[tcp.routers.routerfoo.tls]
|
||||||
|
certResolver = "foo"
|
||||||
|
```
|
||||||
|
|
||||||
|
```yaml tab="YAML"
|
||||||
|
tcp:
|
||||||
|
routers:
|
||||||
|
routerfoo:
|
||||||
|
rule: "HostSNI(`snitest.com`)"
|
||||||
|
tls:
|
||||||
|
certResolver: foo
|
||||||
|
```
|
||||||
|
|
||||||
|
#### `domains`
|
||||||
|
|
||||||
|
See [`domains` for HTTP router](./index.md#domains) for more information.
|
||||||
|
|
||||||
|
```toml tab="TOML"
|
||||||
|
[tcp.routers]
|
||||||
|
[tcp.routers.routerbar]
|
||||||
|
rule = "HostSNI(`snitest.com`)"
|
||||||
|
[tcp.routers.routerbar.tls]
|
||||||
|
certResolver = "bar"
|
||||||
|
[[tcp.routers.routerbar.tls.domains]]
|
||||||
|
main = "snitest.com"
|
||||||
|
sans = "*.snitest.com"
|
||||||
|
```
|
||||||
|
|
||||||
|
```yaml tab="YAML"
|
||||||
|
tcp:
|
||||||
|
routers:
|
||||||
|
routerbar:
|
||||||
|
rule: "HostSNI(`snitest.com`)"
|
||||||
|
tls:
|
||||||
|
certResolver: "bar"
|
||||||
|
domains:
|
||||||
|
- main: "snitest.com"
|
||||||
|
sans: "*.snitest.com"
|
||||||
|
```
|
||||||
|
|
|
@ -33,16 +33,13 @@ spec:
|
||||||
- --entrypoints.web.Address=:8000
|
- --entrypoints.web.Address=:8000
|
||||||
- --entrypoints.websecure.Address=:4443
|
- --entrypoints.websecure.Address=:4443
|
||||||
- --providers.kubernetescrd
|
- --providers.kubernetescrd
|
||||||
- --acme
|
- --certificatesresolvers.default.acme.tlschallenge
|
||||||
- --acme.acmelogging
|
- --certificatesresolvers.default.acme.email=foo@you.com
|
||||||
- --acme.tlschallenge
|
- --certificatesresolvers.default.acme.entrypoint=websecure
|
||||||
- --acme.onhostrule
|
- --certificatesresolvers.default.acme.storage=acme.json
|
||||||
- --acme.email=foo@you.com
|
|
||||||
- --acme.entrypoint=websecure
|
|
||||||
- --acme.storage=acme.json
|
|
||||||
# Please note that this is the staging Let's Encrypt server.
|
# Please note that this is the staging Let's Encrypt server.
|
||||||
# Once you get things working, you should remove that whole line altogether.
|
# Once you get things working, you should remove that whole line altogether.
|
||||||
- --acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
|
- --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
|
||||||
ports:
|
ports:
|
||||||
- name: web
|
- name: web
|
||||||
containerPort: 8000
|
containerPort: 8000
|
||||||
|
|
|
@ -26,5 +26,5 @@ spec:
|
||||||
services:
|
services:
|
||||||
- name: whoami
|
- name: whoami
|
||||||
port: 80
|
port: 80
|
||||||
# Please note the use of an empty TLS object to enable TLS with Let's Encrypt.
|
tls:
|
||||||
tls: {}
|
certResolver: default
|
||||||
|
|
|
@ -11,6 +11,7 @@ import (
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/containous/traefik/integration/try"
|
"github.com/containous/traefik/integration/try"
|
||||||
|
"github.com/containous/traefik/pkg/config/static"
|
||||||
"github.com/containous/traefik/pkg/provider/acme"
|
"github.com/containous/traefik/pkg/provider/acme"
|
||||||
"github.com/containous/traefik/pkg/testhelpers"
|
"github.com/containous/traefik/pkg/testhelpers"
|
||||||
"github.com/containous/traefik/pkg/types"
|
"github.com/containous/traefik/pkg/types"
|
||||||
|
@ -26,17 +27,23 @@ type AcmeSuite struct {
|
||||||
fakeDNSServer *dns.Server
|
fakeDNSServer *dns.Server
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type subCases struct {
|
||||||
|
host string
|
||||||
|
expectedCommonName string
|
||||||
|
expectedAlgorithm x509.PublicKeyAlgorithm
|
||||||
|
}
|
||||||
|
|
||||||
type acmeTestCase struct {
|
type acmeTestCase struct {
|
||||||
template templateModel
|
template templateModel
|
||||||
traefikConfFilePath string
|
traefikConfFilePath string
|
||||||
expectedCommonName string
|
subCases []subCases
|
||||||
expectedAlgorithm x509.PublicKeyAlgorithm
|
|
||||||
}
|
}
|
||||||
|
|
||||||
type templateModel struct {
|
type templateModel struct {
|
||||||
|
Domains []types.Domain
|
||||||
PortHTTP string
|
PortHTTP string
|
||||||
PortHTTPS string
|
PortHTTPS string
|
||||||
Acme acme.Configuration
|
Acme map[string]static.CertificateResolver
|
||||||
}
|
}
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
@ -120,40 +127,48 @@ func (s *AcmeSuite) TearDownSuite(c *check.C) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *AcmeSuite) TestHTTP01DomainsAtStart(c *check.C) {
|
func (s *AcmeSuite) TestHTTP01Domains(c *check.C) {
|
||||||
c.Skip("We need to fix DefaultCertificate at start")
|
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
traefikConfFilePath: "fixtures/acme/acme_domains.toml",
|
||||||
|
subCases: []subCases{{
|
||||||
|
host: acmeDomain,
|
||||||
|
expectedCommonName: acmeDomain,
|
||||||
|
expectedAlgorithm: x509.RSA,
|
||||||
|
}},
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Domains: []types.Domain{{
|
||||||
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
Main: "traefik.acme.wtf",
|
||||||
Domains: types.Domains{types.Domain{
|
}},
|
||||||
Main: "traefik.acme.wtf",
|
Acme: map[string]static.CertificateResolver{
|
||||||
|
"default": {ACME: &acme.Configuration{
|
||||||
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
||||||
}},
|
}},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expectedCommonName: acmeDomain,
|
|
||||||
expectedAlgorithm: x509.RSA,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
s.retrieveAcmeCertificate(c, testCase)
|
s.retrieveAcmeCertificate(c, testCase)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *AcmeSuite) TestHTTP01DomainsInSANAtStart(c *check.C) {
|
func (s *AcmeSuite) TestHTTP01DomainsInSAN(c *check.C) {
|
||||||
c.Skip("We need to fix DefaultCertificate at start")
|
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
traefikConfFilePath: "fixtures/acme/acme_domains.toml",
|
||||||
|
subCases: []subCases{{
|
||||||
|
host: acmeDomain,
|
||||||
|
expectedCommonName: "acme.wtf",
|
||||||
|
expectedAlgorithm: x509.RSA,
|
||||||
|
}},
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Domains: []types.Domain{{
|
||||||
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
Main: "acme.wtf",
|
||||||
Domains: types.Domains{types.Domain{
|
SANs: []string{"traefik.acme.wtf"},
|
||||||
Main: "acme.wtf",
|
}},
|
||||||
SANs: []string{"traefik.acme.wtf"},
|
Acme: map[string]static.CertificateResolver{
|
||||||
|
"default": {ACME: &acme.Configuration{
|
||||||
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
||||||
}},
|
}},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expectedCommonName: "acme.wtf",
|
|
||||||
expectedAlgorithm: x509.RSA,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
s.retrieveAcmeCertificate(c, testCase)
|
s.retrieveAcmeCertificate(c, testCase)
|
||||||
|
@ -162,14 +177,49 @@ func (s *AcmeSuite) TestHTTP01DomainsInSANAtStart(c *check.C) {
|
||||||
func (s *AcmeSuite) TestHTTP01OnHostRule(c *check.C) {
|
func (s *AcmeSuite) TestHTTP01OnHostRule(c *check.C) {
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
||||||
|
subCases: []subCases{{
|
||||||
|
host: acmeDomain,
|
||||||
|
expectedCommonName: acmeDomain,
|
||||||
|
expectedAlgorithm: x509.RSA,
|
||||||
|
}},
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Acme: map[string]static.CertificateResolver{
|
||||||
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
"default": {ACME: &acme.Configuration{
|
||||||
OnHostRule: true,
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
||||||
|
}},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
s.retrieveAcmeCertificate(c, testCase)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *AcmeSuite) TestMultipleResolver(c *check.C) {
|
||||||
|
testCase := acmeTestCase{
|
||||||
|
traefikConfFilePath: "fixtures/acme/acme_multiple_resolvers.toml",
|
||||||
|
subCases: []subCases{
|
||||||
|
{
|
||||||
|
host: acmeDomain,
|
||||||
|
expectedCommonName: acmeDomain,
|
||||||
|
expectedAlgorithm: x509.RSA,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
host: "tchouk.acme.wtf",
|
||||||
|
expectedCommonName: "tchouk.acme.wtf",
|
||||||
|
expectedAlgorithm: x509.ECDSA,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
template: templateModel{
|
||||||
|
Acme: map[string]static.CertificateResolver{
|
||||||
|
"default": {ACME: &acme.Configuration{
|
||||||
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
||||||
|
}},
|
||||||
|
"tchouk": {ACME: &acme.Configuration{
|
||||||
|
TLSChallenge: &acme.TLSChallenge{},
|
||||||
|
KeyType: "EC256",
|
||||||
|
}},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expectedCommonName: acmeDomain,
|
|
||||||
expectedAlgorithm: x509.RSA,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
s.retrieveAcmeCertificate(c, testCase)
|
s.retrieveAcmeCertificate(c, testCase)
|
||||||
|
@ -178,15 +228,19 @@ func (s *AcmeSuite) TestHTTP01OnHostRule(c *check.C) {
|
||||||
func (s *AcmeSuite) TestHTTP01OnHostRuleECDSA(c *check.C) {
|
func (s *AcmeSuite) TestHTTP01OnHostRuleECDSA(c *check.C) {
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
||||||
|
subCases: []subCases{{
|
||||||
|
host: acmeDomain,
|
||||||
|
expectedCommonName: acmeDomain,
|
||||||
|
expectedAlgorithm: x509.ECDSA,
|
||||||
|
}},
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Acme: map[string]static.CertificateResolver{
|
||||||
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
"default": {ACME: &acme.Configuration{
|
||||||
OnHostRule: true,
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
||||||
KeyType: "EC384",
|
KeyType: "EC384",
|
||||||
|
}},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expectedCommonName: acmeDomain,
|
|
||||||
expectedAlgorithm: x509.ECDSA,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
s.retrieveAcmeCertificate(c, testCase)
|
s.retrieveAcmeCertificate(c, testCase)
|
||||||
|
@ -195,31 +249,39 @@ func (s *AcmeSuite) TestHTTP01OnHostRuleECDSA(c *check.C) {
|
||||||
func (s *AcmeSuite) TestHTTP01OnHostRuleInvalidAlgo(c *check.C) {
|
func (s *AcmeSuite) TestHTTP01OnHostRuleInvalidAlgo(c *check.C) {
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
||||||
|
subCases: []subCases{{
|
||||||
|
host: acmeDomain,
|
||||||
|
expectedCommonName: acmeDomain,
|
||||||
|
expectedAlgorithm: x509.RSA,
|
||||||
|
}},
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Acme: map[string]static.CertificateResolver{
|
||||||
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
"default": {ACME: &acme.Configuration{
|
||||||
OnHostRule: true,
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
||||||
KeyType: "INVALID",
|
KeyType: "INVALID",
|
||||||
|
}},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expectedCommonName: acmeDomain,
|
|
||||||
expectedAlgorithm: x509.RSA,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
s.retrieveAcmeCertificate(c, testCase)
|
s.retrieveAcmeCertificate(c, testCase)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *AcmeSuite) TestHTTP01OnHostRuleStaticCertificatesWithWildcard(c *check.C) {
|
func (s *AcmeSuite) TestHTTP01OnHostRuleDefaultDynamicCertificatesWithWildcard(c *check.C) {
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme_tls.toml",
|
traefikConfFilePath: "fixtures/acme/acme_tls.toml",
|
||||||
|
subCases: []subCases{{
|
||||||
|
host: acmeDomain,
|
||||||
|
expectedCommonName: wildcardDomain,
|
||||||
|
expectedAlgorithm: x509.RSA,
|
||||||
|
}},
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Acme: map[string]static.CertificateResolver{
|
||||||
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
"default": {ACME: &acme.Configuration{
|
||||||
OnHostRule: true,
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
||||||
|
}},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expectedCommonName: wildcardDomain,
|
|
||||||
expectedAlgorithm: x509.RSA,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
s.retrieveAcmeCertificate(c, testCase)
|
s.retrieveAcmeCertificate(c, testCase)
|
||||||
|
@ -228,14 +290,38 @@ func (s *AcmeSuite) TestHTTP01OnHostRuleStaticCertificatesWithWildcard(c *check.
|
||||||
func (s *AcmeSuite) TestHTTP01OnHostRuleDynamicCertificatesWithWildcard(c *check.C) {
|
func (s *AcmeSuite) TestHTTP01OnHostRuleDynamicCertificatesWithWildcard(c *check.C) {
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme_tls_dynamic.toml",
|
traefikConfFilePath: "fixtures/acme/acme_tls_dynamic.toml",
|
||||||
|
subCases: []subCases{{
|
||||||
|
host: acmeDomain,
|
||||||
|
expectedCommonName: wildcardDomain,
|
||||||
|
expectedAlgorithm: x509.RSA,
|
||||||
|
}},
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Acme: map[string]static.CertificateResolver{
|
||||||
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
"default": {ACME: &acme.Configuration{
|
||||||
OnHostRule: true,
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
||||||
|
}},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
s.retrieveAcmeCertificate(c, testCase)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *AcmeSuite) TestTLSALPN01OnHostRuleTCP(c *check.C) {
|
||||||
|
testCase := acmeTestCase{
|
||||||
|
traefikConfFilePath: "fixtures/acme/acme_tcp.toml",
|
||||||
|
subCases: []subCases{{
|
||||||
|
host: acmeDomain,
|
||||||
|
expectedCommonName: acmeDomain,
|
||||||
|
expectedAlgorithm: x509.RSA,
|
||||||
|
}},
|
||||||
|
template: templateModel{
|
||||||
|
Acme: map[string]static.CertificateResolver{
|
||||||
|
"default": {ACME: &acme.Configuration{
|
||||||
|
TLSChallenge: &acme.TLSChallenge{},
|
||||||
|
}},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expectedCommonName: wildcardDomain,
|
|
||||||
expectedAlgorithm: x509.RSA,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
s.retrieveAcmeCertificate(c, testCase)
|
s.retrieveAcmeCertificate(c, testCase)
|
||||||
|
@ -244,72 +330,65 @@ func (s *AcmeSuite) TestHTTP01OnHostRuleDynamicCertificatesWithWildcard(c *check
|
||||||
func (s *AcmeSuite) TestTLSALPN01OnHostRule(c *check.C) {
|
func (s *AcmeSuite) TestTLSALPN01OnHostRule(c *check.C) {
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
||||||
|
subCases: []subCases{{
|
||||||
|
host: acmeDomain,
|
||||||
|
expectedCommonName: acmeDomain,
|
||||||
|
expectedAlgorithm: x509.RSA,
|
||||||
|
}},
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Acme: map[string]static.CertificateResolver{
|
||||||
TLSChallenge: &acme.TLSChallenge{},
|
"default": {ACME: &acme.Configuration{
|
||||||
OnHostRule: true,
|
TLSChallenge: &acme.TLSChallenge{},
|
||||||
|
}},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expectedCommonName: acmeDomain,
|
|
||||||
expectedAlgorithm: x509.RSA,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
s.retrieveAcmeCertificate(c, testCase)
|
s.retrieveAcmeCertificate(c, testCase)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *AcmeSuite) TestTLSALPN01DomainsAtStart(c *check.C) {
|
func (s *AcmeSuite) TestTLSALPN01Domains(c *check.C) {
|
||||||
c.Skip("We need to fix DefaultCertificate at start")
|
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
traefikConfFilePath: "fixtures/acme/acme_domains.toml",
|
||||||
|
subCases: []subCases{{
|
||||||
|
host: acmeDomain,
|
||||||
|
expectedCommonName: acmeDomain,
|
||||||
|
expectedAlgorithm: x509.RSA,
|
||||||
|
}},
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Domains: []types.Domain{{
|
||||||
TLSChallenge: &acme.TLSChallenge{},
|
Main: "traefik.acme.wtf",
|
||||||
Domains: types.Domains{types.Domain{
|
}},
|
||||||
Main: "traefik.acme.wtf",
|
Acme: map[string]static.CertificateResolver{
|
||||||
|
"default": {ACME: &acme.Configuration{
|
||||||
|
TLSChallenge: &acme.TLSChallenge{},
|
||||||
}},
|
}},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expectedCommonName: acmeDomain,
|
|
||||||
expectedAlgorithm: x509.RSA,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
s.retrieveAcmeCertificate(c, testCase)
|
s.retrieveAcmeCertificate(c, testCase)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *AcmeSuite) TestTLSALPN01DomainsInSANAtStart(c *check.C) {
|
func (s *AcmeSuite) TestTLSALPN01DomainsInSAN(c *check.C) {
|
||||||
c.Skip("We need to fix DefaultCertificate at start")
|
|
||||||
testCase := acmeTestCase{
|
testCase := acmeTestCase{
|
||||||
traefikConfFilePath: "fixtures/acme/acme_base.toml",
|
traefikConfFilePath: "fixtures/acme/acme_domains.toml",
|
||||||
|
subCases: []subCases{{
|
||||||
|
host: acmeDomain,
|
||||||
|
expectedCommonName: "acme.wtf",
|
||||||
|
expectedAlgorithm: x509.RSA,
|
||||||
|
}},
|
||||||
template: templateModel{
|
template: templateModel{
|
||||||
Acme: acme.Configuration{
|
Domains: []types.Domain{{
|
||||||
TLSChallenge: &acme.TLSChallenge{},
|
Main: "acme.wtf",
|
||||||
Domains: types.Domains{types.Domain{
|
SANs: []string{"traefik.acme.wtf"},
|
||||||
Main: "acme.wtf",
|
}},
|
||||||
SANs: []string{"traefik.acme.wtf"},
|
Acme: map[string]static.CertificateResolver{
|
||||||
|
