mirrors/traefik
1
0
Fork 0
mirror of https://github.com/traefik/traefik.git synced 2025-09-20 21:31:14 +02:00
Code Issues Projects Releases Wiki Activity

Add new certificatesresolvers options

Browse Source
This commit is contained in:
Ludovic Fernandez 2025-09-09 17:36:05 +02:00 committed by GitHub
parent 02443545e7
commit a090452807
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 122 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
docs/content/https/acme.md
View File

@ -201,6 +201,36 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
--certificatesresolvers.myresolver.acme.tlschallenge=true --certificatesresolvers.myresolver.acme.tlschallenge=true
``` ```
#### `Delay`
_Optional, Default=0_
The delay between the creation of the challenge and the validation.
A value lower than or equal to zero means no delay.
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
acme:
# ...
tlsChallenge:
# ...
delay: 12
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
[certificatesResolvers.myresolver.acme.tlsChallenge]
# ...
delay = 12
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.tlschallenge.delay=12
```
### `httpChallenge` ### `httpChallenge`
Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI. Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.
@ -252,6 +282,8 @@ when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpc
#### `Delay` #### `Delay`
_Optional, Default=0_
The delay between the creation of the challenge and the validation. The delay between the creation of the challenge and the validation.
A value lower than or equal to zero means no delay. A value lower than or equal to zero means no delay.
@ -998,6 +1030,39 @@ certificatesResolvers:
# ... # ...
``` ```
### `disableCommonName`
_Optional, Default=false_
Disable common name inside CSR and certificates.
It's recommended to disable the common name and required to get a certificate for IP.
- https://letsencrypt.org/docs/profiles/#certificate-common-name
- https://community.letsencrypt.org/t/ip-san-error-csr-contains-ip-address-in-common-name/239012/7
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
acme:
# ...
disableCommonName: true
# ...
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
disableCommonName = true
# ...
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.disableCommonName=true
# ...
```
### `keyType` ### `keyType`
_Optional, Default="RSA4096"_ _Optional, Default="RSA4096"_

4
docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md
View File

@ -74,11 +74,12 @@ certificatesResolvers:
ACME certificate resolvers have the following configuration options: ACME certificate resolvers have the following configuration options:
| Field | Description | Default | Required | | Field | Description | Default | Required |
|:--------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------|:---------| |:--------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------|:---------|
| `acme.email` | Email address used for registration. | "" | Yes | | `acme.email` | Email address used for registration. | "" | Yes |
| `acme.caServer` | CA server to use. | https://acme-v02.api.letsencrypt.org/directory | No | | `acme.caServer` | CA server to use. | https://acme-v02.api.letsencrypt.org/directory | No |
| `acme.preferredChain` | Preferred chain to use. If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. | "" | No | | `acme.preferredChain` | Preferred chain to use. If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. | "" | No |
| `acme.keyType` | KeyType to use. | "RSA4096" | No | | `acme.keyType` | KeyType to use. | "RSA4096" | No |
| `acme.disableCommonName` | Disable common name inside CSR and certificates. | false | No |
| `acme.eab` | Enable external account binding. | | No | | `acme.eab` | Enable external account binding. | | No |
| `acme.eab.kid` | Key identifier from External CA. | "" | No | | `acme.eab.kid` | Key identifier from External CA. | "" | No |
| `acme.eab.hmacEncoded` | HMAC key from External CA, should be in Base64 URL Encoding without padding format. | "" | No | | `acme.eab.hmacEncoded` | HMAC key from External CA, should be in Base64 URL Encoding without padding format. | "" | No |
@ -96,6 +97,7 @@ ACME certificate resolvers have the following configuration options:
| `acme.httpChallenge.entryPoint` | EntryPoint to use for the HTTP-01 challenges. Must be reachable by Let's Encrypt through port 80 | "" | Yes | | `acme.httpChallenge.entryPoint` | EntryPoint to use for the HTTP-01 challenges. Must be reachable by Let's Encrypt through port 80 | "" | Yes |
| `acme.httpChallenge.delay` | The delay between the creation of the challenge and the validation. A value lower than or equal to zero means no delay. | 0 | No | | `acme.httpChallenge.delay` | The delay between the creation of the challenge and the validation. A value lower than or equal to zero means no delay. | 0 | No |
| `acme.tlsChallenge` | Enable TLS-ALPN-01 challenge. Traefik must be reachable by Let's Encrypt through port 443. More information [here](#tlschallenge). | - | No | | `acme.tlsChallenge` | Enable TLS-ALPN-01 challenge. Traefik must be reachable by Let's Encrypt through port 443. More information [here](#tlschallenge). | - | No |
| `acme.tlschallenge.delay` | The delay between the creation of the challenge and the validation. A value lower than or equal to zero means no delay. | 0 | No |
| `acme.storage` | File path used for certificates storage. | "acme.json" | Yes | | `acme.storage` | File path used for certificates storage. | "acme.json" | Yes |
## Automatic Certificate Renewal ## Automatic Certificate Renewal

