
Add acme.httpChallenge.delay option

This commit is contained in:
Ludovic Fernandez 2025-04-01 17:08:05 +02:00 committed by GitHub
parent 405be420c9
commit 6c3b099c25
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 64 additions and 23 deletions


@ -250,6 +250,34 @@ when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpc
!!! info "" !!! info ""
Redirection is fully compatible with the `HTTP-01` challenge. Redirection is fully compatible with the `HTTP-01` challenge.
#### `Delay`
The delay between the creation of the challenge and the validation.
A value lower than or equal to zero means no delay.
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
acme:
# ...
httpChallenge:
# ...
delay: 12
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
[certificatesResolvers.myresolver.acme.httpChallenge]
# ...
delay = 12
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.httpchallenge.delay=12
```
### `dnsChallenge` ### `dnsChallenge`
Use the `DNS-01` challenge to generate and renew ACME certificates by provisioning a DNS record. Use the `DNS-01` challenge to generate and renew ACME certificates by provisioning a DNS record.


@ -74,7 +74,7 @@ certificatesResolvers:
ACME certificate resolvers have the following configuration options: ACME certificate resolvers have the following configuration options:
| Field | Description | Default | Required | | Field | Description | Default | Required |
|:------------------|:--------------------|:-----------------------------------------------|:---------| |:--------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------|:---------|
| `acme.email` | Email address used for registration. | "" | Yes | | `acme.email` | Email address used for registration. | "" | Yes |
| `acme.caServer` | CA server to use. | https://acme-v02.api.letsencrypt.org/directory | No | | `acme.caServer` | CA server to use. | https://acme-v02.api.letsencrypt.org/directory | No |
| `acme.preferredChain` | Preferred chain to use. If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. | "" | No | | `acme.preferredChain` | Preferred chain to use. If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. | "" | No |
@ -92,6 +92,7 @@ ACME certificate resolvers have the following configuration options:
| `acme.dnsChallenge.propagation.disableANSChecks` | Disables the challenge TXT record propagation checks against authoritative nameservers. This option will skip the propagation check against the nameservers of the authority (SOA). It should be used only if the nameservers of the authority are not reachable. | false | No | | `acme.dnsChallenge.propagation.disableANSChecks` | Disables the challenge TXT record propagation checks against authoritative nameservers. This option will skip the propagation check against the nameservers of the authority (SOA). It should be used only if the nameservers of the authority are not reachable. | false | No |
| `acme.httpChallenge` | Enable HTTP-01 challenge. More information [here](#httpchallenge). | | No | | `acme.httpChallenge` | Enable HTTP-01 challenge. More information [here](#httpchallenge). | | No |
| `acme.httpChallenge.entryPoint` | EntryPoint to use for the HTTP-01 challenges. Must be reachable by Let's Encrypt through port 80 | "" | Yes | | `acme.httpChallenge.entryPoint` | EntryPoint to use for the HTTP-01 challenges. Must be reachable by Let's Encrypt through port 80 | "" | Yes |
| `acme.httpChallenge.delay` | The delay between the creation of the challenge and the validation. A value lower than or equal to zero means no delay. | 0 | No |
| `acme.tlsChallenge` | Enable TLS-ALPN-01 challenge. Traefik must be reachable by Let's Encrypt through port 443. More information [here](#tlschallenge). | - | No | | `acme.tlsChallenge` | Enable TLS-ALPN-01 challenge. Traefik must be reachable by Let's Encrypt through port 443. More information [here](#tlschallenge). | - | No |
| `acme.storage` | File path used for certificates storage. | "acme.json" | Yes | | `acme.storage` | File path used for certificates storage. | "acme.json" | Yes |


@ -174,6 +174,9 @@ CSR email addresses to use.
`--certificatesresolvers.<name>.acme.httpchallenge`: `--certificatesresolvers.<name>.acme.httpchallenge`:
Activate HTTP-01 Challenge. (Default: ```false```) Activate HTTP-01 Challenge. (Default: ```false```)
`--certificatesresolvers.<name>.acme.httpchallenge.delay`:
Delay between the creation of the challenge and the validation. (Default: ```0```)
`--certificatesresolvers.<name>.acme.httpchallenge.entrypoint`: `--certificatesresolvers.<name>.acme.httpchallenge.entrypoint`:
HTTP challenge EntryPoint HTTP challenge EntryPoint


@ -174,6 +174,9 @@ CSR email addresses to use.
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE`: `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE`:
Activate HTTP-01 Challenge. (Default: ```false```) Activate HTTP-01 Challenge. (Default: ```false```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE_DELAY`:
Delay between the creation of the challenge and the validation. (Default: ```0```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE_ENTRYPOINT`: `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE_ENTRYPOINT`:
HTTP challenge EntryPoint HTTP challenge EntryPoint


@ -528,6 +528,7 @@
delayBeforeChecks = "42s" delayBeforeChecks = "42s"
[certificatesResolvers.CertificateResolver0.acme.httpChallenge] [certificatesResolvers.CertificateResolver0.acme.httpChallenge]
entryPoint = "foobar" entryPoint = "foobar"
delay = "42s"
[certificatesResolvers.CertificateResolver0.acme.tlsChallenge] [certificatesResolvers.CertificateResolver0.acme.tlsChallenge]
[certificatesResolvers.CertificateResolver0.tailscale] [certificatesResolvers.CertificateResolver0.tailscale]
[certificatesResolvers.CertificateResolver1] [certificatesResolvers.CertificateResolver1]
@ -558,6 +559,7 @@
delayBeforeChecks = "42s" delayBeforeChecks = "42s"
[certificatesResolvers.CertificateResolver1.acme.httpChallenge] [certificatesResolvers.CertificateResolver1.acme.httpChallenge]
entryPoint = "foobar" entryPoint = "foobar"
delay = "42s"
[certificatesResolvers.CertificateResolver1.acme.tlsChallenge] [certificatesResolvers.CertificateResolver1.acme.tlsChallenge]
[certificatesResolvers.CertificateResolver1.tailscale] [certificatesResolvers.CertificateResolver1.tailscale]


@ -575,6 +575,7 @@ certificatesResolvers:
disablePropagationCheck: true disablePropagationCheck: true
httpChallenge: httpChallenge:
entryPoint: foobar entryPoint: foobar
delay: 42s
tlsChallenge: {} tlsChallenge: {}
tailscale: {} tailscale: {}
CertificateResolver1: CertificateResolver1:
@ -611,6 +612,7 @@ certificatesResolvers:
disablePropagationCheck: true disablePropagationCheck: true
httpChallenge: httpChallenge:
entryPoint: foobar entryPoint: foobar
delay: 42s
tlsChallenge: {} tlsChallenge: {}
tailscale: {} tailscale: {}
experimental: experimental:


@ -20,6 +20,7 @@ import (
"github.com/go-acme/lego/v4/certificate" "github.com/go-acme/lego/v4/certificate"
"github.com/go-acme/lego/v4/challenge" "github.com/go-acme/lego/v4/challenge"
"github.com/go-acme/lego/v4/challenge/dns01" "github.com/go-acme/lego/v4/challenge/dns01"
"github.com/go-acme/lego/v4/challenge/http01"
"github.com/go-acme/lego/v4/lego" "github.com/go-acme/lego/v4/lego"
"github.com/go-acme/lego/v4/providers/dns" "github.com/go-acme/lego/v4/providers/dns"
"github.com/go-acme/lego/v4/registration" "github.com/go-acme/lego/v4/registration"
@ -107,6 +108,7 @@ type Propagation struct {
// HTTPChallenge contains HTTP challenge configuration. // HTTPChallenge contains HTTP challenge configuration.
type HTTPChallenge struct { type HTTPChallenge struct {
EntryPoint string `description:"HTTP challenge EntryPoint" json:"entryPoint,omitempty" toml:"entryPoint,omitempty" yaml:"entryPoint,omitempty" export:"true"` EntryPoint string `description:"HTTP challenge EntryPoint" json:"entryPoint,omitempty" toml:"entryPoint,omitempty" yaml:"entryPoint,omitempty" export:"true"`
Delay ptypes.Duration `description:"Delay between the creation of the challenge and the validation." json:"delay,omitempty" toml:"delay,omitempty" yaml:"delay,omitempty" export:"true"`
} }
// TLSChallenge contains TLS challenge configuration. // TLSChallenge contains TLS challenge configuration.
@ -351,7 +353,7 @@ func (p *Provider) getClient() (*lego.Client, error) {
if p.HTTPChallenge != nil && len(p.HTTPChallenge.EntryPoint) > 0 { if p.HTTPChallenge != nil && len(p.HTTPChallenge.EntryPoint) > 0 {
logger.Debug().Msg("Using HTTP Challenge provider.") logger.Debug().Msg("Using HTTP Challenge provider.")
err = client.Challenge.SetHTTP01Provider(p.HTTPChallengeProvider) err = client.Challenge.SetHTTP01Provider(p.HTTPChallengeProvider, http01.SetDelay(time.Duration(p.HTTPChallenge.Delay)))
if err != nil { if err != nil {
return nil, err return nil, err
} }
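Review bot: The configured Delay is handed straight to `http01.SetDelay` on the changed `SetHTTP01Provider` line with no upper bound or log line, so a misconfigured large value (minutes rather than seconds) silently stalls every HTTP-01 order and can push validation past the ACME server's challenge lifetime, surfacing only as a renewal failure later. A debug line before the call, `if p.HTTPChallenge.Delay > 0 { logger.Debug().Msgf("HTTP challenge validation delayed by %s", time.Duration(p.HTTPChallenge.Delay)) }`, would make the wait visible in the logs where operators look first. The documentation in this commit states that values lower than or equal to zero mean no delay, but nothing here enforces that; it presumably relies on lego's option treating non-positive durations as none, and a comment on the `Delay` field such as `// Non-positive values are passed through unchanged; no delay is applied for them by the HTTP-01 provider.` would record that dependency for the next maintainer. The `description` tag on `Delay` also names no unit, while the examples elsewhere in this commit mix a bare `12` and `42s`; stating the expected form in the description would remove the ambiguity. getClient starts and ends outside the hunk.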