Certificate resolvers.

Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com> Co-authored-by: Jean-Baptiste Doumenjou <jb.doumenjou@gmail.com>
2019-07-19 11:52:04 +02:00 · 2019-07-19 11:52:04 +02:00 · f75f73f3d2
commit f75f73f3d2
parent e3627e9cba
47 changed files with 1573 additions and 1249 deletions
--- a/integration/acme_test.go
+++ b/integration/acme_test.go
@ -11,6 +11,7 @@ import (
 	"time"

 	"github.com/containous/traefik/integration/try"
+	"github.com/containous/traefik/pkg/config/static"
 	"github.com/containous/traefik/pkg/provider/acme"
 	"github.com/containous/traefik/pkg/testhelpers"
 	"github.com/containous/traefik/pkg/types"
@ -26,17 +27,23 @@ type AcmeSuite struct {
 	fakeDNSServer *dns.Server
 }

+type subCases struct {
+	host               string
+	expectedCommonName string
+	expectedAlgorithm  x509.PublicKeyAlgorithm
+}
+
 type acmeTestCase struct {
 	template            templateModel
 	traefikConfFilePath string
-	expectedCommonName  string
-	expectedAlgorithm   x509.PublicKeyAlgorithm
+	subCases            []subCases
 }

 type templateModel struct {
+	Domains   []types.Domain
 	PortHTTP  string
 	PortHTTPS string
-	Acme      acme.Configuration
+	Acme      map[string]static.CertificateResolver
 }

 const (
@ -120,40 +127,48 @@ func (s *AcmeSuite) TearDownSuite(c *check.C) {
 	}
 }

-func (s *AcmeSuite) TestHTTP01DomainsAtStart(c *check.C) {
-	c.Skip("We need to fix DefaultCertificate at start")
+func (s *AcmeSuite) TestHTTP01Domains(c *check.C) {
 	testCase := acmeTestCase{
-		traefikConfFilePath: "fixtures/acme/acme_base.toml",
+		traefikConfFilePath: "fixtures/acme/acme_domains.toml",
+		subCases: []subCases{{
+			host:               acmeDomain,
+			expectedCommonName: acmeDomain,
+			expectedAlgorithm:  x509.RSA,
+		}},
 		template: templateModel{
-			Acme: acme.Configuration{
-				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
-				Domains: types.Domains{types.Domain{
-					Main: "traefik.acme.wtf",
+			Domains: []types.Domain{{
+				Main: "traefik.acme.wtf",
+			}},
+			Acme: map[string]static.CertificateResolver{
+				"default": {ACME: &acme.Configuration{
+					HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
 				}},
 			},
 		},
-		expectedCommonName: acmeDomain,
-		expectedAlgorithm:  x509.RSA,
 	}

 	s.retrieveAcmeCertificate(c, testCase)
 }

-func (s *AcmeSuite) TestHTTP01DomainsInSANAtStart(c *check.C) {
-	c.Skip("We need to fix DefaultCertificate at start")
+func (s *AcmeSuite) TestHTTP01DomainsInSAN(c *check.C) {
 	testCase := acmeTestCase{
-		traefikConfFilePath: "fixtures/acme/acme_base.toml",
+		traefikConfFilePath: "fixtures/acme/acme_domains.toml",
+		subCases: []subCases{{
+			host:               acmeDomain,
+			expectedCommonName: "acme.wtf",
+			expectedAlgorithm:  x509.RSA,
+		}},
 		template: templateModel{
-			Acme: acme.Configuration{
-				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
-				Domains: types.Domains{types.Domain{
-					Main: "acme.wtf",
-					SANs: []string{"traefik.acme.wtf"},
+			Domains: []types.Domain{{
+				Main: "acme.wtf",
+				SANs: []string{"traefik.acme.wtf"},
+			}},
+			Acme: map[string]static.CertificateResolver{
+				"default": {ACME: &acme.Configuration{
+					HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
 				}},
 			},
 		},
-		expectedCommonName: "acme.wtf",
-		expectedAlgorithm:  x509.RSA,
 	}

