diff --git a/docs/content/https/acme.md b/docs/content/https/acme.md
index 24cbbd21b..ae22d5da8 100644
--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@@ -201,6 +201,34 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
 --certificatesresolvers.myresolver.acme.tlschallenge=true
 ```
+#### `Delay`
+
+The delay between the creation of the challenge and the validation.
+A value lower than or equal to zero means no delay.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+ myresolver:
+ acme:
+ # ...
+ tlsChallenge:
+ # ...
+ delay: 12
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+ # ...
+ [certificatesResolvers.myresolver.acme.tlsChallenge]
+ # ...
+ delay = 12
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.tlschallenge.delay=12
+```
+
 ### `httpChallenge`
 Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.
@@ -998,6 +1026,39 @@ certificatesResolvers:
 # ...
 ```
+### `disableCommonName`
+
+_Optional, Default=false_
+
+Disable common name inside CSR and certificates.
+
+It's recommended to disable the common name and required to get a certificate for IP.
+
+- https://letsencrypt.org/docs/profiles/#certificate-common-name
+- https://community.letsencrypt.org/t/ip-san-error-csr-contains-ip-address-in-common-name/239012/7
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+ myresolver:
+ acme:
+ # ...
+ disableCommonName: true
+ # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+ # ...
+ disableCommonName = true
+ # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.disableCommonName=true
+# ...
+```
+
 ### `keyType`
 _Optional, Default="RSA4096"_
diff --git a/pkg/provider/acme/provider.go b/pkg/provider/acme/provider.go
index 35ea148f8..4f312b5f9 100644
--- a/pkg/provider/acme/provider.go
+++ b/pkg/provider/acme/provider.go
@@ -21,6 +21,7 @@ import (
 "github.com/go-acme/lego/v4/challenge"
 "github.com/go-acme/lego/v4/challenge/dns01"
 "github.com/go-acme/lego/v4/challenge/http01"
+ "github.com/go-acme/lego/v4/challenge/tlsalpn01"
 "github.com/go-acme/lego/v4/lego"
 "github.com/go-acme/lego/v4/providers/dns"
 "github.com/go-acme/lego/v4/registration"
@@ -45,6 +46,7 @@ type Configuration struct {
 PreferredChain string `description:"Preferred chain to use." json:"preferredChain,omitempty" toml:"preferredChain,omitempty" yaml:"preferredChain,omitempty" export:"true"`
 Profile string `description:"Certificate profile to use." json:"profile,omitempty" toml:"profile,omitempty" yaml:"profile,omitempty" export:"true"`
 EmailAddresses []string `description:"CSR email addresses to use." json:"emailAddresses,omitempty" toml:"emailAddresses,omitempty" yaml:"emailAddresses,omitempty"`
+ DisableCommonName bool `description:"Disable the common name in the CSR." json:"disableCommonName,omitempty" toml:"disableCommonName,omitempty" yaml:"disableCommonName,omitempty" export:"true"`
 Storage string `description:"Storage to use." json:"storage,omitempty" toml:"storage,omitempty" yaml:"storage,omitempty" export:"true"`
 KeyType string `description:"KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'." json:"keyType,omitempty" toml:"keyType,omitempty" yaml:"keyType,omitempty" export:"true"`
 EAB *EAB `description:"External Account Binding to use." json:"eab,omitempty" toml:"eab,omitempty" yaml:"eab,omitempty"`
@@ -117,7 +119,9 @@ type HTTPChallenge struct {
 }
 // TLSChallenge contains TLS challenge configuration.
-type TLSChallenge struct{}
+type TLSChallenge struct {
+ Delay ptypes.Duration `description:"Delay between the creation of the challenge and the validation." json:"delay,omitempty" toml:"delay,omitempty" yaml:"delay,omitempty" export:"true"`
+}
 // Provider holds configurations of the provider.
 type Provider struct {
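Review bot: The new `DisableCommonName` field's description omits the one fact an operator needs to decide on it, which only the docs hunk states: disabling the CN is the recommended setting and is required to obtain a certificate for an IP address. Since the CLI help is generated from this tag, I would make it self-describing, `description:"Disable the common name in the CSR (recommended; required for IP address certificates)."`. The Configuration struct continues outside the hunk.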
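Review bot: The `Delay` field description gives neither the unit nor the "lower than or equal to zero means no delay" rule that the docs hunk states, and the docs example is a bare `delay: 12`; whether ptypes.Duration reads an unsuffixed integer as seconds is not visible here, so a reader of the generated help cannot tell what 12 means. I would extend the tag to `description:"Delay between the creation of the challenge and the validation (e.g. 12s). A value lower than or equal to zero means no delay."`. Because this wait sits on the certificate issuance path, a remark in the doc comment that a large value stalls every order for that long would also help operators size it.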
@@ -292,6 +296,7 @@ func (p *Provider) getClient() (*lego.Client, error) {
 config.CADirURL = caServer
 config.Certificate.KeyType = GetKeyType(ctx, p.KeyType)
 config.UserAgent = fmt.Sprintf("containous-traefik/%s", version.Version)
+ config.Certificate.DisableCommonName = p.DisableCommonName
 config.HTTPClient, err = p.createHTTPClient()
 if err != nil {
@@ -371,7 +376,7 @@ func (p *Provider) getClient() (*lego.Client, error) {
 if p.TLSChallenge != nil {
 logger.Debug().Msg("Using TLS Challenge provider.")
- err = client.Challenge.SetTLSALPN01Provider(p.TLSChallengeProvider)
+ err = client.Challenge.SetTLSALPN01Provider(p.TLSChallengeProvider, tlsalpn01.SetDelay(time.Duration(p.TLSChallenge.Delay)))
 if err != nil {
 return nil, err
 }
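Review bot: The docs promise that a value lower than or equal to zero means no delay, but the new `SetTLSALPN01Provider` line passes `p.TLSChallenge.Delay` straight into `tlsalpn01.SetDelay` without clamping, so that guarantee rests on how lego treats a negative duration, which is not visible here. I would normalise it on the Traefik side, `delay := max(time.Duration(p.TLSChallenge.Delay), 0)` (builtin max, if the module's Go version allows), and pass `delay`. It is also worth recording the effective value in the existing debug line, `logger.Debug().Msgf("Using TLS Challenge provider (delay: %s).", delay)`, so a slow or timed-out issuance can be traced to configuration rather than to the CA. getClient starts and ends outside the hunk.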