8
docs/content/reference/static-configuration/cli-ref.md
View File

@ -135,6 +135,9 @@ Timeout for receiving the response headers when communicating with the ACME serv
`--certificatesresolvers.<name>.acme.clienttimeout`: `--certificatesresolvers.<name>.acme.clienttimeout`:
Timeout for a complete HTTP transaction with the ACME server. (Default: ```120```) Timeout for a complete HTTP transaction with the ACME server. (Default: ```120```)
`--certificatesresolvers.<name>.acme.disablecommonname`:
Disable the common name in the CSR. (Default: ```false```)
`--certificatesresolvers.<name>.acme.dnschallenge`: `--certificatesresolvers.<name>.acme.dnschallenge`:
Activate DNS-01 Challenge. (Default: ```false```) Activate DNS-01 Challenge. (Default: ```false```)
@ -199,7 +202,10 @@ Certificate profile to use.
Storage to use. (Default: ```acme.json```) Storage to use. (Default: ```acme.json```)
`--certificatesresolvers.<name>.acme.tlschallenge`: `--certificatesresolvers.<name>.acme.tlschallenge`:
Activate TLS-ALPN-01 Challenge. (Default: ```true```) Activate TLS-ALPN-01 Challenge. (Default: ```false```)
`--certificatesresolvers.<name>.acme.tlschallenge.delay`:
Delay between the creation of the challenge and the validation. (Default: ```0```)
`--certificatesresolvers.<name>.tailscale`: `--certificatesresolvers.<name>.tailscale`:
Enables Tailscale certificate resolution. (Default: ```true```) Enables Tailscale certificate resolution. (Default: ```true```)

8
docs/content/reference/static-configuration/env-ref.md
View File

@ -135,6 +135,9 @@ Timeout for receiving the response headers when communicating with the ACME serv
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CLIENTTIMEOUT`: `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CLIENTTIMEOUT`:
Timeout for a complete HTTP transaction with the ACME server. (Default: ```120```) Timeout for a complete HTTP transaction with the ACME server. (Default: ```120```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DISABLECOMMONNAME`:
Disable the common name in the CSR. (Default: ```false```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE`: `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE`:
Activate DNS-01 Challenge. (Default: ```false```) Activate DNS-01 Challenge. (Default: ```false```)
@ -199,7 +202,10 @@ Certificate profile to use.
Storage to use. (Default: ```acme.json```) Storage to use. (Default: ```acme.json```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_TLSCHALLENGE`: `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_TLSCHALLENGE`:
Activate TLS-ALPN-01 Challenge. (Default: ```true```) Activate TLS-ALPN-01 Challenge. (Default: ```false```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_TLSCHALLENGE_DELAY`:
Delay between the creation of the challenge and the validation. (Default: ```0```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_TAILSCALE`: `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_TAILSCALE`:
Enables Tailscale certificate resolution. (Default: ```true```) Enables Tailscale certificate resolution. (Default: ```true```)

