cybercyst/traefik
1
0
Fork 0
mirror of https://github.com/traefik/traefik.git synced 2025-05-05 15:33:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

Allow configuration of ACME provider http timeout

Browse Source
This commit is contained in:
Tom Wiesing 2025-04-28 14:30:06 +02:00 committed by GitHub
parent 8f37c8f0c5
commit dddb68cd5f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 140 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
docs/content/https/acme.md
View File

@ -835,6 +835,71 @@ certificatesResolvers:
# ... # ...
``` ```
### `clientTimeout`
_Optional, Default=2m_
`clientTimeout` is the total timeout for a complete HTTP transaction (including TCP connection, sending request and receiving response) with the ACME server.
It defaults to 2 minutes.
!!! warning "This timeout encompasses the entire request-response cycle, including the response headers timeout. It must be at least `clientResponseHeaderTimeout`, otherwise the certificate resolver will fail to start."
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
acme:
# ...
clientTimeout: 1m
# ...
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
clientTimeout=1m
# ...
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.clientTimeout=1m
# ...
```
!!! warning
This should not be confused with any timeouts used for validating challenges.
### `clientResponseHeaderTimeout`
_Optional, Default=30s_
`clientResponseHeaderTimeout` defines how long the HTTP client waits for response headers when communicating with the `caServer`.
It defaults to 30 seconds.
!!! warning "It must be lower than `clientTimeout`, otherwise the certificate resolver will fail to start."
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
acme:
# ...
clientResponseHeaderTimeout: 1m
# ...
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
clientResponseHeaderTimeout=1m
# ...
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.clientResponseHeaderTimeout=1m
# ...
```
### `preferredChain` ### `preferredChain`
_Optional, Default=""_ _Optional, Default=""_

14
docs/content/https/ref-acme.toml
View File

@ -30,6 +30,20 @@
# #
# certificatesDuration=2160 # certificatesDuration=2160
# Timeout for a complete HTTP transaction with the ACME server.
#
# Optional
# Default: 2m
#
# clientTimeout="2m"
# Timeout for receiving the response headers when communicating with the ACME server.
#
# Optional
# Default: 30s
#
# clientResponseHeaderTimeout="30s"
# Preferred chain to use. # Preferred chain to use.
# #
# If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.

14
docs/content/https/ref-acme.txt
View File

@ -29,6 +29,20 @@
# #
--certificatesresolvers.myresolver.acme.certificatesDuration=2160 --certificatesresolvers.myresolver.acme.certificatesDuration=2160
# Timeout for a complete HTTP transaction with the ACME server.
#
# Optional
# Default: 2m
#
--certificatesresolvers.myresolver.acme.clientTimeout=2m
# Timeout for receiving the response headers when communicating with the ACME server.
#
# Optional
# Default: 30s
#
--certificatesresolvers.myresolver.acme.clientResponseHeaderTimeout=30s
# Preferred chain to use. # Preferred chain to use.
# #
# If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.

14
docs/content/https/ref-acme.yaml
View File

@ -32,6 +32,20 @@ certificatesResolvers:
# #
# certificatesDuration: 2160 # certificatesDuration: 2160
# Timeout for a complete HTTP transaction with the ACME server.
#
# Optional
# Default: 2m
#
# clientTimeout: "2m"
# Timeout for receiving the response headers when communicating with the ACME server.
#
# Optional
# Default: 30s
#
# clientResponseHeaderTimeout: "30s"
# Preferred chain to use. # Preferred chain to use.
# #
# If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.

2
docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md
View File

@ -83,6 +83,8 @@ ACME certificate resolvers have the following configuration options:
| `acme.eab.kid` | Key identifier from External CA. | "" | No | | `acme.eab.kid` | Key identifier from External CA. | "" | No |
| `acme.eab.hmacEncoded` | HMAC key from External CA, should be in Base64 URL Encoding without padding format. | "" | No | | `acme.eab.hmacEncoded` | HMAC key from External CA, should be in Base64 URL Encoding without padding format. | "" | No |
| `acme.certificatesDuration` | The certificates' duration in hours, exclusively used to determine renewal dates. | 2160 | No | | `acme.certificatesDuration` | The certificates' duration in hours, exclusively used to determine renewal dates. | 2160 | No |
| `acme.clientTimeout` | Timeout for HTTP Client used to communicate with the ACME server. | 2m | No |
| `acme.clientResponseHeaderTimeout` | Timeout for response headers for HTTP Client used to communicate with the ACME server. | 30s | No |
| `acme.dnsChallenge` | Enable DNS-01 challenge. More information [here](#dnschallenge). | - | No | | `acme.dnsChallenge` | Enable DNS-01 challenge. More information [here](#dnschallenge). | - | No |
| `acme.dnsChallenge.provider` | DNS provider to use. | "" | No | | `acme.dnsChallenge.provider` | DNS provider to use. | "" | No |
| `acme.dnsChallenge.resolvers` | DNS servers to resolve the FQDN authority. | [] | No | | `acme.dnsChallenge.resolvers` | DNS servers to resolve the FQDN authority. | [] | No |

6
docs/content/reference/static-configuration/cli-ref.md
View File

@ -129,6 +129,12 @@ Define if the certificates pool must use a copy of the system cert pool. (Defaul
`--certificatesresolvers.<name>.acme.certificatesduration`: `--certificatesresolvers.<name>.acme.certificatesduration`:
Certificates' duration in hours. (Default: ```2160```) Certificates' duration in hours. (Default: ```2160```)
`--certificatesresolvers.<name>.acme.clientresponseheadertimeout`:
Timeout for receiving the response headers when communicating with the ACME server. (Default: ```30```)
`--certificatesresolvers.<name>.acme.clienttimeout`:
Timeout for a complete HTTP transaction with the ACME server. (Default: ```120```)
`--certificatesresolvers.<name>.acme.dnschallenge`: `--certificatesresolvers.<name>.acme.dnschallenge`:
Activate DNS-01 Challenge. (Default: ```false```) Activate DNS-01 Challenge. (Default: ```false```)

6
docs/content/reference/static-configuration/env-ref.md
View File

@ -129,6 +129,12 @@ Define if the certificates pool must use a copy of the system cert pool. (Defaul
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CERTIFICATESDURATION`: `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CERTIFICATESDURATION`:
Certificates' duration in hours. (Default: ```2160```) Certificates' duration in hours. (Default: ```2160```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CLIENTRESPONSEHEADERTIMEOUT`:
Timeout for receiving the response headers when communicating with the ACME server. (Default: ```30```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CLIENTTIMEOUT`:
Timeout for a complete HTTP transaction with the ACME server. (Default: ```120```)
`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE`: `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE`:
Activate DNS-01 Challenge. (Default: ```false```) Activate DNS-01 Challenge. (Default: ```false```)

4
docs/content/reference/static-configuration/file.toml
View File

@ -511,6 +511,8 @@
storage = "foobar" storage = "foobar"
keyType = "foobar" keyType = "foobar"
certificatesDuration = 42 certificatesDuration = 42
clientTimeout = "42s"
clientResponseHeaderTimeout = "42s"
caCertificates = ["foobar", "foobar"] caCertificates = ["foobar", "foobar"]
caSystemCertPool = true caSystemCertPool = true
caServerName = "foobar" caServerName = "foobar"
@ -542,6 +544,8 @@
storage = "foobar" storage = "foobar"
keyType = "foobar" keyType = "foobar"
certificatesDuration = 42 certificatesDuration = 42
clientTimeout = "42s"
clientResponseHeaderTimeout = "42s"
caCertificates = ["foobar", "foobar"] caCertificates = ["foobar", "foobar"]
caSystemCertPool = true caSystemCertPool = true
caServerName = "foobar" caServerName = "foobar"

4
docs/content/reference/static-configuration/file.yaml
View File

@ -557,6 +557,8 @@ certificatesResolvers:
kid: foobar kid: foobar
hmacEncoded: foobar hmacEncoded: foobar
