mirrors/traefik
1
0
Fork 0
mirror of https://github.com/traefik/traefik.git synced 2025-09-21 05:41:19 +02:00
Code Issues Projects Releases Wiki Activity

Add new certificatesresolvers options

Browse Source
This commit is contained in:
Ludovic Fernandez 2025-09-09 17:36:05 +02:00 committed by GitHub
parent 02443545e7
commit a090452807
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 122 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
docs/content/https/acme.md
View File

@ -201,6 +201,36 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
--certificatesresolvers.myresolver.acme.tlschallenge=true --certificatesresolvers.myresolver.acme.tlschallenge=true
``` ```
#### `Delay`
_Optional, Default=0_
The delay between the creation of the challenge and the validation.
A value lower than or equal to zero means no delay.
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
acme:
# ...
tlsChallenge:
# ...
delay: 12
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
[certificatesResolvers.myresolver.acme.tlsChallenge]
# ...
delay = 12
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.tlschallenge.delay=12
```
### `httpChallenge` ### `httpChallenge`
Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI. Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.
@ -252,6 +282,8 @@ when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpc
#### `Delay` #### `Delay`
_Optional, Default=0_
The delay between the creation of the challenge and the validation. The delay between the creation of the challenge and the validation.
A value lower than or equal to zero means no delay. A value lower than or equal to zero means no delay.
@ -998,6 +1030,39 @@ certificatesResolvers:
# ... # ...
``` ```
### `disableCommonName`
_Optional, Default=false_
Disable common name inside CSR and certificates.
It's recommended to disable the common name and required to get a certificate for IP.
- https://letsencrypt.org/docs/profiles/#certificate-common-name
- https://community.letsencrypt.org/t/ip-san-error-csr-contains-ip-address-in-common-name/239012/7
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
acme:
# ...
disableCommonName: true
# ...
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
disableCommonName = true
# ...
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.disableCommonName=true
# ...
```
### `keyType` ### `keyType`
_Optional, Default="RSA4096"_ _Optional, Default="RSA4096"_

