Make the TLS certificates management dynamic.

integration/acme_test.go

@@ -92,6 +92,26 @@ func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateWithWildcard(c *check.C
 	s.retrieveAcmeCertificate(c, testCase)
 }
 
+// Test OnDemand option with a wildcard provided certificate
+func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificateWithDynamicWildcard(c *check.C) {
+	testCase := AcmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_provided_dynamic.toml",
+		onDemand:            true,
+		domainToCheck:       wildcardDomain}
+
+	s.retrieveAcmeCertificate(c, testCase)
+}
+
+// Test onHostRule option with a wildcard provided certificate
+func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateWithDynamicWildcard(c *check.C) {
+	testCase := AcmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_provided_dynamic.toml",
+		onDemand:            false,
+		domainToCheck:       wildcardDomain}
+
+	s.retrieveAcmeCertificate(c, testCase)
+}
+
 // Doing an HTTPS request and test the response certificate
 func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase AcmeTestCase) {
 	file := s.adaptFile(c, testCase.traefikConfFilePath, struct {

integration/fixtures/acme/acme_provided.toml

@@ -9,8 +9,8 @@ defaultEntryPoints = ["http", "https"]
   address = ":5001"
     [entryPoints.https.tls]
       [[entryPoints.https.tls.certificates]]
-      CertFile = "fixtures/acme/ssl/wildcard.crt"
-      KeyFile = "fixtures/acme/ssl/wildcard.key"
+      certFile = "fixtures/acme/ssl/wildcard.crt"
+      keyFile = "fixtures/acme/ssl/wildcard.key"
 
 [acme]
 email = "test@traefik.io"

integration/fixtures/acme/acme_provided_dynamic.toml

@@ -0,0 +1,23 @@
+logLevel = "DEBUG"
+
+defaultEntryPoints = ["http", "https"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":8080"
+  [entryPoints.https]
+  address = ":5001"
+    [entryPoints.https.tls]
+
+
+[acme]
+email = "test@traefik.io"
+storage = "/dev/null"
+entryPoint = "https"
+onDemand = {{.OnDemand}}
+OnHostRule = {{.OnHostRule}}
+caServer = "http://{{.BoulderHost}}:4000/directory"
+
+[file]
+filename = "fixtures/acme/certificates.toml"
+watch = true

integration/fixtures/acme/certificates.toml

@@ -0,0 +1,16 @@
+[backends]
+  [backends.backend]
+    [backends.backend.servers.server1]
+    url = "http://127.0.0.1:9010"
+
+[frontends]
+  [frontends.frontend]
+  backend = "backend"
+    [frontends.frontend.routes.test]
+    rule = "Host:traefik.acme.wtf"
+
+[[tlsConfiguration]]
+entryPoints = ["https"]
+    [tlsConfiguration.certificate]
+     certFile = "fixtures/acme/ssl/wildcard.crt"
+     keyFile = "fixtures/acme/ssl/wildcard.key"

integration/fixtures/grpc/config.toml

@@ -7,8 +7,8 @@ RootCAs = [ """{{ .CertContent }}""" ]
   address = ":4443"
     [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
-     CertFile = """{{ .CertContent }}"""
-     KeyFile  = """{{ .KeyContent }}"""
+     certFile = """{{ .CertContent }}"""
+     keyFile  = """{{ .KeyContent }}"""
 
 
 [web]

integration/fixtures/grpc/config_insecure.toml

@@ -7,8 +7,8 @@ InsecureSkipVerify = true
   address = ":4443"
     [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
-     CertFile = """{{ .CertContent }}"""
-     KeyFile  = """{{ .KeyContent }}"""
+     certFile = """{{ .CertContent }}"""
+     keyFile  = """{{ .KeyContent }}"""
 
