Traefik still start when Let's encrypt is down #2794
Conversation
docs/configuration/acme.md
Outdated
| @@ -144,6 +144,11 @@ entryPoint = "https" | |||
| If `HTTP-01` challenge is used, `acme.httpChallenge.entryPoint` has to be defined and reachable by Let's Encrypt through the port 80. | |||
| These are Let's Encrypt limitations as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72). | |||
|
|
|||
| !!! note | |||
| If Let's Encrypt is down when Træfik is started, already generated certificates will be used, but certificates will not be renewed, and no new certificate will be generated. | |||
There was a problem hiding this comment.
Could you clarify this paragraph.
There was a problem hiding this comment.
If LetsEncrypt is unavailable when Træfik is started, previously generated certificates will be usable, but expired certificates will not be renewed, and new certificates will not be be generated. Træfik will need to be restarted when LetsEncrypt is available to re-enable certificate generation and renewal.
acme/acme.go
Outdated
| @@ -333,7 +334,8 @@ func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, certs *safe.Safe, checkO | |||
|
|
|||
| a.client, err = a.buildACMEClient(account) | |||
| if err != nil { | |||
| return err | |||
| log.Errorf("Failed to build ACME Client: %s", err) | |||
There was a problem hiding this comment.
Could we make this message more verbose?
"Failed to build ACME client" doesn't really tell a whole lot. Would make this message more like:
"Failed to build ACME client. LetsEncrypt functionality will be limited until traefik is restarted."
docs/configuration/acme.md
Outdated
| @@ -144,6 +144,11 @@ entryPoint = "https" | |||
| If `HTTP-01` challenge is used, `acme.httpChallenge.entryPoint` has to be defined and reachable by Let's Encrypt through the port 80. | |||
| These are Let's Encrypt limitations as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72). | |||
|
|
|||
| !!! note | |||
| If Let's Encrypt is down when Træfik is started, already generated certificates will be used, but certificates will not be renewed, and no new certificate will be generated. | |||
There was a problem hiding this comment.
If LetsEncrypt is unavailable when Træfik is started, previously generated certificates will be usable, but expired certificates will not be renewed, and new certificates will not be be generated. Træfik will need to be restarted when LetsEncrypt is available to re-enable certificate generation and renewal.
docs/configuration/acme.md
Outdated
|
|
||
| If Let's Encrypt is not reachable, these certificates will be used : | ||
| - ACME certificates already generated before downtime, |
docs/configuration/acme.md
Outdated
|
|
||
| If Let's Encrypt is not reachable, these certificates will be used : | ||
| - ACME certificates already generated before downtime, | ||
| - Expired ACME certificates, |
docs/configuration/acme.md
Outdated
| If Let's Encrypt is not reachable, these certificates will be used : | ||
| - ACME certificates already generated before downtime, | ||
| - Expired ACME certificates, | ||
| - Provided certificates, |
What does this PR do?
Fix traefik crash when Let's Encrypt is down
Motivation
Be able to start traefik even if LE is down.
Fixes #791
More
The already generated certificates are still used.
If Traefik starts with LE down, you will need to restart Traefik in order to reconnect to LE and onHostRule certificates will generate error logs
In order to have this fix in 1.5.2 we don't change ACME too deeply, more deeply changes may come in 1.6.