homelab/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: allow configuration of ACME certificates duration

Browse source
This commit is contained in:
Pablo Montepagano 2021-11-10 08:06:09 -03:00 committed by GitHub
parent 1f17731369
commit 0a5c9095ac
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 183 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

50
docs/content/https/acme.md
View file

@ -140,7 +140,11 @@ Please check the [configuration examples below](#configuration-examples) for mor
Traefik automatically tracks the expiry date of ACME certificates it generates.
If there are less than 30 days remaining before the certificate expires, Traefik will attempt to renew it automatically.
By default, Traefik manages 90 days certificates,
and starts to renew certificates 30 days before their expiry.
When using a certificates resolver that issues certificates with custom durations,
one can configure the certificates' duration with the [`certificatesDuration`](#certificatesduration) option.
!!! info ""
Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.
@ -533,6 +537,50 @@ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
!!! warning
For concurrency reasons, this file cannot be shared across multiple instances of Traefik.
### `certificatesDuration`
_Optional, Default=2160_
The `certificatesDuration` option defines the certificates' duration in hours.
It defaults to `2160` (90 days) to follow Let's Encrypt certificates' duration.
!!! warning "Traefik cannot manage certificates with a duration lower than 1 hour."
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
acme:
# ...
certificatesDuration: 72
# ...
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
certificatesDuration=72
# ...
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.certificatesduration=72
# ...
```
`certificatesDuration` is used to calculate two durations:
- `Renew Period`: the period before the end of the certificate duration, during which the certificate should be renewed.
- `Renew Interval`: the interval between renew attempts.
| Certificate Duration | Renew Period | Renew Interval |
|----------------------|-------------------|-------------------------|
| >= 1 year | 4 months | 1 week |
| >= 90 days | 30 days | 1 day |
| >= 7 days | 1 day | 1 hour |
| >= 24 hours | 6 hours | 10 min |
| < 24 hours | 20 min | 1 min |
### `preferredChain`
_Optional, Default=""_

8
docs/content/https/ref-acme.toml
View file

@ -22,6 +22,14 @@
#
# caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
# The certificates' duration in hours.
# It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.
#
# Optional
# Default: 2160
#
# certificatesDuration=2160
# Preferred chain to use.
#
# If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.

8
docs/content/https/ref-acme.txt
View file

@ -21,6 +21,14 @@
#
--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
# The certificates' duration in hours.
# It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.
#
# Optional
# Default: 2160
#
--certificatesresolvers.myresolver.acme.certificatesDuration=2160
# Preferred chain to use.
#
# If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.

8
docs/content/https/ref-acme.yaml
View file

@ -24,6 +24,14 @@ certificatesResolvers:
#
# caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
# The certificates' duration in hours.
# It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.
#
# Optional
# Default: 2160
#
# certificatesDuration: 2160
# Preferred chain to use.
#
# If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.

3
docs/content/reference/static-configuration/cli-ref.md
View file

@ -54,6 +54,9 @@ Certificates resolvers configuration. (Default: ```false```)
`--certificatesresolvers.<name>.acme.caserver`:
CA server to use. (Default: ```https://acme-v02.api.letsencrypt.org/directory```)
`--certificatesresolvers.<name>.acme.certificatesduration`:
Certificates' duration in hours. (Default: ```2160```)
`--certificatesresolvers.<name>.acme.dnschallenge`:
Activate DNS-01 Challenge. (Default: ```false```)

3
docs/content/reference/static-configuration/env-ref.md
View file

@ -54,6 +54,9 @@ Certificates resolvers configuration. (Default: ```false```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CASERVER`:
CA server to use. (Default: ```https://acme-v02.api.letsencrypt.org/directory```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CERTIFICATESDURATION`:
Certificates' duration in hours. (Default: ```2160```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE`:
Activate DNS-01 Challenge. (Default: ```false```)

2
docs/content/reference/static-configuration/file.toml
View file

@ -358,6 +358,7 @@
[certificatesResolvers.CertificateResolver0.acme]
email = "foobar"
caServer = "foobar"
certificatesDuration = 2160
preferredChain = "foobar"
storage = "foobar"
keyType = "foobar"
@ -376,6 +377,7 @@
[certificatesResolvers.CertificateResolver1.acme]
email = "foobar"
caServer = "foobar"
certificatesDuration = 2160
preferredChain = "foobar"
storage = "foobar"
keyType = "foobar"

2
docs/content/reference/static-configuration/file.yaml
View file

@ -376,6 +376,7 @@ certificatesResolvers:
acme:
email: foobar
caServer: foobar
certificatesDuration: 2160
preferredChain: foobar
storage: foobar
keyType: foobar
@ -396,6 +397,7 @@ certificatesResolvers:
acme:
email: foobar
caServer: foobar
certificatesDuration: 2160
preferredChain: foobar
storage: foobar
keyType: foobar