 	s.retrieveAcmeCertificate(c, testCase)
@ -162,14 +177,49 @@ func (s *AcmeSuite) TestHTTP01DomainsInSANAtStart(c *check.C) {
 func (s *AcmeSuite) TestHTTP01OnHostRule(c *check.C) {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_base.toml",
+		subCases: []subCases{{
+			host:               acmeDomain,
+			expectedCommonName: acmeDomain,
+			expectedAlgorithm:  x509.RSA,
+		}},
 		template: templateModel{
-			Acme: acme.Configuration{
-				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
-				OnHostRule:    true,
+			Acme: map[string]static.CertificateResolver{
+				"default": {ACME: &acme.Configuration{
+					HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
+				}},
+			},
+		},
+	}
+
+	s.retrieveAcmeCertificate(c, testCase)
+}
+
+func (s *AcmeSuite) TestMultipleResolver(c *check.C) {
+	testCase := acmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_multiple_resolvers.toml",
+		subCases: []subCases{
+			{
+				host:               acmeDomain,
+				expectedCommonName: acmeDomain,
+				expectedAlgorithm:  x509.RSA,
+			},
+			{
+				host:               "tchouk.acme.wtf",
+				expectedCommonName: "tchouk.acme.wtf",
+				expectedAlgorithm:  x509.ECDSA,
+			},
+		},
+		template: templateModel{
+			Acme: map[string]static.CertificateResolver{
+				"default": {ACME: &acme.Configuration{
+					HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
+				}},
+				"tchouk": {ACME: &acme.Configuration{
+					TLSChallenge: &acme.TLSChallenge{},
+					KeyType:      "EC256",
+				}},
 			},
 		},
-		expectedCommonName: acmeDomain,
-		expectedAlgorithm:  x509.RSA,
 	}

 	s.retrieveAcmeCertificate(c, testCase)
@ -178,15 +228,19 @@ func (s *AcmeSuite) TestHTTP01OnHostRule(c *check.C) {
 func (s *AcmeSuite) TestHTTP01OnHostRuleECDSA(c *check.C) {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_base.toml",
+		subCases: []subCases{{
+			host:               acmeDomain,
+			expectedCommonName: acmeDomain,
+			expectedAlgorithm:  x509.ECDSA,
+		}},
 		template: templateModel{
-			Acme: acme.Configuration{
-				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
-				OnHostRule:    true,
-				KeyType:       "EC384",
+			Acme: map[string]static.CertificateResolver{
+				"default": {ACME: &acme.Configuration{
+					HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
+					KeyType:       "EC384",
+				}},
 			},
 		},
-		expectedCommonName: acmeDomain,
-		expectedAlgorithm:  x509.ECDSA,
 	}

 	s.retrieveAcmeCertificate(c, testCase)
@ -195,31 +249,39 @@ func (s *AcmeSuite) TestHTTP01OnHostRuleECDSA(c *check.C) {
 func (s *AcmeSuite) TestHTTP01OnHostRuleInvalidAlgo(c *check.C) {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_base.toml",
+		subCases: []subCases{{
+			host:               acmeDomain,
+			expectedCommonName: acmeDomain,
+			expectedAlgorithm:  x509.RSA,
+		}},
 		template: templateModel{
-			Acme: acme.Configuration{
-				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
-				OnHostRule:    true,
-				KeyType:       "INVALID",
+			Acme: map[string]static.CertificateResolver{
+				"default": {ACME: &acme.Configuration{
+					HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
+					KeyType:       "INVALID",
+				}},
 			},
 		},
-		expectedCommonName: acmeDomain,
-		expectedAlgorithm:  x509.RSA,
 	}

 	s.retrieveAcmeCertificate(c, testCase)
 }

-func (s *AcmeSuite) TestHTTP01OnHostRuleStaticCertificatesWithWildcard(c *check.C) {
+func (s *AcmeSuite) TestHTTP01OnHostRuleDefaultDynamicCertificatesWithWildcard(c *check.C) {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_tls.toml",
+		subCases: []subCases{{
+			host:               acmeDomain,
+			expectedCommonName: wildcardDomain,
+			expectedAlgorithm:  x509.RSA,
+		}},
 		template: templateModel{
-			Acme: acme.Configuration{
-				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
-				OnHostRule:    true,
+			Acme: map[string]static.CertificateResolver{
+				"default": {ACME: &acme.Configuration{
+					HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
+				}},
 			},
 		},
-		expectedCommonName: wildcardDomain,
-		expectedAlgorithm:  x509.RSA,
 	}

