Add Let's Encrypt HTTP Challenge

2018-01-15 16:04:05 +01:00 · 2018-01-15 16:04:05 +01:00 · 3e439cc39b
commit 3e439cc39b
parent 56c0634918
22 changed files with 598 additions and 157 deletions
--- a/docs/user-guide/cluster-docker-consul.md
+++ b/docs/user-guide/cluster-docker-consul.md
@ -56,15 +56,18 @@ $ traefik \
    --acme \
    --acme.storage=/etc/traefik/acme/acme.json \
    --acme.entryPoint=https \
+    --acme.httpChallenge.entryPoint=http \
    --acme.email=contact@mydomain.ca
 ```

-Let's Encrypt needs 3 parameters: an entry point to listen to, a storage for certificates, and an email for the registration.
+Let's Encrypt needs 4 parameters: an TLS entry point to listen to, a non-TLS entry point to allow HTTP challenges, a storage for certificates, and an email for the registration.

 To enable Let's Encrypt support, you need to add `--acme` flag.

 Now, Træfik needs to know where to store the certificates, we can choose between a key in a Key-Value store, or a file path: `--acme.storage=my/key` or `--acme.storage=/path/to/acme.json`.

+The `acme.httpChallenge.entryPoint` flag enables the `HTTP-01` challenge and specifies the entryPoint to use during the challenges.
+
 For your email and the entry point, it's `--acme.entryPoint` and `--acme.email` flags.

 ### Docker configuration
@ -97,6 +100,7 @@ services:
      - "--acme"
      - "--acme.storage=/etc/traefik/acme/acme.json"
      - "--acme.entryPoint=https"
+      - "--acme.httpChallenge.entryPoint=http"
      - "--acme.OnHostRule=true"
      - "--acme.onDemand=false"
      - "--acme.email=contact@mydomain.ca"
@ -206,12 +210,13 @@ services:
      - "--acme"
      - "--acme.storage=traefik/acme/account"
      - "--acme.entryPoint=https"
+      - "--acme.httpChallenge.entryPoint=http"
      - "--acme.OnHostRule=true"
      - "--acme.onDemand=false"
-      - "--acme.email=contact@jmaitrehenry.ca"
+      - "--acme.email=foobar@example.com"
      - "--docker"
      - "--docker.swarmmode"
-      - "--docker.domain=jmaitrehenry.ca"
+      - "--docker.domain=example.com"
      - "--docker.watch"
      - "--consul"
      - "--consul.endpoint=consul:8500"
--- a/docs/user-guide/docker-and-lets-encrypt.md
+++ b/docs/user-guide/docker-and-lets-encrypt.md
@ -104,6 +104,8 @@ email = "your-email-here@my-awesome-app.org"
 storage = "acme.json"
 entryPoint = "https"
 OnHostRule = true
+[acme.httpChallenge]
+entryPoint = "http"
 ```

 This is the minimum configuration required to do the following:
--- a/docs/user-guide/examples.md
+++ b/docs/user-guide/examples.md
@ -6,6 +6,7 @@ You will find here some configuration examples of Træfik.

 ```toml
 defaultEntryPoints = ["http"]
+
 [entryPoints]
  [entryPoints.http]
  address = ":80"
@ -15,6 +16,7 @@ defaultEntryPoints = ["http"]

 ```toml
 defaultEntryPoints = ["http", "https"]
+
 [entryPoints]
  [entryPoints.http]
  address = ":80"
@ -34,6 +36,7 @@ Note that we can either give path to certificate file or directly the file conte

 ```toml
 defaultEntryPoints = ["http", "https"]
+
 [entryPoints]
  [entryPoints.http]
  address = ":80"
@ -52,10 +55,16 @@ defaultEntryPoints = ["http", "https"]

 ## Let's Encrypt support

-### Basic example
+!!! note
+    Even if `TLS-SNI-01` challenge is [disabled](https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188), for the moment, it stays the _by default_ ACME Challenge in Træfik but all the examples use the `HTTP-01` challenge (except DNS challenge examples).
+    If `TLS-SNI-01` challenge is not re-enabled in the future, it we will be removed from Træfik.
+
+### Basic example with HTTP challenge

 ```toml
 [entryPoints]
+  [entryPoints.http]
+  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
@ -65,6 +74,8 @@ email = "test@traefik.io"
 storage = "acme.json"
 caServer = "http://172.18.0.1:4000/directory"
 entryPoint = "https"
+  [acme.httpChallenge]
+  entryPoint = "http"

 [[acme.domains]]
  main = "local1.com"
@ -78,14 +89,16 @@ entryPoint = "https"
  main = "local4.com"
 ```

-This configuration allows generating Let's Encrypt certificates for the four domains `local[1-4].com` with described SANs.
+This configuration allows generating Let's Encrypt certificates (thanks to `HTTP-01` challenge) for the four domains `local[1-4].com` with described SANs.

 Traefik generates these certificates when it starts and it needs to be restart if new domains are added.

-### OnHostRule option
+### OnHostRule option (with HTTP challenge)

