Prepare release v1.7.1

CHANGELOG.md

@@ -1,5 +1,14 @@
 # Change Log
 
+## [v1.7.1](https://github.com/containous/traefik/tree/v1.7.1) (2018-09-28)
+[All Commits](https://github.com/containous/traefik/compare/v1.7.0...v1.7.1)
+
+**Bug fixes:**
+- **[acme,cluster]** Don't remove static certs from config when cluster mode ([#3946](https://github.com/containous/traefik/pull/3946) by [Juliens](https://github.com/Juliens))
+- **[acme]** Fix TLS ALPN cluster mode. ([#3934](https://github.com/containous/traefik/pull/3934) by [ldez](https://github.com/ldez))
+- **[acme]** Don't challenge ACME when host rule on another entry point ([#3923](https://github.com/containous/traefik/pull/3923) by [Juliens](https://github.com/Juliens))
+- **[tls]** Use the first static certificate as a fallback when no default is given ([#3948](https://github.com/containous/traefik/pull/3948) by [Juliens](https://github.com/Juliens))
+
 ## [v1.7.0](https://github.com/containous/traefik/tree/v1.7.0) (2018-09-24)
 [Commits](https://github.com/containous/traefik/compare/v1.7.0-rc1...v1.7.0)
 [Commits pre RC](https://github.com/containous/traefik/compare/v1.6.0-rc1...v1.7.0-rc1)

acme/acme.go

@@ -127,7 +127,6 @@ func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tl
 
 	a.checkOnDemandDomain = checkOnDemandDomain
 	a.dynamicCerts = certs
-	a.challengeTLSProvider = &challengeTLSProvider{store: a.store}
 
 	tlsConfig.GetCertificate = a.getCertificate
 	a.TLSConfig = tlsConfig
@@ -157,6 +156,7 @@ func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tl
 	}
 
 	a.store = datastore
+	a.challengeTLSProvider = &challengeTLSProvider{store: a.store}
 
 	ticker := time.NewTicker(24 * time.Hour)
 	leadership.Pool.AddGoCtx(func(ctx context.Context) {

configuration/configuration.go

@@ -207,6 +207,11 @@ func (gc *GlobalConfiguration) SetEffectiveConfiguration(configFile string) {
 				entryPoint.WhitelistSourceRange = nil
 			}
 		}
+
+		if entryPoint.TLS != nil && entryPoint.TLS.DefaultCertificate == nil && len(entryPoint.TLS.Certificates) > 0 {
+			log.Infof("No tls.defaultCertificate given for %s: using the first item in tls.certificates as a fallback.", entryPointName)
+			entryPoint.TLS.DefaultCertificate = &entryPoint.TLS.Certificates[0]
+		}
 	}
 
 	// Make sure LifeCycle isn't nil to spare nil checks elsewhere.

integration/etcd_test.go

@@ -315,13 +315,13 @@ func (s *EtcdSuite) TestCertificatesContentWithSNIConfigHandshake(c *check.C) {
 	snitestOrgKey, err := ioutil.ReadFile("fixtures/https/snitest.org.key")
 	c.Assert(err, checker.IsNil)
 
-	globalConfig := map[string]string{
-		"/traefik/entrypoints/https/address":                     ":4443",
-		"/traefik/entrypoints/https/tls/certificates/0/certfile": string(snitestComCert),
-		"/traefik/entrypoints/https/tls/certificates/0/keyfile":  string(snitestComKey),
-		"/traefik/entrypoints/https/tls/certificates/1/certfile": string(snitestOrgCert),
-		"/traefik/entrypoints/https/tls/certificates/1/keyfile":  string(snitestOrgKey),
-		"/traefik/defaultentrypoints/0":                          "https",
+	globalConfig := map[string][]byte{
+		"/traefik/entrypoints/https/address":                     []byte(":4443"),
+		"/traefik/entrypoints/https/tls/certificates/0/certfile": snitestComCert,
+		"/traefik/entrypoints/https/tls/certificates/0/keyfile":  snitestComKey,
+		"/traefik/entrypoints/https/tls/certificates/1/certfile": snitestOrgCert,
+		"/traefik/entrypoints/https/tls/certificates/1/keyfile":  snitestOrgKey,
+		"/traefik/defaultentrypoints/0":                          []byte("https"),
 	}
 
 	backend1 := map[string]string{
@@ -351,7 +351,7 @@ func (s *EtcdSuite) TestCertificatesContentWithSNIConfigHandshake(c *check.C) {
 		"/traefik/frontends/frontend2/routes/test_2/rule": "Host:snitest.org",
 	}
 	for key, value := range globalConfig {
-		err := s.kv.Put(key, []byte(value), nil)
+		err := s.kv.Put(key, value, nil)
 		c.Assert(err, checker.IsNil)
 	}
 	for key, value := range backend1 {

provider/acme/provider.go

@@ -323,12 +323,24 @@ func (p *Provider) initAccount() (*Account, error) {
 	return p.account, nil
 }
 