 	s.retrieveAcmeCertificate(c, testCase)
@ -228,14 +290,38 @@ func (s *AcmeSuite) TestHTTP01OnHostRuleStaticCertificatesWithWildcard(c *check.
 func (s *AcmeSuite) TestHTTP01OnHostRuleDynamicCertificatesWithWildcard(c *check.C) {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_tls_dynamic.toml",
+		subCases: []subCases{{
+			host:               acmeDomain,
+			expectedCommonName: wildcardDomain,
+			expectedAlgorithm:  x509.RSA,
+		}},
 		template: templateModel{
-			Acme: acme.Configuration{
-				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
-				OnHostRule:    true,
+			Acme: map[string]static.CertificateResolver{
+				"default": {ACME: &acme.Configuration{
+					HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
+				}},
+			},
+		},
+	}
+
+	s.retrieveAcmeCertificate(c, testCase)
+}
+
+func (s *AcmeSuite) TestTLSALPN01OnHostRuleTCP(c *check.C) {
+	testCase := acmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_tcp.toml",
+		subCases: []subCases{{
+			host:               acmeDomain,
+			expectedCommonName: acmeDomain,
+			expectedAlgorithm:  x509.RSA,
+		}},
+		template: templateModel{
+			Acme: map[string]static.CertificateResolver{
+				"default": {ACME: &acme.Configuration{
+					TLSChallenge: &acme.TLSChallenge{},
+				}},
 			},
 		},
-		expectedCommonName: wildcardDomain,
-		expectedAlgorithm:  x509.RSA,
 	}

 	s.retrieveAcmeCertificate(c, testCase)
@ -244,72 +330,65 @@ func (s *AcmeSuite) TestHTTP01OnHostRuleDynamicCertificatesWithWildcard(c *check
 func (s *AcmeSuite) TestTLSALPN01OnHostRule(c *check.C) {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_base.toml",
+		subCases: []subCases{{
+			host:               acmeDomain,
+			expectedCommonName: acmeDomain,
+			expectedAlgorithm:  x509.RSA,
+		}},
 		template: templateModel{
-			Acme: acme.Configuration{
-				TLSChallenge: &acme.TLSChallenge{},
-				OnHostRule:   true,
+			Acme: map[string]static.CertificateResolver{
+				"default": {ACME: &acme.Configuration{
+					TLSChallenge: &acme.TLSChallenge{},
+				}},
 			},
 		},
-		expectedCommonName: acmeDomain,
-		expectedAlgorithm:  x509.RSA,
 	}

 	s.retrieveAcmeCertificate(c, testCase)
 }

-func (s *AcmeSuite) TestTLSALPN01DomainsAtStart(c *check.C) {
-	c.Skip("We need to fix DefaultCertificate at start")
+func (s *AcmeSuite) TestTLSALPN01Domains(c *check.C) {
 	testCase := acmeTestCase{
-		traefikConfFilePath: "fixtures/acme/acme_base.toml",
+		traefikConfFilePath: "fixtures/acme/acme_domains.toml",
+		subCases: []subCases{{
+			host:               acmeDomain,
+			expectedCommonName: acmeDomain,
+			expectedAlgorithm:  x509.RSA,
+		}},
 		template: templateModel{
-			Acme: acme.Configuration{
-				TLSChallenge: &acme.TLSChallenge{},
-				Domains: types.Domains{types.Domain{
-					Main: "traefik.acme.wtf",
+			Domains: []types.Domain{{
+				Main: "traefik.acme.wtf",
+			}},
+			Acme: map[string]static.CertificateResolver{
+				"default": {ACME: &acme.Configuration{
+					TLSChallenge: &acme.TLSChallenge{},
 				}},
 			},
 		},
-		expectedCommonName: acmeDomain,
-		expectedAlgorithm:  x509.RSA,
 	}