50
docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md
View File

@ -73,30 +73,32 @@ certificatesResolvers:
ACME certificate resolvers have the following configuration options: ACME certificate resolvers have the following configuration options:
| Field | Description | Default | Required | | Field | Description | Default | Required |
|:--------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------|:---------| |:--------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------|:---------|
| `acme.email` | Email address used for registration. | "" | Yes | | `acme.email` | Email address used for registration. | "" | Yes |
| `acme.caServer` | CA server to use. | https://acme-v02.api.letsencrypt.org/directory | No | | `acme.caServer` | CA server to use. | https://acme-v02.api.letsencrypt.org/directory | No |
| `acme.preferredChain` | Preferred chain to use. If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. | "" | No | | `acme.preferredChain` | Preferred chain to use. If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. | "" | No |
| `acme.keyType` | KeyType to use. | "RSA4096" | No | | `acme.keyType` | KeyType to use. | "RSA4096" | No |
| `acme.eab` | Enable external account binding. | | No | | `acme.disableCommonName` | Disable common name inside CSR and certificates. | false | No |
| `acme.eab.kid` | Key identifier from External CA. | "" | No | | `acme.eab` | Enable external account binding. | | No |
| `acme.eab.hmacEncoded` | HMAC key from External CA, should be in Base64 URL Encoding without padding format. | "" | No | | `acme.eab.kid` | Key identifier from External CA. | "" | No |
| `acme.certificatesDuration` | The certificates' duration in hours, exclusively used to determine renewal dates. | 2160 | No | | `acme.eab.hmacEncoded` | HMAC key from External CA, should be in Base64 URL Encoding without padding format. | "" | No |
| `acme.clientTimeout` | Timeout for HTTP Client used to communicate with the ACME server. | 2m | No | | `acme.certificatesDuration` | The certificates' duration in hours, exclusively used to determine renewal dates. | 2160 | No |
| `acme.clientResponseHeaderTimeout` | Timeout for response headers for HTTP Client used to communicate with the ACME server. | 30s | No | | `acme.clientTimeout` | Timeout for HTTP Client used to communicate with the ACME server. | 2m | No |
| `acme.dnsChallenge` | Enable DNS-01 challenge. More information [here](#dnschallenge). | - | No | | `acme.clientResponseHeaderTimeout` | Timeout for response headers for HTTP Client used to communicate with the ACME server. | 30s | No |
| `acme.dnsChallenge.provider` | DNS provider to use. | "" | No | | `acme.dnsChallenge` | Enable DNS-01 challenge. More information [here](#dnschallenge). | - | No |
| `acme.dnsChallenge.resolvers` | DNS servers to resolve the FQDN authority. | [] | No | | `acme.dnsChallenge.provider` | DNS provider to use. | "" | No |
| `acme.dnsChallenge.propagation.delayBeforeChecks` | By default, the provider will verify the TXT DNS challenge record before letting ACME verify. If `delayBeforeCheck` is greater than zero, this check is delayed for the configured duration in seconds. This is Useful if internal networks block external DNS queries. | 0s | No | | `acme.dnsChallenge.resolvers` | DNS servers to resolve the FQDN authority. | [] | No |
| `acme.dnsChallenge.propagation.disableChecks` | Disables the challenge TXT record propagation checks, before notifying ACME that the DNS challenge is ready. Please note that disabling checks can prevent the challenge from succeeding. | false | No | | `acme.dnsChallenge.propagation.delayBeforeChecks` | By default, the provider will verify the TXT DNS challenge record before letting ACME verify. If `delayBeforeCheck` is greater than zero, this check is delayed for the configured duration in seconds. This is Useful if internal networks block external DNS queries. | 0s | No |
| `acme.dnsChallenge.propagation.requireAllRNS` | Enables the challenge TXT record to be propagated to all recursive nameservers. If you have disabled authoritative nameservers checks (with `propagation.disableANSChecks`), it is recommended to check all recursive nameservers instead. | false | No | | `acme.dnsChallenge.propagation.disableChecks` | Disables the challenge TXT record propagation checks, before notifying ACME that the DNS challenge is ready. Please note that disabling checks can prevent the challenge from succeeding. | false | No |
| `acme.dnsChallenge.propagation.disableANSChecks` | Disables the challenge TXT record propagation checks against authoritative nameservers. This option will skip the propagation check against the nameservers of the authority (SOA). It should be used only if the nameservers of the authority are not reachable. | false | No | | `acme.dnsChallenge.propagation.requireAllRNS` | Enables the challenge TXT record to be propagated to all recursive nameservers. If you have disabled authoritative nameservers checks (with `propagation.disableANSChecks`), it is recommended to check all recursive nameservers instead. | false | No |
| `acme.httpChallenge` | Enable HTTP-01 challenge. More information [here](#httpchallenge). | | No | | `acme.dnsChallenge.propagation.disableANSChecks` | Disables the challenge TXT record propagation checks against authoritative nameservers. This option will skip the propagation check against the nameservers of the authority (SOA). It should be used only if the nameservers of the authority are not reachable. | false | No |
| `acme.httpChallenge.entryPoint` | EntryPoint to use for the HTTP-01 challenges. Must be reachable by Let's Encrypt through port 80 | "" | Yes | | `acme.httpChallenge` | Enable HTTP-01 challenge. More information [here](#httpchallenge). | | No |
| `acme.httpChallenge.delay` | The delay between the creation of the challenge and the validation. A value lower than or equal to zero means no delay. | 0 | No | | `acme.httpChallenge.entryPoint` | EntryPoint to use for the HTTP-01 challenges. Must be reachable by Let's Encrypt through port 80 | "" | Yes |
| `acme.tlsChallenge` | Enable TLS-ALPN-01 challenge. Traefik must be reachable by Let's Encrypt through port 443. More information [here](#tlschallenge). | - | No | | `acme.httpChallenge.delay` | The delay between the creation of the challenge and the validation. A value lower than or equal to zero means no delay. | 0 | No |
| `acme.storage` | File path used for certificates storage. | "acme.json" | Yes | | `acme.tlsChallenge` | Enable TLS-ALPN-01 challenge. Traefik must be reachable by Let's Encrypt through port 443. More information [here](#tlschallenge). | - | No |
| `acme.tlschallenge.delay` | The delay between the creation of the challenge and the validation. A value lower than or equal to zero means no delay. | 0 | No |
| `acme.storage` | File path used for certificates storage. | "acme.json" | Yes |
## Automatic Certificate Renewal ## Automatic Certificate Renewal