+func contains(entryPoints []string, acmeEntryPoint string) bool {
+	for _, entryPoint := range entryPoints {
+		if entryPoint == acmeEntryPoint {
+			return true
+		}
+	}
+	return false
+}
+
 func (p *Provider) watchNewDomains() {
 	p.pool.Go(func(stop chan bool) {
 		for {
 			select {
 			case config := <-p.configFromListenerChan:
 				for _, frontend := range config.Frontends {
+					if !contains(frontend.EntryPoints, p.EntryPoint) {
+						continue
+					}
 					for _, route := range frontend.Routes {
 						domainRules := rules.Rules{}
 						domains, err := domainRules.ParseDomains(route.Rule)

server/server.go

@@ -480,18 +480,17 @@ func (s *Server) createTLSConfig(entryPointName string, tlsOption *traefiktls.TL
 		}
 	} else {
 		config.GetCertificate = s.serverEntryPoints[entryPointName].getCertificate
-	}
+		if len(config.Certificates) != 0 {
+			certMap := s.buildNameOrIPToCertificate(config.Certificates)
 
-	if len(config.Certificates) != 0 {
-		certMap := s.buildNameOrIPToCertificate(config.Certificates)
-
-		if s.entryPoints[entryPointName].CertificateStore != nil {
-			s.entryPoints[entryPointName].CertificateStore.StaticCerts.Set(certMap)
+			if s.entryPoints[entryPointName].CertificateStore != nil {
+				s.entryPoints[entryPointName].CertificateStore.StaticCerts.Set(certMap)
+			}
 		}
-	}
 
-	// Remove certs from the TLS config object
-	config.Certificates = []tls.Certificate{}
+		// Remove certs from the TLS config object
+		config.Certificates = []tls.Certificate{}
+	}
 
 	// Set the minimum TLS version if set in the config TOML
 	if minConst, exists := traefiktls.MinVersion[s.entryPoints[entryPointName].Configuration.TLS.MinVersion]; exists {

server/server_configuration.go

@@ -590,13 +590,17 @@ func (s *Server) buildServerEntryPoints() map[string]*serverEntryPoint {
 			serverEntryPoints[entryPointName].certs.SniStrict = entryPoint.Configuration.TLS.SniStrict
 
 			if entryPoint.Configuration.TLS.DefaultCertificate != nil {
-				cert, err := tls.LoadX509KeyPair(entryPoint.Configuration.TLS.DefaultCertificate.CertFile.String(), entryPoint.Configuration.TLS.DefaultCertificate.KeyFile.String())
+				cert, err := buildDefaultCertificate(entryPoint.Configuration.TLS.DefaultCertificate)
 				if err != nil {
+					log.Error(err)
+					continue
 				}
-				serverEntryPoints[entryPointName].certs.DefaultCertificate = &cert
+				serverEntryPoints[entryPointName].certs.DefaultCertificate = cert
 			} else {
 				cert, err := generate.DefaultCertificate()
 				if err != nil {
+					log.Errorf("failed to generate default certificate: %v", err)
+					continue
 				}
 				serverEntryPoints[entryPointName].certs.DefaultCertificate = cert
 			}
@@ -611,6 +615,24 @@ func (s *Server) buildServerEntryPoints() map[string]*serverEntryPoint {
 	return serverEntryPoints
 }
 
+func buildDefaultCertificate(defaultCertificate *traefiktls.Certificate) (*tls.Certificate, error) {
+	certFile, err := defaultCertificate.CertFile.Read()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get cert file content: %v", err)
+	}
+
+	keyFile, err := defaultCertificate.KeyFile.Read()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get key file content: %v", err)
+	}
+
+	cert, err := tls.X509KeyPair(certFile, keyFile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load X509 key pair: %v", err)
+	}
+	return &cert, nil
+}
+
 func (s *Server) buildDefaultHTTPRouter() *mux.Router {
 	rt := mux.NewRouter()
 	rt.NotFoundHandler = s.wrapHTTPHandlerWithAccessLog(http.HandlerFunc(http.NotFound), "backend not found")