 	s.retrieveAcmeCertificate(c, testCase)
 }

-func (s *AcmeSuite) TestTLSALPN01DomainsInSANAtStart(c *check.C) {
-	c.Skip("We need to fix DefaultCertificate at start")
+func (s *AcmeSuite) TestTLSALPN01DomainsInSAN(c *check.C) {
 	testCase := acmeTestCase{
-		traefikConfFilePath: "fixtures/acme/acme_base.toml",
+		traefikConfFilePath: "fixtures/acme/acme_domains.toml",
+		subCases: []subCases{{
+			host:               acmeDomain,
+			expectedCommonName: "acme.wtf",
+			expectedAlgorithm:  x509.RSA,
+		}},
 		template: templateModel{
-			Acme: acme.Configuration{
-				TLSChallenge: &acme.TLSChallenge{},
-				Domains: types.Domains{types.Domain{
-					Main: "acme.wtf",
-					SANs: []string{"traefik.acme.wtf"},
+			Domains: []types.Domain{{
+				Main: "acme.wtf",
+				SANs: []string{"traefik.acme.wtf"},
+			}},
+			Acme: map[string]static.CertificateResolver{
+				"default": {ACME: &acme.Configuration{
+					TLSChallenge: &acme.TLSChallenge{},
 				}},
 			},
 		},
-		expectedCommonName: "acme.wtf",
-		expectedAlgorithm:  x509.RSA,
-	}
-
-	s.retrieveAcmeCertificate(c, testCase)
-}
-
-func (s *AcmeSuite) TestTLSALPN01DomainsWithProvidedWildcardDomainAtStart(c *check.C) {
-	c.Skip("We need to fix DefaultCertificate at start")
-	testCase := acmeTestCase{
-		traefikConfFilePath: "fixtures/acme/acme_tls.toml",
-		template: templateModel{
-			Acme: acme.Configuration{
-				TLSChallenge: &acme.TLSChallenge{},
-				Domains: types.Domains{types.Domain{
-					Main: acmeDomain,
-				}},
-			},
-		},
-		expectedCommonName: wildcardDomain,
-		expectedAlgorithm:  x509.RSA,
 	}

 	s.retrieveAcmeCertificate(c, testCase)
@ -318,10 +397,11 @@ func (s *AcmeSuite) TestTLSALPN01DomainsWithProvidedWildcardDomainAtStart(c *che
 // Test Let's encrypt down
 func (s *AcmeSuite) TestNoValidLetsEncryptServer(c *check.C) {
 	file := s.adaptFile(c, "fixtures/acme/acme_base.toml", templateModel{
-		Acme: acme.Configuration{
-			CAServer:      "http://wrongurl:4001/directory",
-			HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
-			OnHostRule:    true,
+		Acme: map[string]static.CertificateResolver{
+			"default": {ACME: &acme.Configuration{
+				CAServer:      "http://wrongurl:4001/directory",
+				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "web"},
+			}},
 		},
 	})
 	defer os.Remove(file)
@ -347,8 +427,10 @@ func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase acmeTestCase) {
 		testCase.template.PortHTTPS = ":5001"
 	}

-	if len(testCase.template.Acme.CAServer) == 0 {
-		testCase.template.Acme.CAServer = s.getAcmeURL()
+	for _, value := range testCase.template.Acme {
+		if len(value.ACME.CAServer) == 0 {
+			value.ACME.CAServer = s.getAcmeURL()
+		}
 	}

 	file := s.adaptFile(c, testCase.traefikConfFilePath, testCase.template)
@ -365,57 +447,59 @@ func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase acmeTestCase) {
 	backend := startTestServer("9010", http.StatusOK)
 	defer backend.Close()

