Add options to control ACME propagation checks

2024-11-26 09:08:04 +01:00 · 2024-11-26 09:08:04 +01:00 · 33c1d700c0
commit 33c1d700c0
parent 0ec12c7aa7
9 changed files with 455 additions and 28 deletions
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@ -79,10 +79,25 @@ Certificates' duration in hours. (Default: ```2160```)
 Activate DNS-01 Challenge. (Default: ```false```)

 `--certificatesresolvers.<name>.acme.dnschallenge.delaybeforecheck`:  
-Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
+(Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)

 `--certificatesresolvers.<name>.acme.dnschallenge.disablepropagationcheck`:  
-Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
+(Deprecated) Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
+
+`--certificatesresolvers.<name>.acme.dnschallenge.propagation`:  
+DNS propagation checks configuration (Default: ```false```)
+
+`--certificatesresolvers.<name>.acme.dnschallenge.propagation.delaybeforechecks`:  
+Defines the delay before checking the challenge TXT record propagation. (Default: ```0```)
+
+`--certificatesresolvers.<name>.acme.dnschallenge.propagation.disableanschecks`:  
+Disables the challenge TXT record propagation checks against authoritative nameservers. (Default: ```false```)
+
+`--certificatesresolvers.<name>.acme.dnschallenge.propagation.disablechecks`:  
+Disables the challenge TXT record propagation checks (not recommended). (Default: ```false```)
+
+`--certificatesresolvers.<name>.acme.dnschallenge.propagation.requireallrns`:  
+Requires the challenge TXT record to be propagated to all recursive nameservers. (Default: ```false```)

 `--certificatesresolvers.<name>.acme.dnschallenge.provider`:  
 Use a DNS-01 based challenge provider rather than HTTPS.
--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@ -79,10 +79,25 @@ Certificates' duration in hours. (Default: ```2160```)
 Activate DNS-01 Challenge. (Default: ```false```)

 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_DELAYBEFORECHECK`:  
-Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
+(Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)

 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_DISABLEPROPAGATIONCHECK`:  
-Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
+(Deprecated) Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION`:  
+DNS propagation checks configuration (Default: ```false```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION_DELAYBEFORECHECKS`:  
+Defines the delay before checking the challenge TXT record propagation. (Default: ```0```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION_DISABLEANSCHECKS`:  
+Disables the challenge TXT record propagation checks against authoritative nameservers. (Default: ```false```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION_DISABLECHECKS`:  
+Disables the challenge TXT record propagation checks (not recommended). (Default: ```false```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION_REQUIREALLRNS`:  
+Requires the challenge TXT record to be propagated to all recursive nameservers. (Default: ```false```)

 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROVIDER`:  
 Use a DNS-01 based challenge provider rather than HTTPS.
--- a/docs/content/reference/static-configuration/file.toml
+++ b/docs/content/reference/static-configuration/file.toml
@ -457,9 +457,14 @@
        hmacEncoded = "foobar"
      [certificatesResolvers.CertificateResolver0.acme.dnsChallenge]
        provider = "foobar"
-        delayBeforeCheck = "42s"
        resolvers = ["foobar", "foobar"]
+        delayBeforeCheck = "42s"
        disablePropagationCheck = true
+        [certificatesResolvers.CertificateResolver0.acme.dnsChallenge.propagation]
+          disableChecks = true
+          disableANSChecks = true
+          requireAllRNS = true
+          delayBeforeChecks = "42s"
      [certificatesResolvers.CertificateResolver0.acme.httpChallenge]
        entryPoint = "foobar"
      [certificatesResolvers.CertificateResolver0.acme.tlsChallenge]
@ -480,9 +485,14 @@
        hmacEncoded = "foobar"
      [certificatesResolvers.CertificateResolver1.acme.dnsChallenge]
        provider = "foobar"
-        delayBeforeCheck = "42s"
        resolvers = ["foobar", "foobar"]
+        delayBeforeCheck = "42s"
        disablePropagationCheck = true
+        [certificatesResolvers.CertificateResolver1.acme.dnsChallenge.propagation]
+          disableChecks = true
+          disableANSChecks = true
+          requireAllRNS = true
+          delayBeforeChecks = "42s"
      [certificatesResolvers.CertificateResolver1.acme.httpChallenge]
        entryPoint = "foobar"
      [certificatesResolvers.CertificateResolver1.acme.tlsChallenge]
--- a/docs/content/reference/static-configuration/file.yaml
+++ b/docs/content/reference/static-configuration/file.yaml
@ -500,10 +500,15 @@ certificatesResolvers:
      caServerName: foobar
      dnsChallenge:
        provider: foobar
-        delayBeforeCheck: 42s
        resolvers:
          - foobar
          - foobar
+        propagation:
+          disableChecks: true
+          disableANSChecks: true
+          requireAllRNS: true
+          delayBeforeChecks: 42s
+        delayBeforeCheck: 42s
        disablePropagationCheck: true
      httpChallenge:
        entryPoint: foobar
@ -527,10 +532,15 @@ certificatesResolvers:
      caServerName: foobar
      dnsChallenge:
        provider: foobar
-        delayBeforeCheck: 42s
        resolvers:
          - foobar
          - foobar
+        propagation:
+          disableChecks: true
+          disableANSChecks: true
+          requireAllRNS: true
+          delayBeforeChecks: 42s
+        delayBeforeCheck: 42s
        disablePropagationCheck: true
      httpChallenge:
        entryPoint: foobar