 
 [web]

integration/fixtures/https/clientca/https_1ca1config.toml

@@ -8,11 +8,11 @@ defaultEntryPoints = ["https"]
     [entryPoints.https.tls]
     ClientCAFiles = ["fixtures/https/clientca/ca1.crt"]
       [[entryPoints.https.tls.certificates]]
-      CertFile = "fixtures/https/snitest.com.cert"
-      KeyFile = "fixtures/https/snitest.com.key"
+      certFile = "fixtures/https/snitest.com.cert"
+      keyFile = "fixtures/https/snitest.com.key"
       [[entryPoints.https.tls.certificates]]
-      CertFile = "fixtures/https/snitest.org.cert"
-      KeyFile = "fixtures/https/snitest.org.key"
+      certFile = "fixtures/https/snitest.org.cert"
+      keyFile = "fixtures/https/snitest.org.key"
 
 [web]
   address = ":8080"

integration/fixtures/https/clientca/https_2ca1config.toml

@@ -8,11 +8,11 @@ defaultEntryPoints = ["https"]
     [entryPoints.https.tls]
     ClientCAFiles = ["fixtures/https/clientca/ca1and2.crt"]
       [[entryPoints.https.tls.certificates]]
-      CertFile = "fixtures/https/snitest.com.cert"
-      KeyFile = "fixtures/https/snitest.com.key"
+      certFile = "fixtures/https/snitest.com.cert"
+      keyFile = "fixtures/https/snitest.com.key"
       [[entryPoints.https.tls.certificates]]
-      CertFile = "fixtures/https/snitest.org.cert"
-      KeyFile = "fixtures/https/snitest.org.key"
+      certFile = "fixtures/https/snitest.org.cert"
+      keyFile = "fixtures/https/snitest.org.key"
 
 [web]
   address = ":8080"

integration/fixtures/https/clientca/https_2ca2config.toml

@@ -8,11 +8,11 @@ defaultEntryPoints = ["https"]
     [entryPoints.https.tls]
     ClientCAFiles = ["fixtures/https/clientca/ca1.crt", "fixtures/https/clientca/ca2.crt"]
       [[entryPoints.https.tls.certificates]]
-      CertFile = "fixtures/https/snitest.com.cert"
-      KeyFile = "fixtures/https/snitest.com.key"
+      certFile = "fixtures/https/snitest.com.cert"
+      keyFile = "fixtures/https/snitest.com.key"
       [[entryPoints.https.tls.certificates]]
-      CertFile = "fixtures/https/snitest.org.cert"
-      KeyFile = "fixtures/https/snitest.org.key"
+      certFile = "fixtures/https/snitest.org.cert"
+      keyFile = "fixtures/https/snitest.org.key"
 
 [web]
   address = ":8080"