-	client := &http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-		},
-	}
-
-	// wait for traefik (generating acme account take some seconds)
-	err = try.Do(90*time.Second, func() error {
-		_, errGet := client.Get("https://127.0.0.1:5001")
-		return errGet
-	})
-	c.Assert(err, checker.IsNil)
-
-	client = &http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-				ServerName:         acmeDomain,
+	for _, sub := range testCase.subCases {
+		client := &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 			},
-		},
+		}
+
+		// wait for traefik (generating acme account take some seconds)
+		err = try.Do(60*time.Second, func() error {
+			_, errGet := client.Get("https://127.0.0.1:5001")
+			return errGet
+		})
+		c.Assert(err, checker.IsNil)
+
+		client = &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: &tls.Config{
+					InsecureSkipVerify: true,
+					ServerName:         sub.host,
+				},
+			},
+		}
+
+		req := testhelpers.MustNewRequest(http.MethodGet, "https://127.0.0.1:5001/", nil)
+		req.Host = sub.host
+		req.Header.Set("Host", sub.host)
+		req.Header.Set("Accept", "*/*")
+
+		var resp *http.Response
+
+		// Retry to send a Request which uses the LE generated certificate
+		err = try.Do(60*time.Second, func() error {
+			resp, err = client.Do(req)
+
+			// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
+			req.Close = true
+
+			if err != nil {
+				return err
+			}
+
+			cn := resp.TLS.PeerCertificates[0].Subject.CommonName
+			if cn != sub.expectedCommonName {
+				return fmt.Errorf("domain %s found instead of %s", cn, sub.expectedCommonName)
+			}
+
+			return nil
+		})
+
+		c.Assert(err, checker.IsNil)
+		c.Assert(resp.StatusCode, checker.Equals, http.StatusOK)
+		// Check Domain into response certificate
+		c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, checker.Equals, sub.expectedCommonName)
+		c.Assert(resp.TLS.PeerCertificates[0].PublicKeyAlgorithm, checker.Equals, sub.expectedAlgorithm)
 	}
-
-	req := testhelpers.MustNewRequest(http.MethodGet, "https://127.0.0.1:5001/", nil)
-	req.Host = acmeDomain
-	req.Header.Set("Host", acmeDomain)
-	req.Header.Set("Accept", "*/*")
-
-	var resp *http.Response
-
-	// Retry to send a Request which uses the LE generated certificate
-	err = try.Do(60*time.Second, func() error {
-		resp, err = client.Do(req)
-
-		// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
-		req.Close = true
-
-		if err != nil {
-			return err
-		}
-
-		cn := resp.TLS.PeerCertificates[0].Subject.CommonName
-		if cn != testCase.expectedCommonName {
-			return fmt.Errorf("domain %s found instead of %s", cn, testCase.expectedCommonName)
-		}
-
-		return nil
-	})
-
-	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, http.StatusOK)
-	// Check Domain into response certificate
-	c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, checker.Equals, testCase.expectedCommonName)
-	c.Assert(resp.TLS.PeerCertificates[0].PublicKeyAlgorithm, checker.Equals, testCase.expectedAlgorithm)
 }
--- a/integration/fixtures/acme/acme_base.toml
+++ b/integration/fixtures/acme/acme_base.toml
@ -11,31 +11,24 @@
  [entryPoints.web-secure]
    address = "{{ .PortHTTPS }}"

-[acme]
+{{range $name, $resolvers := .Acme }}
+
+[certificatesResolvers.{{ $name }}.acme]
  email = "test@traefik.io"
  storage = "/tmp/acme.json"
-  # entryPoint = "https"
-  acmeLogging = true
-  onHostRule = {{ .Acme.OnHostRule }}
-  keyType = "{{ .Acme.KeyType }}"
-  caServer = "{{ .Acme.CAServer }}"
+  keyType = "{{ $resolvers.ACME.KeyType }}"
+  caServer = "{{ $resolvers.ACME.CAServer }}"

-  {{if .Acme.HTTPChallenge }}
-  [acme.httpChallenge]
-    entryPoint = "{{ .Acme.HTTPChallenge.EntryPoint }}"
+  {{if $resolvers.ACME.HTTPChallenge }}
+  [certificatesResolvers.{{ $name }}.acme.httpChallenge]
+    entryPoint = "{{ $resolvers.ACME.HTTPChallenge.EntryPoint }}"
  {{end}}

-  {{if .Acme.TLSChallenge }}
-  [acme.tlsChallenge]
+  {{if $resolvers.ACME.TLSChallenge }}
+  [certificatesResolvers.{{ $name }}.acme.tlsChallenge]
  {{end}}

-  {{range .Acme.Domains}}
-  [[acme.domains]]
-    main = "{{ .Main }}"
-    sans = [{{range .SANs }}
-      "{{.}}",
-      {{end}}]
-  {{end}}
+{{end}}

 [api]

