mirror of https://github.com/containous/traefik.git synced 2025-12-06 00:23:54 +03:00

Merge branch v3.5 into master

This commit is contained in:
romain
2025-09-09 17:47:13 +02:00
243 changed files with 6720 additions and 4386 deletions

View File

@@ -73,32 +73,32 @@ certificatesResolvers:
ACME certificate resolvers have the following configuration options:
| Field | Description | Default | Required |
|:--------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------|:---------|
| `acme.email` | Email address used for registration. | "" | Yes |
| `acme.caServer` | CA server to use. | https://acme-v02.api.letsencrypt.org/directory | No |
| `acme.preferredChain` | Preferred chain to use. If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. | "" | No |
| `acme.keyType` | KeyType to use. | "RSA4096" | No |
| `acme.disableCommonName` | Disable common name inside CSR and certificates. | false | No |
| `acme.eab` | Enable external account binding. | | No |
| `acme.eab.kid` | Key identifier from External CA. | "" | No |
| `acme.eab.hmacEncoded` | HMAC key from External CA, should be in Base64 URL Encoding without padding format. | "" | No |
| `acme.certificatesDuration` | The certificates' duration in hours, exclusively used to determine renewal dates. | 2160 | No |
| `acme.clientTimeout` | Timeout for HTTP Client used to communicate with the ACME server. | 2m | No |
| `acme.clientResponseHeaderTimeout` | Timeout for response headers for HTTP Client used to communicate with the ACME server. | 30s | No |
| `acme.dnsChallenge` | Enable DNS-01 challenge. More information [here](#dnschallenge). | - | No |
| `acme.dnsChallenge.provider` | DNS provider to use. | "" | No |
| `acme.dnsChallenge.resolvers` | DNS servers to resolve the FQDN authority. | [] | No |
| `acme.dnsChallenge.propagation.delayBeforeChecks` | By default, the provider will verify the TXT DNS challenge record before letting ACME verify. If `delayBeforeCheck` is greater than zero, this check is delayed for the configured duration in seconds. This is Useful if internal networks block external DNS queries. | 0s | No |
| `acme.dnsChallenge.propagation.disableChecks` | Disables the challenge TXT record propagation checks, before notifying ACME that the DNS challenge is ready. Please note that disabling checks can prevent the challenge from succeeding. | false | No |
| `acme.dnsChallenge.propagation.requireAllRNS` | Enables the challenge TXT record to be propagated to all recursive nameservers. If you have disabled authoritative nameservers checks (with `propagation.disableANSChecks`), it is recommended to check all recursive nameservers instead. | false | No |
| `acme.dnsChallenge.propagation.disableANSChecks` | Disables the challenge TXT record propagation checks against authoritative nameservers. This option will skip the propagation check against the nameservers of the authority (SOA). It should be used only if the nameservers of the authority are not reachable. | false | No |
| `acme.httpChallenge` | Enable HTTP-01 challenge. More information [here](#httpchallenge). | | No |
| `acme.httpChallenge.entryPoint` | EntryPoint to use for the HTTP-01 challenges. Must be reachable by Let's Encrypt through port 80 | "" | Yes |
| `acme.httpChallenge.delay` | The delay between the creation of the challenge and the validation. A value lower than or equal to zero means no delay. | 0 | No |
| `acme.tlsChallenge` | Enable TLS-ALPN-01 challenge. Traefik must be reachable by Let's Encrypt through port 443. More information [here](#tlschallenge). | - | No |
| `acme.tlschallenge.delay` | The delay between the creation of the challenge and the validation. A value lower than or equal to zero means no delay. | 0 | No |
| `acme.storage` | File path used for certificates storage. | "acme.json" | Yes |
| Field | Description | Default | Required |
|:--------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------|:---------|
| <a id="acme-email" href="#acme-email" title="#acme-email">`acme.email`</a> | Email address used for registration. | "" | Yes |
| <a id="acme-caServer" href="#acme-caServer" title="#acme-caServer">`acme.caServer`</a> | CA server to use. | https://acme-v02.api.letsencrypt.org/directory | No |
| <a id="acme-preferredChain" href="#acme-preferredChain" title="#acme-preferredChain">`acme.preferredChain`</a> | Preferred chain to use. If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. | "" | No |
| <a id="acme-keyType" href="#acme-keyType" title="#acme-keyType">`acme.keyType`</a> | KeyType to use. | "RSA4096" | No |
| <a id="acme-disableCommonName" href="#acme-disableCommonName" title="#acme-disableCommonName">`acme.disableCommonName`</a> | Disable common name inside CSR and certificates. | false | No |
| <a id="acme-eab" href="#acme-eab" title="#acme-eab">`acme.eab`</a> | Enable external account binding. | | No |
| <a id="acme-eab-kid" href="#acme-eab-kid" title="#acme-eab-kid">`acme.eab.kid`</a> | Key identifier from External CA. | "" | No |
| <a id="acme-eab-hmacEncoded" href="#acme-eab-hmacEncoded" title="#acme-eab-hmacEncoded">`acme.eab.hmacEncoded`</a> | HMAC key from External CA, should be in Base64 URL Encoding without padding format. | "" | No |
| <a id="acme-certificatesDuration" href="#acme-certificatesDuration" title="#acme-certificatesDuration">`acme.certificatesDuration`</a> | The certificates' duration in hours, exclusively used to determine renewal dates. | 2160 | No |
| <a id="acme-clientTimeout" href="#acme-clientTimeout" title="#acme-clientTimeout">`acme.clientTimeout`</a> | Timeout for HTTP Client used to communicate with the ACME server. | 2m | No |
| <a id="acme-clientResponseHeaderTimeout" href="#acme-clientResponseHeaderTimeout" title="#acme-clientResponseHeaderTimeout">`acme.clientResponseHeaderTimeout`</a> | Timeout for response headers for HTTP Client used to communicate with the ACME server. | 30s | No |
| <a id="acme-dnsChallenge" href="#acme-dnsChallenge" title="#acme-dnsChallenge">`acme.dnsChallenge`</a> | Enable DNS-01 challenge. More information [here](#dnschallenge). | - | No |
| <a id="acme-dnsChallenge-provider" href="#acme-dnsChallenge-provider" title="#acme-dnsChallenge-provider">`acme.dnsChallenge.provider`</a> | DNS provider to use. | "" | No |
| <a id="acme-dnsChallenge-resolvers" href="#acme-dnsChallenge-resolvers" title="#acme-dnsChallenge-resolvers">`acme.dnsChallenge.resolvers`</a> | DNS servers to resolve the FQDN authority. | [] | No |
| <a id="acme-dnsChallenge-propagation-delayBeforeChecks" href="#acme-dnsChallenge-propagation-delayBeforeChecks" title="#acme-dnsChallenge-propagation-delayBeforeChecks">`acme.dnsChallenge.propagation.delayBeforeChecks`</a> | By default, the provider will verify the TXT DNS challenge record before letting ACME verify. If `delayBeforeCheck` is greater than zero, this check is delayed for the configured duration in seconds. This is Useful if internal networks block external DNS queries. | 0s | No |
| <a id="acme-dnsChallenge-propagation-disableChecks" href="#acme-dnsChallenge-propagation-disableChecks" title="#acme-dnsChallenge-propagation-disableChecks">`acme.dnsChallenge.propagation.disableChecks`</a> | Disables the challenge TXT record propagation checks, before notifying ACME that the DNS challenge is ready. Please note that disabling checks can prevent the challenge from succeeding. | false | No |
| <a id="acme-dnsChallenge-propagation-requireAllRNS" href="#acme-dnsChallenge-propagation-requireAllRNS" title="#acme-dnsChallenge-propagation-requireAllRNS">`acme.dnsChallenge.propagation.requireAllRNS`</a> | Enables the challenge TXT record to be propagated to all recursive nameservers. If you have disabled authoritative nameservers checks (with `propagation.disableANSChecks`), it is recommended to check all recursive nameservers instead. | false | No |
| <a id="acme-dnsChallenge-propagation-disableANSChecks" href="#acme-dnsChallenge-propagation-disableANSChecks" title="#acme-dnsChallenge-propagation-disableANSChecks">`acme.dnsChallenge.propagation.disableANSChecks`</a> | Disables the challenge TXT record propagation checks against authoritative nameservers. This option will skip the propagation check against the nameservers of the authority (SOA). It should be used only if the nameservers of the authority are not reachable. | false | No |
| <a id="acme-httpChallenge" href="#acme-httpChallenge" title="#acme-httpChallenge">`acme.httpChallenge`</a> | Enable HTTP-01 challenge. More information [here](#httpchallenge). | | No |
| <a id="acme-httpChallenge-entryPoint" href="#acme-httpChallenge-entryPoint" title="#acme-httpChallenge-entryPoint">`acme.httpChallenge.entryPoint`</a> | EntryPoint to use for the HTTP-01 challenges. Must be reachable by Let's Encrypt through port 80 | "" | Yes |
| <a id="acme-httpChallenge-delay" href="#acme-httpChallenge-delay" title="#acme-httpChallenge-delay">`acme.httpChallenge.delay`</a> | The delay between the creation of the challenge and the validation. A value lower than or equal to zero means no delay. | 0 | No |
| <a id="acme-tlsChallenge" href="#acme-tlsChallenge" title="#acme-tlsChallenge">`acme.tlsChallenge`</a> | Enable TLS-ALPN-01 challenge. Traefik must be reachable by Let's Encrypt through port 443. More information [here](#tlschallenge). | - | No |
| <a id="acme-tlschallenge-delay" href="#acme-tlschallenge-delay" title="#acme-tlschallenge-delay">`acme.tlschallenge.delay`</a> | The delay between the creation of the challenge and the validation. A value lower than or equal to zero means no delay. | 0 | No |
| <a id="acme-storage" href="#acme-storage" title="#acme-storage">`acme.storage`</a> | File path used for certificates storage. | "acme.json" | Yes |
## Automatic Certificate Renewal
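Review bot: the rewritten `acme.tlschallenge.delay` row keeps the lowercase `tlschallenge` in both the field name and the new anchor id (`acme-tlschallenge-delay`), while the row above uses `acme-tlsChallenge` and the HTTP counterpart uses `acme-httpChallenge-delay`; since this hunk touches every row, align it to `acme.tlsChallenge.delay` with id `acme-tlsChallenge-delay` so the anchors follow one casing scheme. The same pass could fix the carried-over description issues: the `acme.dnsChallenge.propagation.delayBeforeChecks` row refers to `delayBeforeCheck` (singular, not the field name), "This is Useful" has a stray capital, and the `acme.httpChallenge.entryPoint` description is missing its final period. It would also help to mark the `acme.eab.hmacEncoded` row as a secret value (it is the EAB HMAC key), so it is not treated like the other plain settings when configs are shared.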

View File

@@ -28,7 +28,7 @@ The OCSP response is cached in memory and is not persisted between Traefik resta
### General
Enabling OCSP is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
Enabling OCSP is part of the [install configuration](../boot-environment.md).
It can be defined by using a file (YAML or TOML) or CLI arguments:
```yaml tab="File (YAML)"
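Review bot: the replacement link drops the section anchor that the old link had (`#the-static-configuration`) and points at `../boot-environment.md` with no fragment; confirm that the relative path resolves from the OCSP page's directory and, if the target page has an equivalent section, link to it directly so readers land on the relevant part. The term "install configuration" introduced here should also be used consistently wherever this page still says "static configuration".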
@@ -67,5 +67,5 @@ ocsp:
```bash tab="CLI"
## Static configuration
-ocsp.responderoverrides.foo=bar
--ocsp.responderoverrides.foo=bar
```
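Review bot: the change from `-ocsp.responderoverrides.foo=bar` to `--ocsp.responderoverrides.foo=bar` is the right fix, as the single-dash form is not a valid long flag for the CLI and would have led readers to a startup error; the `## Static configuration` comment that remains in this CLI block is now out of step with the same file's earlier hunk, which renames the concept to "install configuration", so update the comment to match.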