certificatesDuration: 42 certificatesDuration: 42
clientTimeout: 42s
clientResponseHeaderTimeout: 42s
caCertificates: caCertificates:
- foobar - foobar
- foobar - foobar
@ -594,6 +596,8 @@ certificatesResolvers:
kid: foobar kid: foobar
hmacEncoded: foobar hmacEncoded: foobar
certificatesDuration: 42 certificatesDuration: 42
clientTimeout: 42s
clientResponseHeaderTimeout: 42s
caCertificates: caCertificates:
- foobar - foobar
- foobar - foobar

13
pkg/provider/acme/provider.go
View File

@ -50,6 +50,9 @@ type Configuration struct {
EAB *EAB `description:"External Account Binding to use." json:"eab,omitempty" toml:"eab,omitempty" yaml:"eab,omitempty"` EAB *EAB `description:"External Account Binding to use." json:"eab,omitempty" toml:"eab,omitempty" yaml:"eab,omitempty"`
CertificatesDuration int `description:"Certificates' duration in hours." json:"certificatesDuration,omitempty" toml:"certificatesDuration,omitempty" yaml:"certificatesDuration,omitempty" export:"true"` CertificatesDuration int `description:"Certificates' duration in hours." json:"certificatesDuration,omitempty" toml:"certificatesDuration,omitempty" yaml:"certificatesDuration,omitempty" export:"true"`
ClientTimeout ptypes.Duration `description:"Timeout for a complete HTTP transaction with the ACME server." json:"clientTimeout,omitempty" toml:"clientTimeout,omitempty" yaml:"clientTimeout,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
ClientResponseHeaderTimeout ptypes.Duration `description:"Timeout for receiving the response headers when communicating with the ACME server." json:"clientResponseHeaderTimeout,omitempty" toml:"clientResponseHeaderTimeout,omitempty" yaml:"clientResponseHeaderTimeout,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
CACertificates []string `description:"Specify the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list." json:"caCertificates,omitempty" toml:"caCertificates,omitempty" yaml:"caCertificates,omitempty"` CACertificates []string `description:"Specify the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list." json:"caCertificates,omitempty" toml:"caCertificates,omitempty" yaml:"caCertificates,omitempty"`
CASystemCertPool bool `description:"Define if the certificates pool must use a copy of the system cert pool." json:"caSystemCertPool,omitempty" toml:"caSystemCertPool,omitempty" yaml:"caSystemCertPool,omitempty" export:"true"` CASystemCertPool bool `description:"Define if the certificates pool must use a copy of the system cert pool." json:"caSystemCertPool,omitempty" toml:"caSystemCertPool,omitempty" yaml:"caSystemCertPool,omitempty" export:"true"`
CAServerName string `description:"Specify the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list." json:"caServerName,omitempty" toml:"caServerName,omitempty" yaml:"caServerName,omitempty" export:"true"` CAServerName string `description:"Specify the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list." json:"caServerName,omitempty" toml:"caServerName,omitempty" yaml:"caServerName,omitempty" export:"true"`
@ -65,6 +68,8 @@ func (a *Configuration) SetDefaults() {
a.Storage = "acme.json" a.Storage = "acme.json"
a.KeyType = "RSA4096" a.KeyType = "RSA4096"
a.CertificatesDuration = 3 * 30 * 24 // 90 Days a.CertificatesDuration = 3 * 30 * 24 // 90 Days
a.ClientTimeout = ptypes.Duration(2 * time.Minute)
a.ClientResponseHeaderTimeout = ptypes.Duration(30 * time.Second)
} }
// CertAndStore allows mapping a TLS certificate to a TLS store. // CertAndStore allows mapping a TLS certificate to a TLS store.
@ -164,6 +169,10 @@ func (p *Provider) Init() error {
return errors.New("cannot manage certificates with duration lower than 1 hour") return errors.New("cannot manage certificates with duration lower than 1 hour")
} }
if p.ClientTimeout < p.ClientResponseHeaderTimeout {
return errors.New("clientTimeout must be at least clientResponseHeaderTimeout")
}
var err error var err error
p.account, err = p.Store.GetAccount(p.ResolverName) p.account, err = p.Store.GetAccount(p.ResolverName)
if err != nil { if err != nil {
@ -379,7 +388,7 @@ func (p *Provider) createHTTPClient() (*http.Client, error) {
} }
return &http.Client{ return &http.Client{
Timeout: 2 * time.Minute, Timeout: time.Duration(p.ClientTimeout),
Transport: &http.Transport{ Transport: &http.Transport{
Proxy: http.ProxyFromEnvironment, Proxy: http.ProxyFromEnvironment,
DialContext: (&net.Dialer{ DialContext: (&net.Dialer{
@ -387,7 +396,7 @@ func (p *Provider) createHTTPClient() (*http.Client, error) {
KeepAlive: 30 * time.Second, KeepAlive: 30 * time.Second,
}).DialContext, }).DialContext,
TLSHandshakeTimeout: 30 * time.Second, TLSHandshakeTimeout: 30 * time.Second,
ResponseHeaderTimeout: 30 * time.Second, ResponseHeaderTimeout: time.Duration(p.ClientResponseHeaderTimeout),
TLSClientConfig: tlsConfig, TLSClientConfig: tlsConfig,
}, },
}, nil }, nil