@ -55,3 +48,4 @@
    rule = "Host(`traefik.acme.wtf`)"
    service = "test"
    [http.routers.test.tls]
+      certResolver = "default"
--- a/integration/fixtures/acme/acme_domains.toml
+++ b/integration/fixtures/acme/acme_domains.toml
@ -0,0 +1,58 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[log]
+  level = "DEBUG"
+
+[entryPoints]
+  [entryPoints.web]
+    address = "{{ .PortHTTP }}"
+  [entryPoints.web-secure]
+    address = "{{ .PortHTTPS }}"
+
+{{range $name, $resolvers := .Acme }}
+
+[certificatesResolvers.{{ $name }}.acme]
+  email = "test@traefik.io"
+  storage = "/tmp/acme.json"
+  keyType = "{{ $resolvers.ACME.KeyType }}"
+  caServer = "{{ $resolvers.ACME.CAServer }}"
+
+  {{if $resolvers.ACME.HTTPChallenge }}
+  [certificatesResolvers.{{ $name }}.acme.httpChallenge]
+    entryPoint = "{{ $resolvers.ACME.HTTPChallenge.EntryPoint }}"
+  {{end}}
+
+  {{if $resolvers.ACME.TLSChallenge }}
+  [certificatesResolvers.{{ $name }}.acme.tlsChallenge]
+  {{end}}
+
+{{end}}
+
+[api]
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+## dynamic configuration ##
+
+[http.services]
+  [http.services.test.loadBalancer]
+    [[http.services.test.loadBalancer.servers]]
+      url = "http://127.0.0.1:9010"
+
+[http.routers]
+  [http.routers.test]
+    entryPoints = ["web-secure"]
+    rule = "PathPrefix(`/`)"
+    service = "test"
+    [http.routers.test.tls]
+      certResolver = "default"
+{{range .Domains}}
+  [[http.routers.test.tls.domains]]
+    main = "{{ .Main }}"
+    sans = [{{range .SANs }}
+      "{{.}}",
+      {{end}}]
+{{end}}
--- a/integration/fixtures/acme/acme_multiple_resolvers.toml
+++ b/integration/fixtures/acme/acme_multiple_resolvers.toml
@ -0,0 +1,58 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[log]
+  level = "DEBUG"
+
+[entryPoints]
+  [entryPoints.web]
+    address = "{{ .PortHTTP }}"
+  [entryPoints.web-secure]
+    address = "{{ .PortHTTPS }}"
+
+{{range $name, $resolvers := .Acme }}
+
+[certificatesResolvers.{{ $name }}.acme]
+  email = "test@traefik.io"
+  storage = "/tmp/acme.json"
+  keyType = "{{ $resolvers.ACME.KeyType }}"
+  caServer = "{{ $resolvers.ACME.CAServer }}"
+
+  {{if $resolvers.ACME.HTTPChallenge }}
+  [certificatesResolvers.{{ $name }}.acme.httpChallenge]
+    entryPoint = "{{ $resolvers.ACME.HTTPChallenge.EntryPoint }}"
+  {{end}}
+
+  {{if $resolvers.ACME.TLSChallenge }}
+  [certificatesResolvers.{{ $name }}.acme.tlsChallenge]
+  {{end}}
+
+{{end}}
+
+[api]
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+## dynamic configuration ##
+
+[http.services]
+  [http.services.test.loadBalancer]
+    [[http.services.test.loadBalancer.servers]]
+      url = "http://127.0.0.1:9010"
+
+[http.routers]
+  [http.routers.test]
+    entryPoints = ["web-secure"]
+    rule = "Host(`traefik.acme.wtf`)"
+    service = "test"
+    [http.routers.test.tls]
+      certResolver = "default"
+
+  [http.routers.tchouk]
+    entryPoints = ["web-secure"]
+    rule = "Host(`tchouk.acme.wtf`)"
+    service = "test"
+    [http.routers.tchouk.tls]
+      certResolver = "tchouk"
--- a/integration/fixtures/acme/acme_tcp.toml
+++ b/integration/fixtures/acme/acme_tcp.toml
@ -0,0 +1,51 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[log]
+  level = "DEBUG"
+
+[entryPoints]
+  [entryPoints.web]
+    address = "{{ .PortHTTP }}"
+  [entryPoints.web-secure]
+    address = "{{ .PortHTTPS }}"
+
+{{range $name, $resolvers := .Acme }}
+
+[certificatesResolvers.{{ $name }}.acme]
+  email = "test@traefik.io"
+  storage = "/tmp/acme.json"
+  keyType = "{{ $resolvers.ACME.KeyType }}"
+  caServer = "{{ $resolvers.ACME.CAServer }}"
+
+  {{if $resolvers.ACME.HTTPChallenge }}
+  [certificatesResolvers.{{ $name }}.acme.httpChallenge]
+    entryPoint = "{{ $resolvers.ACME.HTTPChallenge.EntryPoint }}"
+  {{end}}
+
+  {{if $resolvers.ACME.TLSChallenge }}
+  [certificatesResolvers.{{ $name }}.acme.tlsChallenge]
+  {{end}}
+
+{{end}}
+
+[api]
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+## dynamic configuration ##
+
+[tcp.services]
+  [tcp.services.test.loadBalancer]
+    [[tcp.services.test.loadBalancer.servers]]
+      address = "127.0.0.1:9010"
+
+[tcp.routers]
+  [tcp.routers.test]
+    entryPoints = ["web-secure"]
+    rule = "HostSNI(`traefik.acme.wtf`)"
+    service = "test"
+    [tcp.routers.test.tls]
+      certResolver  = "default"
--- a/integration/fixtures/acme/acme_tls.toml
+++ b/integration/fixtures/acme/acme_tls.toml
@ -11,31 +11,24 @@
  [entryPoints.web-secure]
    address = "{{ .PortHTTPS }}"

