diff --git a/docs/content/https/acme.md b/docs/content/https/acme.md index 96c337342..764b4b30c 100644 --- a/docs/content/https/acme.md +++ b/docs/content/https/acme.md @@ -835,6 +835,71 @@ certificatesResolvers: # ... ``` +### `clientTimeout` + +_Optional, Default=2m_ + +`clientTimeout` is the total timeout for a complete HTTP transaction (including TCP connection, sending request and receiving response) with the ACME server. +It defaults to 2 minutes. + +!!! warning "This timeout encompasses the entire request-response cycle, including the response headers timeout. It must be at least `clientResponseHeaderTimeout`, otherwise the certificate resolver will fail to start." + +```yaml tab="File (YAML)" +certificatesResolvers: + myresolver: + acme: + # ... + clientTimeout: 1m + # ... +``` + +```toml tab="File (TOML)" +[certificatesResolvers.myresolver.acme] + # ... + clientTimeout=1m + # ... +``` + +```bash tab="CLI" +# ... +--certificatesresolvers.myresolver.acme.clientTimeout=1m +# ... +``` + +!!! warning + This should not be confused with any timeouts used for validating challenges. + +### `clientResponseHeaderTimeout` + +_Optional, Default=30s_ + +`clientResponseHeaderTimeout` defines how long the HTTP client waits for response headers when communicating with the `caServer`. +It defaults to 30 seconds. + +!!! warning "It must be lower than `clientTimeout`, otherwise the certificate resolver will fail to start." + +```yaml tab="File (YAML)" +certificatesResolvers: + myresolver: + acme: + # ... + clientResponseHeaderTimeout: 1m + # ... +``` + +```toml tab="File (TOML)" +[certificatesResolvers.myresolver.acme] + # ... + clientResponseHeaderTimeout=1m + # ... +``` + +```bash tab="CLI" +# ... +--certificatesresolvers.myresolver.acme.clientResponseHeaderTimeout=1m +# ... +``` + ### `preferredChain` _Optional, Default=""_ diff --git a/docs/content/https/ref-acme.toml b/docs/content/https/ref-acme.toml index e5db57a53..a93f4775c 100644 
--- a/docs/content/https/ref-acme.toml +++ b/docs/content/https/ref-acme.toml @@ -30,6 +30,20 @@ # # certificatesDuration=2160 + # Timeout for a complete HTTP transaction with the ACME server. + # + # Optional + # Default: 2m + # + # clientTimeout="2m" + + # Timeout for receiving the response headers when communicating with the ACME server. + # + # Optional + # Default: 30s + # + # clientResponseHeaderTimeout="30s" + # Preferred chain to use. # # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. diff --git a/docs/content/https/ref-acme.txt b/docs/content/https/ref-acme.txt index d817a4dbe..10aa3b5d6 100644 --- a/docs/content/https/ref-acme.txt +++ b/docs/content/https/ref-acme.txt @@ -29,6 +29,20 @@ # --certificatesresolvers.myresolver.acme.certificatesDuration=2160 +# Timeout for a complete HTTP transaction with the ACME server. +# +# Optional +# Default: 2m +# +--certificatesresolvers.myresolver.acme.clientTimeout=2m + +# Timeout for receiving the response headers when communicating with the ACME server. +# +# Optional +# Default: 30s +# +--certificatesresolvers.myresolver.acme.clientResponseHeaderTimeout=30s + # Preferred chain to use. # # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. diff --git a/docs/content/https/ref-acme.yaml b/docs/content/https/ref-acme.yaml index 044c7ff9b..65cd2462b 100644 --- a/docs/content/https/ref-acme.yaml +++ b/docs/content/https/ref-acme.yaml 
@@ -32,6 +32,20 @@ certificatesResolvers: # # certificatesDuration: 2160 + # Timeout for a complete HTTP transaction with the ACME server. + # + # Optional + # Default: 2m + # + # clientTimeout: "2m" + + # Timeout for receiving the response headers when communicating with the ACME server. + # + # Optional + # Default: 30s + # + # clientResponseHeaderTimeout: "30s" + # Preferred chain to use. # # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. diff --git a/docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md b/docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md index ec425f38a..3a14f3493 100644 --- a/docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md +++ b/docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md @@ -83,6 +83,8 @@ ACME certificate resolvers have the following configuration options: | `acme.eab.kid` | Key identifier from External CA. | "" | No | | `acme.eab.hmacEncoded` | HMAC key from External CA, should be in Base64 URL Encoding without padding format. | "" | No | | `acme.certificatesDuration` | The certificates' duration in hours, exclusively used to determine renewal dates. | 2160 | No | +| `acme.clientTimeout` | Timeout for HTTP Client used to communicate with the ACME server. | 2m | No | +| `acme.clientResponseHeaderTimeout` | Timeout for response headers for HTTP Client used to communicate with the ACME server. | 30s | No | | `acme.dnsChallenge` | Enable DNS-01 challenge. More information [here](#dnschallenge). | - | No | | `acme.dnsChallenge.provider` | DNS provider to use. | "" | No | | `acme.dnsChallenge.resolvers` | DNS servers to resolve the FQDN authority. | [] | No | diff --git a/docs/content/reference/static-configuration/cli-ref.md b/docs/content/reference/static-configuration/cli-ref.md index 92902ec2e..6d7e180a7 100644 
--- a/docs/content/reference/static-configuration/cli-ref.md +++ b/docs/content/reference/static-configuration/cli-ref.md @@ -129,6 +129,12 @@ Define if the certificates pool must use a copy of the system cert pool. (Defaul `--certificatesresolvers..acme.certificatesduration`: Certificates' duration in hours. (Default: ```2160```) +`--certificatesresolvers..acme.clientresponseheadertimeout`: +Timeout for receiving the response headers when communicating with the ACME server. (Default: ```30```) + +`--certificatesresolvers..acme.clienttimeout`: +Timeout for a complete HTTP transaction with the ACME server. (Default: ```120```) + `--certificatesresolvers..acme.dnschallenge`: Activate DNS-01 Challenge. (Default: ```false```) diff --git a/docs/content/reference/static-configuration/env-ref.md b/docs/content/reference/static-configuration/env-ref.md index c0f46f53d..884fa4aaa 100644 --- a/docs/content/reference/static-configuration/env-ref.md +++ b/docs/content/reference/static-configuration/env-ref.md @@ -129,6 +129,12 @@ Define if the certificates pool must use a copy of the system cert pool. (Defaul `TRAEFIK_CERTIFICATESRESOLVERS__ACME_CERTIFICATESDURATION`: Certificates' duration in hours. (Default: ```2160```) +`TRAEFIK_CERTIFICATESRESOLVERS__ACME_CLIENTRESPONSEHEADERTIMEOUT`: +Timeout for receiving the response headers when communicating with the ACME server. (Default: ```30```) + +`TRAEFIK_CERTIFICATESRESOLVERS__ACME_CLIENTTIMEOUT`: +Timeout for a complete HTTP transaction with the ACME server. (Default: ```120```) + `TRAEFIK_CERTIFICATESRESOLVERS__ACME_DNSCHALLENGE`: Activate DNS-01 Challenge. (Default: ```false```) diff --git a/docs/content/reference/static-configuration/file.toml b/docs/content/reference/static-configuration/file.toml index 204fead53..964cd8a7b 100644 --- a/docs/content/reference/static-configuration/file.toml +++ b/docs/content/reference/static-configuration/file.toml 
@@ -511,6 +511,8 @@ storage = "foobar" keyType = "foobar" certificatesDuration = 42 + clientTimeout = "42s" + clientResponseHeaderTimeout = "42s" caCertificates = ["foobar", "foobar"] caSystemCertPool = true caServerName = "foobar" @@ -542,6 +544,8 @@ storage = "foobar" keyType = "foobar" certificatesDuration = 42 + clientTimeout = "42s" + clientResponseHeaderTimeout = "42s" caCertificates = ["foobar", "foobar"] caSystemCertPool = true caServerName = "foobar" diff --git a/docs/content/reference/static-configuration/file.yaml b/docs/content/reference/static-configuration/file.yaml index 2c9fb3223..691101e01 100644 --- a/docs/content/reference/static-configuration/file.yaml +++ b/docs/content/reference/static-configuration/file.yaml @@ -557,6 +557,8 @@ certificatesResolvers: kid: foobar hmacEncoded: foobar certificatesDuration: 42 + clientTimeout: 42s + clientResponseHeaderTimeout: 42s caCertificates: - foobar - foobar @@ -594,6 +596,8 @@ certificatesResolvers: kid: foobar hmacEncoded: foobar certificatesDuration: 42 + clientTimeout: 42s + clientResponseHeaderTimeout: 42s caCertificates: - foobar - foobar diff --git a/pkg/provider/acme/provider.go b/pkg/provider/acme/provider.go index 2ff220100..35ea148f8 100644 --- a/pkg/provider/acme/provider.go +++ b/pkg/provider/acme/provider.go 
@@ -50,6 +50,9 @@ type Configuration struct { EAB *EAB `description:"External Account Binding to use." json:"eab,omitempty" toml:"eab,omitempty" yaml:"eab,omitempty"` CertificatesDuration int `description:"Certificates' duration in hours." json:"certificatesDuration,omitempty" toml:"certificatesDuration,omitempty" yaml:"certificatesDuration,omitempty" export:"true"` + ClientTimeout ptypes.Duration `description:"Timeout for a complete HTTP transaction with the ACME server." json:"clientTimeout,omitempty" toml:"clientTimeout,omitempty" yaml:"clientTimeout,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"` + ClientResponseHeaderTimeout ptypes.Duration `description:"Timeout for receiving the response headers when communicating with the ACME server." json:"clientResponseHeaderTimeout,omitempty" toml:"clientResponseHeaderTimeout,omitempty" yaml:"clientResponseHeaderTimeout,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"` + CACertificates []string `description:"Specify the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list." json:"caCertificates,omitempty" toml:"caCertificates,omitempty" yaml:"caCertificates,omitempty"` CASystemCertPool bool `description:"Define if the certificates pool must use a copy of the system cert pool." json:"caSystemCertPool,omitempty" toml:"caSystemCertPool,omitempty" yaml:"caSystemCertPool,omitempty" export:"true"` CAServerName string `description:"Specify the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list." json:"caServerName,omitempty" toml:"caServerName,omitempty" yaml:"caServerName,omitempty" export:"true"` 
@@ -65,6 +68,8 @@ func (a *Configuration) SetDefaults() {
 a.Storage = "acme.json"
 a.KeyType = "RSA4096"
 a.CertificatesDuration = 3 * 30 * 24 // 90 Days
+ a.ClientTimeout = ptypes.Duration(2 * time.Minute)
+ a.ClientResponseHeaderTimeout = ptypes.Duration(30 * time.Second)
 }
 
 // CertAndStore allows mapping a TLS certificate to a TLS store.
@@ -164,6 +169,10 @@ func (p *Provider) Init() error {
 return errors.New("cannot manage certificates with duration lower than 1 hour")
 }
 
+ if p.ClientTimeout < p.ClientResponseHeaderTimeout {
+ return errors.New("clientTimeout must be at least clientResponseHeaderTimeout")
+ }
+
 var err error
 p.account, err = p.Store.GetAccount(p.ResolverName)
 if err != nil {
@@ -379,7 +388,7 @@ func (p *Provider) createHTTPClient() (*http.Client, error) {
 }
 
 return &http.Client{
- Timeout: 2 * time.Minute,
+ Timeout: time.Duration(p.ClientTimeout),
 Transport: &http.Transport{
 Proxy: http.ProxyFromEnvironment,
 DialContext: (&net.Dialer{
@@ -387,7 +396,7 @@ func (p *Provider) createHTTPClient() (*http.Client, error) {
 KeepAlive: 30 * time.Second,
 }).DialContext,
 TLSHandshakeTimeout: 30 * time.Second,
- ResponseHeaderTimeout: 30 * time.Second,
+ ResponseHeaderTimeout: time.Duration(p.ClientResponseHeaderTimeout),
 TLSClientConfig: tlsConfig,
 },
 }, nil
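Review bot: The new check in Init() only orders the two timeouts relative to each other and never rejects zero or negative values, yet in net/http a non-positive http.Client.Timeout or Transport.ResponseHeaderTimeout means no timeout at all, so configuring both as 0 passes validation and leaves every request to the ACME server unbounded (a slow or unresponsive CA can then hold the resolver indefinitely). The fields carry `allowEmpty`, so an empty value looks like a plausible way to reach that path; worth confirming how ptypes.Duration decodes it. Suggest adding, before the existing comparison, `if p.ClientTimeout <= 0 || p.ClientResponseHeaderTimeout <= 0 { return errors.New("clientTimeout and clientResponseHeaderTimeout must be positive") }`. The same values are consumed unchecked in the two createHTTPClient hunks below. Init() starts and ends outside this hunk.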
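Review bot: The replaced Timeout and ResponseHeaderTimeout lines in createHTTPClient now rely on an invariant enforced elsewhere (Init() rejects a clientTimeout shorter than clientResponseHeaderTimeout), but nothing at the call site says so, and a later edit could drop or reorder the Init() check without anyone noticing here. Suggest a comment above `Timeout: time.Duration(p.ClientTimeout),` such as `// Overall per-request bound; Init() guarantees it is not shorter than ResponseHeaderTimeout.` The TLSHandshakeTimeout and dialer timeout next to these lines remain hard-coded while their neighbours became configurable, which looks deliberate but is worth stating in that same comment. createHTTPClient begins before the first of its two hunks.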