ACME V2 Integration #3063
ACME V2 Integration #3063
Conversation
ldez
added
kind/enhancement
nmengin
force-pushed
the
feature/acmev2-study
branch
from
5c4092f to
7796017
Compare
acme/acme.go
Outdated
| return nil, fmt.Errorf("unable to generate a wildcard certificate for domain %q : ACME needs a DNSChallenge", strings.Join(domains, ",")) | ||
| } | ||
| if len(domains) > 1 { | ||
| return nil, fmt.Errorf("unable to generate a wildcard certificate for domain %q : SANs are nor allowed", strings.Join(domains, ",")) |
acme/localStore.go
Outdated
|
|
||
| // Check if ACME Account is in ACME V1 format | ||
| if account != nil && account.Registration != nil { | ||
| isOldRegistration, err := regexp.MatchString(acme.OldRegistrationUrlPath, account.Registration.URI) |
There was a problem hiding this comment.
s/OldRegistration/ACMEv1Registration may be more explicit
acme/acme.go
Outdated
| return nil, errors.New("unable to generate a certificate when no domain is given") | ||
| } | ||
| if strings.HasPrefix(domains[0], "*") { | ||
| if a.DNSChallenge == nil && len(a.DNSProvider) == 0 { |
There was a problem hiding this comment.
I think there is an issue in this test
acme/acme.go
Outdated
| @@ -459,7 +459,7 @@ func (a *ACME) LoadCertificateForDomains(domains []string) { | |||
| a.jobs.In() <- func() { | |||
| log.Debugf("LoadCertificateForDomains %v...", domains) | |||
|
|
|||
| domains, err := a.getValidDomain(domains) | |||
| domains, err := a.getValidDomain(domains, false) | |||
There was a problem hiding this comment.
s/getValidDomain/getValidDomains
| @@ -1214,10 +1214,11 @@ | |||
| revision = "0c8571ac0ce161a5feb57375a9cdf148c98c0f70" | |||
|
|
|||
| [[projects]] | |||
| branch = "master" | |||
| branch = "acmev2" | |||
There was a problem hiding this comment.
Are there any intentions to fork this for stability? Not really excited to use a feature branch on a third party repo as a basis for prod use...
There was a problem hiding this comment.
Hello @dtomcej.
We are not enthusiastic either but, for the moment it's the only way we have if we want to integrate ACME V2.
Moreover, I tested a lot and the branch seems to be stable.
We are following the LEGO repo and, if a big problem appears, we will be able to fork the repo with a stable version thanks to the vendoring.
| @@ -395,7 +387,7 @@ func dnsOverrideDelay(delay flaeg.Duration) error { | |||
|
|
|||
| func (a *ACME) buildACMEClient(account *Account) (*acme.Client, error) { | |||
| log.Debug("Building ACME client...") | |||
| caServer := "https://acme-v01.api.letsencrypt.org/directory" | |||
| caServer := "https://acme-v02.api.letsencrypt.org/directory" | |||
There was a problem hiding this comment.
Is this fully backwards compatible? Is it something that we should be defaulting back to v1 somehow?
There was a problem hiding this comment.
@dtomcej It's not backward compatible.
That's why getAccount methods have been modified.
They can detect V1 Account format and delete is from the ACME structure.
Thus, Træfik reads the new configuration and create a new V2 ACME Account.
However, of course, ACME certificates generated in V1 are compatibles
nmengin
force-pushed
the
feature/acmev2-study
branch
3 times, most recently
from
65e605e to
89478ab
Compare
docs/user-guide/examples.md
Outdated
|
|
||
| [[acme.domains]] | ||
| main = "*.local1.com" | ||
| sans = ["test1.local1.com", "test2.local1.com"] |
There was a problem hiding this comment.
You can't do that (wildcard with sans) ?
There was a problem hiding this comment.