4
docs/content/reference/static-configuration/file.toml
View File

@ -528,6 +528,7 @@
preferredChain = "foobar" preferredChain = "foobar"
profile = "foobar" profile = "foobar"
emailAddresses = ["foobar", "foobar"] emailAddresses = ["foobar", "foobar"]
disableCommonName = true
storage = "foobar" storage = "foobar"
keyType = "foobar" keyType = "foobar"
certificatesDuration = 42 certificatesDuration = 42
@ -553,6 +554,7 @@
entryPoint = "foobar" entryPoint = "foobar"
delay = "42s" delay = "42s"
[certificatesResolvers.CertificateResolver0.acme.tlsChallenge] [certificatesResolvers.CertificateResolver0.acme.tlsChallenge]
delay = "42s"
[certificatesResolvers.CertificateResolver0.tailscale] [certificatesResolvers.CertificateResolver0.tailscale]
[certificatesResolvers.CertificateResolver1] [certificatesResolvers.CertificateResolver1]
[certificatesResolvers.CertificateResolver1.acme] [certificatesResolvers.CertificateResolver1.acme]
@ -561,6 +563,7 @@
preferredChain = "foobar" preferredChain = "foobar"
profile = "foobar" profile = "foobar"
emailAddresses = ["foobar", "foobar"] emailAddresses = ["foobar", "foobar"]
disableCommonName = true
storage = "foobar" storage = "foobar"
keyType = "foobar" keyType = "foobar"
certificatesDuration = 42 certificatesDuration = 42
@ -586,6 +589,7 @@
entryPoint = "foobar" entryPoint = "foobar"
delay = "42s" delay = "42s"
[certificatesResolvers.CertificateResolver1.acme.tlsChallenge] [certificatesResolvers.CertificateResolver1.acme.tlsChallenge]
delay = "42s"
[certificatesResolvers.CertificateResolver1.tailscale] [certificatesResolvers.CertificateResolver1.tailscale]
[experimental] [experimental]

8
docs/content/reference/static-configuration/file.yaml
View File

@ -573,6 +573,7 @@ certificatesResolvers:
emailAddresses: emailAddresses:
- foobar - foobar
- foobar - foobar
disableCommonName: true
storage: foobar storage: foobar
keyType: foobar keyType: foobar
eab: eab:
@ -601,7 +602,8 @@ certificatesResolvers:
httpChallenge: httpChallenge:
entryPoint: foobar entryPoint: foobar
delay: 42s delay: 42s
tlsChallenge: {} tlsChallenge:
delay: 42s
tailscale: {} tailscale: {}
CertificateResolver1: CertificateResolver1:
acme: acme:
@ -612,6 +614,7 @@ certificatesResolvers:
emailAddresses: emailAddresses:
- foobar - foobar
- foobar - foobar
disableCommonName: true
storage: foobar storage: foobar
keyType: foobar keyType: foobar
eab: eab:
@ -640,7 +643,8 @@ certificatesResolvers:
httpChallenge: httpChallenge:
entryPoint: foobar entryPoint: foobar
delay: 42s delay: 42s
tlsChallenge: {} tlsChallenge:
delay: 42s
tailscale: {} tailscale: {}
experimental: experimental:
plugins: plugins:

