More granular way to use ACME certs over default cert. #1197

Closed
CyrilPeponnet opened this issue Feb 27, 2017 · 3 comments
Labels
area/acme kind/enhancement a new or improved feature. priority/P2 need to be fixed in the future status/5-frozen-due-to-age
Comments

@CyrilPeponnet

CyrilPeponnet commented Feb 27, 2017

What version of Traefik are you using (traefik version)?

Version: 0247332
Codename: cheddar
Go version: go1.7.5
Built: 2017-02-01_11:13:06PM
OS/Arch: linux/amd64

What is your environment & configuration (arguments, toml...)?

version: "3"
services:
  traefik:
    image: cyrilpeponnet/traefik:latest
    deploy:
      update_config:
        parallelism: 1
        delay: 10s
      mode: global
      placement:
        constraints: [node.role == manager]
    environment:
      - "AWS_ACCESS_KEY_ID=BLA"
      - "AWS_SECRET_ACCESS_KEY=BLABLA"
      - "AWS_REGION=us-west-2"
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    networks:
      - backend
      - consul-net
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command: |-
      -c /dev/null
      --web
      --consul
      --consul.endpoint=consul-cluster:8500
      --consul.watch=true
      --docker
      --docker.swarmmode
      --docker.domain=traefik
      --docker.watch
      --debug

  consul-cluster:
    image: consul:latest
    deploy:
      update_config:
        parallelism: 1
        delay: 10s
      mode: global
      placement:
        constraints: [node.role == manager]
    ports:
      - 8500:8500
    networks:
      - consul-net
    environment:
      - 'CONSUL_BIND_INTERFACE=eth2'
    command: agent -server -datacenter traefik -ui -retry-join=tasks.consul-cluster -retry-join=tasks.consul-cluster -bootstrap-expect=2 -client=0.0.0.0


volumes:
  consul-data:

networks:
  backend:
      driver: overlay
  consul-net:
      driver: overlay

defaultEntryPoints = ["http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = """-----BEGIN CERTIFICATE-----
MIIF...buw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIHP...iW3Zt8=
-----END CERTIFICATE-----"""
      KeyFile = """-----BEGIN RSA PRIVATE KEY-----
MII...zob==
-----END RSA PRIVATE KEY-----"""


[consul]
  endpoint = "consul-cluster:8500"

[acme]
email = "myemail@domain.tld"
storage = "traefik/acme/account"
entryPoint = "https"
dnsProvider = "route53"
acmeLogging = true
OnHostRule = true
caServer = "https://acme-staging.api.letsencrypt.org/directory"

What did you do?

Spawned a container like:

  webssl:
    image: nginx
    deploy:
      replicas: 1
      labels:
        - "traefik.frontend.rule=Host:testssl.subdomain.domain.tld"
        - "traefik.domain=subdomain.domain.tld"
        - "traefik.port=80"
        - "traefik.frontend.entryPoints=https"
    networks:
      - traefik_backend

networks:
  traefik_backend:
    external:
      name: proxy_backend

I have a default wildcard self-signed cert for the https endpoint. If an ACME cert is present, it will not be used, as #1018 will check if a wildcard is present (but the ACME cert is still requested).

What did you expect to see?

ACME cert to be used instead of the default cert.

What did you see instead?

Default cert is used despite having a proper ACME cert requested.

NOTE: I can understand the opposite also:

  • If there is a valid wildcard cert, do not request an ACME cert for it (today, even if there is a wildcard cert, the ACME request is done and the cert is not used).

I would love to be able to choose the priority to give to the certs presented.

Something like:

certificatesPriority = ["default", "acme"]

or, even better, a way to ask for certificates only for certain labels (others will use the default one) and use it like:

[acme]
email = "myemail@domain.tld"
storage = "traefik/acme/account"
entryPoint = "https"
dnsProvider = "route53"
acmeLogging = true
OnFlagOnly = true
caServer = "https://acme-staging.api.letsencrypt.org/directory"

  webssl:
    image: nginx
    deploy:
      replicas: 1
      labels:
        - "traefik.frontend.rule=Host:testssl.subdomain.domain.tld"
        - "traefik.port=80"
        - "traefik.acme=true"
        - "traefik.frontend.entryPoints=https"

This means the ability to request ACME certs per "frontend" rule and not per entrypoint, plus serve the ACME cert, if defined, instead of the default cert (if the flag is set).

What do you think?
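To make the priority proposal concrete, here is a small Go model (added here; it is not Traefik's code) of certificate selection where a `certificatesPriority` list decides whether the static wildcard cert or the ACME cert is served for a given SNI host. The `stores`, `matchesName` and `selectCert` names and the reduction of certificates to their subject names are assumptions for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed model of two certificate sources: "default" holds the static
// wildcard cert from the TOML, "acme" the certs obtained from Let's Encrypt.
// Certificates are reduced to their subject/SAN names (not Traefik's own types).
var stores = map[string][]string{
	"default": {"*.subdomain.domain.tld"},
	"acme":    {"testssl.subdomain.domain.tld"},
}

// matchesName applies single-label wildcard matching: "*.subdomain.domain.tld"
// covers "testssl.subdomain.domain.tld" but not "a.b.subdomain.domain.tld".
func matchesName(pattern, host string) bool {
	pattern, host = strings.ToLower(pattern), strings.ToLower(host)
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host
	}
	suffix := pattern[1:] // ".subdomain.domain.tld"
	if !strings.HasSuffix(host, suffix) {
		return false
	}
	left := strings.TrimSuffix(host, suffix)
	return left != "" && !strings.Contains(left, ".")
}

// selectCert consults the stores in the order given by priority (the
// certificatesPriority idea) and returns the first match for the SNI host.
func selectCert(host string, stores map[string][]string, priority []string) (store, name string, ok bool) {
	for _, want := range priority {
		for _, n := range stores[want] {
			if matchesName(n, host) {
				return want, n, true
			}
		}
	}
	return "", "", false
}

func main() {
	for _, p := range [][]string{{"default", "acme"}, {"acme", "default"}} {
		s, n, _ := selectCert("testssl.subdomain.domain.tld", stores, p)
		fmt.Printf("priority %v serves %s cert %s\n", p, s, n)
	}
}
```

With `["default", "acme"]` the wildcard wins (today's behaviour described in the issue); with `["acme", "default"]` the ACME cert is served for the exact host while other hosts still fall back to the wildcard.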

@CyrilPeponnet
Author

@dtomcej I would love to have the choice at some point to request/use an ACME certificate even if a wildcard cert is available for that domain.

There are two use cases related to this:

1. I have a valid wildcard cert, hence I don't need letsencrypt to provide them for my domain.
2. I have a self-signed wildcard cert but I want to fetch/use a letsencrypt cert for some of my frontends.

@CyrilPeponnet
Author

As a workaround for now, I could use constraints to route 'acme'-aware traffic to a dedicated traefik without a wildcard cert in place, and let the other one, with a reverse constraint, take care of the wildcard one.

CyrilPeponnet added a commit to CyrilPeponnet/traefik that referenced this issue Apr 20, 2017
@ldez ldez added the area/acme label Apr 23, 2017
@ldez ldez added kind/enhancement a new or improved feature. priority/P2 need to be fixed in the future labels Jun 9, 2017
@nmengin
Contributor

nmengin commented Oct 8, 2018

Fixed by #1772 in V1.3

@nmengin nmengin closed this as completed Oct 8, 2018
@ldez ldez added this to the 1.3 milestone Oct 8, 2018
@traefik traefik locked and limited conversation to collaborators Sep 1, 2019