"default": {ACME: &acme.Configuration{
|
||||||
|
TLSChallenge: &acme.TLSChallenge{},
|
||||||
}},
|
}},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expectedCommonName: "acme.wtf",
|
|
||||||
expectedAlgorithm: x509.RSA,
|
|
||||||
}
|
|
||||||
|
|
||||||
s.retrieveAcmeCertificate(c, testCase)
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *AcmeSuite) TestTLSALPN01DomainsWithProvidedWildcardDomainAtStart(c *check.C) {
|
|
||||||
c.Skip("We need to fix DefaultCertificate at start")
|
|
||||||
testCase := acmeTestCase{
|
|
||||||
traefikConfFilePath: "fixtures/acme/acme_tls.toml",
|
|
||||||
template: templateModel{
|
|
||||||
Acme: acme.Configuration{
|
|
||||||
TLSChallenge: &acme.TLSChallenge{},
|
|
||||||
Domains: types.Domains{types.Domain{
|
|
||||||
Main: acmeDomain,
|
|
||||||
}},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
expectedCommonName: wildcardDomain,
|
|
||||||
expectedAlgorithm: x509.RSA,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
s.retrieveAcmeCertificate(c, testCase)
|
s.retrieveAcmeCertificate(c, testCase)
|
||||||
|
@ -318,10 +397,11 @@ func (s *AcmeSuite) TestTLSALPN01DomainsWithProvidedWildcardDomainAtStart(c *che
|
||||||
// Test Let's encrypt down
|
// Test Let's encrypt down
|
||||||
func (s *AcmeSuite) TestNoValidLetsEncryptServer(c *check.C) {
|
func (s *AcmeSuite) TestNoValidLetsEncryptServer(c *check.C) {
|
||||||
file := s.adaptFile(c, "fixtures/acme/acme_base.toml", templateModel{
|
file := s.adaptFile(c, "fixtures/acme/acme_base.toml", templateModel{
|
||||||
Acme: acme.Configuration{
|
Acme: map[string]static.CertificateResolver{
|
||||||
CAServer: "http://wrongurl:4001/directory",
|
"default": {ACME: &acme.Configuration{
|
||||||
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
CAServer: "http://wrongurl:4001/directory",
|
||||||
OnHostRule: true,
|
HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
|
||||||
|
}},
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
defer os.Remove(file)
|
defer os.Remove(file)
|
||||||
|
@ -347,8 +427,10 @@ func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase acmeTestCase) {
|
||||||
testCase.template.PortHTTPS = ":5001"
|
testCase.template.PortHTTPS = ":5001"
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(testCase.template.Acme.CAServer) == 0 {
|
for _, value := range testCase.template.Acme {
|
||||||
testCase.template.Acme.CAServer = s.getAcmeURL()
|
if len(value.ACME.CAServer) == 0 {
|
||||||
|
value.ACME.CAServer = s.getAcmeURL()
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
file := s.adaptFile(c, testCase.traefikConfFilePath, testCase.template)
|
file := s.adaptFile(c, testCase.traefikConfFilePath, testCase.template)
|
||||||
|
@ -365,57 +447,59 @@ func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase acmeTestCase) {
|
||||||
backend := startTestServer("9010", http.StatusOK)
|
backend := startTestServer("9010", http.StatusOK)
|
||||||
defer backend.Close()
|
defer backend.Close()
|
||||||
|
|
||||||
client := &http.Client{
|
for _, sub := range testCase.subCases {
|
||||||
Transport: &http.Transport{
|
client := &http.Client{
|
||||||
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
Transport: &http.Transport{
|
||||||
},
|
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
||||||
}
|
|
||||||
|
|
||||||
// wait for traefik (generating acme account take some seconds)
|
|
||||||
err = try.Do(90*time.Second, func() error {
|
|
||||||
_, errGet := client.Get("https://127.0.0.1:5001")
|
|
||||||
return errGet
|
|
||||||
})
|
|
||||||
c.Assert(err, checker.IsNil)
|
|
||||||
|
|
||||||
client = &http.Client{
|
|
||||||
Transport: &http.Transport{
|
|
||||||
TLSClientConfig: &tls.Config{
|
|
||||||
InsecureSkipVerify: true,
|
|
||||||
ServerName: acmeDomain,
|
|
||||||
},
|
},
|
||||||
},
|
}
|
||||||
|
|
||||||
|
// wait for traefik (generating acme account take some seconds)
|
||||||
|
err = try.Do(60*time.Second, func() error {
|
||||||
|
_, errGet := client.Get("https://127.0.0.1:5001")
|
||||||
|
return errGet
|
||||||
|
})
|
||||||
|
c.Assert(err, checker.IsNil)
|
||||||
|
|
||||||
|
client = &http.Client{
|
||||||
|
Transport: &http.Transport{
|
||||||
|
TLSClientConfig: &tls.Config{
|
||||||
|
InsecureSkipVerify: true,
|
||||||
|
ServerName: sub.host,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
req := testhelpers.MustNewRequest(http.MethodGet, "https://127.0.0.1:5001/", nil)
|
||||||
|
req.Host = sub.host
|
||||||
|
req.Header.Set("Host", sub.host)
|
||||||
|
req.Header.Set("Accept", "*/*")
|
||||||
|
|
||||||
|
var resp *http.Response
|
||||||
|
|
||||||
|
// Retry to send a Request which uses the LE generated certificate
|
||||||
|
err = try.Do(60*time.Second, func() error {
|
||||||
|
resp, err = client.Do(req)
|
||||||
|
|
||||||
|
// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
|
||||||
|
req.Close = true
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
cn := resp.TLS.PeerCertificates[0].Subject.CommonName
|
||||||
|
if cn != sub.expectedCommonName {
|
||||||
|
return fmt.Errorf("domain %s found instead of %s", cn, sub.expectedCommonName)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
})
|
||||||
|
|
||||||
|
c.Assert(err, checker.IsNil)
|
||||||
|
c.Assert(resp.StatusCode, checker.Equals, http.StatusOK)
|
||||||
|
// Check Domain into response certificate
|
||||||
|
c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, checker.Equals, sub.expectedCommonName)
|
||||||
|
c.Assert(resp.TLS.PeerCertificates[0].PublicKeyAlgorithm, checker.Equals, sub.expectedAlgorithm)
|
||||||
}
|
}
|
||||||
|
|
||||||
req := testhelpers.MustNewRequest(http.MethodGet, "https://127.0.0.1:5001/", nil)
|
|
||||||
req.Host = acmeDomain
|
|
||||||
req.Header.Set("Host", acmeDomain)
|
|
||||||
req.Header.Set("Accept", "*/*")
|
|
||||||
|
|
||||||
var resp *http.Response
|
|
||||||
|
|
||||||
// Retry to send a Request which uses the LE generated certificate
|
|
||||||
err = try.Do(60*time.Second, func() error {
|
|
||||||
resp, err = client.Do(req)
|
|
||||||
|
|
||||||
// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
|
|
||||||
req.Close = true
|
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
cn := resp.TLS.PeerCertificates[0].Subject.CommonName
|
|
||||||
if cn != testCase.expectedCommonName {
|
|
||||||
return fmt.Errorf("domain %s found instead of %s", cn, testCase.expectedCommonName)
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
})
|
|
||||||
|
|
||||||
c.Assert(err, checker.IsNil)
|
|
||||||
c.Assert(resp.StatusCode, checker.Equals, http.StatusOK)
|
|
||||||
// Check Domain into response certificate
|
|
||||||
c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, checker.Equals, testCase.expectedCommonName)
|
|
||||||
c.Assert(resp.TLS.PeerCertificates[0].PublicKeyAlgorithm, checker.Equals, testCase.expectedAlgorithm)
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -11,31 +11,24 @@
|
||||||
[entryPoints.web-secure]
|
[entryPoints.web-secure]
|
||||||
address = "{{ .PortHTTPS }}"
|
address = "{{ .PortHTTPS }}"
|
||||||
|
|
||||||
[acme]
|
{{range $name, $resolvers := .Acme }}
|
||||||
|
|
||||||
|
[certificatesResolvers.{{ $name }}.acme]
|
||||||
email = "test@traefik.io"
|
email = "test@traefik.io"
|
||||||
storage = "/tmp/acme.json"
|
storage = "/tmp/acme.json"
|
||||||
# entryPoint = "https"
|
keyType = "{{ $resolvers.ACME.KeyType }}"
|
||||||
acmeLogging = true
|
caServer = "{{ $resolvers.ACME.CAServer }}"
|
||||||
onHostRule = {{ .Acme.OnHostRule }}
|
|
||||||
keyType = "{{ .Acme.KeyType }}"
|
|
||||||
caServer = "{{ .Acme.CAServer }}"
|
|
||||||
|
|
||||||
{{if .Acme.HTTPChallenge }}
|
{{if $resolvers.ACME.HTTPChallenge }}
|
||||||
[acme.httpChallenge]
|
[certificatesResolvers.{{ $name }}.acme.httpChallenge]
|
||||||
entryPoint = "{{ .Acme.HTTPChallenge.EntryPoint }}"
|
entryPoint = "{{ $resolvers.ACME.HTTPChallenge.EntryPoint }}"
|
||||||
{{end}}
|
{{end}}
|
||||||
|
|
||||||
{{if .Acme.TLSChallenge }}
|
{{if $resolvers.ACME.TLSChallenge }}
|
||||||
[acme.tlsChallenge]
|
[certificatesResolvers.{{ $name }}.acme.tlsChallenge]
|
||||||
{{end}}
|
{{end}}
|
||||||
|
|
||||||
{{range .Acme.Domains}}
|
{{end}}
|
||||||
[[acme.domains]]
|
|
||||||
main = "{{ .Main }}"
|
|
||||||
sans = [{{range .SANs }}
|
|
||||||
"{{.}}",
|
|
||||||
{{end}}]
|
|
||||||
{{end}}
|
|
||||||
|
|
||||||
[api]
|
[api]
|
||||||
|
|
||||||
|
@ -55,3 +48,4 @@
|
||||||
rule = "Host(`traefik.acme.wtf`)"
|
rule = "Host(`traefik.acme.wtf`)"
|
||||||
service = "test"
|
service = "test"
|
||||||
[http.routers.test.tls]
|
[http.routers.test.tls]
|
||||||
|
certResolver = "default"
|
||||||
|
|
58
integration/fixtures/acme/acme_domains.toml
Normal file
58
integration/fixtures/acme/acme_domains.toml
Normal file
|
@ -0,0 +1,58 @@
|
||||||
|
[global]
|
||||||
|
checkNewVersion = false
|
||||||
|
sendAnonymousUsage = false
|
||||||
|
|
||||||
|
[log]
|
||||||
|
level = "DEBUG"
|
||||||
|
|
||||||
|
[entryPoints]
|
||||||
|
[entryPoints.web]
|
||||||
|
address = "{{ .PortHTTP }}"
|
||||||
|
[entryPoints.web-secure]
|
||||||
|
address = "{{ .PortHTTPS }}"
|
||||||
|
|
||||||
|
{{range $name, $resolvers := .Acme }}
|
||||||
|
|
||||||
|
[certificatesResolvers.{{ $name }}.acme]
|
||||||
|
email = "test@traefik.io"
|
||||||
|
storage = "/tmp/acme.json"
|
||||||
|
keyType = "{{ $resolvers.ACME.KeyType }}"
|
||||||
|
caServer = "{{ $resolvers.ACME.CAServer }}"
|
||||||
|
|
||||||
|
{{if $resolvers.ACME.HTTPChallenge }}
|
||||||
|
[certificatesResolvers.{{ $name }}.acme.httpChallenge]
|
||||||
|
entryPoint = "{{ $resolvers.ACME.HTTPChallenge.EntryPoint }}"
|
||||||
|
{{end}}
|
||||||
|
|
||||||
|
{{if $resolvers.ACME.TLSChallenge }}
|
||||||
|
[certificatesResolvers.{{ $name }}.acme.tlsChallenge]
|
||||||
|
{{end}}
|
||||||
|
|
||||||
|
{{end}}
|
||||||
|
|
||||||
|
[api]
|
||||||
|
|
||||||
|
[providers.file]
|
||||||
|
filename = "{{ .SelfFilename }}"
|
||||||
|
|
||||||
|
## dynamic configuration ##
|
||||||
|
|
||||||
|
[http.services]
|
||||||
|
[http.services.test.loadBalancer]
|
||||||
|
[[http.services.test.loadBalancer.servers]]
|
||||||
|
url = "http://127.0.0.1:9010"
|
||||||
|
|
||||||
|
[http.routers]
|
||||||
|
[http.routers.test]
|
||||||
|
entryPoints = ["web-secure"]
|
||||||
|
rule = "PathPrefix(`/`)"
|
||||||
|
service = "test"
|
||||||
|
[http.routers.test.tls]
|
||||||
|
certResolver = "default"
|
||||||
|
{{range .Domains}}
|
||||||
|
[[http.routers.test.tls.domains]]
|
||||||
|
main = "{{ .Main }}"
|
||||||
|
sans = [{{range .SANs }}
|
||||||
|
"{{.}}",
|
||||||
|
{{end}}]
|
||||||
|
{{end}}
|
58
integration/fixtures/acme/acme_multiple_resolvers.toml
Normal file
58
integration/fixtures/acme/acme_multiple_resolvers.toml
Normal file
|
@ -0,0 +1,58 @@
|
||||||
|
[global]
|
||||||
|
checkNewVersion = false
|
||||||
|
sendAnonymousUsage = false
|
||||||
|
|
||||||
|
[log]
|
||||||
|
level = "DEBUG"
|
||||||
|
|
||||||
|
[entryPoints]
|
||||||
|
[entryPoints.web]
|
||||||
|
address = "{{ .PortHTTP }}"
|
||||||
|
[entryPoints.web-secure]
|
||||||
|
address = "{{ .PortHTTPS }}"
|
||||||
|
|
||||||
|
{{range $name, $resolvers := .Acme }}
|
||||||
|
|
||||||
|
[certificatesResolvers.{{ $name }}.acme]
|
||||||
|
email = "test@traefik.io"
|
||||||
|
storage = "/tmp/acme.json"
|
||||||
|
keyType = "{{ $resolvers.ACME.KeyType }}"
|
||||||
|
caServer = "{{ $resolvers.ACME.CAServer }}"
|
||||||
|
|
||||||
|
{{if $resolvers.ACME.HTTPChallenge }}
|
||||||
|
[certificatesResolvers.{{ $name }}.acme.httpChallenge]
|
||||||
|
entryPoint = "{{ $resolvers.ACME.HTTPChallenge.EntryPoint }}"
|
||||||
|
{{end}}
|
||||||
|
|
||||||
|
{{if $resolvers.ACME.TLSChallenge }}
|
||||||
|
[certificatesResolvers.{{ $name }}.acme.tlsChallenge]
|
||||||
|
{{end}}
|
||||||
|
|
||||||
|
{{end}}
|
||||||
|
|
||||||
|
[api]
|
||||||
|
|
||||||
|
[providers.file]
|
||||||
|
filename = "{{ .SelfFilename }}"
|
||||||
|
|
||||||
|
## dynamic configuration ##
|
||||||
|
|
||||||
|
[http.services]
|
||||||
|
[http.services.test.loadBalancer]
|
||||||
|
[[http.services.test.loadBalancer.servers]]
|
||||||
|
url = "http://127.0.0.1:9010"
|
||||||
|
|
||||||
|
[http.routers]
|
||||||
|
[http.routers.test]
|
||||||
|
entryPoints = ["web-secure"]
|
||||||
|
rule = "Host(`traefik.acme.wtf`)"
|
||||||
|
service = "test"
|
||||||
|
[http.routers.test.tls]
|
||||||
|
certResolver = "default"
|
||||||
|
|
||||||
|
[http.routers.tchouk]
|
||||||
|
entryPoints = ["web-secure"]
|
||||||
|
rule = "Host(`tchouk.acme.wtf`)"
|
||||||
|
service = "test"
|
||||||
|
[http.routers.tchouk.tls]
|
||||||
|
certResolver = "tchouk"
|
51
integration/fixtures/acme/acme_tcp.toml
Normal file
51
integration/fixtures/acme/acme_tcp.toml
Normal file
|
@ -0,0 +1,51 @@
|
||||||
|
[global]
|
||||||
|
checkNewVersion = false
|
||||||
|
sendAnonymousUsage = false
|
||||||
|
|
||||||
|
[log]
|
||||||
|
level = "DEBUG"
|
||||||
|
|
||||||
|
[entryPoints]
|
||||||
|
[entryPoints.web]
|
||||||
|
address = "{{ .PortHTTP }}"
|
||||||
|
[entryPoints.web-secure]
|
||||||
|
address = "{{ .PortHTTPS }}"
|
||||||
|
|
||||||
|
{{range $name, $resolvers := .Acme }}
|
||||||
|
|
||||||
|
[certificatesResolvers.{{ $name }}.acme]
|
||||||
|
email = "test@traefik.io"
|
||||||
|
storage = "/tmp/acme.json"
|
||||||
|
keyType = "{{ $resolvers.ACME.KeyType }}"
|
||||||
|
caServer = "{{ $resolvers.ACME.CAServer }}"
|
||||||
|
|
||||||
|
{{if $resolvers.ACME.HTTPChallenge }}
|
||||||
|
[certificatesResolvers.{{ $name }}.acme.httpChallenge]
|
||||||
|
entryPoint = "{{ $resolvers.ACME.HTTPChallenge.EntryPoint }}"
|
||||||
|
{{end}}
|
||||||
|
|
||||||
|
{{if $resolvers.ACME.TLSChallenge }}
|
||||||
|
[certificatesResolvers.{{ $name }}.acme.tlsChallenge]
|
||||||
|
{{end}}
|
||||||
|
|
||||||
|
{{end}}
|
||||||
|
|
||||||
|
[api]
|
||||||
|
|
||||||
|
[providers.file]
|
||||||
|
filename = "{{ .SelfFilename }}"
|
||||||
|
|
||||||
|
## dynamic configuration ##
|
||||||
|
|
||||||
|
[tcp.services]
|
||||||
|
[tcp.services.test.loadBalancer]
|
||||||
|
[[tcp.services.test.loadBalancer.servers]]
|
||||||
|
address = "127.0.0.1:9010"
|
||||||
|
|
||||||
|
[tcp.routers]
|
||||||
|
[tcp.routers.test]
|
||||||
|
entryPoints = ["web-secure"]
|
||||||
|
rule = "HostSNI(`traefik.acme.wtf`)"
|
||||||
|
service = "test"
|
||||||
|
[tcp.routers.test.tls]
|
||||||
|
certResolver = "default"
|
|
@ -11,31 +11,24 @@
|
||||||
[entryPoints.web-secure]
|
[entryPoints.web-secure]
|
||||||
address = "{{ .PortHTTPS }}"
|
address = "{{ .PortHTTPS }}"
|
||||||
|
|
||||||
[acme]
|
{{range $name, $resolvers := .Acme }}
|
||||||
|
|
||||||
|
[certificatesResolvers.{{ $name }}.acme]
|
||||||
email = "test@traefik.io"
|
email = "test@traefik.io"
|
||||||
storage = "/tmp/acme.json"
|
storage = "/tmp/acme.json"
|
||||||
# entryPoint = "https"
|
keyType = "{{ $resolvers.ACME.KeyType }}"
|
||||||
acmeLogging = true
|
caServer = "{{ $resolvers.ACME.CAServer }}"
|
||||||
onHostRule = {{ .Acme.OnHostRule }}
|
|
||||||
keyType = "{{ .Acme.KeyType }}"
|
|
||||||
caServer = "{{ .Acme.CAServer }}"
|
|
||||||
|
|
||||||
{{if .Acme.HTTPChallenge }}
|
{{if $resolvers.ACME.HTTPChallenge }}
|
||||||
[acme.httpChallenge]
|
[certificatesResolvers.{{ $name }}.acme.httpChallenge]
|
||||||
entryPoint = "{{ .Acme.HTTPChallenge.EntryPoint }}"
|
entryPoint = "{{ $resolvers.ACME.HTTPChallenge.EntryPoint }}"
|
||||||
{{end}}
|
{{end}}
|
||||||
|
|
||||||
{{if .Acme.TLSChallenge }}
|
{{if $resolvers.ACME.TLSChallenge }}
|
||||||
[acme.tlsChallenge]
|
[certificatesResolvers.{{ $name }}.acme.tlsChallenge]
|
||||||
{{end}}
|
{{end}}
|
||||||
|
|
||||||
{{range .Acme.Domains}}
|
{{end}}
|
||||||
[[acme.domains]]
|
|
||||||
main = "{{ .Main }}"
|
|
||||||
sans = [{{range .SANs }}
|
|
||||||
"{{.}}",
|
|
||||||
{{end}}]
|
|
||||||
{{end}}
|
|
||||||
|
|
||||||
[api]
|
[api]
|
||||||
|
|
||||||
|
|
|
@ -7,32 +7,29 @@
|
||||||
|
|
||||||
[entryPoints]
|
[entryPoints]
|
||||||
[entryPoints.web]
|
[entryPoints.web]
|
||||||
address = "{{ .PortHTTP }}"
|
address = "{{ .PortHTTP }}"
|
||||||
[entryPoints.web-secure]
|
[entryPoints.web-secure]
|
||||||
address = "{{ .PortHTTPS }}"
|
address = "{{ .PortHTTPS }}"
|
||||||
|
|
||||||
[acme]
|
{{range $name, $resolvers := .Acme }}
|
||||||
|
|
||||||
|
[certificatesResolvers.{{ $name }}.acme]
|
||||||
email = "test@traefik.io"
|
email = "test@traefik.io"
|
||||||
storage = "/tmp/acme.json"
|
storage = "/tmp/acme.json"
|
||||||
# entryPoint = "https"
|
keyType = "{{ $resolvers.ACME.KeyType }}"
|
||||||
acmeLogging = true
|
caServer = "{{ $resolvers.ACME.CAServer }}"
|
||||||
onHostRule = {{ .Acme.OnHostRule }}
|
|
||||||
keyType = "{{ .Acme.KeyType }}"
|
|
||||||
caServer = "{{ .Acme.CAServer }}"
|
|
||||||
|
|
||||||
{{if .Acme.HTTPChallenge }}
|
{{if $resolvers.ACME.HTTPChallenge }}
|
||||||
