Add options to control ACME propagation checks
This commit is contained in:
parent
0ec12c7aa7
commit
33c1d700c0
9 changed files with 455 additions and 28 deletions
@ -496,7 +496,7 @@ certificatesResolvers:
--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
```

#### `delayBeforeCheck`
#### `propagation.delayBeforeChecks`

By default, the `provider` verifies the TXT record _before_ letting ACME verify.
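Review bot: the heading is renamed from `delayBeforeCheck` to `propagation.delayBeforeChecks` with no trace of the old name, yet the migration hunk in this same commit only deprecates `delayBeforeCheck`, so a reader searching this page for the key they already have in their config will not find it. Keep a one-line pointer under the new heading, e.g. "`delayBeforeCheck` is deprecated, use `propagation.delayBeforeChecks` instead", and do the same under `propagation.disableChecks`. The unchanged sentence "By default, the `provider` verifies the TXT record _before_ letting ACME verify." would also be more precise as "before telling the ACME server the challenge is ready", since the CA, not the provider, performs the validation.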
@ -511,7 +511,9 @@ certificatesResolvers:
# ...
dnsChallenge:
# ...
delayBeforeCheck: 2s
propagation:
# ...
delayBeforeChecks: 2s
```

```toml tab="File (TOML)"
@ -519,19 +521,21 @@ certificatesResolvers:
# ...
[certificatesResolvers.myresolver.acme.dnsChallenge]
# ...
delayBeforeCheck = "2s"
[certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
# ...
delayBeforeChecks = "2s"
```

```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.dnschallenge.delayBeforeCheck=2s
--certificatesresolvers.myresolver.acme.dnschallenge.propagation.delayBeforeChecks=2s
```

#### `disablePropagationCheck`
#### `propagation.disableChecks`

**Not recommended**
Disables the challenge TXT record propagation checks, before notifying ACME that the DNS challenge is ready.

Disable the TXT records propagation checks before notifying ACME that the DNS challenge is ready.
Please note that disabling checks can prevent the challenge to succeed.

```yaml tab="File (YAML)"
certificatesResolvers:
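Review bot: the **Not recommended** line that headed the old `disablePropagationCheck` section is gone from `propagation.disableChecks`, while the CLI reference in this same commit still labels `propagation.disablechecks` "(not recommended)"; keep the warning here as well, because with checks disabled Traefik tells the ACME server the challenge is ready without ever confirming the TXT record is visible, and the only outcome of a record that is not yet served is a failed validation. Also "can prevent the challenge to succeed" should read "can prevent the challenge from succeeding".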
@ -540,7 +544,9 @@ certificatesResolvers:
# ...
dnsChallenge:
# ...
disablePropagationCheck: true
propagation:
# ...
disableChecks: true
```

```toml tab="File (TOML)"
@ -548,12 +554,90 @@ certificatesResolvers:
# ...
[certificatesResolvers.myresolver.acme.dnsChallenge]
# ...
disablePropagationCheck = true
[certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
# ...
disableChecks = true
```

```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.dnschallenge.disablePropagationCheck=true
--certificatesresolvers.myresolver.acme.dnschallenge.propagation.disableChecks=true
```

#### `propagation.requireAllRNS`

Requires the challenge TXT record to be propagated to all recursive nameservers.

!!! note

If you have disabled authoritative nameservers checks (with `propagation.disableANSChecks`),
it is recommended to check all recursive nameservers instead.

```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
acme:
# ...
dnsChallenge:
# ...
propagation:
# ...
requireAllRNS: true
```

```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
[certificatesResolvers.myresolver.acme.dnsChallenge]
# ...
[certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
# ...
requireAllRNS = true
```

```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.dnschallenge.propagation.requireAllRNS=true
```

#### `propagation.disableANSChecks`

Disables the challenge TXT record propagation checks against authoritative nameservers.

This option will skip the propagation check against the nameservers of the authority (SOA).

It should be used only if the nameservers of the authority are not reachable.

!!! note

If you have disabled authoritative nameservers checks,
it is recommended to check all recursive nameservers instead.

```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
acme:
# ...
dnsChallenge:
# ...
propagation:
# ...
disableANSChecks: true
```

```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
[certificatesResolvers.myresolver.acme.dnsChallenge]
# ...
[certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
# ...
disableANSChecks = true
```

```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.dnschallenge.propagation.disableANSChecks=true
```

#### Wildcard Domains
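Review bot: `propagation.requireAllRNS` says "all recursive nameservers" without saying which set that is; the only resolver list on this page is the `resolvers` option (`1.1.1.1:53,8.8.8.8:53` in the first hunk), so state whether that list, or the system resolvers when it is unset, is what must all answer with the record. The `!!! note` block appears twice, word for word, under `requireAllRNS` and under `disableANSChecks`; one copy under `disableANSChecks` with a cross-reference is enough. Under `disableANSChecks`, the sentence "It should be used only if the nameservers of the authority are not reachable." should say what is given up: without the authoritative query, Traefik only sees what the recursive resolvers return, and a resolver that has cached a negative answer can hold up or fail the challenge, which is the reason `requireAllRNS` is recommended alongside it.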
@ -160,3 +160,10 @@ the `configmaps`, `backendtlspolicies` and `backendtlspolicies/status` rights ha

In `v3.2.1`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source.
Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details.

## v3.2 to v3.3

### ACME DNS Certificate Resolver

In `v3.3`, the `acme.dnsChallenge.delaybeforecheck` and `acme.dnsChallenge.disablepropagationcheck` options of the ACME certificate resolver are deprecated,
please use respectively `acme.dnsChallenge.propagation.delayBeforeCheck` and `acme.dnsChallenge.propagation.disableAllChecks` options instead.
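Review bot: the replacement names in the migration text do not match the options this commit documents: it points users to `acme.dnsChallenge.propagation.delayBeforeCheck` and `acme.dnsChallenge.propagation.disableAllChecks`, while the acme.md sections and both reference files name them `propagation.delayBeforeChecks` and `propagation.disableChecks`. Fix the two names, and write the deprecated ones in the same camelCase used everywhere else (`delayBeforeCheck`, `disablePropagationCheck`) instead of `delaybeforecheck` / `disablepropagationcheck`, so a reader can grep their config for them.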
@ -79,10 +79,25 @@ Certificates' duration in hours. (Default: ```2160```)
Activate DNS-01 Challenge. (Default: ```false```)

`--certificatesresolvers.<name>.acme.dnschallenge.delaybeforecheck`:
Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
(Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)

`--certificatesresolvers.<name>.acme.dnschallenge.disablepropagationcheck`:
Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
(Deprecated) Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)

`--certificatesresolvers.<name>.acme.dnschallenge.propagation`:
DNS propagation checks configuration (Default: ```false```)

`--certificatesresolvers.<name>.acme.dnschallenge.propagation.delaybeforechecks`:
Defines the delay before checking the challenge TXT record propagation. (Default: ```0```)

`--certificatesresolvers.<name>.acme.dnschallenge.propagation.disableanschecks`:
Disables the challenge TXT record propagation checks against authoritative nameservers. (Default: ```false```)

`--certificatesresolvers.<name>.acme.dnschallenge.propagation.disablechecks`:
Disables the challenge TXT record propagation checks (not recommended). (Default: ```false```)

`--certificatesresolvers.<name>.acme.dnschallenge.propagation.requireallrns`:
Requires the challenge TXT record to be propagated to all recursive nameservers. (Default: ```false```)

`--certificatesresolvers.<name>.acme.dnschallenge.provider`:
Use a DNS-01 based challenge provider rather than HTTPS.
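Review bot: `--certificatesresolvers.<name>.acme.dnschallenge.propagation` is a configuration section, yet it is rendered with "(Default: ```false```)", which reads as if it were a boolean flag that could be switched on; it should carry no default, or be described as a section, like the `dnschallenge` entry it sits under. Second, the deprecated `delaybeforecheck` line says "delay in seconds" but the new `propagation.delaybeforechecks` line says only "the delay" with a default of `0`, while the acme.md examples pass `2s`; say that the value is a duration such as `2s` so the unit is not left to guesswork.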
@ -79,10 +79,25 @@ Certificates' duration in hours. (Default: ```2160```)
Activate DNS-01 Challenge. (Default: ```false```)

`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_DELAYBEFORECHECK`:
Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
(Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)

`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_DISABLEPROPAGATIONCHECK`:
Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
(Deprecated) Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)

`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION`:
DNS propagation checks configuration (Default: ```false```)

`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION_DELAYBEFORECHECKS`:
Defines the delay before checking the challenge TXT record propagation. (Default: ```0```)

`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION_DISABLEANSCHECKS`:
Disables the challenge TXT record propagation checks against authoritative nameservers. (Default: ```false```)

`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION_DISABLECHECKS`:
Disables the challenge TXT record propagation checks (not recommended). (Default: ```false```)

`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION_REQUIREALLRNS`:
Requires the challenge TXT record to be propagated to all recursive nameservers. (Default: ```false```)

`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROVIDER`:
Use a DNS-01 based challenge provider rather than HTTPS.
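Review bot: same two points as in the CLI reference: `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION` is a section shown with "(Default: ```false```)", and `..._PROPAGATION_DELAYBEFORECHECKS` gives no unit for the delay. The description text is identical in both files, so whatever produces it should be corrected once rather than patched in each file.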
@ -457,9 +457,14 @@
hmacEncoded = "foobar"
[certificatesResolvers.CertificateResolver0.acme.dnsChallenge]
provider = "foobar"
delayBeforeCheck = "42s"
resolvers = ["foobar", "foobar"]
delayBeforeCheck = "42s"
disablePropagationCheck = true
[certificatesResolvers.CertificateResolver0.acme.dnsChallenge.propagation]
disableChecks = true
disableANSChecks = true
requireAllRNS = true
delayBeforeChecks = "42s"
[certificatesResolvers.CertificateResolver0.acme.httpChallenge]
entryPoint = "foobar"
[certificatesResolvers.CertificateResolver0.acme.tlsChallenge]
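Review bot: the sample now sets the deprecated `delayBeforeCheck` / `disablePropagationCheck` and the new `propagation.*` keys at the same time (with `delayBeforeCheck` only moved below `resolvers`), and nothing in this commit says which value is used when both the old key and its replacement are present. Either drop the deprecated keys from the reference sample, which is meant to show the supported shape, or state the precedence next to the deprecation notice in the migration guide.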
@ -480,9 +485,14 @@
hmacEncoded = "foobar"
[certificatesResolvers.CertificateResolver1.acme.dnsChallenge]
provider = "foobar"
delayBeforeCheck = "42s"
resolvers = ["foobar", "foobar"]
delayBeforeCheck = "42s"
disablePropagationCheck = true
[certificatesResolvers.CertificateResolver1.acme.dnsChallenge.propagation]
disableChecks = true
disableANSChecks = true
requireAllRNS = true
delayBeforeChecks = "42s"
[certificatesResolvers.CertificateResolver1.acme.httpChallenge]
entryPoint = "foobar"
[certificatesResolvers.CertificateResolver1.acme.tlsChallenge]
@ -500,10 +500,15 @@ certificatesResolvers:
caServerName: foobar
dnsChallenge:
provider: foobar
delayBeforeCheck: 42s
resolvers:
- foobar
- foobar
propagation:
disableChecks: true
disableANSChecks: true
requireAllRNS: true
delayBeforeChecks: 42s
delayBeforeCheck: 42s
disablePropagationCheck: true
httpChallenge:
entryPoint: foobar
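Review bot: the YAML sample places the deprecated `delayBeforeCheck` and `disablePropagationCheck` after the `propagation` block, while the TOML sample in the same commit places them before it; pick one order for both files, and, as for the TOML sample, either leave the deprecated keys out of the reference or document what happens when they are set together with `propagation.delayBeforeChecks` and `propagation.disableChecks`.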
@ -527,10 +532,15 @@ certificatesResolvers:
caServerName: foobar
dnsChallenge:
provider: foobar
delayBeforeCheck: 42s
resolvers:
- foobar
- foobar
propagation:
disableChecks: true
disableANSChecks: true
requireAllRNS: true
delayBeforeChecks: 42s
delayBeforeCheck: 42s
disablePropagationCheck: true
httpChallenge:
entryPoint: foobar