8
docs/content/reference/static-configuration/cli-ref.md
View File

@ -135,6 +135,9 @@ Timeout for receiving the response headers when communicating with the ACME serv
`--certificatesresolvers.<name>.acme.clienttimeout`: `--certificatesresolvers.<name>.acme.clienttimeout`:
Timeout for a complete HTTP transaction with the ACME server. (Default: ```120```) Timeout for a complete HTTP transaction with the ACME server. (Default: ```120```)
`--certificatesresolvers.<name>.acme.disablecommonname`:
Disable the common name in the CSR. (Default: ```false```)
`--certificatesresolvers.<name>.acme.dnschallenge`: `--certificatesresolvers.<name>.acme.dnschallenge`:
Activate DNS-01 Challenge. (Default: ```false```) Activate DNS-01 Challenge. (Default: ```false```)
@ -199,7 +202,10 @@ Certificate profile to use.
Storage to use. (Default: ```acme.json```) Storage to use. (Default: ```acme.json```)
`--certificatesresolvers.<name>.acme.tlschallenge`: `--certificatesresolvers.<name>.acme.tlschallenge`:
Activate TLS-ALPN-01 Challenge. (Default: ```true```) Activate TLS-ALPN-01 Challenge. (Default: ```false```)
`--certificatesresolvers.<name>.acme.tlschallenge.delay`:
Delay between the creation of the challenge and the validation. (Default: ```0```)
`--certificatesresolvers.<name>.tailscale`: `--certificatesresolvers.<name>.tailscale`:
Enables Tailscale certificate resolution. (Default: ```true```) Enables Tailscale certificate resolution. (Default: ```true```)

8
docs/content/reference/static-configuration/env-ref.md
View File

@ -135,6 +135,9 @@ Timeout for receiving the response headers when communicating with the ACME serv
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CLIENTTIMEOUT`: `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CLIENTTIMEOUT`:
Timeout for a complete HTTP transaction with the ACME server. (Default: ```120```) Timeout for a complete HTTP transaction with the ACME server. (Default: ```120```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DISABLECOMMONNAME`:
Disable the common name in the CSR. (Default: ```false```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE`: `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE`:
Activate DNS-01 Challenge. (Default: ```false```) Activate DNS-01 Challenge. (Default: ```false```)
@ -199,7 +202,10 @@ Certificate profile to use.
Storage to use. (Default: ```acme.json```) Storage to use. (Default: ```acme.json```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_TLSCHALLENGE`: `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_TLSCHALLENGE`:
Activate TLS-ALPN-01 Challenge. (Default: ```true```) Activate TLS-ALPN-01 Challenge. (Default: ```false```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_TLSCHALLENGE_DELAY`:
Delay between the creation of the challenge and the validation. (Default: ```0```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_TAILSCALE`: `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_TAILSCALE`:
Enables Tailscale certificate resolution. (Default: ```true```) Enables Tailscale certificate resolution. (Default: ```true```)