[acme.httpChallenge]
|
[certificatesResolvers.{{ $name }}.acme.httpChallenge]
|
||||||
entryPoint = "{{ .Acme.HTTPChallenge.EntryPoint }}"
|
entryPoint = "{{ $resolvers.ACME.HTTPChallenge.EntryPoint }}"
|
||||||
{{end}}
|
{{end}}
|
||||||
|
|
||||||
{{range .Acme.Domains}}
|
{{if $resolvers.ACME.TLSChallenge }}
|
||||||
[[acme.domains]]
|
[certificatesResolvers.{{ $name }}.acme.tlsChallenge]
|
||||||
main = "{{ .Main }}"
|
|
||||||
sans = [{{range .SANs }}
|
|
||||||
"{{.}}",
|
|
||||||
{{end}}]
|
|
||||||
{{end}}
|
{{end}}
|
||||||
|
|
||||||
|
{{end}}
|
||||||
|
|
||||||
[api]
|
[api]
|
||||||
|
|
||||||
[providers]
|
[providers]
|
||||||
|
|
|
@ -8,42 +8,29 @@
|
||||||
[entryPoints]
|
[entryPoints]
|
||||||
[entryPoints.web]
|
[entryPoints.web]
|
||||||
address = "{{ .PortHTTP }}"
|
address = "{{ .PortHTTP }}"
|
||||||
|
|
||||||
[entryPoints.web-secure]
|
[entryPoints.web-secure]
|
||||||
address = "{{ .PortHTTPS }}"
|
address = "{{ .PortHTTPS }}"
|
||||||
|
|
||||||
[entryPoints.traefik]
|
[entryPoints.traefik]
|
||||||
address = ":9000"
|
address = ":9000"
|
||||||
# FIXME
|
|
||||||
# [entryPoints.traefik.tls]
|
|
||||||
# [entryPoints.traefik.tls.defaultCertificate]
|
|
||||||
# certFile = "fixtures/acme/ssl/wildcard.crt"
|
|
||||||
# keyFile = "fixtures/acme/ssl/wildcard.key"
|
|
||||||
|
|
||||||
[acme]
|
{{range $name, $resolvers := .Acme }}
|
||||||
|
|
||||||
|
[certificatesResolvers.{{ $name }}.acme]
|
||||||
email = "test@traefik.io"
|
email = "test@traefik.io"
|
||||||
storage = "/tmp/acme.json"
|
storage = "/tmp/acme.json"
|
||||||
# entryPoint = "https"
|
keyType = "{{ $resolvers.ACME.KeyType }}"
|
||||||
acmeLogging = true
|
caServer = "{{ $resolvers.ACME.CAServer }}"
|
||||||
onHostRule = {{ .Acme.OnHostRule }}
|
|
||||||
keyType = "{{ .Acme.KeyType }}"
|
|
||||||
caServer = "{{ .Acme.CAServer }}"
|
|
||||||
|
|
||||||
{{if .Acme.HTTPChallenge }}
|
{{if $resolvers.ACME.HTTPChallenge }}
|
||||||
[acme.httpChallenge]
|
[certificatesResolvers.{{ $name }}.acme.httpChallenge]
|
||||||
entryPoint = "{{ .Acme.HTTPChallenge.EntryPoint }}"
|
entryPoint = "{{ $resolvers.ACME.HTTPChallenge.EntryPoint }}"
|
||||||
{{end}}
|
{{end}}
|
||||||
|
|
||||||
{{if .Acme.TLSChallenge }}
|
{{if $resolvers.ACME.TLSChallenge }}
|
||||||
[acme.tlsChallenge]
|
[certificatesResolvers.{{ $name }}.acme.tlsChallenge]
|
||||||
{{end}}
|
{{end}}
|
||||||
|
|
||||||
{{range .Acme.Domains}}
|
{{end}}
|
||||||
[[acme.domains]]
|
|
||||||
main = "{{ .Main }}"
|
|
||||||
sans = [{{range .SANs }}
|
|
||||||
"{{.}}",
|
|
||||||
{{end}}]
|
|
||||||
{{end}}
|
|
||||||
|
|
||||||
[api]
|
[api]
|
||||||
|
|
|
@ -265,7 +265,7 @@ func (s *HTTPSSuite) TestWithConflictingTLSOptions(c *check.C) {
|
||||||
c.Assert(err.Error(), checker.Contains, "protocol version not supported")
|
c.Assert(err.Error(), checker.Contains, "protocol version not supported")
|
||||||
|
|
||||||
// with unknown tls option
|
// with unknown tls option
|
||||||
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains(fmt.Sprintf("found different TLS options for routers on the same host %v, so using the default TLS option instead", tr4.TLSClientConfig.ServerName)))
|
err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains(fmt.Sprintf("found different TLS options for routers on the same host %v, so using the default TLS options instead", tr4.TLSClientConfig.ServerName)))
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -537,7 +537,7 @@ func (s *SimpleSuite) TestRouterConfigErrors(c *check.C) {
|
||||||
defer cmd.Process.Kill()
|
defer cmd.Process.Kill()
|
||||||
|
|
||||||
// All errors
|
// All errors
|
||||||
err = try.GetRequest("http://127.0.0.1:8080/api/http/routers", 1000*time.Millisecond, try.BodyContains(`["middleware \"unknown@file\" does not exist","found different TLS options for routers on the same host snitest.net, so using the default TLS option instead"]`))
|
err = try.GetRequest("http://127.0.0.1:8080/api/http/routers", 1000*time.Millisecond, try.BodyContains(`["middleware \"unknown@file\" does not exist","found different TLS options for routers on the same host snitest.net, so using the default TLS options instead"]`))
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
|
|
||||||
// router4 is enabled, but in warning state because its tls options conf was messed up
|
// router4 is enabled, but in warning state because its tls options conf was messed up
|
||||||
|
|
|
@ -89,23 +89,18 @@ func TestDo_globalConfiguration(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
config.ACME = &acme.Configuration{
|
config.CertificatesResolvers = map[string]static.CertificateResolver{
|
||||||
Email: "acme Email",
|
"default": {
|
||||||
ACMELogging: true,
|
ACME: &acme.Configuration{
|
||||||
CAServer: "CAServer",
|
Email: "acme Email",
|
||||||
Storage: "Storage",
|
CAServer: "CAServer",
|
||||||
EntryPoint: "EntryPoint",
|
Storage: "Storage",
|
||||||
KeyType: "MyKeyType",
|
KeyType: "MyKeyType",
|
||||||
OnHostRule: true,
|
DNSChallenge: &acmeprovider.DNSChallenge{Provider: "DNSProvider"},
|
||||||
DNSChallenge: &acmeprovider.DNSChallenge{Provider: "DNSProvider"},
|
HTTPChallenge: &acmeprovider.HTTPChallenge{
|
||||||
HTTPChallenge: &acmeprovider.HTTPChallenge{
|
EntryPoint: "MyEntryPoint",
|
||||||
EntryPoint: "MyEntryPoint",
|
},
|
||||||
},
|
TLSChallenge: &acmeprovider.TLSChallenge{},
|
||||||
TLSChallenge: &acmeprovider.TLSChallenge{},
|
|
||||||
Domains: []types.Domain{
|
|
||||||
{
|
|
||||||
Main: "Domains Main",
|
|
||||||
SANs: []string{"Domains acme SANs 1", "Domains acme SANs 2", "Domains acme SANs 3"},
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -126,9 +121,6 @@ func TestDo_globalConfiguration(t *testing.T) {
|
||||||
config.API = &static.API{
|
config.API = &static.API{
|
||||||
EntryPoint: "traefik",
|
EntryPoint: "traefik",
|
||||||
Dashboard: true,
|
Dashboard: true,
|
||||||
Statistics: &types.Statistics{
|
|
||||||
RecentErrors: 111,
|
|
||||||
},
|
|
||||||
DashboardAssets: &assetfs.AssetFS{
|
DashboardAssets: &assetfs.AssetFS{
|
||||||
Asset: func(path string) ([]byte, error) {
|
Asset: func(path string) ([]byte, error) {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
|
|
|
@ -212,7 +212,6 @@
|
||||||
storage = "foobar"
|
storage = "foobar"
|
||||||
entryPoint = "foobar"
|
entryPoint = "foobar"
|
||||||
keyType = "foobar"
|
keyType = "foobar"
|
||||||
onHostRule = true
|
|
||||||
[acme.dnsChallenge]
|
[acme.dnsChallenge]
|
||||||
provider = "foobar"
|
provider = "foobar"
|
||||||
delayBeforeCheck = 42
|
delayBeforeCheck = 42
|
||||||
|
|
|
@ -1,6 +1,10 @@
|
||||||
package dynamic
|
package dynamic
|
||||||
|
|
||||||
import "reflect"
|
import (
|
||||||
|
"reflect"
|
||||||
|
|
||||||
|
"github.com/containous/traefik/pkg/types"
|
||||||
|
)
|
||||||
|
|
||||||
// +k8s:deepcopy-gen=true
|
// +k8s:deepcopy-gen=true
|
||||||
|
|
||||||
|
@ -34,7 +38,9 @@ type Router struct {
|
||||||
|
|
||||||
// RouterTLSConfig holds the TLS configuration for a router
|
// RouterTLSConfig holds the TLS configuration for a router
|
||||||
type RouterTLSConfig struct {
|
type RouterTLSConfig struct {
|
||||||
Options string `json:"options,omitempty" toml:"options,omitempty" yaml:"options,omitempty"`
|
Options string `json:"options,omitempty" toml:"options,omitempty" yaml:"options,omitempty"`
|
||||||
|
CertResolver string `json:"certResolver,omitempty" toml:"certResolver,omitempty" yaml:"certResolver,omitempty"`
|
||||||
|
Domains []types.Domain `json:"domains,omitempty" toml:"domains,omitempty" yaml:"domains,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// +k8s:deepcopy-gen=true
|
// +k8s:deepcopy-gen=true
|
||||||
|
|
|
@ -1,6 +1,10 @@
|
||||||
package dynamic
|
package dynamic
|
||||||
|
|
||||||
import "reflect"
|
import (
|
||||||
|
"reflect"
|
||||||
|
|
||||||
|
"github.com/containous/traefik/pkg/types"
|
||||||
|
)
|
||||||
|
|
||||||
// +k8s:deepcopy-gen=true
|
// +k8s:deepcopy-gen=true
|
||||||
|
|
||||||
|
@ -31,8 +35,10 @@ type TCPRouter struct {
|
||||||
|
|
||||||
// RouterTCPTLSConfig holds the TLS configuration for a router
|
// RouterTCPTLSConfig holds the TLS configuration for a router
|
||||||
type RouterTCPTLSConfig struct {
|
type RouterTCPTLSConfig struct {
|
||||||
Passthrough bool `json:"passthrough" toml:"passthrough" yaml:"passthrough"`
|
Passthrough bool `json:"passthrough" toml:"passthrough" yaml:"passthrough"`
|
||||||
Options string `json:"options,omitempty" toml:"options,omitempty" yaml:"options,omitempty"`
|
Options string `json:"options,omitempty" toml:"options,omitempty" yaml:"options,omitempty"`
|
||||||
|
CertResolver string `json:"certResolver,omitempty" toml:"certResolver,omitempty" yaml:"certResolver,omitempty"`
|
||||||
|
Domains []types.Domain `json:"domains,omitempty" toml:"domains,omitempty" yaml:"domains,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// +k8s:deepcopy-gen=true
|
// +k8s:deepcopy-gen=true
|
||||||
|
|
|
@ -30,6 +30,7 @@ package dynamic
|
||||||
|
|
||||||
import (
|
import (
|
||||||
tls "github.com/containous/traefik/pkg/tls"
|
tls "github.com/containous/traefik/pkg/tls"
|
||||||
|
types "github.com/containous/traefik/pkg/types"
|
||||||
)
|
)
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
@ -876,7 +877,7 @@ func (in *Router) DeepCopyInto(out *Router) {
|
||||||
if in.TLS != nil {
|
if in.TLS != nil {
|
||||||
in, out := &in.TLS, &out.TLS
|
in, out := &in.TLS, &out.TLS
|
||||||
*out = new(RouterTLSConfig)
|
*out = new(RouterTLSConfig)
|
||||||
**out = **in
|
(*in).DeepCopyInto(*out)
|
||||||
}
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -894,6 +895,13 @@ func (in *Router) DeepCopy() *Router {
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *RouterTCPTLSConfig) DeepCopyInto(out *RouterTCPTLSConfig) {
|
func (in *RouterTCPTLSConfig) DeepCopyInto(out *RouterTCPTLSConfig) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
if in.Domains != nil {
|
||||||
|
in, out := &in.Domains, &out.Domains
|
||||||
|
*out = make([]types.Domain, len(*in))
|
||||||
|
for i := range *in {
|
||||||
|
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||||
|
}
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -910,6 +918,13 @@ func (in *RouterTCPTLSConfig) DeepCopy() *RouterTCPTLSConfig {
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *RouterTLSConfig) DeepCopyInto(out *RouterTLSConfig) {
|
func (in *RouterTLSConfig) DeepCopyInto(out *RouterTLSConfig) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
if in.Domains != nil {
|
||||||
|
in, out := &in.Domains, &out.Domains
|
||||||
|
*out = make([]types.Domain, len(*in))
|
||||||
|
for i := range *in {
|
||||||
|
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||||
|
}
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1096,7 +1111,7 @@ func (in *TCPRouter) DeepCopyInto(out *TCPRouter) {
|
||||||
if in.TLS != nil {
|
if in.TLS != nil {
|
||||||
in, out := &in.TLS, &out.TLS
|
in, out := &in.TLS, &out.TLS
|
||||||
*out = new(RouterTCPTLSConfig)
|
*out = new(RouterTCPTLSConfig)
|
||||||
**out = **in
|
(*in).DeepCopyInto(*out)
|
||||||
}
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
|
@ -44,7 +44,7 @@ func Test_getRootFieldNames(t *testing.T) {
|
||||||
|
|
||||||
func Test_decodeFileToNode_compare(t *testing.T) {
|
func Test_decodeFileToNode_compare(t *testing.T) {
|
||||||
nodeToml, err := decodeFileToNode("./fixtures/sample.toml",
|
nodeToml, err := decodeFileToNode("./fixtures/sample.toml",
|
||||||
"Global", "ServersTransport", "EntryPoints", "Providers", "API", "Metrics", "Ping", "Log", "AccessLog", "Tracing", "HostResolver", "ACME")
|
"Global", "ServersTransport", "EntryPoints", "Providers", "API", "Metrics", "Ping", "Log", "AccessLog", "Tracing", "HostResolver", "CertificatesResolvers")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
@ -59,7 +59,7 @@ func Test_decodeFileToNode_compare(t *testing.T) {
|
||||||
|
|
||||||
func Test_decodeFileToNode_Toml(t *testing.T) {
|
func Test_decodeFileToNode_Toml(t *testing.T) {
|
||||||
node, err := decodeFileToNode("./fixtures/sample.toml",
|
node, err := decodeFileToNode("./fixtures/sample.toml",
|
||||||
"Global", "ServersTransport", "EntryPoints", "Providers", "API", "Metrics", "Ping", "Log", "AccessLog", "Tracing", "HostResolver", "ACME")
|
"Global", "ServersTransport", "EntryPoints", "Providers", "API", "Metrics", "Ping", "Log", "AccessLog", "Tracing", "HostResolver", "CertificatesResolvers")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
@ -85,42 +85,35 @@ func Test_decodeFileToNode_Toml(t *testing.T) {
|
||||||
{Name: "retryAttempts", Value: "true"},
|
{Name: "retryAttempts", Value: "true"},
|
||||||
{Name: "statusCodes", Value: "foobar,foobar"}}},
|
{Name: "statusCodes", Value: "foobar,foobar"}}},
|
||||||
{Name: "format", Value: "foobar"}}},
|
{Name: "format", Value: "foobar"}}},
|
||||||
{Name: "acme",
|
|
||||||
Children: []*parser.Node{
|
|
||||||
{Name: "acmeLogging", Value: "true"},
|
|
||||||
{Name: "caServer", Value: "foobar"},
|
|
||||||
{Name: "dnsChallenge", Children: []*parser.Node{
|
|
||||||
{Name: "delayBeforeCheck", Value: "42"},
|
|
||||||
{Name: "disablePropagationCheck", Value: "true"},
|
|
||||||
{Name: "provider", Value: "foobar"},
|
|
||||||
{Name: "resolvers", Value: "foobar,foobar"},
|
|
||||||
}},
|
|
||||||
{Name: "domains", Children: []*parser.Node{
|
|
||||||
{Name: "[0]", Children: []*parser.Node{
|
|
||||||
{Name: "main", Value: "foobar"},
|
|
||||||
{Name: "sans", Value: "foobar,foobar"},
|
|
||||||
}},
|
|
||||||
{Name: "[1]", Children: []*parser.Node{
|
|
||||||
{Name: "main", Value: "foobar"},
|
|
||||||
{Name: "sans", Value: "foobar,foobar"},
|
|
||||||
}},
|
|
||||||
}},
|
|
||||||
{Name: "email", Value: "foobar"},
|
|
||||||
{Name: "entryPoint", Value: "foobar"},
|
|
||||||
{Name: "httpChallenge", Children: []*parser.Node{
|
|
||||||
{Name: "entryPoint", Value: "foobar"}}},
|
|
||||||
{Name: "keyType", Value: "foobar"},
|
|
||||||
{Name: "onHostRule", Value: "true"},
|
|
||||||
{Name: "storage", Value: "foobar"},
|
|
||||||
{Name: "tlsChallenge"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{Name: "api", Children: []*parser.Node{
|
{Name: "api", Children: []*parser.Node{
|
||||||
{Name: "dashboard", Value: "true"},
|
{Name: "dashboard", Value: "true"},
|
||||||
{Name: "entryPoint", Value: "foobar"},
|
{Name: "entryPoint", Value: "foobar"},
|
||||||
{Name: "middlewares", Value: "foobar,foobar"},
|
{Name: "middlewares", Value: "foobar,foobar"},
|
||||||
{Name: "statistics", Children: []*parser.Node{
|
{Name: "statistics", Children: []*parser.Node{
|
||||||
{Name: "recentErrors", Value: "42"}}}}},
|
{Name: "recentErrors", Value: "42"}}}}},
|
||||||
|
{Name: "certificatesResolvers", Children: []*parser.Node{
|
||||||
|
{Name: "default", Children: []*parser.Node{
|
||||||
|
{Name: "acme",
|
||||||
|
Children: []*parser.Node{
|
||||||
|
{Name: "acmeLogging", Value: "true"},
|
||||||
|
{Name: "caServer", Value: "foobar"},
|
||||||
|
{Name: "dnsChallenge", Children: []*parser.Node{
|
||||||
|
{Name: "delayBeforeCheck", Value: "42"},
|
||||||
|
{Name: "disablePropagationCheck", Value: "true"},
|
||||||
|
{Name: "provider", Value: "foobar"},
|
||||||
|
{Name: "resolvers", Value: "foobar,foobar"},
|
||||||
|
}},
|
||||||
|
{Name: "email", Value: "foobar"},
|
||||||
|
{Name: "entryPoint", Value: "foobar"},
|
||||||
|
{Name: "httpChallenge", Children: []*parser.Node{
|
||||||
|
{Name: "entryPoint", Value: "foobar"}}},
|
||||||
|
{Name: "keyType", Value: "foobar"},
|
||||||
|
{Name: "storage", Value: "foobar"},
|
||||||
|
{Name: "tlsChallenge"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}},
|
||||||
|
}},
|
||||||
{Name: "entryPoints", Children: []*parser.Node{
|
{Name: "entryPoints", Children: []*parser.Node{
|
||||||
{Name: "EntryPoint0", Children: []*parser.Node{
|
{Name: "EntryPoint0", Children: []*parser.Node{
|
||||||
{Name: "address", Value: "foobar"},
|
{Name: "address", Value: "foobar"},
|
||||||
|
@ -327,42 +320,35 @@ func Test_decodeFileToNode_Yaml(t *testing.T) {
|
||||||
{Name: "retryAttempts", Value: "true"},
|
{Name: "retryAttempts", Value: "true"},
|
||||||
{Name: "statusCodes", Value: "foobar,foobar"}}},
|
{Name: "statusCodes", Value: "foobar,foobar"}}},
|
||||||
{Name: "format", Value: "foobar"}}},
|
{Name: "format", Value: "foobar"}}},
|
||||||
{Name: "acme",
|
|
||||||
Children: []*parser.Node{
|
|
||||||
{Name: "acmeLogging", Value: "true"},
|
|
||||||
{Name: "caServer", Value: "foobar"},
|
|
||||||
{Name: "dnsChallenge", Children: []*parser.Node{
|
|
||||||
{Name: "delayBeforeCheck", Value: "42"},
|
|
||||||
{Name: "disablePropagationCheck", Value: "true"},
|
|
||||||
{Name: "provider", Value: "foobar"},
|
|
||||||
{Name: "resolvers", Value: "foobar,foobar"},
|
|
||||||
}},
|
|