integration/fixtures/https/dynamic_https.toml

@@ -0,0 +1,67 @@
+[backends]
+  [backends.backend1]
+    [backends.backend1.servers.server1]
+    url = "http://127.0.0.1:9010"
+  [backends.backend2]
+    [backends.backend2.servers.server1]
+    url = "http://127.0.0.1:9020"
+
+[frontends]
+  [frontends.frontend1]
+  backend = "backend1"
+    [frontends.frontend1.routes.test_1]
+    rule = "Host:snitest.com"
+  [frontends.frontend2]
+  backend = "backend2"
+    [frontends.frontend2.routes.test_2]
+    rule = "Host:snitest.org"
+
+[[tlsConfiguration]]
+entryPoints = ["https"]
+  [tlsConfiguration.certificate]
+    certFile = """-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgIJALAYHG/vGqWEMA0GCSqGSIb3DQEBBQUAMBYxFDASBgNV
+BAMMC3NuaXRlc3Qub3JnMB4XDTE1MTEyMzIyMDU0NFoXDTI1MTEyMDIyMDU0NFow
+FjEUMBIGA1UEAwwLc25pdGVzdC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC8b2Qv68Xnv4wgJ6HNupxABSUA5KXmv9g7pwwsFMSOK15o2qGFzx/x
+9loIi5pMIYIy4SVwJNrYUi772nCYMqSIVXlwct/CE70j2Jb2geIHu3jHbFWXruWb
+W1tGGUYzvnsOUziPE3rLWa/NObNYLLlUKJaxfHrxnpuKpQUsXzoLl25cJEVr4jg2
+ZITpdraxaBLisdlWY7EwwHBLu2nxH5Rn+nIjenFfdUwKF9s5dGy63tfBc8LX9yJk
++kOwy1al/Wxa0DUb6rSt0QDCcD+rXnjk2zWPtsHz1btwtqM+FLtN5z0Lmnx7DF3C
+tCf1TMzduzZ6aeHk77zc664ZQun5cH33AgMBAAGjUDBOMB0GA1UdDgQWBBRn/nNz
+PUsmDKmKv3GGo3km5KKvUDAfBgNVHSMEGDAWgBRn/nNzPUsmDKmKv3GGo3km5KKv
+UDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBkuutIcbBdESgvNLLr
+k/8HUDuFm72lYHZFE+c76CxqYN52w02NCTiq1InoDUvqZXb/StATBwRRduTUPCj9
+KUkC7pOjAFxjzjExsHrtZSq01WinrxNI+qSKvI8jFngMHnwN1omTt7/D7nxeW5Of
+FJTkElnxtELAGHoIwZ+bKprnexefpn9UW84VJvJ2crSR63vBvdTrgsrEGW6kQj1I
+62laDpax4+x8t2h+sfG6uNIA1cFrG8Sk+O2Bi3ogB7Y/4e8r6WA23IRP+aSv0J2b
+k5fvuuXbIc979pQOoO03zG0S7Wpmpsw+9dQB9TOxGITOLfCZwEuIhnv+M9lLqCks
+7H2A
+-----END CERTIFICATE-----"""
+   keyFile = """-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAvG9kL+vF57+MICehzbqcQAUlAOSl5r/YO6cMLBTEjiteaNqh
+hc8f8fZaCIuaTCGCMuElcCTa2FIu+9pwmDKkiFV5cHLfwhO9I9iW9oHiB7t4x2xV
+l67lm1tbRhlGM757DlM4jxN6y1mvzTmzWCy5VCiWsXx68Z6biqUFLF86C5duXCRF
+a+I4NmSE6Xa2sWgS4rHZVmOxMMBwS7tp8R+UZ/pyI3pxX3VMChfbOXRsut7XwXPC
+1/ciZPpDsMtWpf1sWtA1G+q0rdEAwnA/q1545Ns1j7bB89W7cLajPhS7Tec9C5p8
+ewxdwrQn9UzM3bs2emnh5O+83OuuGULp+XB99wIDAQABAoIBAGOn9bByXQQnhZAr
+5aLMIn6pOdyzEBptM4q42fMmOJ2HyjJiDjKaTCbHRu5mBoBk6FrIP+iDVUo6jKad
+7BZSEjoYGlWiKzyU+97NWWmdX1D/kOzHGq1RzhTPyAHWtA4Bm0sEMFFa2AJbuGIt
+NfBYFtuva6MKVmsamuBETewdoLEnxzzDFcuOaxXRfTC/ikWcYyB4KEWA5fjroUQC
+Llo9/UTGTkh1Hynv9AXY6Qia/RbrIQjKveKCRj6PjxyE/qN9qfmngczz2pK0hRhL
+Z+K06y8G+Yj1I1zm5jNg1kakVQKoBsnaYkmIUBUSmWv6ERotedOWtOAMlOKa+0l2
+DS7Ou2ECgYEA91doi+3XrMVsgyTEm/ArzEyRUfM5dCSvBCRFhO7QQp2OYAbjJk5S
+pmdpqmwTsXNNMU+XNkWCLug5pk0PTJwP0mVLE2fLYqCCXoyaMltQ0Yk2gaun/RwE
+w5EfyMwOQakLFY/ODvduQfyNpaoWgFz4/WPNTVNCGs04LepSGKaFNy0CgYEAwwgV
+jKeFA+QZGooTInyk07ZlAbenEPu/c2y3UUFxclP0CjP2/VBOpz9B62vhzCKbjD1c
+/L3x1CKC4n4lbeyHi4vrF69LX9SHr1Jm0SUtyKeV3g0EAzIWI0HFhVUkMvtbibQ4
+HXrLVCJO77xetQ7RQszss1z9g3WotAAiBMiQgDMCgYBTLjoilOIrYFmV4Q+dwa95
+DWbxwHJZ9NxG8EvQ4N95B7OR578Matqwy6ZlgeM9kiErrDCWN9oIHGEG5HN4uCM6
+BoaxB/8GNCSj13Uj6kHLtfF2ulvMa1fOzUd7J+TDgC4SGkKaFewmlOCuDf1zPdEe
+pimtD4rzqIB0MJFbaOT0IQKBgDBPjlb7IB3ooLdMQJUoXwP6iGa2gXHZioEjCv3b
+wihZ13e3i5UQEYuoRcH1RUd1wyYoBSKuQnsT2WwVZ1wlXSYaELAbQgaI9NtfBA0G
+sqKjsKICg13vSECPiEgQ4Rin3vLra4MR6c/7d6Y2+RbMhtWPQYrkm/+2Y4XDCqo4
+rGK1AoGAOFZ3RVhuwXzFdKNe32LM1wm1eZ7waxjI4bQS2xUN/3C/uWS7A3LaSlc3
+eRG3DaVpez4DQVupZDHMgxJUYqqKynUj6GD1YiaxGROj3TYCu6e7OxyhalhCllSu
+w/X5M802XqzLjeec5zHoZDfknnAkgR9MsxZYmZPFaDyL6GOKUB8=
+-----END RSA PRIVATE KEY-----"""

