From 50b0d772e5c0edad8bdbdb8f4013121dbad9d10c Mon Sep 17 00:00:00 2001 From: Ludovic Fernandez Date: Mon, 17 Mar 2025 10:00:07 +0100 Subject: [PATCH] Add acme.profile and acme.emailAddresses options --- docs/content/https/acme.md | 60 +++++++++++++++++++ .../reference/static-configuration/cli-ref.md | 6 ++ .../reference/static-configuration/env-ref.md | 6 ++ .../reference/static-configuration/file.toml | 4 ++ .../reference/static-configuration/file.yaml | 8 +++ pkg/provider/acme/provider.go | 20 ++++--- 6 files changed, 97 insertions(+), 7 deletions(-) diff --git a/docs/content/https/acme.md b/docs/content/https/acme.md index 62f091e08..0a662e373 100644 --- a/docs/content/https/acme.md +++ b/docs/content/https/acme.md @@ -832,6 +832,66 @@ certificatesResolvers: # ... ``` +### `profile` + +_Optional, Default=""_ + +Certificate profile to use. + +For more information, please check out the [Let's Encrypt blog post](https://letsencrypt.org/2025/01/09/acme-profiles/) about certificate profile selection. + +```yaml tab="File (YAML)" +certificatesResolvers: + myresolver: + acme: + # ... + profile: tlsserver + # ... +``` + +```toml tab="File (TOML)" +[certificatesResolvers.myresolver.acme] + # ... + profile = "tlsserver" + # ... +``` + +```bash tab="CLI" +# ... +--certificatesresolvers.myresolver.acme.profile=tlsserver +# ... +``` + +### `emailAddresses` + +_Optional, Default=""_ + +CSR email addresses to use. + +```yaml tab="File (YAML)" +certificatesResolvers: + myresolver: + acme: + # ... + emailAddresses: + - foo@example.com + - bar@example.org + # ... +``` + +```toml tab="File (TOML)" +[certificatesResolvers.myresolver.acme] + # ... + emailAddresses = ["foo@example.com", "bar@example.org"] + # ... +``` + +```bash tab="CLI" +# ... +--certificatesresolvers.myresolver.acme.emailaddresses=foo@example.com,bar@example.org +# ... +``` + ### `keyType` _Optional, Default="RSA4096"_ 
diff --git a/docs/content/reference/static-configuration/cli-ref.md b/docs/content/reference/static-configuration/cli-ref.md index e963cfb68..dac410d21 100644 --- a/docs/content/reference/static-configuration/cli-ref.md +++ b/docs/content/reference/static-configuration/cli-ref.md @@ -168,6 +168,9 @@ Key identifier from External CA. `--certificatesresolvers..acme.email`: Email address used for registration. +`--certificatesresolvers..acme.emailaddresses`: +CSR email addresses to use. + `--certificatesresolvers..acme.httpchallenge`: Activate HTTP-01 Challenge. (Default: ```false```) @@ -180,6 +183,9 @@ KeyType used for generating certificate private key. Allow value 'EC256', 'EC384 `--certificatesresolvers..acme.preferredchain`: Preferred chain to use. +`--certificatesresolvers..acme.profile`: +Certificate profile to use. + `--certificatesresolvers..acme.storage`: Storage to use. (Default: ```acme.json```) diff --git a/docs/content/reference/static-configuration/env-ref.md b/docs/content/reference/static-configuration/env-ref.md index b89a048e3..b67909baa 100644 --- a/docs/content/reference/static-configuration/env-ref.md +++ b/docs/content/reference/static-configuration/env-ref.md @@ -168,6 +168,9 @@ Key identifier from External CA. `TRAEFIK_CERTIFICATESRESOLVERS__ACME_EMAIL`: Email address used for registration. +`TRAEFIK_CERTIFICATESRESOLVERS__ACME_EMAILADDRESSES`: +CSR email addresses to use. + `TRAEFIK_CERTIFICATESRESOLVERS__ACME_HTTPCHALLENGE`: Activate HTTP-01 Challenge. (Default: ```false```) @@ -180,6 +183,9 @@ KeyType used for generating certificate private key. Allow value 'EC256', 'EC384 `TRAEFIK_CERTIFICATESRESOLVERS__ACME_PREFERREDCHAIN`: Preferred chain to use. +`TRAEFIK_CERTIFICATESRESOLVERS__ACME_PROFILE`: +Certificate profile to use. + `TRAEFIK_CERTIFICATESRESOLVERS__ACME_STORAGE`: Storage to use. (Default: ```acme.json```) 
diff --git a/docs/content/reference/static-configuration/file.toml b/docs/content/reference/static-configuration/file.toml index c379e0261..d35cf897d 100644 --- a/docs/content/reference/static-configuration/file.toml +++ b/docs/content/reference/static-configuration/file.toml @@ -505,6 +505,8 @@ email = "foobar" caServer = "foobar" preferredChain = "foobar" + profile = "foobar" + emailAddresses = ["foobar", "foobar"] storage = "foobar" keyType = "foobar" certificatesDuration = 42 @@ -533,6 +535,8 @@ email = "foobar" caServer = "foobar" preferredChain = "foobar" + profile = "foobar" + emailAddresses = ["foobar", "foobar"] storage = "foobar" keyType = "foobar" certificatesDuration = 42 diff --git a/docs/content/reference/static-configuration/file.yaml b/docs/content/reference/static-configuration/file.yaml index a0a9bbf68..5b8361e08 100644 --- a/docs/content/reference/static-configuration/file.yaml +++ b/docs/content/reference/static-configuration/file.yaml @@ -546,6 +546,10 @@ certificatesResolvers: email: foobar caServer: foobar preferredChain: foobar + profile: foobar + emailAddresses: + - foobar + - foobar storage: foobar keyType: foobar eab: @@ -578,6 +582,10 @@ certificatesResolvers: email: foobar caServer: foobar preferredChain: foobar + profile: foobar + emailAddresses: + - foobar + - foobar storage: foobar keyType: foobar eab: diff --git a/pkg/provider/acme/provider.go b/pkg/provider/acme/provider.go index 9050b529c..9120ead27 100644 --- a/pkg/provider/acme/provider.go +++ b/pkg/provider/acme/provider.go 
@@ -39,13 +39,15 @@ const resolverSuffix = ".acme" // Configuration holds ACME configuration provided by users. type Configuration struct { - Email string `description:"Email address used for registration." json:"email,omitempty" toml:"email,omitempty" yaml:"email,omitempty"` - CAServer string `description:"CA server to use." json:"caServer,omitempty" toml:"caServer,omitempty" yaml:"caServer,omitempty"` - PreferredChain string `description:"Preferred chain to use." json:"preferredChain,omitempty" toml:"preferredChain,omitempty" yaml:"preferredChain,omitempty" export:"true"` - Storage string `description:"Storage to use." json:"storage,omitempty" toml:"storage,omitempty" yaml:"storage,omitempty" export:"true"` - KeyType string `description:"KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'." json:"keyType,omitempty" toml:"keyType,omitempty" yaml:"keyType,omitempty" export:"true"` - EAB *EAB `description:"External Account Binding to use." json:"eab,omitempty" toml:"eab,omitempty" yaml:"eab,omitempty"` - CertificatesDuration int `description:"Certificates' duration in hours." json:"certificatesDuration,omitempty" toml:"certificatesDuration,omitempty" yaml:"certificatesDuration,omitempty" export:"true"` + Email string `description:"Email address used for registration." json:"email,omitempty" toml:"email,omitempty" yaml:"email,omitempty"` + CAServer string `description:"CA server to use." json:"caServer,omitempty" toml:"caServer,omitempty" yaml:"caServer,omitempty"` + PreferredChain string `description:"Preferred chain to use." json:"preferredChain,omitempty" toml:"preferredChain,omitempty" yaml:"preferredChain,omitempty" export:"true"` + Profile string `description:"Certificate profile to use." json:"profile,omitempty" toml:"profile,omitempty" yaml:"profile,omitempty" export:"true"` + EmailAddresses []string `description:"CSR email addresses to use." 
json:"emailAddresses,omitempty" toml:"emailAddresses,omitempty" yaml:"emailAddresses,omitempty"` + Storage string `description:"Storage to use." json:"storage,omitempty" toml:"storage,omitempty" yaml:"storage,omitempty" export:"true"` + KeyType string `description:"KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'." json:"keyType,omitempty" toml:"keyType,omitempty" yaml:"keyType,omitempty" export:"true"` + EAB *EAB `description:"External Account Binding to use." json:"eab,omitempty" toml:"eab,omitempty" yaml:"eab,omitempty"` + CertificatesDuration int `description:"Certificates' duration in hours." json:"certificatesDuration,omitempty" toml:"certificatesDuration,omitempty" yaml:"certificatesDuration,omitempty" export:"true"` CACertificates []string `description:"Specify the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list." json:"caCertificates,omitempty" toml:"caCertificates,omitempty" yaml:"caCertificates,omitempty"` CASystemCertPool bool `description:"Define if the certificates pool must use a copy of the system cert pool." json:"caSystemCertPool,omitempty" toml:"caSystemCertPool,omitempty" yaml:"caSystemCertPool,omitempty" export:"true"` @@ -669,6 +671,8 @@ func (p *Provider) resolveDefaultCertificate(ctx context.Context, domains []stri request := certificate.ObtainRequest{ Domains: domains, Bundle: true, + EmailAddresses: p.EmailAddresses, + Profile: p.Profile, PreferredChain: p.PreferredChain, } @@ -713,6 +717,8 @@ func (p *Provider) resolveCertificate(ctx context.Context, domain types.Domain, request := certificate.ObtainRequest{ Domains: domains, Bundle: true, + EmailAddresses: p.EmailAddresses, + Profile: p.Profile, PreferredChain: p.PreferredChain, }
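Review bot: The new `EmailAddresses` field is declared without `export:"true"` while the new `Profile` field next to it carries the tag; that matches the existing untagged `Email` field and is presumably deliberate (addresses are personal data and should stay out of any exported or anonymised configuration), but nothing in the hunk records that intent, so a later "consistency" cleanup could expose them. A one-line comment on the field would pin it: `// EmailAddresses is deliberately not tagged export:"true": like Email, it holds personal data.` Separately, `Profile` is forwarded to the CA as an opaque string with no local check, so a typo surfaces only as an issuance failure; if the lego version in use exposes the profiles advertised by the ACME directory, a warning at provider initialisation when the configured value is not among them would make that failure actionable. The remainder of the `Configuration` struct lies outside the hunk.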
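Review bot: The `certificate.ObtainRequest` literal is now built identically in `resolveDefaultCertificate` and, in the following hunk, in `resolveCertificate`, and this change had to touch both places to add `EmailAddresses` and `Profile`; every future option, or a fix to one of these two, must again be applied twice and the two request shapes can silently drift. Factoring the literal into one method on `*Provider` keeps both resolution paths in step, with each call site reduced to `request := p.obtainRequest(domains)`. Both enclosing functions begin and end outside the hunks.
```go
// obtainRequest builds the lego request shared by the default-certificate
// and per-domain resolution paths, so ACME options are set in one place.
func (p *Provider) obtainRequest(domains []string) certificate.ObtainRequest {
	return certificate.ObtainRequest{
		Domains:        domains,
		Bundle:         true,
		EmailAddresses: p.EmailAddresses,
		Profile:        p.Profile,
		PreferredChain: p.PreferredChain,
	}
}

// … unchanged: resolveDefaultCertificate / resolveCertificate bodies, each now calling …
request := p.obtainRequest(domains)
```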