||||||
{Name: "domains", Children: []*parser.Node{
|
|
||||||
{Name: "[0]", Children: []*parser.Node{
|
|
||||||
{Name: "main", Value: "foobar"},
|
|
||||||
{Name: "sans", Value: "foobar,foobar"},
|
|
||||||
}},
|
|
||||||
{Name: "[1]", Children: []*parser.Node{
|
|
||||||
{Name: "main", Value: "foobar"},
|
|
||||||
{Name: "sans", Value: "foobar,foobar"},
|
|
||||||
}},
|
|
||||||
}},
|
|
||||||
{Name: "email", Value: "foobar"},
|
|
||||||
{Name: "entryPoint", Value: "foobar"},
|
|
||||||
{Name: "httpChallenge", Children: []*parser.Node{
|
|
||||||
{Name: "entryPoint", Value: "foobar"}}},
|
|
||||||
{Name: "keyType", Value: "foobar"},
|
|
||||||
{Name: "onHostRule", Value: "true"},
|
|
||||||
{Name: "storage", Value: "foobar"},
|
|
||||||
{Name: "tlsChallenge"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{Name: "api", Children: []*parser.Node{
|
{Name: "api", Children: []*parser.Node{
|
||||||
{Name: "dashboard", Value: "true"},
|
{Name: "dashboard", Value: "true"},
|
||||||
{Name: "entryPoint", Value: "foobar"},
|
{Name: "entryPoint", Value: "foobar"},
|
||||||
{Name: "middlewares", Value: "foobar,foobar"},
|
{Name: "middlewares", Value: "foobar,foobar"},
|
||||||
{Name: "statistics", Children: []*parser.Node{
|
{Name: "statistics", Children: []*parser.Node{
|
||||||
{Name: "recentErrors", Value: "42"}}}}},
|
{Name: "recentErrors", Value: "42"}}}}},
|
||||||
|
{Name: "certificatesResolvers", Children: []*parser.Node{
|
||||||
|
{Name: "default", Children: []*parser.Node{
|
||||||
|
{Name: "acme",
|
||||||
|
Children: []*parser.Node{
|
||||||
|
{Name: "acmeLogging", Value: "true"},
|
||||||
|
{Name: "caServer", Value: "foobar"},
|
||||||
|
{Name: "dnsChallenge", Children: []*parser.Node{
|
||||||
|
{Name: "delayBeforeCheck", Value: "42"},
|
||||||
|
{Name: "disablePropagationCheck", Value: "true"},
|
||||||
|
{Name: "provider", Value: "foobar"},
|
||||||
|
{Name: "resolvers", Value: "foobar,foobar"},
|
||||||
|
}},
|
||||||
|
{Name: "email", Value: "foobar"},
|
||||||
|
{Name: "entryPoint", Value: "foobar"},
|
||||||
|
{Name: "httpChallenge", Children: []*parser.Node{
|
||||||
|
{Name: "entryPoint", Value: "foobar"}}},
|
||||||
|
{Name: "keyType", Value: "foobar"},
|
||||||
|
{Name: "storage", Value: "foobar"},
|
||||||
|
{Name: "tlsChallenge"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}},
|
||||||
|
}},
|
||||||
{Name: "entryPoints", Children: []*parser.Node{
|
{Name: "entryPoints", Children: []*parser.Node{
|
||||||
{Name: "EntryPoint0", Children: []*parser.Node{
|
{Name: "EntryPoint0", Children: []*parser.Node{
|
||||||
{Name: "address", Value: "foobar"},
|
{Name: "address", Value: "foobar"},
|
||||||
|
|
|
@ -205,30 +205,21 @@
|
||||||
resolvConfig = "foobar"
|
resolvConfig = "foobar"
|
||||||
resolvDepth = 42
|
resolvDepth = 42
|
||||||
|
|
||||||
[acme]
|
[certificatesResolvers.default.acme]
|
||||||
email = "foobar"
|
email = "foobar"
|
||||||
acmeLogging = true
|
acmeLogging = true
|
||||||
caServer = "foobar"
|
caServer = "foobar"
|
||||||
storage = "foobar"
|
storage = "foobar"
|
||||||
entryPoint = "foobar"
|
entryPoint = "foobar"
|
||||||
keyType = "foobar"
|
keyType = "foobar"
|
||||||
onHostRule = true
|
[certificatesResolvers.default.acme.dnsChallenge]
|
||||||
[acme.dnsChallenge]
|
|
||||||
provider = "foobar"
|
provider = "foobar"
|
||||||
delayBeforeCheck = 42
|
delayBeforeCheck = 42
|
||||||
resolvers = ["foobar", "foobar"]
|
resolvers = ["foobar", "foobar"]
|
||||||
disablePropagationCheck = true
|
disablePropagationCheck = true
|
||||||
[acme.httpChallenge]
|
[certificatesResolvers.default.acme.httpChallenge]
|
||||||
entryPoint = "foobar"
|
entryPoint = "foobar"
|
||||||
[acme.tlsChallenge]
|
[certificatesResolvers.default.acme.tlsChallenge]
|
||||||
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "foobar"
|
|
||||||
sans = ["foobar", "foobar"]
|
|
||||||
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "foobar"
|
|
||||||
sans = ["foobar", "foobar"]
|
|
||||||
|
|
||||||
## Dynamic configuration
|
## Dynamic configuration
|
||||||
|
|
||||||
|
|
|
@ -214,30 +214,23 @@ hostResolver:
|
||||||
cnameFlattening: true
|
cnameFlattening: true
|
||||||
resolvConfig: foobar
|
resolvConfig: foobar
|
||||||
resolvDepth: 42
|
resolvDepth: 42
|
||||||
acme:
|
|
||||||
email: foobar
|
certificatesResolvers:
|
||||||
acmeLogging: true
|
default:
|
||||||
caServer: foobar
|
acme:
|
||||||
storage: foobar
|
email: foobar
|
||||||
entryPoint: foobar
|
acmeLogging: true
|
||||||
keyType: foobar
|
caServer: foobar
|
||||||
onHostRule: true
|
storage: foobar
|
||||||
dnsChallenge:
|
entryPoint: foobar
|
||||||
provider: foobar
|
keyType: foobar
|
||||||
delayBeforeCheck: 42
|
dnsChallenge:
|
||||||
resolvers:
|
provider: foobar
|
||||||
- foobar
|
delayBeforeCheck: 42
|
||||||
- foobar
|
resolvers:
|
||||||
disablePropagationCheck: true
|
- foobar
|
||||||
httpChallenge:
|
- foobar
|
||||||
entryPoint: foobar
|
disablePropagationCheck: true
|
||||||
tlsChallenge: {}
|
httpChallenge:
|
||||||
domains:
|
entryPoint: foobar
|
||||||
- main: foobar
|
tlsChallenge: {}
|
||||||
sans:
|
|
||||||
- foobar
|
|
||||||
- foobar
|
|
||||||
- main: foobar
|
|
||||||
sans:
|
|
||||||
- foobar
|
|
||||||
- foobar
|
|
||||||
|
|
|
@ -1,7 +1,8 @@
|
||||||
package static
|
package static
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"errors"
|
"fmt"
|
||||||
|
stdlog "log"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
@ -23,7 +24,8 @@ import (
|
||||||
"github.com/containous/traefik/pkg/tracing/zipkin"
|
"github.com/containous/traefik/pkg/tracing/zipkin"
|
||||||
"github.com/containous/traefik/pkg/types"
|
"github.com/containous/traefik/pkg/types"
|
||||||
assetfs "github.com/elazarl/go-bindata-assetfs"
|
assetfs "github.com/elazarl/go-bindata-assetfs"
|
||||||
"github.com/go-acme/lego/challenge/dns01"
|
legolog "github.com/go-acme/lego/log"
|
||||||
|
"github.com/sirupsen/logrus"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
@ -59,6 +61,11 @@ type Configuration struct {
|
||||||
|
|
||||||
HostResolver *types.HostResolverConfig `description:"Enable CNAME Flattening." json:"hostResolver,omitempty" toml:"hostResolver,omitempty" yaml:"hostResolver,omitempty" label:"allowEmpty" export:"true"`
|
HostResolver *types.HostResolverConfig `description:"Enable CNAME Flattening." json:"hostResolver,omitempty" toml:"hostResolver,omitempty" yaml:"hostResolver,omitempty" label:"allowEmpty" export:"true"`
|
||||||
|
|
||||||
|
CertificatesResolvers map[string]CertificateResolver `description:"Certificates resolvers configuration." json:"certificatesResolvers,omitempty" toml:"certificatesResolvers,omitempty" yaml:"certificatesResolvers,omitempty" export:"true"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// CertificateResolver contains the configuration for the different types of certificates resolver.
|
||||||
|
type CertificateResolver struct {
|
||||||
ACME *acmeprovider.Configuration `description:"Enable ACME (Let's Encrypt): automatic SSL." json:"acme,omitempty" toml:"acme,omitempty" yaml:"acme,omitempty" export:"true"`
|
ACME *acmeprovider.Configuration `description:"Enable ACME (Let's Encrypt): automatic SSL." json:"acme,omitempty" toml:"acme,omitempty" yaml:"acme,omitempty" export:"true"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -194,64 +201,35 @@ func (c *Configuration) SetEffectiveConfiguration() {
|
||||||
c.initACMEProvider()
|
c.initACMEProvider()
|
||||||
}
|
}
|
||||||
|
|
||||||
// FIXME handle on new configuration ACME struct
|
|
||||||
func (c *Configuration) initACMEProvider() {
|
func (c *Configuration) initACMEProvider() {
|
||||||
if c.ACME != nil {
|
for _, resolver := range c.CertificatesResolvers {
|
||||||
c.ACME.CAServer = getSafeACMECAServer(c.ACME.CAServer)
|
if resolver.ACME != nil {
|
||||||
|
resolver.ACME.CAServer = getSafeACMECAServer(resolver.ACME.CAServer)
|
||||||
if c.ACME.DNSChallenge != nil && c.ACME.HTTPChallenge != nil {
|
|
||||||
log.Warn("Unable to use DNS challenge and HTTP challenge at the same time. Fallback to DNS challenge.")
|
|
||||||
c.ACME.HTTPChallenge = nil
|
|
||||||
}
|
|
||||||
|
|
||||||
if c.ACME.DNSChallenge != nil && c.ACME.TLSChallenge != nil {
|
|
||||||
log.Warn("Unable to use DNS challenge and TLS challenge at the same time. Fallback to DNS challenge.")
|
|
||||||
c.ACME.TLSChallenge = nil
|
|
||||||
}
|
|
||||||
|
|
||||||
if c.ACME.HTTPChallenge != nil && c.ACME.TLSChallenge != nil {
|
|
||||||
log.Warn("Unable to use HTTP challenge and TLS challenge at the same time. Fallback to TLS challenge.")
|
|
||||||
c.ACME.HTTPChallenge = nil
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
// InitACMEProvider create an acme provider from the ACME part of globalConfiguration
|
legolog.Logger = stdlog.New(log.WithoutContext().WriterLevel(logrus.DebugLevel), "legolog: ", 0)
|
||||||
func (c *Configuration) InitACMEProvider() (*acmeprovider.Provider, error) {
|
|
||||||
if c.ACME != nil {
|
|
||||||
if len(c.ACME.Storage) == 0 {
|
|
||||||
return nil, errors.New("unable to initialize ACME provider with no storage location for the certificates")
|
|
||||||
}
|
|
||||||
return &acmeprovider.Provider{
|
|
||||||
Configuration: c.ACME,
|
|
||||||
}, nil
|
|
||||||
}
|
|
||||||
return nil, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// ValidateConfiguration validate that configuration is coherent
|
// ValidateConfiguration validate that configuration is coherent
|
||||||
func (c *Configuration) ValidateConfiguration() {
|
func (c *Configuration) ValidateConfiguration() error {
|
||||||
if c.ACME != nil {
|
var acmeEmail string
|
||||||
for _, domain := range c.ACME.Domains {
|
for name, resolver := range c.CertificatesResolvers {
|
||||||
if domain.Main != dns01.UnFqdn(domain.Main) {
|
if resolver.ACME == nil {
|
||||||
log.Warnf("FQDN detected, please remove the trailing dot: %s", domain.Main)
|
continue
|
||||||
}
|
|
||||||
for _, san := range domain.SANs {
|
|
||||||
if san != dns01.UnFqdn(san) {
|
|
||||||
log.Warnf("FQDN detected, please remove the trailing dot: %s", san)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if len(resolver.ACME.Storage) == 0 {
|
||||||
|
return fmt.Errorf("unable to initialize certificates resolver %q with no storage location for the certificates", name)
|
||||||
|
}
|
||||||
|
|
||||||
|
if acmeEmail != "" && resolver.ACME.Email != acmeEmail {
|
||||||
|
return fmt.Errorf("unable to initialize certificates resolver %q, all the acme resolvers must use the same email", name)
|
||||||
|
}
|
||||||
|
acmeEmail = resolver.ACME.Email
|
||||||
}
|
}
|
||||||
// FIXME Validate store config?
|
|
||||||
// if c.ACME != nil {
|
return nil
|
||||||
// if _, ok := c.EntryPoints[c.ACME.EntryPoint]; !ok {
|
|
||||||
// log.Fatalf("Unknown entrypoint %q for ACME configuration", c.ACME.EntryPoint)
|
|
||||||
// }
|
|
||||||
// else if c.EntryPoints[c.ACME.EntryPoint].TLS == nil {
|
|
||||||
// log.Fatalf("Entrypoint %q has no TLS configuration for ACME configuration", c.ACME.EntryPoint)
|
|
||||||
// }
|
|
||||||
// }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func getSafeACMECAServer(caServerSrc string) string {
|
func getSafeACMECAServer(caServerSrc string) string {
|
||||||
|
|
|
@ -17,7 +17,7 @@ import (
|
||||||
var _ challenge.ProviderTimeout = (*challengeHTTP)(nil)
|
var _ challenge.ProviderTimeout = (*challengeHTTP)(nil)
|
||||||
|
|
||||||
type challengeHTTP struct {
|
type challengeHTTP struct {
|
||||||
Store Store
|
Store ChallengeStore
|
||||||
}
|
}
|
||||||
|
|
||||||
// Present presents a challenge to obtain new ACME certificate.
|
// Present presents a challenge to obtain new ACME certificate.
|
||||||
|
@ -52,7 +52,7 @@ func (p *Provider) Append(router *mux.Router) {
|
||||||
domain = req.Host
|
domain = req.Host
|
||||||
}
|
}
|
||||||
|
|
||||||
tokenValue := getTokenValue(ctx, token, domain, p.Store)
|
tokenValue := getTokenValue(ctx, token, domain, p.ChallengeStore)
|
||||||
if len(tokenValue) > 0 {
|
if len(tokenValue) > 0 {
|
||||||
rw.WriteHeader(http.StatusOK)
|
rw.WriteHeader(http.StatusOK)
|
||||||
_, err = rw.Write(tokenValue)
|
_, err = rw.Write(tokenValue)
|
||||||
|
@ -66,7 +66,7 @@ func (p *Provider) Append(router *mux.Router) {
|
||||||
}))
|
}))
|
||||||
}
|
}
|
||||||
|
|
||||||
func getTokenValue(ctx context.Context, token, domain string, store Store) []byte {
|
func getTokenValue(ctx context.Context, token, domain string, store ChallengeStore) []byte {
|
||||||
logger := log.FromContext(ctx)
|
logger := log.FromContext(ctx)
|
||||||
logger.Debugf("Retrieving the ACME challenge for token %v...", token)
|
logger.Debugf("Retrieving the ACME challenge for token %v...", token)
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@ import (
|
||||||
var _ challenge.Provider = (*challengeTLSALPN)(nil)
|
var _ challenge.Provider = (*challengeTLSALPN)(nil)
|
||||||
|
|
||||||
type challengeTLSALPN struct {
|
type challengeTLSALPN struct {
|
||||||
Store Store
|
Store ChallengeStore
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *challengeTLSALPN) Present(domain, token, keyAuth string) error {
|
func (c *challengeTLSALPN) Present(domain, token, keyAuth string) error {
|
||||||
|
@ -37,7 +37,7 @@ func (c *challengeTLSALPN) CleanUp(domain, token, keyAuth string) error {
|
||||||
|
|
||||||
// GetTLSALPNCertificate Get the temp certificate for ACME TLS-ALPN-O1 challenge.
|
// GetTLSALPNCertificate Get the temp certificate for ACME TLS-ALPN-O1 challenge.
|
||||||
func (p *Provider) GetTLSALPNCertificate(domain string) (*tls.Certificate, error) {
|
func (p *Provider) GetTLSALPNCertificate(domain string) (*tls.Certificate, error) {
|
||||||
cert, err := p.Store.GetTLSChallenge(domain)
|
cert, err := p.ChallengeStore.GetTLSChallenge(domain)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,7 +5,6 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"os"
|
"os"
|
||||||
"regexp"
|
|
||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
"github.com/containous/traefik/pkg/log"
|
"github.com/containous/traefik/pkg/log"
|
||||||
|
@ -16,25 +15,34 @@ var _ Store = (*LocalStore)(nil)
|
||||||
|
|
||||||
// LocalStore Stores implementation for local file
|
// LocalStore Stores implementation for local file
|
||||||
type LocalStore struct {
|
type LocalStore struct {
|
||||||
|
saveDataChan chan map[string]*StoredData
|
||||||
filename string
|
filename string
|
||||||
storedData *StoredData
|
|
||||||
SaveDataChan chan *StoredData `json:"-"`
|
lock sync.RWMutex
|
||||||
lock sync.RWMutex
|
storedData map[string]*StoredData
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewLocalStore initializes a new LocalStore with a file name
|
// NewLocalStore initializes a new LocalStore with a file name
|
||||||
func NewLocalStore(filename string) *LocalStore {
|
func NewLocalStore(filename string) *LocalStore {
|
||||||
store := &LocalStore{filename: filename, SaveDataChan: make(chan *StoredData)}
|
store := &LocalStore{filename: filename, saveDataChan: make(chan map[string]*StoredData)}
|
||||||
store.listenSaveAction()
|
store.listenSaveAction()
|
||||||
return store
|
return store
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *LocalStore) get() (*StoredData, error) {
|
func (s *LocalStore) save(resolverName string, storedData *StoredData) {
|
||||||
|
s.lock.Lock()
|
||||||
|
defer s.lock.Unlock()
|
||||||
|
|
||||||
|
s.storedData[resolverName] = storedData
|
||||||
|
s.saveDataChan <- s.storedData
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *LocalStore) get(resolverName string) (*StoredData, error) {
|
||||||
|
s.lock.Lock()
|
||||||
|
defer s.lock.Unlock()
|
||||||
|
|
||||||
if s.storedData == nil {
|
if s.storedData == nil {
|
||||||
s.storedData = &StoredData{
|
s.storedData = map[string]*StoredData{}
|
||||||
HTTPChallenges: make(map[string]map[string][]byte),
|
|
||||||
TLSChallenges: make(map[string]*Certificate),
|
|
||||||
}
|
|
||||||
|
|
||||||
hasData, err := CheckFile(s.filename)
|
hasData, err := CheckFile(s.filename)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -56,49 +64,40 @@ func (s *LocalStore) get() (*StoredData, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(file) > 0 {
|
if len(file) > 0 {
|
||||||
if err := json.Unmarshal(file, s.storedData); err != nil {
|
if err := json.Unmarshal(file, &s.storedData); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check if ACME Account is in ACME V1 format
|
|
||||||
if s.storedData.Account != nil && s.storedData.Account.Registration != nil {
|
|
||||||
isOldRegistration, err := regexp.MatchString(RegistrationURLPathV1Regexp, s.storedData.Account.Registration.URI)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
if isOldRegistration {
|
|
||||||
logger.Debug("Reseting ACME account.")
