Add Let's Encrypt HTTP Challenge #2701
Conversation
Great job!
A few comments though ;)
acme/acme.go
} | ||
|
||
type DNSChallenge struct { | ||
DNSProvider string `description:"Use a DNS based challenge provider rather than HTTPS."` |
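Review bot: the description on `DNSProvider` says "rather than HTTPS", but the alternatives Træfik actually offers are the TLS-SNI-01 and, with this PR, HTTP-01 challenges, so "HTTPS" points the user at the wrong thing; name the challenges, e.g. `description:"Use a DNS-01 challenge provider rather than TLS-SNI-01 or HTTP-01."`. Inside a struct already called `DNSChallenge` the field name also repeats the type, as noted above; `Provider` is enough.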
s/DNSProvider/Provider
acme/acme.go
} | ||
|
||
type HTTPChallenge struct { | ||
EntryPoint string `description: "HTTP EntryPoint for challenge to"` |
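Review bot: the struct tag on `EntryPoint` has a space after the colon (`description: "..."`), which is not a valid Go struct tag: `reflect.StructTag.Get("description")` only recognises the `key:"value"` form with no whitespace, so whatever reads these descriptions for flags and docs will see an empty string. Drop the space, e.g. `EntryPoint string \`description:"HTTP challenge EntryPoint"\``, which also takes the wording suggested in the review.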
HTTP EntryPoint for challenge to
=> HTTP challenge EntryPoint
acme/acme.go
router.Methods(http.MethodGet).Path(acme.HTTP01ChallengePath("{token}")).Handler(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) { | ||
vars := mux.Vars(req) | ||
if token, ok := vars["token"]; ok { | ||
domain, _, _ := net.SplitHostPort(req.Host) |
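Review bot: `net.SplitHostPort(req.Host)` returns an error and an empty host whenever `req.Host` carries no port, which is the normal case for a validation request arriving on port 80 (`Host: example.com`), so discarding `err` turns the common case into a lookup against the empty string rather than a logged failure. Check the error and fall back to `req.Host` itself (lower-cased, trailing dot trimmed) when there is no port, and reject an empty `token` before using it as a map key.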
err should not be ignored
acme/account.go
@@ -24,6 +24,7 @@ type Account struct { | |||
PrivateKey []byte | |||
DomainsCertificate DomainsCertificates | |||
ChallengeCerts map[string]*ChallengeCert | |||
HttpChallenge map[string]map[string][]byte |
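Review bot: `HttpChallenge` is a new map field on a struct that is persisted as JSON; an `acme.json` written by an older version has no such key, so after loading it the map is nil and the first write into it panics. Initialise it after unmarshalling (or lazily in whatever stores a challenge), and make that the scenario the integration test suggested above exercises. For naming, `HTTPChallenge` would match the `HTTPChallenge` config type and Go's initialism convention.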
We really need to add an integration test to check that we support old acme.json.
acme/acme.go
@@ -155,7 +196,8 @@ func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tl | |||
} | |||
|
|||
a.store = datastore | |||
a.challengeProvider = &challengeProvider{store: a.store} | |||
a.challengeTLSProvider = &challengeTLSProvider{store: a.store} | |||
a.challengeHTTPProvider = &challengeHTTPProvider{store: a.store} |
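Review bot: all three challenge providers are built here unconditionally, although only the challenge that is actually configured (DNS or HTTP, or the TLS-SNI default) will ever be used, and this function is otherwise about wiring the cluster store; that is what the comment above objects to. Construct the single provider matching the configured challenge where the configuration is resolved, and keep only `a.store = datastore` here.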
I'm not in love with instantiating challengeTLSProvider & challengeHTTPProvider here.
acme/acme.go
if a.OnDemand { | ||
log.Warn("ACME.OnDemand is deprecated") | ||
} | ||
|
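Review bot: the warning "ACME.OnDemand is deprecated" does not say what replaces the setting, so the log line will raise support questions instead of prompting a config change; name the replacement field in the message. As noted above, this kind of deprecation handling belongs in `SetEffectiveConfiguration()` rather than `init()`, so that it runs after the configuration has actually been loaded and the deprecated value can be mapped onto the new field.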
I would use SetEffectiveConfiguration() to initialize the configuration correctly instead of init()
Based on https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188 I think you can change the default ... And a huge thanks for your reactivity to implement HTTP-01
docs/user-guide/examples.md
caServer = "http://172.18.0.1:4000/directory" | ||
entryPoint = "https" | ||
[acme.dsnChallenge] |
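Review bot: `[acme.dsnChallenge]` is a typo for `[acme.dnsChallenge]`; if the configuration loader does not reject unknown TOML tables, a user who copies this example gets no error and silently keeps the default TLS-SNI-01 challenge, which is the one Let's Encrypt has disabled. Fix the table name, and consider showing the new `[acme.httpChallenge]` form with its `entryPoint` next to it so the docs cover both new options.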
typo
This fix does not work for me. I get
is getting only the host without port and failing. So for now I'm stuck. I have no idea why this is not working for me, but it obviously works for others. My setup is quite basic: traefik on docker with no special things (I reduced the config mostly to the basic example).
@markuslackner Could you go to the Traefik community Slack in the channel #support and give more information about your configuration. Edit: the problem is now fixed 🎉
The official unofficial image.
I'm still getting the
@kruemelro Remember to download a new image and clear the cache. [acme.httpChallenge]
entryPoint = "http" to config file (
The documentation http://v1-5.archive.docs.traefik.io/configuration/acme/#acmehttpchallenge Please don't use
@ldez Currently it is the only way because Docker has not yet released a new version of the official image.
I know, but we don't recommend the use of this image.
The official image is available:
@ldez When I try to run
@HUg0005 I think some images are still under construction, you need to wait.
Hi, I have been following this PR since the beginning. Thanks all for the efforts. Can I still use the redirection to the https entrypoint enabled on the http entrypoint, or won't it work properly with the HTTP-01 validation? If not, how can I redirect anything besides the validation to the https entrypoint? Thanks.
@xalexslx you can still use the redirection.
Just rebuilt my container with traefik:1.5 and the new acme config: works like a charm.
Hi, I am getting 400/timeout when enabling HTTP-01, is there anything else I am supposed to do besides enabling the challenge?
@vrosales Can you come on the Traefik community Slack to give us more information about your configuration?
Due to the number of questions about redirection: the redirection is fully compatible with the HTTP-01 challenge. You can use redirection with the HTTP-01 challenge without problem. Enjoy 🎉
What does this PR do?
Until now, Træfik only allowed TLS-SNI-01 and DNS-01 challenges to generate/renew ACME certificates. This PR allows users to generate/renew ACME certificates thanks to the HTTP-01 challenge.

Motivation
Due to a security vulnerability, Let's Encrypt disabled TLS-SNI-01 challenges. More information here and here.
Fixes #1832

Additional Notes
TLS-SNI-01 stays the default challenge in Træfik. If this challenge becomes definitively disabled, it will be removed from Træfik in future versions.
The HTTP-01 challenge requires an HTTP entry point which can be accessed through port 80 by Let's Encrypt.
The acme configuration has to evolve in Træfik; many fields will be deprecated by this PR.
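Two questions recur in the thread above: the challenge handler failing when the Host header carries no port (the `net.SplitHostPort` comment and the "host without port" report), and whether an HTTP-to-HTTPS redirect on the port-80 entry point breaks HTTP-01 validation. The following is an added example, not Træfik's code and not part of this PR, of a port-80 entry point that answers `/.well-known/acme-challenge/{token}` first and redirects everything else to HTTPS. It assumes an in-memory `challengeStore` with the same domain/token map shape as the `HttpChallenge` field added here; the handler and helper names, the token and the key authorisation value are constructed for the demo.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// acmeChallengePrefix is the well-known path the ACME server fetches for HTTP-01.
const acmeChallengePrefix = "/.well-known/acme-challenge/"

// hostOnly returns the host from a Host header with any :port removed.
// net.SplitHostPort returns an error when there is no port, which is the
// common case for a validation request hitting port 80 ("Host: example.com"),
// so that case falls back to the raw value instead of failing the lookup.
func hostOnly(hostport string) string {
	host, _, err := net.SplitHostPort(hostport)
	if err != nil {
		host = hostport
	}
	return strings.ToLower(strings.TrimSuffix(host, "."))
}

// challengeStore keeps key authorisations indexed by domain, then token
// (the map[string]map[string][]byte shape the PR adds to Account). Hypothetical.
type challengeStore struct {
	mu   sync.RWMutex
	data map[string]map[string][]byte
}

func newChallengeStore() *challengeStore {
	return &challengeStore{data: make(map[string]map[string][]byte)}
}

// Present records the key authorisation the ACME server expects for domain/token.
func (s *challengeStore) Present(domain, token string, keyAuth []byte) {
	s.mu.Lock()
	defer s.mu.Unlock()
	domain = hostOnly(domain)
	if s.data[domain] == nil { // inner map may be nil (e.g. after loading an old acme.json)
		s.data[domain] = make(map[string][]byte)
	}
	s.data[domain][token] = keyAuth
}

// CleanUp removes the token once validation is over.
func (s *challengeStore) CleanUp(domain, token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.data[hostOnly(domain)], token)
}

func (s *challengeStore) lookup(domain, token string) ([]byte, bool) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	keyAuth, ok := s.data[domain][token]
	return keyAuth, ok
}

// httpEntryPoint builds the handler for the port-80 entry point: challenge
// requests are matched before the redirect, so an HTTP->HTTPS redirect on the
// same entry point does not get in the way of validation.
func httpEntryPoint(store *challengeStore) http.Handler {
	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
		if req.Method == http.MethodGet && strings.HasPrefix(req.URL.Path, acmeChallengePrefix) {
			token := strings.TrimPrefix(req.URL.Path, acmeChallengePrefix)
			// ACME tokens are base64url; a separator means this is not a token we issued.
			if token == "" || strings.ContainsAny(token, "/.") {
				http.NotFound(rw, req)
				return
			}
			keyAuth, ok := store.lookup(hostOnly(req.Host), token)
			if !ok {
				http.NotFound(rw, req)
				return
			}
			rw.Header().Set("Content-Type", "application/octet-stream")
			_, _ = rw.Write(keyAuth)
			return
		}
		target := "https://" + hostOnly(req.Host) + req.URL.RequestURI()
		http.Redirect(rw, req, target, http.StatusMovedPermanently)
	})
}

// serve runs one request through the handler and returns status, body and Location.
func serve(h http.Handler, method, host, path string) (int, string, string) {
	req := httptest.NewRequest(method, "http://"+host+path, nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String(), rec.Header().Get("Location")
}

func main() {
	store := newChallengeStore()
	// Constructed sample: token and key authorisation are made up for the demo.
	store.Present("example.com", "tok123", []byte("tok123.thumbprint"))
	h := httpEntryPoint(store)
	for _, c := range []struct{ host, path string }{
		{"example.com", acmeChallengePrefix + "tok123"},    // no port in Host
		{"example.com:80", acmeChallengePrefix + "tok123"}, // explicit port
		{"example.com", "/index.html?x=1"},                 // ordinary traffic
	} {
		status, body, loc := serve(h, http.MethodGet, c.host, c.path)
		fmt.Printf("%s%s -> %d body=%q location=%q\n", c.host, c.path, status, body, loc)
	}
}
```

The order inside the handler is the whole point: the challenge path is checked before the redirect, so Let's Encrypt gets the key authorisation over plain HTTP while every other request on port 80 is sent to HTTPS, which is why the redirect and HTTP-01 coexist. Normalising the host in both `Present` and the lookup (no port, no trailing dot, lower case) is what keeps the lookup from failing for a `Host: example.com` request.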