integration/fixtures/https/dynamic_https_sni.toml

@@ -0,0 +1,16 @@
+logLevel = "DEBUG"
+
+defaultEntryPoints = ["https"]
+
+[entryPoints]
+  [entryPoints.https]
+  address = ":4443"
+  [entryPoints.https.tls]
+
+[web]
+  address = ":8080"
+
+[file]
+
+fileName = "{{.DynamicConfFileName}}"
+watch = true

integration/fixtures/https/https_sni.toml

@@ -7,11 +7,11 @@ defaultEntryPoints = ["https"]
   address = ":4443"
     [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
-     CertFile = "fixtures/https/snitest.com.cert"
-     KeyFile = "fixtures/https/snitest.com.key"
+     certFile = "fixtures/https/snitest.com.cert"
+     keyFile = "fixtures/https/snitest.com.key"
      [[entryPoints.https.tls.certificates]]
-     CertFile = "fixtures/https/snitest.org.cert"
-     KeyFile = "fixtures/https/snitest.org.key"
+     certFile = "fixtures/https/snitest.org.cert"
+     keyFile = "fixtures/https/snitest.org.key"
 
 [web]
   address = ":8080"

integration/fixtures/websocket/config_https.toml

@@ -8,8 +8,8 @@ InsecureSkipVerify=true
   address = ":8000"
   [entryPoints.wss.tls]
   [[entryPoints.wss.tls.certificates]]
-    CertFile = "resources/tls/local.cert"
-    KeyFile = "resources/tls/local.key"
+    certFile = "resources/tls/local.cert"
+    keyFile = "resources/tls/local.key"
 
 [web]
   address = ":8080"

integration/https_test.go

@@ -1,14 +1,19 @@
 package integration
 
 import (
+	"bytes"
 	"crypto/tls"
+	"fmt"
 	"net"
 	"net/http"
 	"net/http/httptest"
 	"os"
 	"time"
 
+	"github.com/BurntSushi/toml"
 	"github.com/containous/traefik/integration/try"
+	traefikTls "github.com/containous/traefik/tls"
+	"github.com/containous/traefik/types"
 	"github.com/go-check/check"
 	checker "github.com/vdemeester/shakers"
 )
@@ -293,10 +298,10 @@ func (s *HTTPSSuite) TestWithRootCAsContentForHTTPSOnBackend(c *check.C) {
 	defer cmd.Process.Kill()
 
 	// wait for Traefik
-	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 1000*time.Millisecond, try.BodyContains(backend.URL))
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 1*time.Second, try.BodyContains(backend.URL))
 	c.Assert(err, checker.IsNil)
 
-	err = try.GetRequest("http://127.0.0.1:8081/ping", 1000*time.Millisecond, try.StatusCodeIs(http.StatusOK))
+	err = try.GetRequest("http://127.0.0.1:8081/ping", 1*time.Second, try.StatusCodeIs(http.StatusOK))
 	c.Assert(err, checker.IsNil)
 }
 