|
|
||||||
s.storedData.Account = nil
|
|
||||||
s.SaveDataChan <- s.storedData
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Delete all certificates with no value
|
// Delete all certificates with no value
|
||||||
var certificates []*Certificate
|
var certificates []*CertAndStore
|
||||||
for _, certificate := range s.storedData.Certificates {
|
for _, storedData := range s.storedData {
|
||||||
if len(certificate.Certificate) == 0 || len(certificate.Key) == 0 {
|
for _, certificate := range storedData.Certificates {
|
||||||
logger.Debugf("Deleting empty certificate %v for %v", certificate, certificate.Domain.ToStrArray())
|
if len(certificate.Certificate.Certificate) == 0 || len(certificate.Key) == 0 {
|
||||||
continue
|
logger.Debugf("Deleting empty certificate %v for %v", certificate, certificate.Domain.ToStrArray())
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
certificates = append(certificates, certificate)
|
||||||
|
}
|
||||||
|
if len(certificates) < len(storedData.Certificates) {
|
||||||
|
storedData.Certificates = certificates
|
||||||
|
s.saveDataChan <- s.storedData
|
||||||
}
|
}
|
||||||
certificates = append(certificates, certificate)
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(certificates) < len(s.storedData.Certificates) {
|
|
||||||
s.storedData.Certificates = certificates
|
|
||||||
s.SaveDataChan <- s.storedData
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return s.storedData, nil
|
if s.storedData[resolverName] == nil {
|
||||||
|
s.storedData[resolverName] = &StoredData{}
|
||||||
|
}
|
||||||
|
return s.storedData[resolverName], nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// listenSaveAction listens to a chan to store ACME data in json format into LocalStore.filename
|
// listenSaveAction listens to a chan to store ACME data in json format into LocalStore.filename
|
||||||
func (s *LocalStore) listenSaveAction() {
|
func (s *LocalStore) listenSaveAction() {
|
||||||
safe.Go(func() {
|
safe.Go(func() {
|
||||||
logger := log.WithoutContext().WithField(log.ProviderName, "acme")
|
logger := log.WithoutContext().WithField(log.ProviderName, "acme")
|
||||||
for object := range s.SaveDataChan {
|
for object := range s.saveDataChan {
|
||||||
data, err := json.MarshalIndent(object, "", " ")
|
data, err := json.MarshalIndent(object, "", " ")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Error(err)
|
logger.Error(err)
|
||||||
|
@ -113,8 +112,8 @@ func (s *LocalStore) listenSaveAction() {
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetAccount returns ACME Account
|
// GetAccount returns ACME Account
|
||||||
func (s *LocalStore) GetAccount() (*Account, error) {
|
func (s *LocalStore) GetAccount(resolverName string) (*Account, error) {
|
||||||
storedData, err := s.get()
|
storedData, err := s.get(resolverName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -123,21 +122,21 @@ func (s *LocalStore) GetAccount() (*Account, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// SaveAccount stores ACME Account
|
// SaveAccount stores ACME Account
|
||||||
func (s *LocalStore) SaveAccount(account *Account) error {
|
func (s *LocalStore) SaveAccount(resolverName string, account *Account) error {
|
||||||
storedData, err := s.get()
|
storedData, err := s.get(resolverName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
storedData.Account = account
|
storedData.Account = account
|
||||||
s.SaveDataChan <- storedData
|
s.save(resolverName, storedData)
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetCertificates returns ACME Certificates list
|
// GetCertificates returns ACME Certificates list
|
||||||
func (s *LocalStore) GetCertificates() ([]*Certificate, error) {
|
func (s *LocalStore) GetCertificates(resolverName string) ([]*CertAndStore, error) {
|
||||||
storedData, err := s.get()
|
storedData, err := s.get(resolverName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -146,20 +145,37 @@ func (s *LocalStore) GetCertificates() ([]*Certificate, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// SaveCertificates stores ACME Certificates list
|
// SaveCertificates stores ACME Certificates list
|
||||||
func (s *LocalStore) SaveCertificates(certificates []*Certificate) error {
|
func (s *LocalStore) SaveCertificates(resolverName string, certificates []*CertAndStore) error {
|
||||||
storedData, err := s.get()
|
storedData, err := s.get(resolverName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
storedData.Certificates = certificates
|
storedData.Certificates = certificates
|
||||||
s.SaveDataChan <- storedData
|
s.save(resolverName, storedData)
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// LocalChallengeStore is an implementation of the ChallengeStore in memory.
|
||||||
|
type LocalChallengeStore struct {
|
||||||
|
storedData *StoredChallengeData
|
||||||
|
lock sync.RWMutex
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewLocalChallengeStore initializes a new LocalChallengeStore.
|
||||||
|
func NewLocalChallengeStore() *LocalChallengeStore {
|
||||||
|
return &LocalChallengeStore{
|
||||||
|
storedData: &StoredChallengeData{
|
||||||
|
HTTPChallenges: make(map[string]map[string][]byte),
|
||||||
|
TLSChallenges: make(map[string]*Certificate),
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
// GetHTTPChallengeToken Get the http challenge token from the store
|
// GetHTTPChallengeToken Get the http challenge token from the store
|
||||||
func (s *LocalStore) GetHTTPChallengeToken(token, domain string) ([]byte, error) {
|
func (s *LocalChallengeStore) GetHTTPChallengeToken(token, domain string) ([]byte, error) {
|
||||||
s.lock.RLock()
|
s.lock.RLock()
|
||||||
defer s.lock.RUnlock()
|
defer s.lock.RUnlock()
|
||||||
|
|
||||||
|
@ -179,7 +195,7 @@ func (s *LocalStore) GetHTTPChallengeToken(token, domain string) ([]byte, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetHTTPChallengeToken Set the http challenge token in the store
|
// SetHTTPChallengeToken Set the http challenge token in the store
|
||||||
func (s *LocalStore) SetHTTPChallengeToken(token, domain string, keyAuth []byte) error {
|
func (s *LocalChallengeStore) SetHTTPChallengeToken(token, domain string, keyAuth []byte) error {
|
||||||
s.lock.Lock()
|
s.lock.Lock()
|
||||||
defer s.lock.Unlock()
|
defer s.lock.Unlock()
|
||||||
|
|
||||||
|
@ -196,7 +212,7 @@ func (s *LocalStore) SetHTTPChallengeToken(token, domain string, keyAuth []byte)
|
||||||
}
|
}
|
||||||
|
|
||||||
// RemoveHTTPChallengeToken Remove the http challenge token in the store
|
// RemoveHTTPChallengeToken Remove the http challenge token in the store
|
||||||
func (s *LocalStore) RemoveHTTPChallengeToken(token, domain string) error {
|
func (s *LocalChallengeStore) RemoveHTTPChallengeToken(token, domain string) error {
|
||||||
s.lock.Lock()
|
s.lock.Lock()
|
||||||
defer s.lock.Unlock()
|
defer s.lock.Unlock()
|
||||||
|
|
||||||
|
@ -214,7 +230,7 @@ func (s *LocalStore) RemoveHTTPChallengeToken(token, domain string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// AddTLSChallenge Add a certificate to the ACME TLS-ALPN-01 certificates storage
|
// AddTLSChallenge Add a certificate to the ACME TLS-ALPN-01 certificates storage
|
||||||
func (s *LocalStore) AddTLSChallenge(domain string, cert *Certificate) error {
|
func (s *LocalChallengeStore) AddTLSChallenge(domain string, cert *Certificate) error {
|
||||||
s.lock.Lock()
|
s.lock.Lock()
|
||||||
defer s.lock.Unlock()
|
defer s.lock.Unlock()
|
||||||
|
|
||||||
|
@ -227,7 +243,7 @@ func (s *LocalStore) AddTLSChallenge(domain string, cert *Certificate) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetTLSChallenge Get a certificate from the ACME TLS-ALPN-01 certificates storage
|
// GetTLSChallenge Get a certificate from the ACME TLS-ALPN-01 certificates storage
|
||||||
func (s *LocalStore) GetTLSChallenge(domain string) (*Certificate, error) {
|
func (s *LocalChallengeStore) GetTLSChallenge(domain string) (*Certificate, error) {
|
||||||
s.lock.Lock()
|
s.lock.Lock()
|
||||||
defer s.lock.Unlock()
|
defer s.lock.Unlock()
|
||||||
|
|
||||||
|
@ -239,7 +255,7 @@ func (s *LocalStore) GetTLSChallenge(domain string) (*Certificate, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// RemoveTLSChallenge Remove a certificate from the ACME TLS-ALPN-01 certificates storage
|
// RemoveTLSChallenge Remove a certificate from the ACME TLS-ALPN-01 certificates storage
|
||||||
func (s *LocalStore) RemoveTLSChallenge(domain string) error {
|
func (s *LocalChallengeStore) RemoveTLSChallenge(domain string) error {
|
||||||
s.lock.Lock()
|
s.lock.Lock()
|
||||||
defer s.lock.Unlock()
|
defer s.lock.Unlock()
|
||||||
|
|
||||||
|
|
|
@ -6,8 +6,6 @@ import (
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
|
||||||
fmtlog "log"
|
|
||||||
"net/url"
|
"net/url"
|
||||||
"reflect"
|
"reflect"
|
||||||
"strings"
|
"strings"
|
||||||
|
@ -25,10 +23,8 @@ import (
|
||||||
"github.com/go-acme/lego/challenge"
|
"github.com/go-acme/lego/challenge"
|
||||||
"github.com/go-acme/lego/challenge/dns01"
|
"github.com/go-acme/lego/challenge/dns01"
|
||||||
"github.com/go-acme/lego/lego"
|
"github.com/go-acme/lego/lego"
|
||||||
legolog "github.com/go-acme/lego/log"
|
|
||||||
"github.com/go-acme/lego/providers/dns"
|
"github.com/go-acme/lego/providers/dns"
|
||||||
"github.com/go-acme/lego/registration"
|
"github.com/go-acme/lego/registration"
|
||||||
"github.com/sirupsen/logrus"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
@ -39,16 +35,12 @@ var (
|
||||||
// Configuration holds ACME configuration provided by users
|
// Configuration holds ACME configuration provided by users
|
||||||
type Configuration struct {
|
type Configuration struct {
|
||||||
Email string `description:"Email address used for registration." json:"email,omitempty" toml:"email,omitempty" yaml:"email,omitempty"`
|
Email string `description:"Email address used for registration." json:"email,omitempty" toml:"email,omitempty" yaml:"email,omitempty"`
|
||||||
ACMELogging bool `description:"Enable debug logging of ACME actions." json:"acmeLogging,omitempty" toml:"acmeLogging,omitempty" yaml:"acmeLogging,omitempty"`
|
|
||||||
CAServer string `description:"CA server to use." json:"caServer,omitempty" toml:"caServer,omitempty" yaml:"caServer,omitempty"`
|
CAServer string `description:"CA server to use." json:"caServer,omitempty" toml:"caServer,omitempty" yaml:"caServer,omitempty"`
|
||||||
Storage string `description:"Storage to use." json:"storage,omitempty" toml:"storage,omitempty" yaml:"storage,omitempty"`
|
Storage string `description:"Storage to use." json:"storage,omitempty" toml:"storage,omitempty" yaml:"storage,omitempty"`
|
||||||
EntryPoint string `description:"EntryPoint to use." json:"entryPoint,omitempty" toml:"entryPoint,omitempty" yaml:"entryPoint,omitempty"`
|
|
||||||
KeyType string `description:"KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'." json:"keyType,omitempty" toml:"keyType,omitempty" yaml:"keyType,omitempty"`
|
KeyType string `description:"KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'." json:"keyType,omitempty" toml:"keyType,omitempty" yaml:"keyType,omitempty"`
|
||||||
OnHostRule bool `description:"Enable certificate generation on router Host rules." json:"onHostRule,omitempty" toml:"onHostRule,omitempty" yaml:"onHostRule,omitempty"`
|
|
||||||
DNSChallenge *DNSChallenge `description:"Activate DNS-01 Challenge." json:"dnsChallenge,omitempty" toml:"dnsChallenge,omitempty" yaml:"dnsChallenge,omitempty" label:"allowEmpty"`
|
DNSChallenge *DNSChallenge `description:"Activate DNS-01 Challenge." json:"dnsChallenge,omitempty" toml:"dnsChallenge,omitempty" yaml:"dnsChallenge,omitempty" label:"allowEmpty"`
|
||||||
HTTPChallenge *HTTPChallenge `description:"Activate HTTP-01 Challenge." json:"httpChallenge,omitempty" toml:"httpChallenge,omitempty" yaml:"httpChallenge,omitempty" label:"allowEmpty"`
|
HTTPChallenge *HTTPChallenge `description:"Activate HTTP-01 Challenge." json:"httpChallenge,omitempty" toml:"httpChallenge,omitempty" yaml:"httpChallenge,omitempty" label:"allowEmpty"`
|
||||||
TLSChallenge *TLSChallenge `description:"Activate TLS-ALPN-01 Challenge." json:"tlsChallenge,omitempty" toml:"tlsChallenge,omitempty" yaml:"tlsChallenge,omitempty" label:"allowEmpty"`
|
TLSChallenge *TLSChallenge `description:"Activate TLS-ALPN-01 Challenge." json:"tlsChallenge,omitempty" toml:"tlsChallenge,omitempty" yaml:"tlsChallenge,omitempty" label:"allowEmpty"`
|
||||||
Domains []types.Domain `description:"The list of domains for which certificates are generated on startup. Wildcard domains only accepted with DNSChallenge." json:"domains,omitempty" toml:"domains,omitempty" yaml:"domains,omitempty"`
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetDefaults sets the default values.
|
// SetDefaults sets the default values.
|
||||||
|
@ -58,6 +50,12 @@ func (a *Configuration) SetDefaults() {
|
||||||
a.KeyType = "RSA4096"
|
a.KeyType = "RSA4096"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// CertAndStore allows mapping a TLS certificate to a TLS store.
|
||||||
|
type CertAndStore struct {
|
||||||
|
Certificate
|
||||||
|
Store string
|
||||||
|
}
|
||||||
|
|
||||||
// Certificate is a struct which contains all data needed from an ACME certificate
|
// Certificate is a struct which contains all data needed from an ACME certificate
|
||||||
type Certificate struct {
|
type Certificate struct {
|
||||||
Domain types.Domain `json:"domain,omitempty" toml:"domain,omitempty" yaml:"domain,omitempty"`
|
Domain types.Domain `json:"domain,omitempty" toml:"domain,omitempty" yaml:"domain,omitempty"`
|
||||||
|
@ -84,11 +82,13 @@ type TLSChallenge struct{}
|
||||||
// Provider holds configurations of the provider.
|
// Provider holds configurations of the provider.
|
||||||
type Provider struct {
|
type Provider struct {
|
||||||
*Configuration
|
*Configuration
|
||||||
|
ResolverName string
|
||||||
Store Store `json:"store,omitempty" toml:"store,omitempty" yaml:"store,omitempty"`
|
Store Store `json:"store,omitempty" toml:"store,omitempty" yaml:"store,omitempty"`
|
||||||
certificates []*Certificate
|
ChallengeStore ChallengeStore
|
||||||
|
certificates []*CertAndStore
|
||||||
account *Account
|
account *Account
|
||||||
client *lego.Client
|
client *lego.Client
|
||||||
certsChan chan *Certificate
|
certsChan chan *CertAndStore
|
||||||
configurationChan chan<- dynamic.Message
|
configurationChan chan<- dynamic.Message
|
||||||
tlsManager *traefiktls.Manager
|
tlsManager *traefiktls.Manager
|
||||||
clientMutex sync.Mutex
|
clientMutex sync.Mutex
|
||||||
|
@ -113,41 +113,20 @@ func (p *Provider) ListenConfiguration(config dynamic.Configuration) {
|
||||||
p.configFromListenerChan <- config
|
p.configFromListenerChan <- config
|
||||||
}
|
}
|
||||||
|
|
||||||
// ListenRequest resolves new certificates for a domain from an incoming request and return a valid Certificate to serve (onDemand option)
|
|
||||||
func (p *Provider) ListenRequest(domain string) (*tls.Certificate, error) {
|
|
||||||
ctx := log.With(context.Background(), log.Str(log.ProviderName, "acme"))
|
|
||||||
|
|
||||||
acmeCert, err := p.resolveCertificate(ctx, types.Domain{Main: domain}, false)
|
|
||||||
if acmeCert == nil || err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
cert, err := tls.X509KeyPair(acmeCert.Certificate, acmeCert.PrivateKey)
|
|
||||||
|
|
||||||
return &cert, err
|
|
||||||
}
|
|
||||||
|
|
||||||
// Init for compatibility reason the BaseProvider implements an empty Init
|
// Init for compatibility reason the BaseProvider implements an empty Init
|
||||||
func (p *Provider) Init() error {
|
func (p *Provider) Init() error {
|
||||||
|
|
||||||
ctx := log.With(context.Background(), log.Str(log.ProviderName, "acme"))
|
ctx := log.With(context.Background(), log.Str(log.ProviderName, "acme"))
|
||||||
logger := log.FromContext(ctx)
|
logger := log.FromContext(ctx)
|
||||||
|
|
||||||
if p.ACMELogging {
|
|
||||||
legolog.Logger = fmtlog.New(logger.WriterLevel(logrus.InfoLevel), "legolog: ", 0)
|
|
||||||
} else {
|
|
||||||
legolog.Logger = fmtlog.New(ioutil.Discard, "", 0)
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(p.Configuration.Storage) == 0 {
|
if len(p.Configuration.Storage) == 0 {
|
||||||
return errors.New("unable to initialize ACME provider with no storage location for the certificates")
|
return errors.New("unable to initialize ACME provider with no storage location for the certificates")
|
||||||
}
|
}
|
||||||
p.Store = NewLocalStore(p.Configuration.Storage)
|
|
||||||
|
|
||||||
var err error
|
var err error
|
||||||
p.account, err = p.Store.GetAccount()
|
p.account, err = p.Store.GetAccount(p.ResolverName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("unable to get ACME account : %v", err)
|
return fmt.Errorf("unable to get ACME account: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Reset Account if caServer changed, thus registration URI can be updated
|
// Reset Account if caServer changed, thus registration URI can be updated
|
||||||
|
@ -156,7 +135,7 @@ func (p *Provider) Init() error {
|
||||||
p.account = nil
|
p.account = nil
|
||||||
}
|
}
|
||||||
|
|
||||||
p.certificates, err = p.Store.GetCertificates()
|
p.certificates, err = p.Store.GetCertificates(p.ResolverName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("unable to get ACME certificates : %v", err)
|
return fmt.Errorf("unable to get ACME certificates : %v", err)
|
||||||
}
|
}
|
||||||
|
@ -188,7 +167,7 @@ func isAccountMatchingCaServer(ctx context.Context, accountURI string, serverURI
|
||||||
// Provide allows the file provider to provide configurations to traefik
|
// Provide allows the file provider to provide configurations to traefik
|
||||||
// using the given Configuration channel.
|
// using the given Configuration channel.
|
||||||
func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.Pool) error {
|
func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.Pool) error {
|
||||||
ctx := log.With(context.Background(), log.Str(log.ProviderName, "acme"))
|
ctx := log.With(context.Background(), log.Str(log.ProviderName, "acme."+p.ResolverName))
|
||||||
|
|
||||||
p.pool = pool
|
p.pool = pool
|
||||||
|
|
||||||
|
@ -198,17 +177,6 @@ func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.
|
||||||
p.configurationChan = configurationChan
|
p.configurationChan = configurationChan
|
||||||
p.refreshCertificates()
|
p.refreshCertificates()
|
||||||
|
|
||||||
p.deleteUnnecessaryDomains(ctx)
|
|
||||||
for i := 0; i < len(p.Domains); i++ {
|
|
||||||
domain := p.Domains[i]
|
|
||||||
safe.Go(func() {
|
|
||||||
if _, err := p.resolveCertificate(ctx, domain, true); err != nil {
|
|
||||||
log.WithoutContext().WithField(log.ProviderName, "acme").
