Feature Request: Implement delay on ACME registration (TLS Provider) #2174
I'm using Kubernetes external-dns with Traefik as an Ingress controller + ACME, and I'm running into an issue where the external-DNS has not created the DNS record before traefik tries to create the ACME cert.
I'm wary of using
Even though I could use a DNS based challenge, I still have the possibility of the domain not yet being created. I could set
My current workaround is to:
Do you want to request a feature or report a bug?
What did you do?
I created an ingress rule with ACME turned on.
What did you expect to see?
Traefik retry or wait until my new domain name propagates.
What did you see instead?
time="2017-09-15T20:21:02Z" level=error msg="map[coffee.skuid.com:acme: Error 400 - urn:acme:error:unknownHost - No valid IP addresses found for coffee.skuid.com Error Detail: Validation for coffee.skuid.com:443 Resolved to: Used: ]"
time="2017-09-15T20:21:02Z" level=error msg="Error getting ACME certificates [coffee.skuid.com] : Cannot obtain certificates map[coffee.skuid.com:acme: Error 400 - urn:acme:error:unknownHost - No valid IP addresses found for coffee.skuid.com Error Detail: Validation for coffee.skuid.com:443 Resolved to: Used: ]+v"
Same situation on docker-for-azure when provisioning by stacks
With a config like this:
traefikedge:
  image: traefik:1.4.3-alpine
  command: "--acme.domains='www.domain.com,static.domain.com'"
  ports:
    - "80:80"
    - "443:443"
It takes 10-30s for the exposed ports to be registered with the Azure load balancer.
Sometimes the ACME challenge works
My current workaround is to initially provision the service with zero replicas
deploy:
  mode: replicated
  replicas: 0
Then wait for azure to provision the port mappings
A configurable delay similar to delayDontCheckDNS would be quite helpful
Has any progress been made on this? I have also hit this case when spinning up traefik instances on VMs behind an AWS ELB. The ELB needs to healthcheck that traefik is listening but this often takes
Update: the idea below doesn't work because
I'm spinning up a service that would be helped by this. It might be sufficient to create a configuration knob that tells Traefik to check for the existence of a DNS record first (A/CNAME?) prior to trying the challenge. This would be limiting in environments where external DNS cannot be queried (not my case).
I'm guessing that a workaround for me will be to deploy the service with a k8s annotation... wait 1-2 minutes, then deploy the ingress with the host rule. I'm using k8s+external-dns+traefik, with external-dns defaulting to creating DNS entries by searching the traefik ingress for host rules. But it can also search for service annotations.
and waiting 2 min to deploy the ingress with the host rule that will be triggered via traefik configured with
and also have configured traefik with (Helm values):
Yup exactly the same issue I am having with ELB (NLB), traefik starts instantly but nothing is routed to the new backends for up to 90s.
The way I read the code is that the HTTP Challenge (and TLS challenge) could be modified to have an
Just a starting point if anyone wants to slap together a PR.
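An added example, not code from the Traefik project or from anyone in this thread, sketching the two ideas raised above as one preflight loop: a DNS-existence check before the challenge is attempted, and a bounded delay/retry around it. The host name, the polling interval, the 2-minute budget and the `FlakyProbe` stand-in are assumptions chosen to match the 90s-ish windows people report here; nothing in it talks to an ACME server.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"time"
)

// Probe reports nil once a precondition for starting an ACME challenge holds.
type Probe func(ctx context.Context) error

// WaitUntil runs probe every interval until it returns nil or timeout elapses.
// It returns the number of attempts made and, on failure, an error that wraps
// the context error and carries the last probe error.
func WaitUntil(ctx context.Context, interval, timeout time.Duration, probe Probe) (int, error) {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	attempts := 0
	for {
		attempts++
		err := probe(ctx)
		if err == nil {
			return attempts, nil
		}
		select {
		case <-ctx.Done():
			return attempts, fmt.Errorf("gave up after %d attempts: %w (last error: %v)", attempts, ctx.Err(), err)
		case <-time.After(interval):
		}
	}
}

// DNSProbe succeeds once host resolves to at least one address (A/AAAA, or a
// CNAME that the resolver follows). It does not prove the record points here.
func DNSProbe(resolver *net.Resolver, host string) Probe {
	return func(ctx context.Context) error {
		addrs, err := resolver.LookupHost(ctx, host)
		if err != nil {
			return err
		}
		if len(addrs) == 0 {
			return errors.New("no addresses for " + host)
		}
		return nil
	}
}

// TCPProbe succeeds once a TCP connection to addr (host:port) can be opened,
// i.e. once a load balancer in front has actually started forwarding.
func TCPProbe(addr string) Probe {
	return func(ctx context.Context) error {
		var d net.Dialer
		conn, err := d.DialContext(ctx, "tcp", addr)
		if err != nil {
			return err
		}
		return conn.Close()
	}
}

// FlakyProbe is a constructed stand-in for a record or port that appears late:
// it fails the first `failures` calls and succeeds afterwards.
func FlakyProbe(failures int) Probe {
	calls := 0
	return func(ctx context.Context) error {
		calls++
		if calls <= failures {
			return fmt.Errorf("not ready yet (call %d)", calls)
		}
		return nil
	}
}

func main() {
	host := "coffee.example.com" // assumed host name, not one from the thread
	attempts, err := WaitUntil(context.Background(), 2*time.Second, 2*time.Minute,
		DNSProbe(net.DefaultResolver, host))
	if err != nil {
		fmt.Println("not starting ACME challenge:", err)
		return
	}
	fmt.Printf("%s resolves after %d attempt(s); ACME challenge may proceed\n", host, attempts)
}
```

The DNS probe only shows that a record exists, not that it points at this Traefik instance; the HTTP-01 challenge still verifies that. For the ELB/NLB case described above the name may resolve long before the balancer forwards traffic, so there the `TCPProbe` against the public host:port is the one worth gating on (run it from somewhere that sees the public path, since a host probing its own balancer address may not hairpin). Gating is also cheaper than blind retry, because each failed validation counts against Let's Encrypt's rate limits.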