@@ -315,10 +320,10 @@ func (s *HTTPSSuite) TestWithRootCAsFileForHTTPSOnBackend(c *check.C) {
 	defer cmd.Process.Kill()
 
 	// wait for Traefik
-	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 1000*time.Millisecond, try.BodyContains(backend.URL))
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 1*time.Second, try.BodyContains(backend.URL))
 	c.Assert(err, checker.IsNil)
 
-	err = try.GetRequest("http://127.0.0.1:8081/ping", 1000*time.Millisecond, try.StatusCodeIs(http.StatusOK))
+	err = try.GetRequest("http://127.0.0.1:8081/ping", 1*time.Second, try.StatusCodeIs(http.StatusOK))
 	c.Assert(err, checker.IsNil)
 }
 
@@ -338,3 +343,203 @@ func startTestServer(port string, statusCode int) (ts *httptest.Server) {
 	ts.Start()
 	return ts
 }
+
+// TestWithSNIConfigRoute involves a client sending HTTPS requests with
+// SNI hostnames of "snitest.org" and "snitest.com". The test verifies
+// that traefik routes the requests to the expected backends thanks to given certificate if possible
+// otherwise thanks to the default one.
+func (s *HTTPSSuite) TestWithSNIDynamicConfigRouteWithNoChange(c *check.C) {
+	dynamicConfFileName := s.adaptFile(c, "fixtures/https/dynamic_https.toml", struct{}{})
+	defer os.Remove(dynamicConfFileName)
+	confFileName := s.adaptFile(c, "fixtures/https/dynamic_https_sni.toml", struct {
+		DynamicConfFileName string
+	}{
+		DynamicConfFileName: dynamicConfFileName,
+	})
+	defer os.Remove(confFileName)
+	cmd, display := s.traefikCmd(withConfigFile(confFileName))
+	defer display(c)
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	tr1 := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+			ServerName:         "snitest.org",
+		},
+	}
+
+	tr2 := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+			ServerName:         "snitest.com",
+		},
+	}
+
+	// wait for Traefik
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 1*time.Second, try.BodyContains("Host:"+tr1.TLSClientConfig.ServerName))
+	c.Assert(err, checker.IsNil)
+
+	backend1 := startTestServer("9010", http.StatusNoContent)
+	backend2 := startTestServer("9020", http.StatusResetContent)
+	defer backend1.Close()
+	defer backend2.Close()
+
+	err = try.GetRequest(backend1.URL, 500*time.Millisecond, try.StatusCodeIs(http.StatusNoContent))
+	c.Assert(err, checker.IsNil)
+	err = try.GetRequest(backend2.URL, 500*time.Millisecond, try.StatusCodeIs(http.StatusResetContent))
+	c.Assert(err, checker.IsNil)
+
+	client := &http.Client{Transport: tr1}
+	req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = tr1.TLSClientConfig.ServerName
+	req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
+	req.Header.Set("Accept", "*/*")
+	resp, err := client.Do(req)
+	c.Assert(err, checker.IsNil)
+	// snitest.org certificate must be used yet
+	c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, check.Equals, tr1.TLSClientConfig.ServerName)
+	// Expected a 204 (from backend1)
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusResetContent)
+
+	client = &http.Client{Transport: tr2}
+	req.Host = tr2.TLSClientConfig.ServerName
+	req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
+	resp, err = client.Do(req)
+	c.Assert(err, checker.IsNil)
+	// snitest.com certificate does not exist, default certificate has to be used
+	c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, checker.Not(check.Equals), tr2.TLSClientConfig.ServerName)
+	// Expected a 205 (from backend2)
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusNoContent)
+}
+
+// TestWithSNIConfigRoute involves a client sending HTTPS requests with
+// SNI hostnames of "snitest.org" and "snitest.com". The test verifies
+// that traefik updates its configuration when the HTTPS configuration is modified and
+// it routes the requests to the expected backends thanks to given certificate if possible
+// otherwise thanks to the default one.