|
|
||||||
Errorf("Unable to obtain ACME certificate for domains %q : %v", strings.Join(domain.ToStrArray(), ","), err)
|
|
||||||
}
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
p.renewCertificates(ctx)
|
p.renewCertificates(ctx)
|
||||||
|
|
||||||
ticker := time.NewTicker(24 * time.Hour)
|
ticker := time.NewTicker(24 * time.Hour)
|
||||||
|
@ -275,13 +243,18 @@ func (p *Provider) getClient() (*lego.Client, error) {
|
||||||
|
|
||||||
// Save the account once before all the certificates generation/storing
|
// Save the account once before all the certificates generation/storing
|
||||||
// No certificate can be generated if account is not initialized
|
// No certificate can be generated if account is not initialized
|
||||||
err = p.Store.SaveAccount(account)
|
err = p.Store.SaveAccount(p.ResolverName, account)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
switch {
|
if (p.DNSChallenge == nil || len(p.DNSChallenge.Provider) == 0) &&
|
||||||
case p.DNSChallenge != nil && len(p.DNSChallenge.Provider) > 0:
|
(p.HTTPChallenge == nil || len(p.HTTPChallenge.EntryPoint) == 0) &&
|
||||||
|
p.TLSChallenge == nil {
|
||||||
|
return nil, errors.New("ACME challenge not specified, please select TLS or HTTP or DNS Challenge")
|
||||||
|
}
|
||||||
|
|
||||||
|
if p.DNSChallenge != nil && len(p.DNSChallenge.Provider) > 0 {
|
||||||
logger.Debugf("Using DNS Challenge provider: %s", p.DNSChallenge.Provider)
|
logger.Debugf("Using DNS Challenge provider: %s", p.DNSChallenge.Provider)
|
||||||
|
|
||||||
var provider challenge.Provider
|
var provider challenge.Provider
|
||||||
|
@ -304,25 +277,24 @@ func (p *Provider) getClient() (*lego.Client, error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
case p.HTTPChallenge != nil && len(p.HTTPChallenge.EntryPoint) > 0:
|
if p.HTTPChallenge != nil && len(p.HTTPChallenge.EntryPoint) > 0 {
|
||||||
logger.Debug("Using HTTP Challenge provider.")
|
logger.Debug("Using HTTP Challenge provider.")
|
||||||
|
|
||||||
err = client.Challenge.SetHTTP01Provider(&challengeHTTP{Store: p.Store})
|
err = client.Challenge.SetHTTP01Provider(&challengeHTTP{Store: p.ChallengeStore})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
case p.TLSChallenge != nil:
|
if p.TLSChallenge != nil {
|
||||||
logger.Debug("Using TLS Challenge provider.")
|
logger.Debug("Using TLS Challenge provider.")
|
||||||
|
|
||||||
err = client.Challenge.SetTLSALPN01Provider(&challengeTLSALPN{Store: p.Store})
|
err = client.Challenge.SetTLSALPN01Provider(&challengeTLSALPN{Store: p.ChallengeStore})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
default:
|
|
||||||
return nil, errors.New("ACME challenge not specified, please select TLS or HTTP or DNS Challenge")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
p.client = client
|
p.client = client
|
||||||
|
@ -346,7 +318,7 @@ func (p *Provider) initAccount(ctx context.Context) (*Account, error) {
|
||||||
return p.account, nil
|
return p.account, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *Provider) resolveDomains(ctx context.Context, domains []string) {
|
func (p *Provider) resolveDomains(ctx context.Context, domains []string, tlsStore string) {
|
||||||
if len(domains) == 0 {
|
if len(domains) == 0 {
|
||||||
log.FromContext(ctx).Debug("No domain parsed in provider ACME")
|
log.FromContext(ctx).Debug("No domain parsed in provider ACME")
|
||||||
return
|
return
|
||||||
|
@ -362,7 +334,7 @@ func (p *Provider) resolveDomains(ctx context.Context, domains []string) {
|
||||||
}
|
}
|
||||||
|
|
||||||
safe.Go(func() {
|
safe.Go(func() {
|
||||||
if _, err := p.resolveCertificate(ctx, domain, false); err != nil {
|
if _, err := p.resolveCertificate(ctx, domain, tlsStore); err != nil {
|
||||||
log.FromContext(ctx).Errorf("Unable to obtain ACME certificate for domains %q: %v", strings.Join(domains, ","), err)
|
log.FromContext(ctx).Errorf("Unable to obtain ACME certificate for domains %q: %v", strings.Join(domains, ","), err)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
@ -376,32 +348,72 @@ func (p *Provider) watchNewDomains(ctx context.Context) {
|
||||||
case config := <-p.configFromListenerChan:
|
case config := <-p.configFromListenerChan:
|
||||||
if config.TCP != nil {
|
if config.TCP != nil {
|
||||||
for routerName, route := range config.TCP.Routers {
|
for routerName, route := range config.TCP.Routers {
|
||||||
if route.TLS == nil {
|
if route.TLS == nil || route.TLS.CertResolver != p.ResolverName {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
ctxRouter := log.With(ctx, log.Str(log.RouterName, routerName), log.Str(log.Rule, route.Rule))
|
ctxRouter := log.With(ctx, log.Str(log.RouterName, routerName), log.Str(log.Rule, route.Rule))
|
||||||
|
|
||||||
domains, err := rules.ParseHostSNI(route.Rule)
|
tlsStore := "default"
|
||||||
if err != nil {
|
if len(route.TLS.Domains) > 0 {
|
||||||
log.FromContext(ctxRouter).Errorf("Error parsing domains in provider ACME: %v", err)
|
for _, domain := range route.TLS.Domains {
|
||||||
continue
|
if domain.Main != dns01.UnFqdn(domain.Main) {
|
||||||
|
log.Warnf("FQDN detected, please remove the trailing dot: %s", domain.Main)
|
||||||
|
}
|
||||||
|
for _, san := range domain.SANs {
|
||||||
|
if san != dns01.UnFqdn(san) {
|
||||||
|
log.Warnf("FQDN detected, please remove the trailing dot: %s", san)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
domains := deleteUnnecessaryDomains(ctxRouter, route.TLS.Domains)
|
||||||
|
for i := 0; i < len(domains); i++ {
|
||||||
|
domain := domains[i]
|
||||||
|
safe.Go(func() {
|
||||||
|
if _, err := p.resolveCertificate(ctx, domain, tlsStore); err != nil {
|
||||||
|
log.WithoutContext().WithField(log.ProviderName, "acme."+p.ResolverName).
|
||||||
|
Errorf("Unable to obtain ACME certificate for domains %q : %v", strings.Join(domain.ToStrArray(), ","), err)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
domains, err := rules.ParseHostSNI(route.Rule)
|
||||||
|
if err != nil {
|
||||||
|
log.FromContext(ctxRouter).Errorf("Error parsing domains in provider ACME: %v", err)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
p.resolveDomains(ctxRouter, domains, tlsStore)
|
||||||
}
|
}
|
||||||
p.resolveDomains(ctxRouter, domains)
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for routerName, route := range config.HTTP.Routers {
|
for routerName, route := range config.HTTP.Routers {
|
||||||
if route.TLS == nil {
|
if route.TLS == nil || route.TLS.CertResolver != p.ResolverName {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
ctxRouter := log.With(ctx, log.Str(log.RouterName, routerName), log.Str(log.Rule, route.Rule))
|
ctxRouter := log.With(ctx, log.Str(log.RouterName, routerName), log.Str(log.Rule, route.Rule))
|
||||||
|
|
||||||
domains, err := rules.ParseDomains(route.Rule)
|
tlsStore := "default"
|
||||||
if err != nil {
|
if len(route.TLS.Domains) > 0 {
|
||||||
log.FromContext(ctxRouter).Errorf("Error parsing domains in provider ACME: %v", err)
|
domains := deleteUnnecessaryDomains(ctxRouter, route.TLS.Domains)
|
||||||
continue
|
for i := 0; i < len(domains); i++ {
|
||||||
|
domain := domains[i]
|
||||||
|
safe.Go(func() {
|
||||||
|
if _, err := p.resolveCertificate(ctx, domain, tlsStore); err != nil {
|
||||||
|
log.WithoutContext().WithField(log.ProviderName, "acme."+p.ResolverName).
|
||||||
|
Errorf("Unable to obtain ACME certificate for domains %q : %v", strings.Join(domain.ToStrArray(), ","), err)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
domains, err := rules.ParseDomains(route.Rule)
|
||||||
|
if err != nil {
|
||||||
|
log.FromContext(ctxRouter).Errorf("Error parsing domains in provider ACME: %v", err)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
p.resolveDomains(ctxRouter, domains, tlsStore)
|
||||||
}
|
}
|
||||||
p.resolveDomains(ctxRouter, domains)
|
|
||||||
}
|
}
|
||||||
case <-stop:
|
case <-stop:
|
||||||
return
|
return
|
||||||
|
@ -410,14 +422,14 @@ func (p *Provider) watchNewDomains(ctx context.Context) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *Provider) resolveCertificate(ctx context.Context, domain types.Domain, domainFromConfigurationFile bool) (*certificate.Resource, error) {
|
func (p *Provider) resolveCertificate(ctx context.Context, domain types.Domain, tlsStore string) (*certificate.Resource, error) {
|
||||||
domains, err := p.getValidDomains(ctx, domain, domainFromConfigurationFile)
|
domains, err := p.getValidDomains(ctx, domain)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check provided certificates
|
// Check provided certificates
|
||||||
uncheckedDomains := p.getUncheckedDomains(ctx, domains, !domainFromConfigurationFile)
|
uncheckedDomains := p.getUncheckedDomains(ctx, domains, tlsStore)
|
||||||
if len(uncheckedDomains) == 0 {
|
if len(uncheckedDomains) == 0 {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
@ -457,7 +469,7 @@ func (p *Provider) resolveCertificate(ctx context.Context, domain types.Domain,
|
||||||
} else {
|
} else {
|
||||||
domain = types.Domain{Main: uncheckedDomains[0]}
|
domain = types.Domain{Main: uncheckedDomains[0]}
|
||||||
}
|
}
|
||||||
p.addCertificateForDomain(domain, cert.Certificate, cert.PrivateKey)
|
p.addCertificateForDomain(domain, cert.Certificate, cert.PrivateKey, tlsStore)
|
||||||
|
|
||||||
return cert, nil
|
return cert, nil
|
||||||
}
|
}
|
||||||
|
@ -480,22 +492,22 @@ func (p *Provider) addResolvingDomains(resolvingDomains []string) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *Provider) addCertificateForDomain(domain types.Domain, certificate []byte, key []byte) {
|
func (p *Provider) addCertificateForDomain(domain types.Domain, certificate []byte, key []byte, tlsStore string) {
|
||||||
p.certsChan <- &Certificate{Certificate: certificate, Key: key, Domain: domain}
|
p.certsChan <- &CertAndStore{Certificate: Certificate{Certificate: certificate, Key: key, Domain: domain}, Store: tlsStore}
|
||||||
}
|
}
|
||||||
|
|
||||||
// deleteUnnecessaryDomains deletes from the configuration :
|
// deleteUnnecessaryDomains deletes from the configuration :
|
||||||
// - Duplicated domains
|
// - Duplicated domains
|
||||||
// - Domains which are checked by wildcard domain
|
// - Domains which are checked by wildcard domain
|
||||||
func (p *Provider) deleteUnnecessaryDomains(ctx context.Context) {
|
func deleteUnnecessaryDomains(ctx context.Context, domains []types.Domain) []types.Domain {
|
||||||
var newDomains []types.Domain
|
var newDomains []types.Domain
|
||||||
|
|
||||||
logger := log.FromContext(ctx)
|
logger := log.FromContext(ctx)
|
||||||
|
|
||||||
for idxDomainToCheck, domainToCheck := range p.Domains {
|
for idxDomainToCheck, domainToCheck := range domains {
|
||||||
keepDomain := true
|
keepDomain := true
|
||||||
|
|
||||||
for idxDomain, domain := range p.Domains {
|
for idxDomain, domain := range domains {
|
||||||
if idxDomainToCheck == idxDomain {
|
if idxDomainToCheck == idxDomain {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
@ -538,11 +550,11 @@ func (p *Provider) deleteUnnecessaryDomains(ctx context.Context) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
p.Domains = newDomains
|
return newDomains
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *Provider) watchCertificate(ctx context.Context) {
|
func (p *Provider) watchCertificate(ctx context.Context) {
|
||||||
p.certsChan = make(chan *Certificate)
|
p.certsChan = make(chan *CertAndStore)
|
||||||
|
|
||||||
p.pool.Go(func(stop chan bool) {
|
p.pool.Go(func(stop chan bool) {
|
||||||
for {
|
for {
|
||||||
|
@ -550,9 +562,8 @@ func (p *Provider) watchCertificate(ctx context.Context) {
|
||||||
case cert := <-p.certsChan:
|
case cert := <-p.certsChan:
|
||||||
certUpdated := false
|
certUpdated := false
|
||||||
for _, domainsCertificate := range p.certificates {
|
for _, domainsCertificate := range p.certificates {
|
||||||
if reflect.DeepEqual(cert.Domain, domainsCertificate.Domain) {
|
if reflect.DeepEqual(cert.Domain, domainsCertificate.Certificate.Domain) {
|
||||||
domainsCertificate.Certificate = cert.Certificate
|
domainsCertificate.Certificate = cert.Certificate
|
||||||
domainsCertificate.Key = cert.Key
|
|
||||||
certUpdated = true
|
certUpdated = true
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
|
@ -573,7 +584,7 @@ func (p *Provider) watchCertificate(ctx context.Context) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *Provider) saveCertificates() error {
|
func (p *Provider) saveCertificates() error {
|
||||||
err := p.Store.SaveCertificates(p.certificates)
|
err := p.Store.SaveCertificates(p.ResolverName, p.certificates)
|
||||||
|
|
||||||
p.refreshCertificates()
|
p.refreshCertificates()
|
||||||
|
|
||||||
|
@ -582,7 +593,7 @@ func (p *Provider) saveCertificates() error {
|
||||||
|
|
||||||
func (p *Provider) refreshCertificates() {
|
func (p *Provider) refreshCertificates() {
|
||||||
conf := dynamic.Message{
|
conf := dynamic.Message{
|
||||||
ProviderName: "ACME",
|
ProviderName: "acme." + p.ResolverName,
|
||||||
Configuration: &dynamic.Configuration{
|
Configuration: &dynamic.Configuration{
|
||||||
HTTP: &dynamic.HTTPConfiguration{
|
HTTP: &dynamic.HTTPConfiguration{
|
||||||
Routers: map[string]*dynamic.Router{},
|
Routers: map[string]*dynamic.Router{},
|
||||||
|
@ -596,9 +607,10 @@ func (p *Provider) refreshCertificates() {
|
||||||
for _, cert := range p.certificates {
|
for _, cert := range p.certificates {
|
||||||
certConf := &traefiktls.CertAndStores{
|
certConf := &traefiktls.CertAndStores{
|
||||||
Certificate: traefiktls.Certificate{
|
Certificate: traefiktls.Certificate{
|
||||||
CertFile: traefiktls.FileOrContent(cert.Certificate),
|
CertFile: traefiktls.FileOrContent(cert.Certificate.Certificate),
|
||||||
KeyFile: traefiktls.FileOrContent(cert.Key),
|
KeyFile: traefiktls.FileOrContent(cert.Key),
|
||||||
},
|
},
|
||||||
|
Stores: []string{cert.Store},
|
||||||
}
|
}
|
||||||
conf.Configuration.TLS.Certificates = append(conf.Configuration.TLS.Certificates, certConf)
|
conf.Configuration.TLS.Certificates = append(conf.Configuration.TLS.Certificates, certConf)
|
||||||
}
|
}
|
||||||
|
@ -611,7 +623,7 @@ func (p *Provider) renewCertificates(ctx context.Context) {
|
||||||
|
|
||||||
logger.Info("Testing certificate renew...")
|
logger.Info("Testing certificate renew...")