4
docs/content/reference/static-configuration/file.toml
View File

@ -528,6 +528,7 @@
preferredChain = "foobar" preferredChain = "foobar"
profile = "foobar" profile = "foobar"
emailAddresses = ["foobar", "foobar"] emailAddresses = ["foobar", "foobar"]
disableCommonName = true
storage = "foobar" storage = "foobar"
keyType = "foobar" keyType = "foobar"
certificatesDuration = 42 certificatesDuration = 42
@ -553,6 +554,7 @@
entryPoint = "foobar" entryPoint = "foobar"
delay = "42s" delay = "42s"
[certificatesResolvers.CertificateResolver0.acme.tlsChallenge] [certificatesResolvers.CertificateResolver0.acme.tlsChallenge]
delay = "42s"
[certificatesResolvers.CertificateResolver0.tailscale] [certificatesResolvers.CertificateResolver0.tailscale]
[certificatesResolvers.CertificateResolver1] [certificatesResolvers.CertificateResolver1]
[certificatesResolvers.CertificateResolver1.acme] [certificatesResolvers.CertificateResolver1.acme]
@ -561,6 +563,7 @@
preferredChain = "foobar" preferredChain = "foobar"
profile = "foobar" profile = "foobar"
emailAddresses = ["foobar", "foobar"] emailAddresses = ["foobar", "foobar"]
disableCommonName = true
storage = "foobar" storage = "foobar"
keyType = "foobar" keyType = "foobar"
certificatesDuration = 42 certificatesDuration = 42
@ -586,6 +589,7 @@
entryPoint = "foobar" entryPoint = "foobar"
delay = "42s" delay = "42s"
[certificatesResolvers.CertificateResolver1.acme.tlsChallenge] [certificatesResolvers.CertificateResolver1.acme.tlsChallenge]
delay = "42s"
[certificatesResolvers.CertificateResolver1.tailscale] [certificatesResolvers.CertificateResolver1.tailscale]
[experimental] [experimental]

8
docs/content/reference/static-configuration/file.yaml
View File

@ -573,6 +573,7 @@ certificatesResolvers:
emailAddresses: emailAddresses:
- foobar - foobar
- foobar - foobar
disableCommonName: true
storage: foobar storage: foobar
keyType: foobar keyType: foobar
eab: eab:
@ -601,7 +602,8 @@ certificatesResolvers:
httpChallenge: httpChallenge:
entryPoint: foobar entryPoint: foobar
delay: 42s delay: 42s
tlsChallenge: {} tlsChallenge:
delay: 42s
tailscale: {} tailscale: {}
CertificateResolver1: CertificateResolver1:
acme: acme:
@ -612,6 +614,7 @@ certificatesResolvers:
emailAddresses: emailAddresses:
- foobar - foobar
- foobar - foobar
disableCommonName: true
storage: foobar storage: foobar
keyType: foobar keyType: foobar
eab: eab:
@ -640,7 +643,8 @@ certificatesResolvers:
httpChallenge: httpChallenge:
entryPoint: foobar entryPoint: foobar
delay: 42s delay: 42s
tlsChallenge: {} tlsChallenge:
delay: 42s
tailscale: {} tailscale: {}
experimental: experimental:
plugins: plugins:

9
pkg/provider/acme/provider.go
View File

@ -21,6 +21,7 @@ import (
"github.com/go-acme/lego/v4/challenge" "github.com/go-acme/lego/v4/challenge"
"github.com/go-acme/lego/v4/challenge/dns01" "github.com/go-acme/lego/v4/challenge/dns01"
"github.com/go-acme/lego/v4/challenge/http01" "github.com/go-acme/lego/v4/challenge/http01"
"github.com/go-acme/lego/v4/challenge/tlsalpn01"
"github.com/go-acme/lego/v4/lego" "github.com/go-acme/lego/v4/lego"
"github.com/go-acme/lego/v4/providers/dns" "github.com/go-acme/lego/v4/providers/dns"
"github.com/go-acme/lego/v4/registration" "github.com/go-acme/lego/v4/registration"
@ -45,6 +46,7 @@ type Configuration struct {
PreferredChain string `description:"Preferred chain to use." json:"preferredChain,omitempty" toml:"preferredChain,omitempty" yaml:"preferredChain,omitempty" export:"true"` PreferredChain string `description:"Preferred chain to use." json:"preferredChain,omitempty" toml:"preferredChain,omitempty" yaml:"preferredChain,omitempty" export:"true"`
Profile string `description:"Certificate profile to use." json:"profile,omitempty" toml:"profile,omitempty" yaml:"profile,omitempty" export:"true"` Profile string `description:"Certificate profile to use." json:"profile,omitempty" toml:"profile,omitempty" yaml:"profile,omitempty" export:"true"`
EmailAddresses []string `description:"CSR email addresses to use." json:"emailAddresses,omitempty" toml:"emailAddresses,omitempty" yaml:"emailAddresses,omitempty"` EmailAddresses []string `description:"CSR email addresses to use." json:"emailAddresses,omitempty" toml:"emailAddresses,omitempty" yaml:"emailAddresses,omitempty"`
DisableCommonName bool `description:"Disable the common name in the CSR." json:"disableCommonName,omitempty" toml:"disableCommonName,omitempty" yaml:"disableCommonName,omitempty" export:"true"`
Storage string `description:"Storage to use." json:"storage,omitempty" toml:"storage,omitempty" yaml:"storage,omitempty" export:"true"` Storage string `description:"Storage to use." json:"storage,omitempty" toml:"storage,omitempty" yaml:"storage,omitempty" export:"true"`
KeyType string `description:"KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'." json:"keyType,omitempty" toml:"keyType,omitempty" yaml:"keyType,omitempty" export:"true"` KeyType string `description:"KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'." json:"keyType,omitempty" toml:"keyType,omitempty" yaml:"keyType,omitempty" export:"true"`
EAB *EAB `description:"External Account Binding to use." json:"eab,omitempty" toml:"eab,omitempty" yaml:"eab,omitempty"` EAB *EAB `description:"External Account Binding to use." json:"eab,omitempty" toml:"eab,omitempty" yaml:"eab,omitempty"`
@ -117,7 +119,9 @@ type HTTPChallenge struct {
} }
// TLSChallenge contains TLS challenge configuration. // TLSChallenge contains TLS challenge configuration.
type TLSChallenge struct{} type TLSChallenge struct {
Delay ptypes.Duration `description:"Delay between the creation of the challenge and the validation." json:"delay,omitempty" toml:"delay,omitempty" yaml:"delay,omitempty" export:"true"`
}
// Provider holds configurations of the provider. // Provider holds configurations of the provider.
type Provider struct { type Provider struct {
@ -292,6 +296,7 @@ func (p *Provider) getClient() (*lego.Client, error) {
config.CADirURL = caServer config.CADirURL = caServer
config.Certificate.KeyType = GetKeyType(ctx, p.KeyType) config.Certificate.KeyType = GetKeyType(ctx, p.KeyType)
config.UserAgent = fmt.Sprintf("containous-traefik/%s", version.Version) config.UserAgent = fmt.Sprintf("containous-traefik/%s", version.Version)
config.Certificate.DisableCommonName = p.DisableCommonName
config.HTTPClient, err = p.createHTTPClient() config.HTTPClient, err = p.createHTTPClient()
if err != nil { if err != nil {
@ -371,7 +376,7 @@ func (p *Provider) getClient() (*lego.Client, error) {
if p.TLSChallenge != nil { if p.TLSChallenge != nil {
logger.Debug().Msg("Using TLS Challenge provider.") logger.Debug().Msg("Using TLS Challenge provider.")
err = client.Challenge.SetTLSALPN01Provider(p.TLSChallengeProvider) err = client.Challenge.SetTLSALPN01Provider(p.TLSChallengeProvider, tlsalpn01.SetDelay(time.Duration(p.TLSChallenge.Delay)))
if err != nil { if err != nil {
return nil, err return nil, err
} }