ACME V2 Integration

[nmengin]

What does this PR do?

This PR allows Træfik to use the new ACME version.
It uses the new lego branch to access to the ACME V2 API.

ACME V2 API main features :

• Suppression of TLS-SNI-01 challenge
• Adding wildcard certificates generation with DNS-02 challenge

Motivation

Fix #2674

Allowing users to do ACME wildcard certificates

More

• Added/updated tests
• Added/updated documentation

Additional Notes

• For the moment, wildcard domains can only be defined with the ACME domains option.
• SANs are not allowed in wildcard certificates.
• Another PR with end-to-end tests for wildcard domains will come ASAP.

[dtomcej]

SANs are not allowed

[emilevauge]

Great job @nmengin !
Few comments though ;)

[emilevauge]

s/OldRegistration/ACMEv1Registration may be more explicit

[emilevauge]

I think there is an issue in this test

[emilevauge]

s/getValidDomain/getValidDomains

[dtomcej]

Are there any intentions to fork this for stability? Not really excited to use a feature branch on a third party repo as a basis for prod use...

[nmengin]

Hello @dtomcej.

We are not enthusiastic either but, for the moment it's the only way we have if we want to integrate ACME V2.
Moreover, I tested a lot and the branch seems to be stable.

We are following the LEGO repo and, if a big problem appears, we will be able to fork the repo with a stable version thanks to the vendoring.

[dtomcej]

👍

[dtomcej]

Is this fully backwards compatible? Is it something that we should be defaulting back to v1 somehow?

[nmengin]

@dtomcej It's not backward compatible.

That's why getAccount methods have been modified.
They can detect V1 Account format and delete is from the ACME structure.

Thus, Træfik reads the new configuration and create a new V2 ACME Account.

However, of course, ACME certificates generated in V1 are compatibles

[dtomcej]

👍

[juliens]

You can't do that (wildcard with sans) ?

[nmengin]

No you can't do it for the moment!

[emilevauge]

Really ?

[mmatur]

Nice work @nmengin 👏
Few comments in the review

[mmatur]

Could you add a new line please

[nmengin]

done

[mmatur]

Space missing between DNS-02 and Challenge

[mmatur]

even instead of ven

[mmatur]

Why a new line for this part ? The note in the documentation is broken

[nmengin]

It's another note but a space is missing I add it.

[mmatur]

You should maybe use "https://acme-staging-v02.api.letsencrypt.org/directory instead of http://172.18.0.1:4000/directory

[mmatur]

You can not do that. If main domain is a wildcard you can not use sans

[mmatur]

Could you please remove this line

[mmatur]

deleteUnnecessariesDomains instead of deleteUnecessariesDomains

[mmatur]

LGTM

Great job @nmengin 👏

[emilevauge]

Great job @nmengin !
Very much awaited feature ;)
LGTM

[sarkistlt]

thanks! literally much awaited feature in my project!
I just have one question, trying to defined it like so:

[[acme.domains]]
  main = "mydomain.com"
  sans = ["*.mydomain.com"]

and getting error Error getting ACME certificate for domain [mydomain.com *.mydomain.com]: cannot obtain certificates map[*.mydomain.com:acme: Error 400 - urn:acme:error:malformed - Error creating new authz :: Wildcard names not supported],

so who then should I define wildcard?

[nmengin]

Hello @sarkistlt ,

Many thanks for your feedback.

For the moment, we do not support wildcard certificates with/in SANs.
Moreover, the error seems to come from ACME library.

You can use the configuration described below :

[[acme.domains]]
  main = "mydomain.com"
[[acme.domains]]
  main = ["*.mydomain.com"]

If you still have problems, I suggest you to open an issue or to join our Slack workspace for more community #support.

[sarkistlt]

thanks for response, I just downloaded source code of traefik and it still uses https://acme-v01.api.letsencrypt.org/directory, instead of https://acme-v02.api.letsencrypt.org/directory, I tried to use _ACME_SERVER_HOST: acme-staging-v02.api.letsencrypt.org but it ignores acme env. vars, so which tag of docker image does support acme2? I tried 1.5 and latest, no luck

[sarkistlt]

actually just saw version 1.6 deployed on docker hub 10hr ago and it works, thanks!

[sarkistlt]

getting another error unable to generate a wildcard certificate in ACME provider for domain \"*. mydomain.com\" : ACME needs a DNSChallenge, looks like it doesn't generate .well-known/acme-challenge
And for the main domain: Unable to obtain ACME certificate for domains \"mydomain.com\" : cannot obtain certificates map[mydomain.com:acme: Error 400 - urn:ietf:params:acme:error:connection - Fetching http://mydomain.com/.well-known/acme-challenge/some_hash: Timeout], should I open new issue?

[e-nikolov]

You can find info on how to configure the wildcard certs here: https://docs.traefik.io/v1.6/configuration/acme/.

Let's Encrypt uses a DNS challenge for issuing wildcard certificates, which requires setting a DNS TXT record. Traefik can automate this via the API of your DNS provider (if it is supported), for which it requires an API key.

[ldez]

⚠️ For all those who have problems with this feature, please open a dedicated issue. ⚠️

You can also join our Slack workspace for more community #support.

Remember, we dedicate the issue tracker to bug reports and feature requests only

[iautom8things]

Is this a typo?

[ldez]

https://docs.traefik.io/v1.6/configuration/acme/#wildcard-certificates