-[acme]
+{{range $name, $resolvers := .Acme }}
+
+[certificatesResolvers.{{ $name }}.acme]
  email = "test@traefik.io"
  storage = "/tmp/acme.json"
-#  entryPoint = "https"
-  acmeLogging = true
-  onHostRule = {{ .Acme.OnHostRule }}
-  keyType = "{{ .Acme.KeyType }}"
-  caServer = "{{ .Acme.CAServer }}"
+  keyType = "{{ $resolvers.ACME.KeyType }}"
+  caServer = "{{ $resolvers.ACME.CAServer }}"

-  {{if .Acme.HTTPChallenge }}
-  [acme.httpChallenge]
-    entryPoint = "{{ .Acme.HTTPChallenge.EntryPoint }}"
+  {{if $resolvers.ACME.HTTPChallenge }}
+  [certificatesResolvers.{{ $name }}.acme.httpChallenge]
+    entryPoint = "{{ $resolvers.ACME.HTTPChallenge.EntryPoint }}"
  {{end}}

-  {{if .Acme.TLSChallenge }}
-  [acme.tlsChallenge]
+  {{if $resolvers.ACME.TLSChallenge }}
+  [certificatesResolvers.{{ $name }}.acme.tlsChallenge]
  {{end}}

-  {{range .Acme.Domains}}
-  [[acme.domains]]
-    main = "{{ .Main }}"
-    sans = [{{range .SANs }}
-      "{{.}}",
-      {{end}}]
-  {{end}}
+{{end}}

 [api]

--- a/integration/fixtures/acme/acme_tls_dynamic.toml
+++ b/integration/fixtures/acme/acme_tls_dynamic.toml
@ -7,32 +7,29 @@

 [entryPoints]
  [entryPoints.web]
-  address = "{{ .PortHTTP }}"
+    address = "{{ .PortHTTP }}"
  [entryPoints.web-secure]
-  address = "{{ .PortHTTPS }}"
+    address = "{{ .PortHTTPS }}"

-[acme]
+{{range $name, $resolvers := .Acme }}
+
+[certificatesResolvers.{{ $name }}.acme]
  email = "test@traefik.io"
  storage = "/tmp/acme.json"
-#  entryPoint = "https"
-  acmeLogging = true
-  onHostRule = {{ .Acme.OnHostRule }}
-  keyType = "{{ .Acme.KeyType }}"
-  caServer = "{{ .Acme.CAServer }}"
+  keyType = "{{ $resolvers.ACME.KeyType }}"
+  caServer = "{{ $resolvers.ACME.CAServer }}"

-  {{if .Acme.HTTPChallenge }}
-  [acme.httpChallenge]
-    entryPoint = "{{ .Acme.HTTPChallenge.EntryPoint }}"
+  {{if $resolvers.ACME.HTTPChallenge }}
+  [certificatesResolvers.{{ $name }}.acme.httpChallenge]
+    entryPoint = "{{ $resolvers.ACME.HTTPChallenge.EntryPoint }}"
  {{end}}