+func (s *HTTPSSuite) TestWithSNIDynamicConfigRouteWithChange(c *check.C) {
+	dynamicConfFileName := s.adaptFile(c, "fixtures/https/dynamic_https.toml", struct{}{})
+	defer os.Remove(dynamicConfFileName)
+	confFileName := s.adaptFile(c, "fixtures/https/dynamic_https_sni.toml", struct {
+		DynamicConfFileName string
+	}{
+		DynamicConfFileName: dynamicConfFileName,
+	})
+	defer os.Remove(confFileName)
+	cmd, display := s.traefikCmd(withConfigFile(confFileName))
+	defer display(c)
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	tr1 := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+			ServerName:         "snitest.com",
+		},
+	}
+
+	tr2 := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+			ServerName:         "snitest.org",
+		},
+	}
+
+	// wait for Traefik
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 1*time.Second, try.BodyContains("Host:"+tr2.TLSClientConfig.ServerName))
+	c.Assert(err, checker.IsNil)
+
+	backend1 := startTestServer("9010", http.StatusNoContent)
+	backend2 := startTestServer("9020", http.StatusResetContent)
+	defer backend1.Close()
+	defer backend2.Close()
+
+	err = try.GetRequest(backend1.URL, 500*time.Millisecond, try.StatusCodeIs(http.StatusNoContent))
+	c.Assert(err, checker.IsNil)
+	err = try.GetRequest(backend2.URL, 500*time.Millisecond, try.StatusCodeIs(http.StatusResetContent))
+	c.Assert(err, checker.IsNil)
+
+	req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
+	client := &http.Client{Transport: tr1}
+	req.Host = tr1.TLSClientConfig.ServerName
+	req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
+	req.Header.Set("Accept", "*/*")
+
+	// Change certificates configuration file content
+	modifyCertificateConfFileContent(c, tr1.TLSClientConfig.ServerName, dynamicConfFileName)
+	var resp *http.Response
+	err = try.Do(30*time.Second, func() error {
+		resp, err = client.Do(req)
+
+		// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
+		req.Close = true
+
+		if err != nil {
+			return err
+		}
+
+		cn := resp.TLS.PeerCertificates[0].Subject.CommonName
+		if cn != tr1.TLSClientConfig.ServerName {
+			return fmt.Errorf("domain %s found in place of %s", cn, tr1.TLSClientConfig.ServerName)
+		}
+
+		return nil
+	})
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusNotFound)
+	client = &http.Client{Transport: tr2}
+	req.Host = tr2.TLSClientConfig.ServerName
+	req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
+
+	err = try.Do(60*time.Second, func() error {
+		resp, err = client.Do(req)
+
+		// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
+		req.Close = true
+
+		if err != nil {
+			return err
+		}
+
+		cn := resp.TLS.PeerCertificates[0].Subject.CommonName
+		if cn == tr2.TLSClientConfig.ServerName {
+			return fmt.Errorf("domain %s found in place of default one", tr2.TLSClientConfig.ServerName)
+		}
+
+		return nil
+	})
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusNotFound)
+}
+
+// modifyCertificateConfFileContent replaces the content of a HTTPS configuration file.
+func modifyCertificateConfFileContent(c *check.C, certFileName, confFileName string) {
+	tlsConf := types.Configuration{
+		TLSConfiguration: []*traefikTls.Configuration{
+			{
+				Certificate: &traefikTls.Certificate{
+					CertFile: traefikTls.FileOrContent("fixtures/https/" + certFileName + ".cert"),
+					KeyFile:  traefikTls.FileOrContent("fixtures/https/" + certFileName + ".key"),
+				},
+				EntryPoints: []string{"https"},
+			},
+		},
+	}
+	var confBuffer bytes.Buffer
+	e := toml.NewEncoder(&confBuffer)
+	err := e.Encode(tlsConf)
+	c.Assert(err, checker.IsNil)
+
+	f, err := os.OpenFile("./"+confFileName, os.O_WRONLY, os.ModeExclusive)
+	c.Assert(err, checker.IsNil)
+	defer func() {
+		f.Close()
+	}()
+	f.Truncate(0)
+	_, err = f.Write(confBuffer.Bytes())
+	c.Assert(err, checker.IsNil)
+}