ACME V2 Integration

2018-03-26 14:12:03 +02:00 · 2018-03-26 14:12:03 +02:00 · 16bb9b6836
commit 16bb9b6836
parent d2766b1b4f
72 changed files with 11401 additions and 403 deletions
--- a/docs/configuration/acme.md
+++ b/docs/configuration/acme.md
@ -82,11 +82,12 @@ entryPoint = "https"
 # - Leave comment to go to prod.
 #
 # Optional
-# Default: "https://acme-v01.api.letsencrypt.org/directory"
+# Default: "https://acme-v02.api.letsencrypt.org/directory"
 #
-# caServer = "https://acme-staging.api.letsencrypt.org/directory"
+# caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"

 # Domains list.
+# Only domains defined here can generate wildcard certificates.
 #
 # [[acme.domains]]
 #   main = "local1.com"
@ -111,7 +112,8 @@ entryPoint = "https"
  #
  entryPoint = "http"

-# Use a DNS-01 acme challenge rather than HTTP-01 challenge.
+# Use a DNS-01/DNS-02 acme challenge rather than HTTP-01 challenge.
+# Note : Mandatory for wildcard certificates generation.
 #
 # Optional
 #
@ -137,6 +139,10 @@ entryPoint = "https"
    If `HTTP-01` challenge is used, `acme.httpChallenge.entryPoint` has to be defined and reachable by Let's Encrypt through the port 80.
    These are Let's Encrypt limitations as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).

+!!! note
+    Wildcard certificates can be generated only if `acme.dnsChallenge`
+option is enable.
+
 ### Let's Encrypt downtime

 Let's Encrypt functionality will be limited until Træfik is restarted.
@ -215,7 +221,7 @@ Because KV stores (like Consul) have limited entries size, the certificates list
 !!! note
    It's possible to store up to approximately 100 ACME certificates in Consul.

-### `acme.httpChallenge`
+### `httpChallenge`

 Use `HTTP-01` challenge to generate/renew ACME certificates.

@ -256,9 +262,9 @@ defaultEntryPoints = ["http", "https"]
    `acme.httpChallenge.entryPoint` has to be reachable by Let's Encrypt through the port 80.
    It's a Let's Encrypt limitation as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).

-### `acme.dnsChallenge`
+### `dnsChallenge`

-Use `DNS-01` challenge to generate/renew ACME certificates.
+Use `DNS-01/DNS-02` challenge to generate/renew ACME certificates.

 ```toml
 [acme]
@ -269,6 +275,9 @@ Use `DNS-01` challenge to generate/renew ACME certificates.
 # ...
 ```

+!!! note
+    ACME wildcard certificates can only be generated thanks to a `DNS-02` challenge.
+
 #### `provider`

 Select the provider that matches the DNS domain that will host the challenge TXT record, and provide environment variables to enable setting it:
@ -348,12 +357,16 @@ This will request a certificate from Let's Encrypt for each frontend with a Host

 For example, a rule `Host:test1.traefik.io,test2.traefik.io` will request a certificate with main domain `test1.traefik.io` and SAN `test2.traefik.io`.

+!!! warning
+    `onHostRule` option can not be used to generate wildcard certificates.
+    Refer to [the wildcard generation section](/configuration/acme/#wildcard-domain) for more information.
+
 ### `caServer`

 ```toml
 [acme]
 # ...
-caServer = "https://acme-staging.api.letsencrypt.org/directory"
+caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
 # ...
 ```

@ -362,7 +375,7 @@ CA server to use.
 - Uncomment the line to run on the staging Let's Encrypt server.
 - Leave comment to go to prod.

-### `acme.domains`
+### `domains`

 ```toml
 [acme]
@ -376,10 +389,22 @@ CA server to use.
 [[acme.domains]]
  main = "local3.com"
 [[acme.domains]]
-  main = "local4.com"
+  main = "*.local4.com"
 # ...
 ```

+#### Wildcard domains
+
+Wildcard domain has to be defined as a main domain **with no SANs** (alternative domains).
+All domains must have A/AAAA records pointing to Træfik.
+
+!!! warning
+    Note that Let's Encrypt has [rate limiting](https://letsencrypt.org/docs/rate-limits).
+
+Each domain & SANs will lead to a certificate request.
+
+#### Others domains
+
 You can provide SANs (alternative domains) to each main domain.
 All domains must have A/AAAA records pointing to Træfik.