-  {{range .Acme.Domains}}
-  [[acme.domains]]
-    main = "{{ .Main }}"
-    sans = [{{range .SANs }}
-      "{{.}}",
-      {{end}}]
+  {{if $resolvers.ACME.TLSChallenge }}
+  [certificatesResolvers.{{ $name }}.acme.tlsChallenge]
  {{end}}

+{{end}}
+
 [api]

 [providers]
--- a/integration/fixtures/acme/acme_tls_multiple_entrypoints.toml
+++ b/integration/fixtures/acme/acme_tls_multiple_entrypoints.toml
@ -8,42 +8,29 @@
 [entryPoints]
  [entryPoints.web]
    address = "{{ .PortHTTP }}"
-
  [entryPoints.web-secure]
    address = "{{ .PortHTTPS }}"

  [entryPoints.traefik]
    address = ":9000"
-#       FIXME
-#      [entryPoints.traefik.tls]
-#        [entryPoints.traefik.tls.defaultCertificate]
-#        certFile = "fixtures/acme/ssl/wildcard.crt"
-#        keyFile = "fixtures/acme/ssl/wildcard.key"

-[acme]
+{{range $name, $resolvers := .Acme }}
+
+[certificatesResolvers.{{ $name }}.acme]
  email = "test@traefik.io"
  storage = "/tmp/acme.json"
-#  entryPoint = "https"
-  acmeLogging = true
-  onHostRule = {{ .Acme.OnHostRule }}
-  keyType = "{{ .Acme.KeyType }}"
-  caServer = "{{ .Acme.CAServer }}"
+  keyType = "{{ $resolvers.ACME.KeyType }}"
+  caServer = "{{ $resolvers.ACME.CAServer }}"

-  {{if .Acme.HTTPChallenge }}
-  [acme.httpChallenge]
-    entryPoint = "{{ .Acme.HTTPChallenge.EntryPoint }}"
+  {{if $resolvers.ACME.HTTPChallenge }}
+  [certificatesResolvers.{{ $name }}.acme.httpChallenge]
+    entryPoint = "{{ $resolvers.ACME.HTTPChallenge.EntryPoint }}"
  {{end}}

-  {{if .Acme.TLSChallenge }}
-  [acme.tlsChallenge]
+  {{if $resolvers.ACME.TLSChallenge }}
+  [certificatesResolvers.{{ $name }}.acme.tlsChallenge]
  {{end}}

-  {{range .Acme.Domains}}
-  [[acme.domains]]
-    main = "{{ .Main }}"
-    sans = [{{range .SANs }}
-      "{{.}}",
-      {{end}}]
-  {{end}}
+{{end}}

 [api]
--- a/integration/https_test.go
+++ b/integration/https_test.go
@ -265,7 +265,7 @@ func (s *HTTPSSuite) TestWithConflictingTLSOptions(c *check.C) {
 	c.Assert(err.Error(), checker.Contains, "protocol version not supported")

 	// with unknown tls option
-	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains(fmt.Sprintf("found different TLS options for routers on the same host %v, so using the default TLS option instead", tr4.TLSClientConfig.ServerName)))
+	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains(fmt.Sprintf("found different TLS options for routers on the same host %v, so using the default TLS options instead", tr4.TLSClientConfig.ServerName)))
 	c.Assert(err, checker.IsNil)
 }

--- a/integration/simple_test.go
+++ b/integration/simple_test.go
@ -537,7 +537,7 @@ func (s *SimpleSuite) TestRouterConfigErrors(c *check.C) {
 	defer cmd.Process.Kill()

 	// All errors
-	err = try.GetRequest("http://127.0.0.1:8080/api/http/routers", 1000*time.Millisecond, try.BodyContains(`["middleware \"unknown@file\" does not exist","found different TLS options for routers on the same host snitest.net, so using the default TLS option instead"]`))
+	err = try.GetRequest("http://127.0.0.1:8080/api/http/routers", 1000*time.Millisecond, try.BodyContains(`["middleware \"unknown@file\" does not exist","found different TLS options for routers on the same host snitest.net, so using the default TLS options instead"]`))
 	c.Assert(err, checker.IsNil)

 	// router4 is enabled, but in warning state because its tls options conf was messed up