Add option to select algorithm to generate ACME certificates

2018-05-16 11:44:03 +02:00 · 2018-05-16 11:44:03 +02:00 · 68cc826519
commit 68cc826519
parent e691168cdc
12 changed files with 179 additions and 23 deletions
--- a/acme/account.go
+++ b/acme/account.go
@ -14,6 +14,7 @@ import (
 	"time"

 	"github.com/containous/traefik/log"
+	acmeprovider "github.com/containous/traefik/provider/acme"
 	"github.com/containous/traefik/types"
 	acme "github.com/xenolf/lego/acmev2"
 )
@ -23,6 +24,7 @@ type Account struct {
 	Email              string
 	Registration       *acme.RegistrationResource
 	PrivateKey         []byte
+	KeyType            acme.KeyType
 	DomainsCertificate DomainsCertificates
 	ChallengeCerts     map[string]*ChallengeCert
 	HTTPChallenge      map[string]map[string][]byte
@ -63,7 +65,9 @@ func (a *Account) Init() error {
 }

 // NewAccount creates an account
-func NewAccount(email string, certs []*DomainsCertificate) (*Account, error) {
+func NewAccount(email string, certs []*DomainsCertificate, keyTypeValue string) (*Account, error) {
+	keyType := acmeprovider.GetKeyType(keyTypeValue)
+
 	// Create a user. New accounts need an email and private key to start
 	privateKey, err := rsa.GenerateKey(rand.Reader, 4096)
 	if err != nil {
@ -79,6 +83,7 @@ func NewAccount(email string, certs []*DomainsCertificate) (*Account, error) {
 	return &Account{
 		Email:              email,
 		PrivateKey:         x509.MarshalPKCS1PrivateKey(privateKey),
+		KeyType:            keyType,
 		DomainsCertificate: DomainsCertificates{Certs: domainsCerts.Certs},
 		ChallengeCerts:     map[string]*ChallengeCert{}}, nil
 }
--- a/acme/acme.go
+++ b/acme/acme.go
@ -46,6 +46,7 @@ type ACME struct {
 	OnHostRule            bool                        `description:"Enable certificate generation on frontends Host rules."`
 	CAServer              string                      `description:"CA server to use."`
 	EntryPoint            string                      `description:"Entrypoint to proxy acme challenge to."`
+	KeyType               string                      `description:"KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. Default to 'RSA4096'"`
 	DNSChallenge          *acmeprovider.DNSChallenge  `description:"Activate DNS-01 Challenge"`
 	HTTPChallenge         *acmeprovider.HTTPChallenge `description:"Activate HTTP-01 Challenge"`
 	DNSProvider           string                      `description:"(Deprecated) Activate DNS-01 Challenge"`                                                                    // Deprecated
@ -186,7 +187,7 @@ func (a *ACME) leadershipListener(elected bool) error {
 				domainsCerts = account.DomainsCertificate
 			}

-			account, err = NewAccount(a.Email, domainsCerts.Certs)
+			account, err = NewAccount(a.Email, domainsCerts.Certs, a.KeyType)
 			if err != nil {
 				return err
 			}
@ -395,7 +396,7 @@ func (a *ACME) buildACMEClient(account *Account) (*acme.Client, error) {
 	if len(a.CAServer) > 0 {
 		caServer = a.CAServer
 	}
-	client, err := acme.NewClient(caServer, account, acme.RSA4096)
+	client, err := acme.NewClient(caServer, account, account.KeyType)
 	if err != nil {
 		return nil, err
 	}
--- a/acme/localStore.go
+++ b/acme/localStore.go
@ -64,6 +64,7 @@ func RemoveAccountV1Values(account *Account) error {
 			account.Email = ""
 			account.Registration = nil
 			account.PrivateKey = nil
+			account.KeyType = "RSA4096"
 		}
 	}
 	return nil
@ -113,6 +114,7 @@ func ConvertToNewFormat(fileName string) {
 				PrivateKey:   account.PrivateKey,
 				Registration: account.Registration,
 				Email:        account.Email,
+				KeyType:      account.KeyType,
 			}

 			var newCertificates []*acme.Certificate
@ -167,6 +169,7 @@ func FromNewToOldFormat(fileName string) (*Account, error) {
 			PrivateKey:         storeAccount.PrivateKey,
 			Registration:       storeAccount.Registration,
 			DomainsCertificate: DomainsCertificates{},
+			KeyType:            storeAccount.KeyType,
 		}
 	}