|
||||||
for _, cert := range p.certificates {
|
for _, cert := range p.certificates {
|
||||||
crt, err := getX509Certificate(ctx, cert)
|
crt, err := getX509Certificate(ctx, &cert.Certificate)
|
||||||
// If there's an error, we assume the cert is broken, and needs update
|
// If there's an error, we assume the cert is broken, and needs update
|
||||||
// <= 30 days left, renew certificate
|
// <= 30 days left, renew certificate
|
||||||
if err != nil || crt == nil || crt.NotAfter.Before(time.Now().Add(24*30*time.Hour)) {
|
if err != nil || crt == nil || crt.NotAfter.Before(time.Now().Add(24*30*time.Hour)) {
|
||||||
|
@ -626,7 +638,7 @@ func (p *Provider) renewCertificates(ctx context.Context) {
|
||||||
renewedCert, err := client.Certificate.Renew(certificate.Resource{
|
renewedCert, err := client.Certificate.Renew(certificate.Resource{
|
||||||
Domain: cert.Domain.Main,
|
Domain: cert.Domain.Main,
|
||||||
PrivateKey: cert.Key,
|
PrivateKey: cert.Key,
|
||||||
Certificate: cert.Certificate,
|
Certificate: cert.Certificate.Certificate,
|
||||||
}, true, oscpMustStaple)
|
}, true, oscpMustStaple)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -639,20 +651,20 @@ func (p *Provider) renewCertificates(ctx context.Context) {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
p.addCertificateForDomain(cert.Domain, renewedCert.Certificate, renewedCert.PrivateKey)
|
p.addCertificateForDomain(cert.Domain, renewedCert.Certificate, renewedCert.PrivateKey, cert.Store)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Get provided certificate which check a domains list (Main and SANs)
|
// Get provided certificate which check a domains list (Main and SANs)
|
||||||
// from static and dynamic provided certificates
|
// from static and dynamic provided certificates
|
||||||
func (p *Provider) getUncheckedDomains(ctx context.Context, domainsToCheck []string, checkConfigurationDomains bool) []string {
|
func (p *Provider) getUncheckedDomains(ctx context.Context, domainsToCheck []string, tlsStore string) []string {
|
||||||
p.resolvingDomainsMutex.RLock()
|
p.resolvingDomainsMutex.RLock()
|
||||||
defer p.resolvingDomainsMutex.RUnlock()
|
defer p.resolvingDomainsMutex.RUnlock()
|
||||||
|
|
||||||
log.FromContext(ctx).Debugf("Looking for provided certificate(s) to validate %q...", domainsToCheck)
|
log.FromContext(ctx).Debugf("Looking for provided certificate(s) to validate %q...", domainsToCheck)
|
||||||
|
|
||||||
allDomains := p.tlsManager.GetStore("default").GetAllDomains()
|
allDomains := p.tlsManager.GetStore(tlsStore).GetAllDomains()
|
||||||
|
|
||||||
// Get ACME certificates
|
// Get ACME certificates
|
||||||
for _, cert := range p.certificates {
|
for _, cert := range p.certificates {
|
||||||
|
@ -664,13 +676,6 @@ func (p *Provider) getUncheckedDomains(ctx context.Context, domainsToCheck []str
|
||||||
allDomains = append(allDomains, domain)
|
allDomains = append(allDomains, domain)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Get Configuration Domains
|
|
||||||
if checkConfigurationDomains {
|
|
||||||
for i := 0; i < len(p.Domains); i++ {
|
|
||||||
allDomains = append(allDomains, strings.Join(p.Domains[i].ToStrArray(), ","))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return searchUncheckedDomains(ctx, domainsToCheck, allDomains)
|
return searchUncheckedDomains(ctx, domainsToCheck, allDomains)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -712,17 +717,13 @@ func getX509Certificate(ctx context.Context, cert *Certificate) (*x509.Certifica
|
||||||
}
|
}
|
||||||
|
|
||||||
// getValidDomains checks if given domain is allowed to generate a ACME certificate and return it
|
// getValidDomains checks if given domain is allowed to generate a ACME certificate and return it
|
||||||
func (p *Provider) getValidDomains(ctx context.Context, domain types.Domain, wildcardAllowed bool) ([]string, error) {
|
func (p *Provider) getValidDomains(ctx context.Context, domain types.Domain) ([]string, error) {
|
||||||
domains := domain.ToStrArray()
|
domains := domain.ToStrArray()
|
||||||
if len(domains) == 0 {
|
if len(domains) == 0 {
|
||||||
return nil, errors.New("unable to generate a certificate in ACME provider when no domain is given")
|
return nil, errors.New("unable to generate a certificate in ACME provider when no domain is given")
|
||||||
}
|
}
|
||||||
|
|
||||||
if strings.HasPrefix(domain.Main, "*") {
|
if strings.HasPrefix(domain.Main, "*") {
|
||||||
if !wildcardAllowed {
|
|
||||||
return nil, fmt.Errorf("unable to generate a wildcard certificate in ACME provider for domain %q from a 'Host' rule", strings.Join(domains, ","))
|
|
||||||
}
|
|
||||||
|
|
||||||
if p.DNSChallenge == nil {
|
if p.DNSChallenge == nil {
|
||||||
return nil, fmt.Errorf("unable to generate a wildcard certificate in ACME provider for domain %q : ACME needs a DNSChallenge", strings.Join(domains, ","))
|
return nil, fmt.Errorf("unable to generate a wildcard certificate in ACME provider for domain %q : ACME needs a DNSChallenge", strings.Join(domains, ","))
|
||||||
}
|
}
|
||||||
|
|
|
@ -30,7 +30,7 @@ func TestGetUncheckedCertificates(t *testing.T) {
|
||||||
desc string
|
desc string
|
||||||
dynamicCerts *safe.Safe
|
dynamicCerts *safe.Safe
|
||||||
resolvingDomains map[string]struct{}
|
resolvingDomains map[string]struct{}
|
||||||
acmeCertificates []*Certificate
|
acmeCertificates []*CertAndStore
|
||||||
domains []string
|
domains []string
|
||||||
expectedDomains []string
|
expectedDomains []string
|
||||||
}{
|
}{
|
||||||
|
@ -48,9 +48,11 @@ func TestGetUncheckedCertificates(t *testing.T) {
|
||||||
{
|
{
|
||||||
desc: "wildcard already exists in ACME certificates",
|
desc: "wildcard already exists in ACME certificates",
|
||||||
domains: []string{"*.traefik.wtf"},
|
domains: []string{"*.traefik.wtf"},
|
||||||
acmeCertificates: []*Certificate{
|
acmeCertificates: []*CertAndStore{
|
||||||
{
|
{
|
||||||
Domain: types.Domain{Main: "*.traefik.wtf"},
|
Certificate: Certificate{
|
||||||
|
Domain: types.Domain{Main: "*.traefik.wtf"},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expectedDomains: nil,
|
expectedDomains: nil,
|
||||||
|
@ -69,9 +71,11 @@ func TestGetUncheckedCertificates(t *testing.T) {
|
||||||
{
|
{
|
||||||
desc: "domain CN already exists in ACME certificates and SANs to generate",
|
desc: "domain CN already exists in ACME certificates and SANs to generate",
|
||||||
domains: []string{"traefik.wtf", "foo.traefik.wtf"},
|
domains: []string{"traefik.wtf", "foo.traefik.wtf"},
|
||||||
acmeCertificates: []*Certificate{
|
acmeCertificates: []*CertAndStore{
|
||||||
{
|
{
|
||||||
Domain: types.Domain{Main: "traefik.wtf"},
|
Certificate: Certificate{
|
||||||
|
Domain: types.Domain{Main: "traefik.wtf"},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expectedDomains: []string{"foo.traefik.wtf"},
|
expectedDomains: []string{"foo.traefik.wtf"},
|
||||||
|
@ -85,9 +89,11 @@ func TestGetUncheckedCertificates(t *testing.T) {
|
||||||
{
|
{
|
||||||
desc: "domain already exists in ACME certificates",
|
desc: "domain already exists in ACME certificates",
|
||||||
domains: []string{"traefik.wtf"},
|
domains: []string{"traefik.wtf"},
|
||||||
acmeCertificates: []*Certificate{
|
acmeCertificates: []*CertAndStore{
|
||||||
{
|
{
|
||||||
Domain: types.Domain{Main: "traefik.wtf"},
|
Certificate: Certificate{
|
||||||
|
Domain: types.Domain{Main: "traefik.wtf"},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expectedDomains: nil,
|
expectedDomains: nil,
|
||||||
|
@ -101,9 +107,11 @@ func TestGetUncheckedCertificates(t *testing.T) {
|
||||||
{
|
{
|
||||||
desc: "domain matched by wildcard in ACME certificates",
|
desc: "domain matched by wildcard in ACME certificates",
|
||||||
domains: []string{"who.traefik.wtf", "foo.traefik.wtf"},
|
domains: []string{"who.traefik.wtf", "foo.traefik.wtf"},
|
||||||
acmeCertificates: []*Certificate{
|
acmeCertificates: []*CertAndStore{
|
||||||
{
|
{
|
||||||
Domain: types.Domain{Main: "*.traefik.wtf"},
|
Certificate: Certificate{
|
||||||
|
Domain: types.Domain{Main: "*.traefik.wtf"},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expectedDomains: nil,
|
expectedDomains: nil,
|
||||||
|
@ -111,9 +119,11 @@ func TestGetUncheckedCertificates(t *testing.T) {
|
||||||
{
|
{
|
||||||
desc: "root domain with wildcard in ACME certificates",
|
desc: "root domain with wildcard in ACME certificates",
|
||||||
domains: []string{"traefik.wtf", "foo.traefik.wtf"},
|
domains: []string{"traefik.wtf", "foo.traefik.wtf"},
|
||||||
acmeCertificates: []*Certificate{
|
acmeCertificates: []*CertAndStore{
|
||||||
{
|
{
|
||||||
Domain: types.Domain{Main: "*.traefik.wtf"},
|
Certificate: Certificate{
|
||||||
|
Domain: types.Domain{Main: "*.traefik.wtf"},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expectedDomains: []string{"traefik.wtf"},
|
expectedDomains: []string{"traefik.wtf"},
|
||||||
|
@ -171,7 +181,7 @@ func TestGetUncheckedCertificates(t *testing.T) {
|
||||||
resolvingDomains: test.resolvingDomains,
|
resolvingDomains: test.resolvingDomains,
|
||||||
}
|
}
|
||||||
|
|
||||||
domains := acmeProvider.getUncheckedDomains(context.Background(), test.domains, false)
|
domains := acmeProvider.getUncheckedDomains(context.Background(), test.domains, "default")
|
||||||
assert.Equal(t, len(test.expectedDomains), len(domains), "Unexpected domains.")
|
assert.Equal(t, len(test.expectedDomains), len(domains), "Unexpected domains.")
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
@ -181,7 +191,6 @@ func TestGetValidDomain(t *testing.T) {
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
desc string
|
desc string
|
||||||
domains types.Domain
|
domains types.Domain
|
||||||
wildcardAllowed bool
|
|
||||||
dnsChallenge *DNSChallenge
|
dnsChallenge *DNSChallenge
|
||||||
expectedErr string
|
expectedErr string
|
||||||
expectedDomains []string
|
expectedDomains []string
|
||||||
|
@ -190,7 +199,6 @@ func TestGetValidDomain(t *testing.T) {
|
||||||
desc: "valid wildcard",
|
desc: "valid wildcard",
|
||||||
domains: types.Domain{Main: "*.traefik.wtf"},
|
domains: types.Domain{Main: "*.traefik.wtf"},
|
||||||
dnsChallenge: &DNSChallenge{},
|
dnsChallenge: &DNSChallenge{},
|
||||||
wildcardAllowed: true,
|
|
||||||
expectedErr: "",
|
expectedErr: "",
|
||||||
expectedDomains: []string{"*.traefik.wtf"},
|
expectedDomains: []string{"*.traefik.wtf"},
|
||||||
},
|
},
|
||||||
|
@ -199,22 +207,12 @@ func TestGetValidDomain(t *testing.T) {
|
||||||
domains: types.Domain{Main: "traefik.wtf", SANs: []string{"foo.traefik.wtf"}},
|
domains: types.Domain{Main: "traefik.wtf", SANs: []string{"foo.traefik.wtf"}},
|
||||||
dnsChallenge: &DNSChallenge{},
|
dnsChallenge: &DNSChallenge{},
|
||||||
expectedErr: "",
|
expectedErr: "",
|
||||||
wildcardAllowed: true,
|
|
||||||
expectedDomains: []string{"traefik.wtf", "foo.traefik.wtf"},
|
expectedDomains: []string{"traefik.wtf", "foo.traefik.wtf"},
|
||||||
},
|
},
|
||||||
{
|
|
||||||
desc: "unauthorized wildcard",
|
|
||||||
domains: types.Domain{Main: "*.traefik.wtf"},
|
|
||||||
dnsChallenge: &DNSChallenge{},
|
|
||||||
wildcardAllowed: false,
|
|
||||||
expectedErr: "unable to generate a wildcard certificate in ACME provider for domain \"*.traefik.wtf\" from a 'Host' rule",
|
|
||||||
expectedDomains: nil,
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
desc: "no domain",
|
desc: "no domain",
|
||||||
domains: types.Domain{},
|
domains: types.Domain{},
|
||||||
dnsChallenge: nil,
|
dnsChallenge: nil,
|
||||||
wildcardAllowed: true,
|
|
||||||
expectedErr: "unable to generate a certificate in ACME provider when no domain is given",
|
expectedErr: "unable to generate a certificate in ACME provider when no domain is given",
|
||||||
expectedDomains: nil,
|
expectedDomains: nil,
|
||||||
},
|
},
|
||||||
|
@ -222,7 +220,6 @@ func TestGetValidDomain(t *testing.T) {
|
||||||
desc: "no DNSChallenge",
|
desc: "no DNSChallenge",
|
||||||
domains: types.Domain{Main: "*.traefik.wtf", SANs: []string{"foo.traefik.wtf"}},
|
domains: types.Domain{Main: "*.traefik.wtf", SANs: []string{"foo.traefik.wtf"}},
|
||||||
dnsChallenge: nil,
|
dnsChallenge: nil,
|
||||||
wildcardAllowed: true,
|
|
||||||
expectedErr: "unable to generate a wildcard certificate in ACME provider for domain \"*.traefik.wtf,foo.traefik.wtf\" : ACME needs a DNSChallenge",
|
expectedErr: "unable to generate a wildcard certificate in ACME provider for domain \"*.traefik.wtf,foo.traefik.wtf\" : ACME needs a DNSChallenge",
|
||||||
expectedDomains: nil,
|
expectedDomains: nil,
|
||||||
},
|
},
|
||||||
|
@ -230,7 +227,6 @@ func TestGetValidDomain(t *testing.T) {
|
||||||
desc: "unauthorized wildcard with SAN",
|
desc: "unauthorized wildcard with SAN",
|
||||||
domains: types.Domain{Main: "*.*.traefik.wtf", SANs: []string{"foo.traefik.wtf"}},
|
domains: types.Domain{Main: "*.*.traefik.wtf", SANs: []string{"foo.traefik.wtf"}},
|
||||||
dnsChallenge: &DNSChallenge{},
|
dnsChallenge: &DNSChallenge{},
|
||||||
wildcardAllowed: true,
|
|
||||||
expectedErr: "unable to generate a wildcard certificate in ACME provider for domain \"*.*.traefik.wtf,foo.traefik.wtf\" : ACME does not allow '*.*' wildcard domain",
|
expectedErr: "unable to generate a wildcard certificate in ACME provider for domain \"*.*.traefik.wtf,foo.traefik.wtf\" : ACME does not allow '*.*' wildcard domain",
|
||||||
expectedDomains: nil,
|
expectedDomains: nil,
|
||||||
},
|
},
|
||||||
|
@ -238,7 +234,6 @@ func TestGetValidDomain(t *testing.T) {
|
||||||
desc: "wildcard and SANs",
|
desc: "wildcard and SANs",
|
||||||
domains: types.Domain{Main: "*.traefik.wtf", SANs: []string{"traefik.wtf"}},
|
domains: types.Domain{Main: "*.traefik.wtf", SANs: []string{"traefik.wtf"}},
|
||||||
dnsChallenge: &DNSChallenge{},
|
dnsChallenge: &DNSChallenge{},
|
||||||
wildcardAllowed: true,
|
|
||||||
expectedErr: "",
|
expectedErr: "",
|
||||||
expectedDomains: []string{"*.traefik.wtf", "traefik.wtf"},
|
expectedDomains: []string{"*.traefik.wtf", "traefik.wtf"},
|
||||||
},
|
},
|
||||||
|
@ -246,7 +241,6 @@ func TestGetValidDomain(t *testing.T) {
|
||||||
desc: "wildcard SANs",
|
desc: "wildcard SANs",
|
||||||
domains: types.Domain{Main: "*.traefik.wtf", SANs: []string{"*.acme.wtf"}},
|
domains: types.Domain{Main: "*.traefik.wtf", SANs: []string{"*.acme.wtf"}},
|
||||||
dnsChallenge: &DNSChallenge{},
|
dnsChallenge: &DNSChallenge{},
|
||||||
wildcardAllowed: true,
|
|
||||||
expectedErr: "",
|
expectedErr: "",
|
||||||
expectedDomains: []string{"*.traefik.wtf", "*.acme.wtf"},
|
expectedDomains: []string{"*.traefik.wtf", "*.acme.wtf"},
|
||||||
},
|
},
|
||||||
|
@ -259,7 +253,7 @@ func TestGetValidDomain(t *testing.T) {
|
||||||
|
|
||||||
acmeProvider := Provider{Configuration: &Configuration{DNSChallenge: test.dnsChallenge}}
|
acmeProvider := Provider{Configuration: &Configuration{DNSChallenge: test.dnsChallenge}}
|
||||||
|
|
||||||
domains, err := acmeProvider.getValidDomains(context.Background(), test.domains, test.wildcardAllowed)
|
domains, err := acmeProvider.getValidDomains(context.Background(), test.domains)
|
||||||
|
|
||||||
if len(test.expectedErr) > 0 {
|
if len(test.expectedErr) > 0 {
|
||||||
assert.EqualError(t, err, test.expectedErr, "Unexpected error.")
|
assert.EqualError(t, err, test.expectedErr, "Unexpected error.")
|
||||||
|
@ -439,10 +433,8 @@ func TestDeleteUnnecessaryDomains(t *testing.T) {
|
||||||
t.Run(test.desc, func(t *testing.T) {
|
t.Run(test.desc, func(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
|
|
||||||
acmeProvider := Provider{Configuration: &Configuration{Domains: test.domains}}
|
domains := deleteUnnecessaryDomains(context.Background(), test.domains)
|
||||||
|
assert.Equal(t, test.expectedDomains, domains, "unexpected domain")
|
||||||
acmeProvider.deleteUnnecessaryDomains(context.Background())
|
|
||||||
assert.Equal(t, test.expectedDomains, acmeProvider.Domains, "unexpected domain")
|
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,20 +1,27 @@
|
||||||
package acme
|
package acme
|
||||||
|
|
||||||
// StoredData represents the data managed by Store
|
// StoredData represents the data managed by Store.
|
||||||
type StoredData struct {
|
type StoredData struct {
|
||||||
Account *Account
|
Account *Account
|
||||||
Certificates []*Certificate
|
Certificates []*CertAndStore
|
||||||
|
}
|
||||||
|
|
||||||
|
// StoredChallengeData represents the data managed by ChallengeStore.
|
||||||
|
type StoredChallengeData struct {
|
||||||
HTTPChallenges map[string]map[string][]byte
|
HTTPChallenges map[string]map[string][]byte
|
||||||
TLSChallenges map[string]*Certificate
|
TLSChallenges map[string]*Certificate
|
||||||
}
|
}
|
||||||
|
|
||||||
// Store is a generic interface that represents a storage
|
// Store is a generic interface that represents a storage.
|
||||||
type Store interface {
|
type Store interface {
|
||||||
GetAccount() (*Account, error)
|
GetAccount(string) (*Account, error)
|
||||||
SaveAccount(*Account) error
|
SaveAccount(string, *Account) error
|
||||||
GetCertificates() ([]*Certificate, error)
|
GetCertificates(string) ([]*CertAndStore, error)
|
||||||
SaveCertificates([]*Certificate) error
|
SaveCertificates(string, []*CertAndStore) error
|
||||||
|
}
|
||||||
|
|
||||||
|
// ChallengeStore is a generic interface that represents a store for challenge data.
|
||||||
|
type ChallengeStore interface {
|
||||||
GetHTTPChallengeToken(token, domain string) ([]byte, error)
|
GetHTTPChallengeToken(token, domain string) ([]byte, error)
|
||||||
SetHTTPChallengeToken(token, domain string, keyAuth []byte) error
|
SetHTTPChallengeToken(token, domain string, keyAuth []byte) error
|
||||||
RemoveHTTPChallengeToken(token, domain string) error
|
RemoveHTTPChallengeToken(token, domain string) error
|
||||||
|
|
|
@ -438,7 +438,10 @@ func (p *Provider) loadIngressRouteConfiguration(ctx context.Context, client Cli
|
||||||
}
|
}
|
||||||
|
|
||||||
if ingressRoute.Spec.TLS != nil {
|
if ingressRoute.Spec.TLS != nil {
|
||||||
tlsConf := &dynamic.RouterTLSConfig{}
|
tlsConf := &dynamic.RouterTLSConfig{
|
||||||
|
CertResolver: ingressRoute.Spec.TLS.CertResolver,
|
||||||
|
}
|
||||||
|
|
||||||
if ingressRoute.Spec.TLS.Options != nil && len(ingressRoute.Spec.TLS.Options.Name) > 0 {
|
if ingressRoute.Spec.TLS.Options != nil && len(ingressRoute.Spec.TLS.Options.Name) > 0 {
|
||||||
tlsOptionsName := ingressRoute.Spec.TLS.Options.Name
|
tlsOptionsName := ingressRoute.Spec.TLS.Options.Name
|
||||||
// Is a Kubernetes CRD reference, (i.e. not a cross-provider reference)
|
// Is a Kubernetes CRD reference, (i.e. not a cross-provider reference)
|
||||||
|
@ -537,7 +540,8 @@ func (p *Provider) loadIngressRouteTCPConfiguration(ctx context.Context, client
|
||||||
|
|
||||||
if ingressRouteTCP.Spec.TLS != nil {
|
if ingressRouteTCP.Spec.TLS != nil {
|
||||||
conf.Routers[serviceName].TLS = &dynamic.RouterTCPTLSConfig{
|
conf.Routers[serviceName].TLS = &dynamic.RouterTCPTLSConfig{
|
||||||
Passthrough: ingressRouteTCP.Spec.TLS.Passthrough,
|
Passthrough: ingressRouteTCP.Spec.TLS.Passthrough,
|
||||||
|
CertResolver: ingressRouteTCP.Spec.TLS.CertResolver,
|
||||||
}
|
}
|
||||||
|
|
||||||
if ingressRouteTCP.Spec.TLS.Options != nil && len(ingressRouteTCP.Spec.TLS.Options.Name) > 0 {
|
if ingressRouteTCP.Spec.TLS.Options != nil && len(ingressRouteTCP.Spec.TLS.Options.Name) > 0 {
|
||||||
|
|
|
@ -32,7 +32,8 @@ type TLS struct {
|
||||||
// certificate details.
|
// certificate details.
|
||||||
SecretName string `json:"secretName"`
|
SecretName string `json:"secretName"`
|
||||||
// Options is a reference to a TLSOption, that specifies the parameters of the TLS connection.
|
// Options is a reference to a TLSOption, that specifies the parameters of the TLS connection.
|
||||||
Options *TLSOptionRef `json:"options"`
|
Options *TLSOptionRef `json:"options"`
|
||||||
|
CertResolver string `json:"certResolver"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// TLSOptionRef is a ref to the TLSOption resources.
|
// TLSOptionRef is a ref to the TLSOption resources.
|
||||||
|
|
|
@ -30,7 +30,8 @@ type TLSTCP struct {
|
||||||
SecretName string `json:"secretName"`
|
SecretName string `json:"secretName"`
|
||||||
Passthrough bool `json:"passthrough"`
|
Passthrough bool `json:"passthrough"`
|
||||||
// Options is a reference to a TLSOption, that specifies the parameters of the TLS connection.
|
// Options is a reference to a TLSOption, that specifies the parameters of the TLS connection.