 ```toml
 [entryPoints]
+  [entryPoints.http]
+  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
@ -96,6 +109,8 @@ storage = "acme.json"
 onHostRule = true
 caServer = "http://172.18.0.1:4000/directory"
 entryPoint = "https"
+  [acme.httpChallenge]
+  entryPoint = "http"

 [[acme.domains]]
  main = "local1.com"
@ -109,16 +124,18 @@ entryPoint = "https"
  main = "local4.com"
 ```

-This configuration allows generating Let's Encrypt certificates for the four domains `local[1-4].com`.
+This configuration allows generating Let's Encrypt certificates (thanks to `HTTP-01` challenge) for the four domains `local[1-4].com`.

 Traefik generates these certificates when it starts.

 If a backend is added with a `onHost` rule, Traefik will automatically generate the Let's Encrypt certificate for the new domain.

-### OnDemand option
+### OnDemand option (with HTTP challenge)

 ```toml
 [entryPoints]
+  [entryPoints.http]
+  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
@ -129,9 +146,11 @@ storage = "acme.json"
 onDemand = true
 caServer = "http://172.18.0.1:4000/directory"
 entryPoint = "https"
+  [acme.httpChallenge]
+  entryPoint = "http"
 ```

-This configuration allows generating a Let's Encrypt certificate during the first HTTPS request on a new domain.
+This configuration allows generating a Let's Encrypt certificate (thanks to `HTTP-01` challenge) during the first HTTPS request on a new domain.


 !!! note
@ -153,10 +172,11 @@ This configuration allows generating a Let's Encrypt certificate during the firs
 [acme]
 email = "test@traefik.io"
 storage = "acme.json"
-dnsProvider = "digitalocean" # DNS Provider name (cloudflare, OVH, gandi...)
-delayDontCheckDNS = 0
 caServer = "http://172.18.0.1:4000/directory"
 entryPoint = "https"
+  [acme.dnsChallenge]
+  provider = "digitalocean" # DNS Provider name (cloudflare, OVH, gandi...)
+  delayBeforeCheck = 0

 [[acme.domains]]
  main = "local1.com"
@ -173,12 +193,14 @@ entryPoint = "https"
 DNS challenge needs environment variables to be executed.
 This variables have to be set on the machine/container which host Traefik.

-These variables are described [in this section](/configuration/acme/#dnsprovider).
+These variables are described [in this section](/configuration/acme/#provider).

-### OnHostRule option and provided certificates
+### OnHostRule option and provided certificates (with HTTP challenge)

 ```toml
 [entryPoints]
+  [entryPoints.http]
+  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
@ -192,10 +214,11 @@ storage = "acme.json"
 onHostRule = true
 caServer = "http://172.18.0.1:4000/directory"
 entryPoint = "https"
-
+  [acme.httpChallenge]
+  entryPoint = "http"
 ```

-Traefik will only try to generate a Let's encrypt certificate if the domain cannot be checked by the provided certificates.
+Traefik will only try to generate a Let's encrypt certificate (thanks to `HTTP-01` challenge) if the domain cannot be checked by the provided certificates.

 ### Cluster mode

@ -207,6 +230,8 @@ Before you use Let's Encrypt in a Traefik cluster, take a look to [the key-value

 ```toml
 [entryPoints]
+  [entryPoints.http]
+  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
@ -217,6 +242,9 @@ storage = "traefik/acme/account"
 caServer = "http://172.18.0.1:4000/directory"
 entryPoint = "https"

+[acme.httpChallenge]
+    entryPoint = "http"
+
 [[acme.domains]]
  main = "local1.com"
  sans = ["test1.local1.com", "test2.local1.com"]
@ -244,10 +272,12 @@ The `consul` provider contains the configuration.

 ```toml
 [frontends]
+
  [frontends.frontend1]
  backend = "backend2"
    [frontends.frontend1.routes.test_1]
    rule = "Host:test.localhost"
+
  [frontends.frontend2]
  backend = "backend1"
  passHostHeader = true
@ -255,10 +285,11 @@ The `consul` provider contains the configuration.
  entrypoints = ["https"] # overrides defaultEntryPoints
    [frontends.frontend2.routes.test_1]
    rule = "Host:{subdomain:[a-z]+}.localhost"
+
  [frontends.frontend3]
  entrypoints = ["http", "https"] # overrides defaultEntryPoints
  backend = "backend2"
-    rule = "Path:/test"
+  rule = "Path:/test"
 ```

 ## Enable Basic authentication in an entrypoint
@ -272,6 +303,7 @@ Passwords are encoded in MD5: you can use htpasswd to generate those ones.

 ```toml
 defaultEntryPoints = ["http"]
+
 [entryPoints]
  [entryPoints.http]
  address = ":80"
@ -286,6 +318,7 @@ via a configurable header value.

 ```toml
 defaultEntryPoints = ["http"]
+
 [entryPoints]
  [entryPoints.http]
  address = ":80"