
Add acme.httpChallenge.delay option

Ludovic Fernandez 2025-04-01 17:08:05 +02:00 committed by GitHub
parent 405be420c9
commit 6c3b099c25
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 64 additions and 23 deletions


@ -250,6 +250,34 @@ when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpc
!!! info ""
Redirection is fully compatible with the `HTTP-01` challenge.
#### `Delay`
The delay between the creation of the challenge and the validation.
A value lower than or equal to zero means no delay.
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
acme:
# ...
httpChallenge:
# ...
delay: 12
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
[certificatesResolvers.myresolver.acme.httpChallenge]
# ...
delay = 12
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.httpchallenge.delay=12
```
### `dnsChallenge`
Use the `DNS-01` challenge to generate and renew ACME certificates by provisioning a DNS record.


@ -74,7 +74,7 @@ certificatesResolvers:
ACME certificate resolvers have the following configuration options:
| Field | Description | Default | Required |
|:------------------|:--------------------|:-----------------------------------------------|:---------|
|:--------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------|:---------|
| `acme.email` | Email address used for registration. | "" | Yes |
| `acme.caServer` | CA server to use. | https://acme-v02.api.letsencrypt.org/directory | No |
| `acme.preferredChain` | Preferred chain to use. If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. | "" | No |
@ -92,6 +92,7 @@ ACME certificate resolvers have the following configuration options:
| `acme.dnsChallenge.propagation.disableANSChecks` | Disables the challenge TXT record propagation checks against authoritative nameservers. This option will skip the propagation check against the nameservers of the authority (SOA). It should be used only if the nameservers of the authority are not reachable. | false | No |
| `acme.httpChallenge` | Enable HTTP-01 challenge. More information [here](#httpchallenge). | | No |
| `acme.httpChallenge.entryPoint` | EntryPoint to use for the HTTP-01 challenges. Must be reachable by Let's Encrypt through port 80 | "" | Yes |
| `acme.httpChallenge.delay` | The delay between the creation of the challenge and the validation. A value lower than or equal to zero means no delay. | 0 | No |
| `acme.tlsChallenge` | Enable TLS-ALPN-01 challenge. Traefik must be reachable by Let's Encrypt through port 443. More information [here](#tlschallenge). | - | No |
| `acme.storage` | File path used for certificates storage. | "acme.json" | Yes |


@ -174,6 +174,9 @@ CSR email addresses to use.
`--certificatesresolvers.<name>.acme.httpchallenge`:
Activate HTTP-01 Challenge. (Default: ```false```)
`--certificatesresolvers.<name>.acme.httpchallenge.delay`:
Delay between the creation of the challenge and the validation. (Default: ```0```)
`--certificatesresolvers.<name>.acme.httpchallenge.entrypoint`:
HTTP challenge EntryPoint


@ -174,6 +174,9 @@ CSR email addresses to use.
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE`:
Activate HTTP-01 Challenge. (Default: ```false```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE_DELAY`:
Delay between the creation of the challenge and the validation. (Default: ```0```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE_ENTRYPOINT`:
HTTP challenge EntryPoint


@ -528,6 +528,7 @@
delayBeforeChecks = "42s"
[certificatesResolvers.CertificateResolver0.acme.httpChallenge]
entryPoint = "foobar"
delay = "42s"
[certificatesResolvers.CertificateResolver0.acme.tlsChallenge]
[certificatesResolvers.CertificateResolver0.tailscale]
[certificatesResolvers.CertificateResolver1]
@ -558,6 +559,7 @@
delayBeforeChecks = "42s"
[certificatesResolvers.CertificateResolver1.acme.httpChallenge]
entryPoint = "foobar"
delay = "42s"
[certificatesResolvers.CertificateResolver1.acme.tlsChallenge]
[certificatesResolvers.CertificateResolver1.tailscale]


@ -575,6 +575,7 @@ certificatesResolvers:
disablePropagationCheck: true
httpChallenge:
entryPoint: foobar
delay: 42s
tlsChallenge: {}
tailscale: {}
CertificateResolver1:
@ -611,6 +612,7 @@ certificatesResolvers:
disablePropagationCheck: true
httpChallenge:
entryPoint: foobar
delay: 42s
tlsChallenge: {}
tailscale: {}
experimental:


@ -20,6 +20,7 @@ import (
"github.com/go-acme/lego/v4/certificate"
"github.com/go-acme/lego/v4/challenge"
"github.com/go-acme/lego/v4/challenge/dns01"
"github.com/go-acme/lego/v4/challenge/http01"
"github.com/go-acme/lego/v4/lego"
"github.com/go-acme/lego/v4/providers/dns"
"github.com/go-acme/lego/v4/registration"
@ -107,6 +108,7 @@ type Propagation struct {
// HTTPChallenge contains HTTP challenge configuration.
type HTTPChallenge struct {
EntryPoint string `description:"HTTP challenge EntryPoint" json:"entryPoint,omitempty" toml:"entryPoint,omitempty" yaml:"entryPoint,omitempty" export:"true"`
Delay ptypes.Duration `description:"Delay between the creation of the challenge and the validation." json:"delay,omitempty" toml:"delay,omitempty" yaml:"delay,omitempty" export:"true"`
}
// TLSChallenge contains TLS challenge configuration.
@ -351,7 +353,7 @@ func (p *Provider) getClient() (*lego.Client, error) {
if p.HTTPChallenge != nil && len(p.HTTPChallenge.EntryPoint) > 0 {
logger.Debug().Msg("Using HTTP Challenge provider.")
err = client.Challenge.SetHTTP01Provider(p.HTTPChallengeProvider)
err = client.Challenge.SetHTTP01Provider(p.HTTPChallengeProvider, http01.SetDelay(time.Duration(p.HTTPChallenge.Delay)))
if err != nil {
return nil, err
}
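Review bot: The new SetHTTP01Provider call at the end of the section applies `p.HTTPChallenge.Delay` with no bound and no visibility: the wait presumably happens inside lego's solver while the authorization is pending, so an oversized value would silently stall issuance and renewal, and the documentation added in this commit shows both `delay: 12` and `delay: 42s`, which makes the effective duration easy to misjudge. Consider extending the existing debug line to `logger.Debug().Msgf("Using HTTP Challenge provider with a delay of %s.", time.Duration(p.HTTPChallenge.Delay))` so the parsed value is visible at startup, and, if the project wants a ceiling, rejecting larger values in whatever configuration validation runs before getClient (not visible here). The `Delay` field description in the struct hunk also leaves out the rule the docs state, so a field comment such as `// Delay is the pause between presenting the challenge and asking the CA to validate it; values <= 0 mean no delay.` would keep the type self-describing. getClient begins outside the hunk.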