From afe4c307f9e2554e170170de8bff6e5244fd71d1 Mon Sep 17 00:00:00 2001
From: SALLEYRON Julien
Date: Mon, 5 Feb 2018 18:20:04 +0100
Subject: [PATCH] Traefik still start when Let's encrypt is down

---
 acme/acme.go                              |  6 ++--
 docs/configuration/acme.md                | 12 ++++++++
 integration/acme_test.go                  | 13 +++++++++
 integration/fixtures/acme/wrong_acme.toml | 34 +++++++++++++++++++++++
 4 files changed, 63 insertions(+), 2 deletions(-)
 create mode 100644 integration/fixtures/acme/wrong_acme.toml

diff --git a/acme/acme.go b/acme/acme.go
index c3da88c4a..6dacdb90c 100644
--- a/acme/acme.go
+++ b/acme/acme.go
@@ -295,6 +295,7 @@ func (a *ACME) leadershipListener(elected bool) error {
 
 // CreateLocalConfig creates a tls.config using local ACME configuration
 func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, certs *safe.Safe, checkOnDemandDomain func(domain string) bool) error {
+	defer a.runJobs()
 	err := a.init()
 	if err != nil {
 		return err
@@ -333,7 +334,9 @@ func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, certs *safe.Safe, checkO
 
 	a.client, err = a.buildACMEClient(account)
 	if err != nil {
-		return err
+		log.Errorf(`Failed to build ACME client: %s
+Let's Encrypt functionality will be limited until traefik is restarted.`, err)
+		return nil
 	}
 
 	if needRegister {
@@ -374,7 +377,6 @@ func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, certs *safe.Safe, checkO
 
 	a.retrieveCertificates()
 	a.renewCertificates()
-	a.runJobs()
 
 	ticker := time.NewTicker(24 * time.Hour)
 	safe.Go(func() {
diff --git a/docs/configuration/acme.md b/docs/configuration/acme.md
index ffad21f29..09b4962ed 100644
--- a/docs/configuration/acme.md
+++ b/docs/configuration/acme.md
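Review bot: Moving `a.runJobs()` into a `defer` on the first line of CreateLocalConfig makes it fire on the early `return err` right after `a.init()` and on every other error return in the function, whereas before this change it only ran after `a.retrieveCertificates()` and `a.renewCertificates()` had completed. If runJobs starts the ACME job queue (its body is outside this hunk, so I am inferring from the name), kicking it off against a struct whose init failed is probably not intended. Placing the `defer a.runJobs()` just below the `if err != nil { return err }` block that follows `a.init()` keeps the new "always run" behaviour for the degraded path without changing the hard-failure path. CreateLocalConfig continues past the end of this hunk.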
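Review bot: The new branch turns a failed `buildACMEClient` into a permanent fail-open: `a.client` stays nil, the function returns nil, and every TLS handshake for a domain with no stored certificate gets the default certificate until an operator restarts the process, which a transient DNS or network blip at boot will trigger with no self-healing. A retry with backoff (re-attempting `buildACMEClient` from the 24h ticker goroutine further down, or from a shorter dedicated timer) would remove the restart requirement that the log message and the new docs section currently impose. The `return nil` also skips `needRegister` and everything after it in CreateLocalConfig (which ends outside this hunk), so any later code that dereferences `a.client` — `retrieveCertificates`, `renewCertificates`, the deferred `runJobs` — needs a nil guard; I cannot see their bodies, so please confirm. Separately, the raw-string message embeds a newline, which splits one event into two records for line-oriented log shippers; prefer a single line such as `log.Errorf("Failed to build ACME client: %s. Let's Encrypt functionality will be limited until traefik is restarted.", err)`.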
@@ -144,6 +144,18 @@ entryPoint = "https"
 If `HTTP-01` challenge is used, `acme.httpChallenge.entryPoint` has to be defined and reachable by Let's Encrypt through the port 80.
 These are Let's Encrypt limitations as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).
 
+### Let's Encrypt downtime
+
+Let's Encrypt functionality will be limited until Træfik is restarted.
+
+If Let's Encrypt is not reachable, these certificates will be used :
+ - ACME certificates already generated before downtime
+ - Expired ACME certificates
+ - Provided certificates
+
+!!! note
+    Default Træfik certificate will be used instead of ACME certificates for new (sub)domains (which need Let's Encrypt challenge).
+
 ### `storage`
 
 ```toml
diff --git a/integration/acme_test.go b/integration/acme_test.go
index 5a9f1dd32..ad43b68b1 100644
--- a/integration/acme_test.go
+++ b/integration/acme_test.go
@@ -142,6 +142,19 @@ func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateWithDynamicWildcard(c *
 	s.retrieveAcmeCertificate(c, testCase)
 }
 
+// Test Let's encrypt down
+func (s *AcmeSuite) TestNoValidLetsEncryptServer(c *check.C) {
+	cmd, display := s.traefikCmd(withConfigFile("fixtures/acme/wrong_acme.toml"))
+	defer display(c)
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	// Expected traefik works
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 10*time.Second, try.StatusCodeIs(http.StatusOK))
+	c.Assert(err, checker.IsNil)
+}
+
 // Doing an HTTPS request and test the response certificate
 func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase AcmeTestCase) {
 	file := s.adaptFile(c, testCase.traefikConfFilePath, struct {
diff --git a/integration/fixtures/acme/wrong_acme.toml b/integration/fixtures/acme/wrong_acme.toml
new file mode 100644
index 000000000..3f8f65051
--- /dev/null
+++ b/integration/fixtures/acme/wrong_acme.toml
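Review bot: TestNoValidLetsEncryptServer only asserts that the API answers on `127.0.0.1:8080`, so it passes whether or not the HTTPS entrypoint on `:5001` is actually serving in the degraded mode this commit introduces; the fallback-certificate behaviour promised in the docs hunk is left unverified. Consider adding a TLS request to `https://127.0.0.1:5001` with `InsecureSkipVerify: true` and `ServerName: "traefik.acme.wtf"`, asserting the handshake succeeds and that the presented certificate is the default Træfik certificate rather than an ACME one; the sibling `retrieveAcmeCertificate` helper below, whose comment says it does an HTTPS request and checks the response certificate, looks like the place to borrow from (its body is outside this hunk). `defer cmd.Process.Kill()` discards the returned error; if neighbouring tests do the same this is only a consistency note.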
@@ -0,0 +1,34 @@
+logLevel = "DEBUG"
+
+defaultEntryPoints = ["http", "https"]
+
+[api]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":8081"
+  [entryPoints.https]
+  address = ":5001"
+    [entryPoints.https.tls]
+
+
+[acme]
+email = "test@traefik.io"
+storage = "/dev/null"
+entryPoint = "https"
+OnHostRule = true
+caServer = "http://wrongurl:4000/directory"
+
+[file]
+
+[backends]
+  [backends.backend]
+    [backends.backend.servers.server1]
+    url = "http://127.0.0.1:9010"
+
+
+[frontends]
+  [frontends.frontend]
+  backend = "backend"
+    [frontends.frontend.routes.test]
+    rule = "Host:traefik.acme.wtf"
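Review bot: `caServer = "http://wrongurl:4000/directory"` relies on the bare hostname `wrongurl` failing to resolve, which is not guaranteed: a resolver with search domains, a captive portal, or an ISP that wildcards NXDOMAIN can make it resolve and turn this into a hanging or flaky test. Use a name reserved to never resolve, e.g. `caServer = "http://wrongurl.invalid:4000/directory"` (RFC 2606 `.invalid`), or a loopback address with a closed port such as `caServer = "http://127.0.0.1:1/directory"`, so the failure is deterministic and fast. The plain `http://` directory URL is fine for this intentionally broken case, but a one-line comment such as `# deliberately unreachable CA: exercises start-up when Let's Encrypt is down` would stop the fixture being copied into a real configuration.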