No you can't do it for the moment!
acme/acme_test.go
Outdated
| for _, test := range tests { | ||
| test := test | ||
| t.Run(test.desc, func(t *testing.T) { | ||
| t.Parallel() |
docs/configuration/acme.md
Outdated
|
|
||
| ### DNS-02 Challenge | ||
|
|
||
| As described in [Let's Encrypt post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605), wildcard certificates can only be generated thanks to a `DNS-02`Challenge. |
There was a problem hiding this comment.
Space missing between DNS-02 and Challenge
acme/localStore.go
Outdated
| } | ||
|
|
||
| // Store the data in new format into the file ven if account is nil |
docs/configuration/acme.md
Outdated
| @@ -137,6 +139,10 @@ entryPoint = "https" | |||
| If `HTTP-01` challenge is used, `acme.httpChallenge.entryPoint` has to be defined and reachable by Let's Encrypt through the port 80. | |||
| These are Let's Encrypt limitations as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72). | |||
|
|
|||
| !!!note | |||
| Wildcard certificates can be generated only if `acme.dnsChallenge` | |||
| option is enable. | |||
There was a problem hiding this comment.
Why a new line for this part ? The note in the documentation is broken
There was a problem hiding this comment.
It's another note but a space is missing I add it.
docs/user-guide/examples.md
Outdated
| [acme] | ||
| email = "[email protected]" | ||
| storage = "acme.json" | ||
| caServer = "http://172.18.0.1:4000/directory" |
There was a problem hiding this comment.
You should maybe use "https://acme-staging-v02.api.letsencrypt.org/directory instead of http://172.18.0.1:4000/directory
docs/user-guide/examples.md
Outdated
|
|
||
| [[acme.domains]] | ||
| main = "*.local1.com" | ||
| sans = ["test1.local1.com", "test2.local1.com"] |
There was a problem hiding this comment.
You can not do that. If main domain is a wildcard you can not use sans
provider/acme/provider_test.go
Outdated
| for _, test := range tests { | ||
| test := test | ||
| t.Run(test.desc, func(t *testing.T) { | ||
|
|
There was a problem hiding this comment.
Could you please remove this line
nmengin
force-pushed
the
feature/acmev2-study
branch
from
fae09e6 to
8dbfd5a
Compare
acme/acme.go
Outdated
| // - Duplicated domains | ||
| // - Domains which are checked by wildcard domain | ||
| func (a *ACME) deleteUnecessariesDomains() { | ||
| var newDomains []types.Domain |
There was a problem hiding this comment.
deleteUnnecessariesDomains instead of deleteUnecessariesDomains
nmengin
force-pushed
the
feature/acmev2-study
branch
from
8dbfd5a to
fb1417e
Compare
|
thanks! literally much awaited feature in my project! [[acme.domains]]
main = "mydomain.com"
sans = ["*.mydomain.com"]and getting error so who then should I define wildcard? |
|
Hello @sarkistlt , Many thanks for your feedback. For the moment, we do not support wildcard certificates with/in SANs. You can use the configuration described below : If you still have problems, I suggest you to open an issue or to join our Slack workspace for more community #support. |
|
thanks for response, I just downloaded source code of traefik and it still uses |
|
actually just saw version |
|
getting another error |
|
You can find info on how to configure the wildcard certs here: https://docs.traefik.io/v1.6/configuration/acme/. Let's Encrypt uses a DNS challenge for issuing wildcard certificates, which requires setting a DNS TXT record. Traefik can automate this via the API of your DNS provider (if it is supported), for which it requires an API key. |
|
You can also join our Slack workspace for more community #support. Remember, we dedicate the issue tracker to bug reports and feature requests only |
| [acme] | ||
| # ... | ||
| [[acme.domains]] | ||
| main = "*local1.com" |
There was a problem hiding this comment.
What does this PR do?
This PR allows Træfik to use the new ACME version.
It uses the new lego branch to access to the ACME V2 API.
ACME V2 API main features :
TLS-SNI-01challengeDNS-02challengeMotivation
Fix #2674
Allowing users to do ACME wildcard certificates
More
Additional Notes