@ -391,9 +416,47 @@ Each domain & SANs will lead to a certificate request.
 ### `dnsProvider` (Deprecated)

 !!! danger "DEPRECATED"
-    This option is deprecated, use [dnsChallenge.provider](/configuration/acme/#acmednschallenge) instead.
+    This option is deprecated, use [dnsChallenge.provider](/configuration/acme/#dnschallenge) instead.

 ### `delayDontCheckDNS` (Deprecated)

 !!! danger "DEPRECATED"
-    This option is deprecated, use [dnsChallenge.delayBeforeCheck](/configuration/acme/#acmednschallenge) instead.
+    This option is deprecated, use [dnsChallenge.delayBeforeCheck](/configuration/acme/#dnschallenge) instead.
+
+## Wildcard certificates
+
+[ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) allows wildcard certificate support.
+However, this feature needs a specific configuration.
+
+### DNS-02 Challenge
+
+As described in [Let's Encrypt post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605), wildcard certificates can only be generated through a `DNS-02`Challenge.
+This challenge is linked to the Træfik option `acme.dnsChallenge`.
+
+```toml
+[acme]
+# ...
+[acme.dnsChallenge]
+  provider = "digitalocean"
+  delayBeforeCheck = 0
+# ...
+```
+
+For more information about this option, please refer to the [dnsChallenge section](/configuration/acme/#dnschallenge).
+
+### Wildcard domain
+
+Wildcard domains can currently be provided only by to the `acme.domains` option.
+Theses domains can not have SANs.
+
+```toml
+[acme]
+# ...
+[[acme.domains]]
+  main = "*local1.com"
+[[acme.domains]]
+  main = "*.local2.com"
+# ...
+```
+
+For more information about this option, please refer to the [domains section](/configuration/acme/#domains).
--- a/docs/index.md
+++ b/docs/index.md
@ -34,7 +34,7 @@ _(But if you'd rather configure some of your routes manually, Træfik supports t

 - Continuously updates its configuration (No restarts!)
 - Supports multiple load balancing algorithms
- Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org)
+- Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org) (wildcard certificates support)
 - Circuit breakers, retry
 - High Availability with cluster mode (beta)
 - See the magic through its clean web UI
--- a/docs/user-guide/examples.md
+++ b/docs/user-guide/examples.md
@ -55,10 +55,6 @@ defaultEntryPoints = ["http", "https"]

 ## Let's Encrypt support

-!!! note
-    Even if `TLS-SNI-01` challenge is [disabled](https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188), for the moment, it stays the _by default_ ACME Challenge in Træfik but all the examples use the `HTTP-01` challenge (except DNS challenge examples).
-    If `TLS-SNI-01` challenge is not re-enabled in the future, it we will be removed from Træfik.
-
 ### Basic example with HTTP challenge

 ```toml
@ -190,10 +186,45 @@ entryPoint = "https"
 ```

 DNS challenge needs environment variables to be executed.
-These variables have to be set on the machine/container which host Træfik.
+These variables have to be set on the machine/container that host Træfik.

 These variables are described [in this section](/configuration/acme/#provider).

+### DNS challenge with wildcard domains
+
+```toml
+[entryPoints]
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+
+[acme]
+email = "test@traefik.io"
+storage = "acme.json"
+caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
+entryPoint = "https"
+  [acme.dnsChallenge]
+  provider = "digitalocean" # DNS Provider name (cloudflare, OVH, gandi...)
+  delayBeforeCheck = 0
+
+[[acme.domains]]
+  main = "*.local1.com"
+[[acme.domains]]
+  main = "local2.com"
+  sans = ["test1.local2.com", "test2x.local2.com"]
+[[acme.domains]]
+  main = "*.local3.com"
+[[acme.domains]]
+  main = "*.local4.com"
+```
+
+DNS challenge needs environment variables to be executed.
+These variables have to be set on the machine/container that host Træfik.
+
+These variables are described [in this section](/configuration/acme/#provider).
+
+More information about wildcard certificates are available [in this section](/configuration/acme/#wildcard-domain).
+
 ### OnHostRule option and provided certificates (with HTTP challenge)

 ```toml