9
pkg/provider/acme/provider.go
View File

@ -21,6 +21,7 @@ import (
"github.com/go-acme/lego/v4/challenge" "github.com/go-acme/lego/v4/challenge"
"github.com/go-acme/lego/v4/challenge/dns01" "github.com/go-acme/lego/v4/challenge/dns01"
"github.com/go-acme/lego/v4/challenge/http01" "github.com/go-acme/lego/v4/challenge/http01"
"github.com/go-acme/lego/v4/challenge/tlsalpn01"
"github.com/go-acme/lego/v4/lego" "github.com/go-acme/lego/v4/lego"
"github.com/go-acme/lego/v4/providers/dns" "github.com/go-acme/lego/v4/providers/dns"
"github.com/go-acme/lego/v4/registration" "github.com/go-acme/lego/v4/registration"
@ -45,6 +46,7 @@ type Configuration struct {
PreferredChain string `description:"Preferred chain to use." json:"preferredChain,omitempty" toml:"preferredChain,omitempty" yaml:"preferredChain,omitempty" export:"true"` PreferredChain string `description:"Preferred chain to use." json:"preferredChain,omitempty" toml:"preferredChain,omitempty" yaml:"preferredChain,omitempty" export:"true"`
Profile string `description:"Certificate profile to use." json:"profile,omitempty" toml:"profile,omitempty" yaml:"profile,omitempty" export:"true"` Profile string `description:"Certificate profile to use." json:"profile,omitempty" toml:"profile,omitempty" yaml:"profile,omitempty" export:"true"`
EmailAddresses []string `description:"CSR email addresses to use." json:"emailAddresses,omitempty" toml:"emailAddresses,omitempty" yaml:"emailAddresses,omitempty"` EmailAddresses []string `description:"CSR email addresses to use." json:"emailAddresses,omitempty" toml:"emailAddresses,omitempty" yaml:"emailAddresses,omitempty"`
DisableCommonName bool `description:"Disable the common name in the CSR." json:"disableCommonName,omitempty" toml:"disableCommonName,omitempty" yaml:"disableCommonName,omitempty" export:"true"`
Storage string `description:"Storage to use." json:"storage,omitempty" toml:"storage,omitempty" yaml:"storage,omitempty" export:"true"` Storage string `description:"Storage to use." json:"storage,omitempty" toml:"storage,omitempty" yaml:"storage,omitempty" export:"true"`
KeyType string `description:"KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'." json:"keyType,omitempty" toml:"keyType,omitempty" yaml:"keyType,omitempty" export:"true"` KeyType string `description:"KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'." json:"keyType,omitempty" toml:"keyType,omitempty" yaml:"keyType,omitempty" export:"true"`
EAB *EAB `description:"External Account Binding to use." json:"eab,omitempty" toml:"eab,omitempty" yaml:"eab,omitempty"` EAB *EAB `description:"External Account Binding to use." json:"eab,omitempty" toml:"eab,omitempty" yaml:"eab,omitempty"`
@ -117,7 +119,9 @@ type HTTPChallenge struct {
} }
// TLSChallenge contains TLS challenge configuration. // TLSChallenge contains TLS challenge configuration.
type TLSChallenge struct{} type TLSChallenge struct {
Delay ptypes.Duration `description:"Delay between the creation of the challenge and the validation." json:"delay,omitempty" toml:"delay,omitempty" yaml:"delay,omitempty" export:"true"`
}
// Provider holds configurations of the provider. // Provider holds configurations of the provider.
type Provider struct { type Provider struct {
@ -292,6 +296,7 @@ func (p *Provider) getClient() (*lego.Client, error) {
config.CADirURL = caServer config.CADirURL = caServer
config.Certificate.KeyType = GetKeyType(ctx, p.KeyType) config.Certificate.KeyType = GetKeyType(ctx, p.KeyType)
config.UserAgent = fmt.Sprintf("containous-traefik/%s", version.Version) config.UserAgent = fmt.Sprintf("containous-traefik/%s", version.Version)
config.Certificate.DisableCommonName = p.DisableCommonName
config.HTTPClient, err = p.createHTTPClient() config.HTTPClient, err = p.createHTTPClient()
if err != nil { if err != nil {
@ -371,7 +376,7 @@ func (p *Provider) getClient() (*lego.Client, error) {
if p.TLSChallenge != nil { if p.TLSChallenge != nil {
logger.Debug().Msg("Using TLS Challenge provider.") logger.Debug().Msg("Using TLS Challenge provider.")
err = client.Challenge.SetTLSALPN01Provider(p.TLSChallengeProvider) err = client.Challenge.SetTLSALPN01Provider(p.TLSChallengeProvider, tlsalpn01.SetDelay(time.Duration(p.TLSChallenge.Delay)))
if err != nil { if err != nil {
return nil, err return nil, err
} }