Fix TLS challenge timeout and validation error
Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>
parent
502c88ee3f
commit
5597d7633d
@ -186,7 +186,9 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
|
|||||||
|
|
||||||
tlsManager := traefiktls.NewManager()
|
tlsManager := traefiktls.NewManager()
|
||||||
httpChallengeProvider := acme.NewChallengeHTTP()
|
httpChallengeProvider := acme.NewChallengeHTTP()
|
||||||
tlsChallengeProvider := acme.NewChallengeTLSALPN(time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration))
|
|
||||||
|
// we need to wait at least 2 times the ProvidersThrottleDuration to be sure to handle the challenge.
|
||||||
|
tlsChallengeProvider := acme.NewChallengeTLSALPN(time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration) * 2)
|
||||||
err = providerAggregator.AddProvider(tlsChallengeProvider)
|
err = providerAggregator.AddProvider(tlsChallengeProvider)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
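Review bot: The TLS-ALPN challenge timeout passed to `acme.NewChallengeTLSALPN` is still derived only from `ProvidersThrottleDuration`, so if that option can be configured as zero or a few milliseconds, the timeout shrinks with it and the challenge would presumably expire before the temporary certificate is served. The new comment states a lower bound ("at least 2 times") that holds for the default but that nothing enforces for small values. Consider computing the value into a local and clamping it before the call, e.g. `if timeout < minTLSChallengeTimeout { timeout = minTLSChallengeTimeout }`, where `minTLSChallengeTimeout` is a suggested name for a new constant whose value the maintainers would pick. setupServer starts and ends outside the hunk.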
@ -39,8 +39,8 @@ func NewChallengeTLSALPN(timeout time.Duration) *ChallengeTLSALPN {
|
|||||||
|
|
||||||
// Present presents a challenge to obtain new ACME certificate.
|
// Present presents a challenge to obtain new ACME certificate.
|
||||||
func (c *ChallengeTLSALPN) Present(domain, _, keyAuth string) error {
|
func (c *ChallengeTLSALPN) Present(domain, _, keyAuth string) error {
|
||||||
log.WithoutContext().WithField(log.ProviderName, providerNameALPN).
|
logger := log.WithoutContext().WithField(log.ProviderName, providerNameALPN)
|
||||||
Debugf("TLS Challenge Present temp certificate for %s", domain)
|
logger.Debugf("TLS Challenge Present temp certificate for %s", domain)
|
||||||
|
|
||||||
certPEMBlock, keyPEMBlock, err := tlsalpn01.ChallengeBlocks(domain, keyAuth)
|
certPEMBlock, keyPEMBlock, err := tlsalpn01.ChallengeBlocks(domain, keyAuth)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -68,6 +68,12 @@ func (c *ChallengeTLSALPN) Present(domain, _, keyAuth string) error {
|
|||||||
case t := <-timer.C:
|
case t := <-timer.C:
|
||||||
timer.Stop()
|
timer.Stop()
|
||||||
close(c.chans[string(certPEMBlock)])
|
close(c.chans[string(certPEMBlock)])
|
||||||
|
|
||||||
|
err = c.CleanUp(domain, "", keyAuth)
|
||||||
|
if err != nil {
|
||||||
|
logger.Errorf("Failed to clean up TLS challenge: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
errC = fmt.Errorf("timeout %s", t)
|
errC = fmt.Errorf("timeout %s", t)
|
||||||
case <-ch:
|
case <-ch:
|
||||||
// noop
|
// noop
|
||||||
|
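Review bot: In the timeout branch of Present, a failed `c.CleanUp` is only logged and the log line omits the domain, so the caller receives the plain `timeout` error with no indication that the temporary challenge certificate may still be registered. Because the logger is built with `WithoutContext()` and carries only the provider name, the domain is the only handle an operator has for finding the affected challenge; `logger.Errorf("Failed to clean up TLS challenge for %s: %v", domain, err)` would cover that. A short comment above the call would also help, e.g. `// Withdraw the temporary challenge certificate so it does not stay published after a timeout.`, provided that is what CleanUp does (its body is not in this diff). The select statement starts outside the hunk, so whether `c.chans` is read under a lock at the `close` call cannot be checked from here.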
@ -421,6 +421,7 @@ func (p *Provider) watchNewDomains(ctx context.Context) {
|
|||||||
if route.TLS == nil || route.TLS.CertResolver != p.ResolverName {
|
if route.TLS == nil || route.TLS.CertResolver != p.ResolverName {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
ctxRouter := log.With(ctx, log.Str(log.RouterName, routerName), log.Str(log.Rule, route.Rule))
|
ctxRouter := log.With(ctx, log.Str(log.RouterName, routerName), log.Str(log.Rule, route.Rule))
|
||||||
|
|
||||||
tlsStore := "default"
|
tlsStore := "default"
|
||||||
@ -462,6 +463,7 @@ func (p *Provider) resolveCertificate(ctx context.Context, domain types.Domain,
|
|||||||
if len(uncheckedDomains) == 0 {
|
if len(uncheckedDomains) == 0 {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
defer p.removeResolvingDomains(uncheckedDomains)
|
defer p.removeResolvingDomains(uncheckedDomains)
|
||||||
|
|
||||||
logger := log.FromContext(ctx)
|
logger := log.FromContext(ctx)
|
||||||
|