From 5597d7633d9a8d16cc3137af792f8a8ce513630d Mon Sep 17 00:00:00 2001
From: Ludovic Fernandez
Date: Thu, 11 Feb 2021 16:32:03 +0100
Subject: [PATCH] Fix TLS challenge timeout and validation error

Co-authored-by: Julien Salleyron
---
 cmd/traefik/traefik.go             |  4 +++-
 pkg/provider/acme/challenge_tls.go | 10 ++++++++--
 pkg/provider/acme/provider.go      |  2 ++
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/cmd/traefik/traefik.go b/cmd/traefik/traefik.go
index d55eaa6a6..6126a1a7c 100644
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -186,7 +186,9 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 
 	tlsManager := traefiktls.NewManager()
 	httpChallengeProvider := acme.NewChallengeHTTP()
-	tlsChallengeProvider := acme.NewChallengeTLSALPN(time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration))
+
+	// we need to wait at least 2 times the ProvidersThrottleDuration to be sure to handle the challenge.
+	tlsChallengeProvider := acme.NewChallengeTLSALPN(time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration) * 2)
 	err = providerAggregator.AddProvider(tlsChallengeProvider)
 	if err != nil {
 		return nil, err
diff --git a/pkg/provider/acme/challenge_tls.go b/pkg/provider/acme/challenge_tls.go
index 114e6b749..c04e1b69f 100644
--- a/pkg/provider/acme/challenge_tls.go
+++ b/pkg/provider/acme/challenge_tls.go
@@ -39,8 +39,8 @@ func NewChallengeTLSALPN(timeout time.Duration) *ChallengeTLSALPN {
 
 // Present presents a challenge to obtain new ACME certificate.
 func (c *ChallengeTLSALPN) Present(domain, _, keyAuth string) error {
-	log.WithoutContext().WithField(log.ProviderName, providerNameALPN).
-		Debugf("TLS Challenge Present temp certificate for %s", domain)
+	logger := log.WithoutContext().WithField(log.ProviderName, providerNameALPN)
+	logger.Debugf("TLS Challenge Present temp certificate for %s", domain)
 
 	certPEMBlock, keyPEMBlock, err := tlsalpn01.ChallengeBlocks(domain, keyAuth)
 	if err != nil {
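Review bot: The `* 2` on the new NewChallengeTLSALPN line is a bare multiplier whose comment only restates it, and if ProvidersThrottleDuration is zero or unset the challenge timeout becomes zero as well; whether NewChallengeTLSALPN tolerates a zero timeout is not visible in this hunk. A named constant such as `const tlsChallengeTimeoutFactor = 2` plus a floor on the resulting duration would make the intent explicit and keep a misconfigured throttle from silently timing out every TLS-ALPN challenge. setupServer starts and ends outside the hunk.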
@@ -68,6 +68,12 @@ func (c *ChallengeTLSALPN) Present(domain, _, keyAuth string) error {
 	case t := <-timer.C:
 		timer.Stop()
 		close(c.chans[string(certPEMBlock)])
+
+		err = c.CleanUp(domain, "", keyAuth)
+		if err != nil {
+			logger.Errorf("Failed to clean up TLS challenge: %v", err)
+		}
+
 		errC = fmt.Errorf("timeout %s", t)
 	case <-ch:
 		// noop
diff --git a/pkg/provider/acme/provider.go b/pkg/provider/acme/provider.go
index 3af7e1599..61bc68f1d 100644
--- a/pkg/provider/acme/provider.go
+++ b/pkg/provider/acme/provider.go
@@ -421,6 +421,7 @@ func (p *Provider) watchNewDomains(ctx context.Context) {
 			if route.TLS == nil || route.TLS.CertResolver != p.ResolverName {
 				continue
 			}
+
 			ctxRouter := log.With(ctx, log.Str(log.RouterName, routerName), log.Str(log.Rule, route.Rule))
 
 			tlsStore := "default"
@@ -462,6 +463,7 @@ func (p *Provider) resolveCertificate(ctx context.Context, domain types.Domain,
 	if len(uncheckedDomains) == 0 {
 		return nil, nil
 	}
+
 	defer p.removeResolvingDomains(uncheckedDomains)
 
 	logger := log.FromContext(ctx)
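Review bot: `err = c.CleanUp(domain, "", keyAuth)` in the timeout case reassigns the function-level `err` from the earlier ChallengeBlocks call instead of using a scoped variable, so any later use of `err` in Present (its body continues outside the hunk) would observe the clean-up result; `if cErr := c.CleanUp(domain, "", keyAuth); cErr != nil {` / `logger.Errorf("cleaning up TLS challenge for %q: %v", domain, cErr)` avoids that. Removing the temporary challenge material on timeout is the right defensive move, but it runs after `close(c.chans[string(certPEMBlock)])`, and whether CleanUp also reads `c.chans` is not visible here, so a one-line comment confirming that CleanUp is safe to call after the close would help the next reader. The error `fmt.Errorf("timeout %s", t)` reports the timer's fire time rather than which domain timed out, which makes the resulting log hard to act on; `errC = fmt.Errorf("TLS-ALPN challenge for %q timed out", domain)` is more useful to an operator.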