|
||||||
Options *TLSOptionTCPRef `json:"options"`
|
Options *TLSOptionTCPRef `json:"options"`
|
||||||
|
CertResolver string `json:"certResolver"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// TLSOptionTCPRef is a ref to the TLSOption resources.
|
// TLSOptionTCPRef is a ref to the TLSOption resources.
|
||||||
|
|
|
@ -11,7 +11,7 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
// NewRouteAppenderFactory Creates a new RouteAppenderFactory
|
// NewRouteAppenderFactory Creates a new RouteAppenderFactory
|
||||||
func NewRouteAppenderFactory(staticConfiguration static.Configuration, entryPointName string, acmeProvider *acme.Provider) *RouteAppenderFactory {
|
func NewRouteAppenderFactory(staticConfiguration static.Configuration, entryPointName string, acmeProvider []*acme.Provider) *RouteAppenderFactory {
|
||||||
return &RouteAppenderFactory{
|
return &RouteAppenderFactory{
|
||||||
staticConfiguration: staticConfiguration,
|
staticConfiguration: staticConfiguration,
|
||||||
entryPointName: entryPointName,
|
entryPointName: entryPointName,
|
||||||
|
@ -23,15 +23,18 @@ func NewRouteAppenderFactory(staticConfiguration static.Configuration, entryPoin
|
||||||
type RouteAppenderFactory struct {
|
type RouteAppenderFactory struct {
|
||||||
staticConfiguration static.Configuration
|
staticConfiguration static.Configuration
|
||||||
entryPointName string
|
entryPointName string
|
||||||
acmeProvider *acme.Provider
|
acmeProvider []*acme.Provider
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewAppender Creates a new RouteAppender
|
// NewAppender Creates a new RouteAppender
|
||||||
func (r *RouteAppenderFactory) NewAppender(ctx context.Context, middlewaresBuilder *middleware.Builder, runtimeConfiguration *runtime.Configuration) types.RouteAppender {
|
func (r *RouteAppenderFactory) NewAppender(ctx context.Context, middlewaresBuilder *middleware.Builder, runtimeConfiguration *runtime.Configuration) types.RouteAppender {
|
||||||
aggregator := NewRouteAppenderAggregator(ctx, middlewaresBuilder, r.staticConfiguration, r.entryPointName, runtimeConfiguration)
|
aggregator := NewRouteAppenderAggregator(ctx, middlewaresBuilder, r.staticConfiguration, r.entryPointName, runtimeConfiguration)
|
||||||
|
|
||||||
if r.acmeProvider != nil && r.acmeProvider.HTTPChallenge != nil && r.acmeProvider.HTTPChallenge.EntryPoint == r.entryPointName {
|
for _, p := range r.acmeProvider {
|
||||||
aggregator.AddAppender(r.acmeProvider)
|
if p != nil && p.HTTPChallenge != nil && p.HTTPChallenge.EntryPoint == r.entryPointName {
|
||||||
|
aggregator.AddAppender(p)
|
||||||
|
break
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return aggregator
|
return aggregator
|
||||||
|
|
|
@ -79,6 +79,11 @@ func (m *Manager) BuildHandlers(rootCtx context.Context, entryPoints []string) m
|
||||||
return entryPointHandlers
|
return entryPointHandlers
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type nameAndConfig struct {
|
||||||
|
routerName string // just so we have it as additional information when logging
|
||||||
|
TLSConfig *tls.Config
|
||||||
|
}
|
||||||
|
|
||||||
func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string]*runtime.TCPRouterInfo, configsHTTP map[string]*runtime.RouterInfo, handlerHTTP http.Handler, handlerHTTPS http.Handler) (*tcp.Router, error) {
|
func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string]*runtime.TCPRouterInfo, configsHTTP map[string]*runtime.RouterInfo, handlerHTTP http.Handler, handlerHTTPS http.Handler) (*tcp.Router, error) {
|
||||||
router := &tcp.Router{}
|
router := &tcp.Router{}
|
||||||
router.HTTPHandler(handlerHTTP)
|
router.HTTPHandler(handlerHTTP)
|
||||||
|
@ -86,15 +91,11 @@ func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string
|
||||||
|
|
||||||
defaultTLSConf, err := m.tlsManager.Get("default", defaultTLSConfigName)
|
defaultTLSConf, err := m.tlsManager.Get("default", defaultTLSConfigName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
log.FromContext(ctx).Errorf("Error during the build of the default TLS configuration: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
router.HTTPSHandler(handlerHTTPS, defaultTLSConf)
|
router.HTTPSHandler(handlerHTTPS, defaultTLSConf)
|
||||||
|
|
||||||
type nameAndConfig struct {
|
|
||||||
routerName string // just so we have it as additional information when logging
|
|
||||||
TLSConfig *tls.Config
|
|
||||||
}
|
|
||||||
// Keyed by domain, then by options reference.
|
// Keyed by domain, then by options reference.
|
||||||
tlsOptionsForHostSNI := map[string]map[string]nameAndConfig{}
|
tlsOptionsForHostSNI := map[string]map[string]nameAndConfig{}
|
||||||
for routerHTTPName, routerHTTPConfig := range configsHTTP {
|
for routerHTTPName, routerHTTPConfig := range configsHTTP {
|
||||||
|
@ -156,7 +157,7 @@ func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string
|
||||||
} else {
|
} else {
|
||||||
routers := make([]string, 0, len(tlsConfigs))
|
routers := make([]string, 0, len(tlsConfigs))
|
||||||
for _, v := range tlsConfigs {
|
for _, v := range tlsConfigs {
|
||||||
configsHTTP[v.routerName].AddError(fmt.Errorf("found different TLS options for routers on the same host %v, so using the default TLS option instead", hostSNI), false)
|
configsHTTP[v.routerName].AddError(fmt.Errorf("found different TLS options for routers on the same host %v, so using the default TLS options instead", hostSNI), false)
|
||||||
routers = append(routers, v.routerName)
|
routers = append(routers, v.routerName)
|
||||||
}
|
}
|
||||||
logger.Warnf("Found different TLS options for routers on the same host %v, so using the default TLS options instead for these routers: %#v", hostSNI, routers)
|
logger.Warnf("Found different TLS options for routers on the same host %v, so using the default TLS options instead for these routers: %#v", hostSNI, routers)
|
||||||
|
|
|
@ -74,17 +74,22 @@ func (m *Manager) Get(storeName string, configName string) (*tls.Config, error)
|
||||||
m.lock.RLock()
|
m.lock.RLock()
|
||||||
defer m.lock.RUnlock()
|
defer m.lock.RUnlock()
|
||||||
|
|
||||||
|
var tlsConfig *tls.Config
|
||||||
|
var err error
|
||||||
|
|
||||||
config, ok := m.configs[configName]
|
config, ok := m.configs[configName]
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, fmt.Errorf("unknown TLS options: %s", configName)
|
err = fmt.Errorf("unknown TLS options: %s", configName)
|
||||||
|
tlsConfig = &tls.Config{}
|
||||||
}
|
}
|
||||||
|
|
||||||
store := m.getStore(storeName)
|
store := m.getStore(storeName)
|
||||||
|
|
||||||
tlsConfig, err := buildTLSConfig(config)
|
if err == nil {
|
||||||
if err != nil {
|
tlsConfig, err = buildTLSConfig(config)
|
||||||
log.Error(err)
|
if err != nil {
|
||||||
tlsConfig = &tls.Config{}
|
tlsConfig = &tls.Config{}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
tlsConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
tlsConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
|
@ -113,7 +118,8 @@ func (m *Manager) Get(storeName string, configName string) (*tls.Config, error)
|
||||||
log.WithoutContext().Debugf("Serving default certificate for request: %q", domainToCheck)
|
log.WithoutContext().Debugf("Serving default certificate for request: %q", domainToCheck)
|
||||||
return store.DefaultCertificate, nil
|
return store.DefaultCertificate, nil
|
||||||
}
|
}
|
||||||
return tlsConfig, nil
|
|
||||||
|
return tlsConfig, err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (m *Manager) getStore(storeName string) *CertificateStore {
|
func (m *Manager) getStore(storeName string) *CertificateStore {
|
||||||
|
@ -143,7 +149,7 @@ func buildCertificateStore(tlsStore Store) (*CertificateStore, error) {
|
||||||
}
|
}
|
||||||
certificateStore.DefaultCertificate = cert
|
certificateStore.DefaultCertificate = cert
|
||||||
} else {
|
} else {
|
||||||
log.Debug("No default certificate, generate one")
|
log.Debug("No default certificate, generating one")
|
||||||
cert, err := generate.DefaultCertificate()
|
cert, err := generate.DefaultCertificate()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return certificateStore, err
|
return certificateStore, err
|
||||||
|
|
|
@ -152,11 +152,21 @@ func TestManager_Get(t *testing.T) {
|
||||||
|
|
||||||
func TestClientAuth(t *testing.T) {
|
func TestClientAuth(t *testing.T) {
|
||||||
tlsConfigs := map[string]Options{
|
tlsConfigs := map[string]Options{
|
||||||
"eca": {ClientAuth: ClientAuth{}},
|
"eca": {
|
||||||
"ecat": {ClientAuth: ClientAuth{ClientAuthType: ""}},
|
ClientAuth: ClientAuth{},
|
||||||
"ncc": {ClientAuth: ClientAuth{ClientAuthType: "NoClientCert"}},
|
},
|
||||||
"rcc": {ClientAuth: ClientAuth{ClientAuthType: "RequestClientCert"}},
|
"ecat": {
|
||||||
"racc": {ClientAuth: ClientAuth{ClientAuthType: "RequireAnyClientCert"}},
|
ClientAuth: ClientAuth{ClientAuthType: ""},
|
||||||
|
},
|
||||||
|
"ncc": {
|
||||||
|
ClientAuth: ClientAuth{ClientAuthType: "NoClientCert"},
|
||||||
|
},
|
||||||
|
"rcc": {
|
||||||
|
ClientAuth: ClientAuth{ClientAuthType: "RequestClientCert"},
|
||||||
|
},
|
||||||
|
"racc": {
|
||||||
|
ClientAuth: ClientAuth{ClientAuthType: "RequireAnyClientCert"},
|
||||||
|
},
|
||||||
"vccig": {
|
"vccig": {
|
||||||
ClientAuth: ClientAuth{
|
ClientAuth: ClientAuth{
|
||||||
CAFiles: []FileOrContent{localhostCert},
|
CAFiles: []FileOrContent{localhostCert},
|
||||||
|
@ -166,7 +176,9 @@ func TestClientAuth(t *testing.T) {
|
||||||
"vccigwca": {
|
"vccigwca": {
|
||||||
ClientAuth: ClientAuth{ClientAuthType: "VerifyClientCertIfGiven"},
|
ClientAuth: ClientAuth{ClientAuthType: "VerifyClientCertIfGiven"},
|
||||||
},
|
},
|
||||||
"ravcc": {ClientAuth: ClientAuth{ClientAuthType: "RequireAndVerifyClientCert"}},
|
"ravcc": {
|
||||||
|
ClientAuth: ClientAuth{ClientAuthType: "RequireAndVerifyClientCert"},
|
||||||
|
},
|
||||||
"ravccwca": {
|
"ravccwca": {
|
||||||
ClientAuth: ClientAuth{
|
ClientAuth: ClientAuth{
|
||||||
CAFiles: []FileOrContent{localhostCert},
|
CAFiles: []FileOrContent{localhostCert},
|
||||||
|
@ -179,7 +191,9 @@ func TestClientAuth(t *testing.T) {
|
||||||
ClientAuthType: "RequireAndVerifyClientCert",
|
ClientAuthType: "RequireAndVerifyClientCert",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"ucat": {ClientAuth: ClientAuth{ClientAuthType: "Unknown"}},
|
"ucat": {
|
||||||
|
ClientAuth: ClientAuth{ClientAuthType: "Unknown"},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
block, _ := pem.Decode([]byte(localhostCert))
|
block, _ := pem.Decode([]byte(localhostCert))
|
||||||
|
@ -191,6 +205,7 @@ func TestClientAuth(t *testing.T) {
|
||||||
tlsOptionsName string
|
tlsOptionsName string
|
||||||
expectedClientAuth tls.ClientAuthType
|
expectedClientAuth tls.ClientAuthType
|
||||||
expectedRawSubject []byte
|
expectedRawSubject []byte
|
||||||
|
expectedError bool
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
desc: "Empty ClientAuth option should get a tls.NoClientCert (default value)",
|
desc: "Empty ClientAuth option should get a tls.NoClientCert (default value)",
|
||||||
|
@ -223,14 +238,16 @@ func TestClientAuth(t *testing.T) {
|
||||||
expectedClientAuth: tls.VerifyClientCertIfGiven,
|
expectedClientAuth: tls.VerifyClientCertIfGiven,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "VerifyClientCertIfGiven option without CAFiles yields a default ClientAuthType (NoClientCert)",
|
desc: "VerifyClientCertIfGiven option without CAFiles yields a default ClientAuthType (NoClientCert)",
|
||||||
tlsOptionsName: "vccigwca",
|
tlsOptionsName: "vccigwca",
|
||||||
expectedClientAuth: tls.NoClientCert,
|
expectedClientAuth: tls.NoClientCert,
|
||||||
|
expectedError: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "RequireAndVerifyClientCert option without CAFiles yields a default ClientAuthType (NoClientCert)",
|
desc: "RequireAndVerifyClientCert option without CAFiles yields a default ClientAuthType (NoClientCert)",
|
||||||
tlsOptionsName: "ravcc",
|
tlsOptionsName: "ravcc",
|
||||||
expectedClientAuth: tls.NoClientCert,
|
expectedClientAuth: tls.NoClientCert,
|
||||||
|
expectedError: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "RequireAndVerifyClientCert option should get a tls.RequireAndVerifyClientCert as ClientAuthType with CA files",
|
desc: "RequireAndVerifyClientCert option should get a tls.RequireAndVerifyClientCert as ClientAuthType with CA files",
|
||||||
|
@ -242,11 +259,13 @@ func TestClientAuth(t *testing.T) {
|
||||||
desc: "Unknown option yields a default ClientAuthType (NoClientCert)",
|
desc: "Unknown option yields a default ClientAuthType (NoClientCert)",
|
||||||
tlsOptionsName: "ucat",
|
tlsOptionsName: "ucat",
|
||||||
expectedClientAuth: tls.NoClientCert,
|
expectedClientAuth: tls.NoClientCert,
|
||||||
|
expectedError: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "Bad CA certificate content yields a default ClientAuthType (NoClientCert)",
|
desc: "Bad CA certificate content yields a default ClientAuthType (NoClientCert)",
|
||||||
tlsOptionsName: "ravccwbca",
|
tlsOptionsName: "ravccwbca",
|
||||||
expectedClientAuth: tls.NoClientCert,
|
expectedClientAuth: tls.NoClientCert,
|
||||||
|
expectedError: true,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -259,6 +278,12 @@ func TestClientAuth(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
|
|
||||||
config, err := tlsManager.Get("default", test.tlsOptionsName)
|
config, err := tlsManager.Get("default", test.tlsOptionsName)
|
||||||
|
|
||||||
|
if test.expectedError {
|
||||||
|
assert.Error(t, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
|
|
||||||
if test.expectedRawSubject != nil {
|
if test.expectedRawSubject != nil {
|
||||||
|
|
|
@ -1,10 +1,11 @@
|
||||||
package types
|
package types
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
|
||||||
"strings"
|
"strings"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// +k8s:deepcopy-gen=true
|
||||||
|
|
||||||
// Domain holds a domain name with SANs.
|
// Domain holds a domain name with SANs.
|
||||||
type Domain struct {
|
type Domain struct {
|
||||||
Main string `description:"Default subject name." json:"main,omitempty" toml:"main,omitempty" yaml:"main,omitempty"`
|
Main string `description:"Default subject name." json:"main,omitempty" toml:"main,omitempty" yaml:"main,omitempty"`
|
||||||
|
@ -28,44 +29,6 @@ func (d *Domain) Set(domains []string) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Domains parse []Domain.
|
|
||||||
type Domains []Domain
|
|
||||||
|
|
||||||
// Set []Domain
|
|
||||||
func (ds *Domains) Set(str string) error {
|
|
||||||
fargs := func(c rune) bool {
|
|
||||||
return c == ',' || c == ';'
|
|
||||||
}
|
|
||||||
|
|
||||||
// get function
|
|
||||||
slice := strings.FieldsFunc(str, fargs)
|
|
||||||
if len(slice) < 1 {
|
|
||||||
return fmt.Errorf("parse error ACME.Domain. Unable to parse %s", str)
|
|
||||||
}
|
|
||||||
|
|
||||||
d := Domain{
|
|
||||||
Main: slice[0],
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(slice) > 1 {
|
|
||||||
d.SANs = slice[1:]
|
|
||||||
}
|
|
||||||
|
|
||||||
*ds = append(*ds, d)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Get []Domain.
|
|
||||||
func (ds *Domains) Get() interface{} { return []Domain(*ds) }
|
|
||||||
|
|
||||||
// String returns []Domain in string.
|
|
||||||
func (ds *Domains) String() string { return fmt.Sprintf("%+v", *ds) }
|
|
||||||
|
|
||||||
// SetValue sets []Domain into the parser
|
|
||||||
func (ds *Domains) SetValue(val interface{}) {
|
|
||||||
*ds = val.([]Domain)
|
|
||||||
}
|
|
||||||
|
|
||||||
// MatchDomain returns true if a domain match the cert domain.
|
// MatchDomain returns true if a domain match the cert domain.
|
||||||
func MatchDomain(domain string, certDomain string) bool {
|
func MatchDomain(domain string, certDomain string) bool {
|
||||||
if domain == certDomain {
|
if domain == certDomain {
|
||||||
|
|
50
pkg/types/zz_generated.deepcopy.go
Normal file
50
pkg/types/zz_generated.deepcopy.go
Normal file
|
@ -0,0 +1,50 @@
|
||||||
|
// +build !ignore_autogenerated
|
||||||
|
|
||||||
|
/*
|
||||||
|
The MIT License (MIT)
|
||||||
|
|
||||||
|
Copyright (c) 2016-2019 Containous SAS
|
||||||
|
|
||||||
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||||
|
of this software and associated documentation files (the "Software"), to deal
|
||||||
|
in the Software without restriction, including without limitation the rights
|
||||||
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||||
|
copies of the Software, and to permit persons to whom the Software is
|
||||||
|
furnished to do so, subject to the following conditions:
|
||||||
|
|
||||||
|
The above copyright notice and this permission notice shall be included in
|
||||||
|
all copies or substantial portions of the Software.
|
||||||
|
|
||||||
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||||
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||||
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||||
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||||
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||||
|
THE SOFTWARE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
// Code generated by deepcopy-gen. DO NOT EDIT.
|
||||||
|
|
||||||
|
package types
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *Domain) DeepCopyInto(out *Domain) {
|
||||||
|
*out = *in
|
||||||
|
if in.SANs != nil {
|
||||||
|
in, out := &in.SANs, &out.SANs
|
||||||
|
*out = make([]string, len(*in))
|
||||||
|
copy(*out, *in)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Domain.
|
||||||
|
func (in *Domain) DeepCopy() *Domain {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(Domain)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
|
@ -11,4 +11,8 @@ REPO_ROOT=${HACK_DIR}/..
|
||||||
--go-header-file "${HACK_DIR}"/boilerplate.go.tmpl \
|
--go-header-file "${HACK_DIR}"/boilerplate.go.tmpl \
|
||||||
"$@"
|
"$@"
|
||||||
|
|
||||||
deepcopy-gen --input-dirs github.com/containous/traefik/pkg/config/dynamic --input-dirs github.com/containous/traefik/pkg/tls -O zz_generated.deepcopy --go-header-file "${HACK_DIR}"/boilerplate.go.tmpl
|
deepcopy-gen \
|
||||||
|
--input-dirs github.com/containous/traefik/pkg/config/dynamic \
|
||||||
|
--input-dirs github.com/containous/traefik/pkg/tls \
|
||||||
|
--input-dirs github.com/containous/traefik/pkg/types \
|
||||||
|
-O zz_generated.deepcopy --go-header-file "${HACK_DIR}"/boilerplate.go.tmpl
|
||||||
|
|
Loading…
Reference in a new issue