Support multiple ACME challenge types at the same time #3378
Comments
It should be also possible to specify challenge type in docker label.
Any update on this topic please as this has become a crucial feature in our application.
Meet same issue need to have both could be
In my case, this is needed for 1) a wildcard cert,
I'm working on that, so stay tuned 😉
I'm in the same boat as you
@ldez any progress on this? It's been a while. I bumped into this same issue and since I'm using kubernetes I ended up creating a separate ingress controller (nginx one) for the wildcard domains.
Another problem I found that I think should be taken into account when allowing for multiple challenge types: it should be possible to use multiple DNS challenges (or generally multiple challenges of the same type for different domains), and especially multiple DNS challenges on the same provider (so, the environment variables would have to be specified in the configuration file). This is especially needed for providers like
I'm also in the same boat, and I found a temporary hacky workaround until @ldez finishes his feature: Start Traefik with the following config:
and let it generate the acme.json file for the wildcard domain. Once the file gets generated, comment out the following code:
and restart traefik. You will get the expected behaviour, but you might have issues with renewal 3 months later (can anyone confirm?). I suppose reverting to dnsChallenge every 3 months to renew the wildcard will work. Until the feature is released, I'll just create an iPhone notification to renew the certificate every 88 days.
Fix traefik#2773 and traefik#3378, and make environment variables for the providers configurable from the configuration provider

Example:

    [acme.dnsChallenge]
    provider = "route53"
    environment = ["AWS_ACCESS_KEY_ID=abcd", "AWS_SECRET_ACCESS_KEY=efgh"]

    [[acme.domains]]
    main = "*.example.org"
    sans = ["example.org"]
    challenge = "dns" # dns/http/tls
    dnsProvider = "cloudflare"
    dnsEnvironment = ["CF_API_EMAIL=mail@example.org", "CT_API_KEY=1234"]
Close in favor of #4872 - Feel free to subscribe there for updates.
What did you expect to see?
I tried to use both ACME challenge types, dns-01 and http, to cover the following needs:
The traefik instance maintains several different domains, from which some:
a) are not controlled by our DNS (and cannot be controlled by our DNS): http only
b) most are part of our DNS: http or dns-01 could be done
Now, one could argue I can simply use http for both cases - solved. The problem is, most of the domains in b) are used internally (public tld) and have no public DNS entry, so http would not be possible.
I end up being in a deadlock where I can either validate a) or b) - not both. I used some trickery and created more traefik instances to cover with only that - different ACME challenges.
It would be really great to actually handle both.
Proposal
To simplify the development and "decision"
acme.default_challenge which can be http or dns_<provider>
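
The per-domain selection requested in this issue, sketched as an added Go example that is not Traefik's code and not part of the original posts. The `DomainRule` type, `ResolveChallenge` and the sample domains are hypothetical; the `http` / `dns_<provider>` values follow the proposal above, and the wildcard check reflects that Let's Encrypt issues wildcard names only via dns-01.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DomainRule is a hypothetical per-domain setting.
// An empty Challenge means "fall back to the default challenge".
type DomainRule struct {
	Main      string
	Challenge string // "http", "dns_<provider>" or ""
}

// ErrWildcardNeedsDNS is returned when a wildcard name would use http.
var ErrWildcardNeedsDNS = errors.New("wildcard names can only be validated with dns-01")

// ResolveChallenge picks the challenge for one domain: the per-domain
// override if set, otherwise the default. It fails closed on unknown
// values and on wildcard names that would end up on the http challenge.
func ResolveChallenge(def string, r DomainRule) (string, error) {
	c := r.Challenge
	if c == "" {
		c = def
	}
	switch {
	case c == "http":
		if strings.HasPrefix(r.Main, "*.") {
			return "", fmt.Errorf("%s: %w", r.Main, ErrWildcardNeedsDNS)
		}
	case strings.HasPrefix(c, "dns_") && len(c) > len("dns_"):
		// DNS challenge with a named provider; nothing more to check here.
	default:
		return "", fmt.Errorf("%s: unknown challenge %q", r.Main, c)
	}
	return c, nil
}

func main() {
	// Constructed sample covering cases a) and b) from the issue.
	rules := []DomainRule{
		{Main: "external.example.com"},                           // a) not in our DNS: default http
		{Main: "internal.example.org", Challenge: "dns_route53"}, // b) no public record: dns
		{Main: "*.example.org"},                                  // wildcard on http default: rejected
	}
	for _, r := range rules {
		c, err := ResolveChallenge("http", r)
		fmt.Printf("%-22s challenge=%q err=%v\n", r.Main, c, err)
	}
}
```

Rejecting the wildcard-on-http combination at configuration load surfaces the mistake immediately instead of at the first failed issuance or renewal.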