baalajimaestro/traefik
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Fix TLS challenge timeout and validation error

Browse source 
Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>
This commit is contained in:
Ludovic Fernandez 2021-02-11 16:32:03 +01:00 committed by GitHub
parent 502c88ee3f
commit 5597d7633d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 13 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
cmd/traefik/traefik.go
View file

@ -186,7 +186,9 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
tlsManager := traefiktls.NewManager()
httpChallengeProvider := acme.NewChallengeHTTP()
tlsChallengeProvider := acme.NewChallengeTLSALPN(time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration))
// we need to wait at least 2 times the ProvidersThrottleDuration to be sure to handle the challenge.
tlsChallengeProvider := acme.NewChallengeTLSALPN(time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration) * 2)
err = providerAggregator.AddProvider(tlsChallengeProvider)
if err != nil {
return nil, err

10
pkg/provider/acme/challenge_tls.go
View file

@ -39,8 +39,8 @@ func NewChallengeTLSALPN(timeout time.Duration) *ChallengeTLSALPN {
// Present presents a challenge to obtain new ACME certificate.
func (c *ChallengeTLSALPN) Present(domain, _, keyAuth string) error {
log.WithoutContext().WithField(log.ProviderName, providerNameALPN).
Debugf("TLS Challenge Present temp certificate for %s", domain)
logger := log.WithoutContext().WithField(log.ProviderName, providerNameALPN)
logger.Debugf("TLS Challenge Present temp certificate for %s", domain)
certPEMBlock, keyPEMBlock, err := tlsalpn01.ChallengeBlocks(domain, keyAuth)
if err != nil {
@ -68,6 +68,12 @@ func (c *ChallengeTLSALPN) Present(domain, _, keyAuth string) error {
case t := <-timer.C:
timer.Stop()
close(c.chans[string(certPEMBlock)])
err = c.CleanUp(domain, "", keyAuth)
if err != nil {
logger.Errorf("Failed to clean up TLS challenge: %v", err)
}
errC = fmt.Errorf("timeout %s", t)
case <-ch:
// noop

2
pkg/provider/acme/provider.go
View file

@ -421,6 +421,7 @@ func (p *Provider) watchNewDomains(ctx context.Context) {
if route.TLS == nil || route.TLS.CertResolver != p.ResolverName {
continue
}
ctxRouter := log.With(ctx, log.Str(log.RouterName, routerName), log.Str(log.Rule, route.Rule))
tlsStore := "default"
@ -462,6 +463,7 @@ func (p *Provider) resolveCertificate(ctx context.Context, domain types.Domain,
if len(uncheckedDomains) == 0 {
return nil, nil
}
defer p.removeResolvingDomains(uncheckedDomains)
logger := log.FromContext(ctx)