Let's Encrypt

Automatic HTTPS

You can configure Traefik to use an ACME provider (like Let's Encrypt) for automatic certificate generation.

Let's Encrypt and Rate Limiting

Note that the Let's Encrypt API has rate limiting.

Use the Let's Encrypt staging server, selected with the caServer configuration option, when experimenting, to avoid hitting this limit too fast.

Certificate Resolvers

Traefik requires you to define "Certificate Resolvers" in the static configuration, which are responsible for retrieving certificates from an ACME server.

Then, each "router" is configured to enable TLS, and is associated to a certificate resolver through the tls.certresolver configuration option.

Certificates are requested for the domain names retrieved from the router's dynamic configuration.

You can read more about this retrieval mechanism in the following section: ACME Domain Definition.

Domain Definition

Certificate resolvers request certificates for a set of domain names inferred from routers, with the following logic:

  • If the router has a tls.domains option set, then the certificate resolver uses the main (and optional sans) option of tls.domains to know the domain names for this router.

  • If no tls.domains option is set, then the certificate resolver uses the router's rule, by checking the Host() matchers. Please note that multiple Host() matchers can be used for specifying multiple domain names for this router.

Note: please check the configuration examples below for more details.
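The two inference rules above, as an added Python example that is not Traefik's own code: it extracts the Host() names from a router rule, lets an explicit tls.domains list take precedence, and also reads the Docker-label form of tls.domains used in the examples on this page. It assumes the first Host() name becomes the certificate's main domain and the remaining ones its SANs, which is what the multiple-domains example on this page shows; the sample rules and labels in the `__main__` block are constructed from this page.

```python
from __future__ import annotations

import re
from typing import Dict, List, Optional

# Every Host(...) matcher in a rule, e.g. the two in
# (Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
HOST_MATCHER = re.compile(r"Host\(([^)]*)\)")

# Docker-style label carrying one tls.domains entry, as on this page:
# traefik.http.routers.blog.tls.domains[0].main=company.org
DOMAIN_LABEL = re.compile(
    r"^traefik\.http\.routers\.(?P<router>[^.]+)\.tls\.domains\[(?P<idx>\d+)\]\.(?P<field>main|sans)$"
)


def hosts_from_rule(rule: str) -> List[str]:
    """Host names named by the rule's Host() matchers, in order, without duplicates.
    Host() may carry several backtick-quoted names separated by commas."""
    names: List[str] = []
    for group in HOST_MATCHER.findall(rule):
        for raw in group.split(","):
            name = raw.strip().strip("`'\"")
            if name and name not in names:
                names.append(name)
    return names


def domains_for_router(rule: str, tls_domains: Optional[List[Dict]] = None) -> List[Dict]:
    """Apply the two rules from the Domain Definition section: an explicit
    tls.domains list wins; otherwise the rule's Host() names are used, the
    first as the certificate's main domain and the rest as SANs (assumption
    matching the multiple-domains example on this page)."""
    if tls_domains:
        return [{"main": d["main"], "sans": list(d.get("sans") or [])} for d in tls_domains]
    hosts = hosts_from_rule(rule)
    if not hosts:
        return []  # e.g. a Path()-only rule: no domain can be inferred
    return [{"main": hosts[0], "sans": hosts[1:]}]


def domains_from_labels(labels: Dict[str, str], router: str) -> List[Dict]:
    """Derive the certificate request for ROUTER from a flat Docker label map."""
    rule = labels.get(f"traefik.http.routers.{router}.rule", "")
    entries: Dict[int, Dict] = {}
    for key, value in labels.items():
        m = DOMAIN_LABEL.match(key)
        if not m or m.group("router") != router:
            continue
        entry = entries.setdefault(int(m.group("idx")), {"main": "", "sans": []})
        if m.group("field") == "main":
            entry["main"] = value.strip()
        else:
            entry["sans"] = [s.strip() for s in value.split(",") if s.strip()]
    ordered = [entries[i] for i in sorted(entries)]
    return domains_for_router(rule, ordered)


if __name__ == "__main__":
    # Constructed inputs mirroring the three examples on this page.
    print(domains_for_router("Host(`company.com`) && Path(`/blog`)"))
    print(domains_for_router("(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)"))
    print(domains_from_labels({
        "traefik.http.routers.blog.rule": "Host(`company.com`) && Path(`/blog`)",
        "traefik.http.routers.blog.tls.domains[0].main": "company.org",
        "traefik.http.routers.blog.tls.domains[0].sans": "*.company.org",
    }, "blog"))
```

A router whose rule has no Host() matcher yields an empty list: that is the case where nothing can be inferred and the router needs an explicit tls.domains before a certificate resolver can act on it.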

Configuration Examples

Enabling ACME

File (TOML):

[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.web-secure]
    address = ":443"

[certificatesResolvers.sample.acme]
  email = "your-email@example.com"
  storage = "acme.json"
  [certificatesResolvers.sample.acme.httpChallenge]
    # used during the challenge
    entryPoint = "web"

File (YAML):

entryPoints:
  web:
    address: ":80"

  web-secure:
    address: ":443"

certificatesResolvers:
  sample:
    acme:
      email: your-email@example.com
      storage: acme.json
      httpChallenge:
        # used during the challenge
        entryPoint: web

CLI:

--entryPoints.web.address=:80
--entryPoints.websecure.address=:443
# ...
--certificatesResolvers.sample.acme.email=your-email@example.org
--certificatesResolvers.sample.acme.storage=acme.json
# used during the challenge
--certificatesResolvers.sample.acme.httpChallenge.entryPoint=web

Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must reference it.

Configuration Reference

There are many available options for ACME. For a quick glance at what's possible, browse the configuration reference:

File (TOML):

# Enable ACME (Let's Encrypt): automatic SSL.
[certificatesResolvers.sample.acme]

  # Email address used for registration.
  #
  # Required
  #
  email = "your-email@example.com"

  # File or key used for certificates storage.
  #
  # Required
  #
  storage = "acme.json"

  # CA server to use.
  # Uncomment the line to use Let's Encrypt's staging server,
  # leave commented to go to prod.
  #
  # Optional
  # Default: "https://acme-v02.api.letsencrypt.org/directory"
  #
  # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"

  # KeyType to use.
  #
  # Optional
  # Default: "RSA4096"
  #
  # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
  #
  # keyType = "RSA4096"

  # Use a TLS-ALPN-01 ACME challenge.
  #
  # Optional (but recommended)
  #
  [certificatesResolvers.sample.acme.tlsChallenge]

  # Use a HTTP-01 ACME challenge.
  #
  # Optional
  #
  # [certificatesResolvers.sample.acme.httpChallenge]

    # EntryPoint to use for the HTTP-01 challenges.
    #
    # Required
    #
    # entryPoint = "web"

  # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
  # Note: mandatory for wildcard certificate generation.
  #
  # Optional
  #
  # [certificatesResolvers.sample.acme.dnsChallenge]

    # DNS provider used.
    #
    # Required
    #
    # provider = "digitalocean"

    # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
    # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
    # Useful if internal networks block external DNS queries.
    #
    # Optional
    # Default: 0
    #
    # delayBeforeCheck = 0

    # Use following DNS servers to resolve the FQDN authority.
    #
    # Optional
    # Default: empty
    #
    # resolvers = ["1.1.1.1:53", "8.8.8.8:53"]

    # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
    #
    # NOT RECOMMENDED:
    # Increase the risk of reaching Let's Encrypt's rate limits.
    #
    # Optional
    # Default: false
    #
    # disablePropagationCheck = true

File (YAML):

certificatesResolvers:
  sample:
    # Enable ACME (Let's Encrypt): automatic SSL.
    acme:

      # Email address used for registration.
      #
      # Required
      #
      email: "your-email@example.com"

      # File or key used for certificates storage.
      #
      # Required
      #
      storage: "acme.json"

      # CA server to use.
      # Uncomment the line to use Let's Encrypt's staging server,
      # leave commented to go to prod.
      #
      # Optional
      # Default: "https://acme-v02.api.letsencrypt.org/directory"
      #
      # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"

      # KeyType to use.
      #
      # Optional
      # Default: "RSA4096"
      #
      # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
      #
      # keyType: RSA4096

      # Use a TLS-ALPN-01 ACME challenge.
      #
      # Optional (but recommended)
      #
      tlsChallenge:

      # Use a HTTP-01 ACME challenge.
      #
      # Optional
      #
      # httpChallenge:

        # EntryPoint to use for the HTTP-01 challenges.
        #
        # Required
        #
        # entryPoint: web

      # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
      # Note: mandatory for wildcard certificate generation.
      #
      # Optional
      #
      # dnsChallenge:

        # DNS provider used.
        #
        # Required
        #
        # provider: digitalocean

        # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
        # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
        # Useful if internal networks block external DNS queries.
        #
        # Optional
        # Default: 0
        #
        # delayBeforeCheck: 0

        # Use following DNS servers to resolve the FQDN authority.
        #
        # Optional
        # Default: empty
        #
        # resolvers:
        #   - "1.1.1.1:53"
        #   - "8.8.8.8:53"

        # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
        #
        # NOT RECOMMENDED:
        # Increase the risk of reaching Let's Encrypt's rate limits.
        #
        # Optional
        # Default: false
        #
        # disablePropagationCheck: true

CLI:

# Enable ACME (Let's Encrypt): automatic SSL.

# Email address used for registration.
#
# Required
#
--certificatesResolvers.sample.acme.email=your-email@example.com

# File or key used for certificates storage.
#
# Required
#
--certificatesResolvers.sample.acme.storage=acme.json

# CA server to use.
# Uncomment the line to use Let's Encrypt's staging server,
# leave commented to go to prod.
#
# Optional
# Default: "https://acme-v02.api.letsencrypt.org/directory"
#
--certificatesResolvers.sample.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory

# KeyType to use.
#
# Optional
# Default: "RSA4096"
#
# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
#
--certificatesResolvers.sample.acme.keyType=RSA4096

# Use a TLS-ALPN-01 ACME challenge.
#
# Optional (but recommended)
#
--certificatesResolvers.sample.acme.tlsChallenge=true

# Use a HTTP-01 ACME challenge.
#
# Optional
#
--certificatesResolvers.sample.acme.httpChallenge=true

# EntryPoint to use for the HTTP-01 challenges.
#
# Required
#
--certificatesResolvers.sample.acme.httpChallenge.entryPoint=web

# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
# Note: mandatory for wildcard certificate generation.
#
# Optional
#
--certificatesResolvers.sample.acme.dnsChallenge=true

# DNS provider used.
#
# Required
#
--certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean

# By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
# If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
# Useful if internal networks block external DNS queries.
#
# Optional
# Default: 0
#
--certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0

# Use following DNS servers to resolve the FQDN authority.
#
# Optional
# Default: empty
#
--certificatesResolvers.sample.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53

# Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
#
# NOT RECOMMENDED:
# Increase the risk of reaching Let's Encrypt's rate limits.
#
# Optional
# Default: false
#
--certificatesResolvers.sample.acme.dnsChallenge.disablePropagationCheck=true
Single Domain from Router's Rule Example

  • A certificate for the domain company.com is requested:

Docker:

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=le

Docker (Swarm):

## Dynamic configuration
deploy:
  labels:
    - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
    - traefik.http.services.blog-svc.loadbalancer.server.port=8080
    - traefik.http.routers.blog.tls=true
    - traefik.http.routers.blog.tls.certresolver=le

Kubernetes:

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: blogtls
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`company.com`) && Path(`/blog`)
    kind: Rule
    services:
    - name: blog
      port: 8080
  tls: {}

Marathon:

labels: {
  "traefik.http.routers.blog.rule": "Host(`company.com`) && Path(`/blog`)",
  "traefik.http.routers.blog.tls": "true",
  "traefik.http.routers.blog.tls.certresolver": "le",
  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
}

Rancher:

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=le

File (TOML):

## Dynamic configuration
[http.routers]
  [http.routers.blog]
    rule = "Host(`company.com`) && Path(`/blog`)"
    [http.routers.blog.tls]
      certResolver = "le" # From static configuration

File (YAML):

## Dynamic configuration
http:
  routers:
    blog:
      rule: "Host(`company.com`) && Path(`/blog`)"
      tls:
        certResolver: le
Multiple Domains from Router's Rule Example

  • A certificate for the domains company.com (main) and blog.company.org is requested:

Docker:

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=le

Docker (Swarm):

## Dynamic configuration
deploy:
  labels:
    - traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
    - traefik.http.services.blog-svc.loadbalancer.server.port=8080
    - traefik.http.routers.blog.tls=true
    - traefik.http.routers.blog.tls.certresolver=le

Kubernetes:

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: blogtls
spec:
  entryPoints:
    - websecure
  routes:
  - match: (Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
    kind: Rule
    services:
    - name: blog
      port: 8080
  tls: {}

Marathon:

labels: {
  "traefik.http.routers.blog.rule": "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)",
  "traefik.http.routers.blog.tls": "true",
  "traefik.http.routers.blog.tls.certresolver": "le",
  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
}

Rancher:

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=le

File (TOML):

## Dynamic configuration
[http.routers]
  [http.routers.blog]
    rule = "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)"
    [http.routers.blog.tls]
      certResolver = "le" # From static configuration

File (YAML):

## Dynamic configuration
http:
  routers:
    blog:
      rule: "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)"
      tls:
        certResolver: le
Multiple Domains from Router's tls.domain Example

  • A certificate for the domains company.com (main) and *.company.org (SAN) is requested:

Docker:

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=le
  - traefik.http.routers.blog.tls.domains[0].main=company.org
  - traefik.http.routers.blog.tls.domains[0].sans=*.company.org

Docker (Swarm):

## Dynamic configuration
deploy:
  labels:
    - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
    - traefik.http.services.blog-svc.loadbalancer.server.port=8080
    - traefik.http.routers.blog.tls=true
    - traefik.http.routers.blog.tls.certresolver=le
    - traefik.http.routers.blog.tls.domains[0].main=company.org
    - traefik.http.routers.blog.tls.domains[0].sans=*.company.org

Kubernetes:

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: blogtls
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`company.com`) && Path(`/blog`)
    kind: Rule
    services:
    - name: blog
      port: 8080
  tls:
    certResolver: le

Marathon:

labels: {
  "traefik.http.routers.blog.rule": "Host(`company.com`) && Path(`/blog`)",
  "traefik.http.routers.blog.tls": "true",
  "traefik.http.routers.blog.tls.certresolver": "le",
  "traefik.http.routers.blog.tls.domains[0].main": "company.org",
  "traefik.http.routers.blog.tls.domains[0].sans": "*.company.org",
  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
}

Rancher:

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=le
  - traefik.http.routers.blog.tls.domains[0].main=company.org
  - traefik.http.routers.blog.tls.domains[0].sans=*.company.org

File (TOML):

## Dynamic configuration
[http.routers]
  [http.routers.blog]
    rule = "Host(`company.com`) && Path(`/blog`)"
    [http.routers.blog.tls]
      certResolver = "le" # From static configuration
      [[http.routers.blog.tls.domains]]
        main = "company.org"
        sans = ["*.company.org"]

File (YAML):

## Dynamic configuration
http:
  routers:
    blog:
      rule: "Host(`company.com`) && Path(`/blog`)"
      tls:
        certResolver: le
        domains:
          - main: "company.org"
            sans:
              - "*.company.org"

Automatic Renewals

Traefik automatically tracks the expiry date of the ACME certificates it generates.

If there are less than 30 days remaining before the certificate expires, Traefik will attempt to renew it automatically.

Certificates that are no longer used may still be renewed, as Traefik does not currently check whether the certificate is being used before renewing.

Using LetsEncrypt with Kubernetes

When using LetsEncrypt with Kubernetes, there are some known caveats with both the ingress and crd providers.

If you intend to run multiple instances of Traefik with LetsEncrypt, please ensure you read the sections on those provider pages.

The Different ACME Challenges

Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must reference it.

tlsChallenge

Use the TLS-ALPN-01 challenge to generate and renew ACME certificates by provisioning a TLS certificate.

As described on the Let's Encrypt community forum, when using the TLS-ALPN-01 challenge, Traefik must be reachable by Let's Encrypt through port 443.

Configuring the tlsChallenge

File (TOML):

[certificatesResolvers.sample.acme]
  # ...
  [certificatesResolvers.sample.acme.tlsChallenge]

File (YAML):

certificatesResolvers:
  sample:
    acme:
      # ...
      tlsChallenge: {}

CLI:

# ...
--certificatesResolvers.sample.acme.tlsChallenge=true

httpChallenge

Use the HTTP-01 challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.

As described on the Let's Encrypt community forum, when using the HTTP-01 challenge, the entryPoint named in certificatesResolvers.sample.acme.httpChallenge.entryPoint must be reachable by Let's Encrypt through port 80.

Using an entryPoint called web for the httpChallenge

File (TOML):

[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.web-secure]
    address = ":443"

[certificatesResolvers.sample.acme]
  # ...
  [certificatesResolvers.sample.acme.httpChallenge]
    entryPoint = "web"

File (YAML):

entryPoints:
  web:
    address: ":80"

  web-secure:
    address: ":443"

certificatesResolvers:
  sample:
    acme:
      # ...
      httpChallenge:
        entryPoint: web

CLI:

--entryPoints.web.address=:80
--entryPoints.websecure.address=:443
# ...
--certificatesResolvers.sample.acme.httpChallenge.entryPoint=web

Redirection is fully compatible with the HTTP-01 challenge.

dnsChallenge

Use the DNS-01 challenge to generate and renew ACME certificates by provisioning a DNS record.

Configuring a dnsChallenge with the DigitalOcean provider

File (TOML):

[certificatesResolvers.sample.acme]
  # ...
  [certificatesResolvers.sample.acme.dnsChallenge]
    provider = "digitalocean"
    delayBeforeCheck = 0
# ...

File (YAML):

certificatesResolvers:
  sample:
    acme:
      # ...
      dnsChallenge:
        provider: digitalocean
        delayBeforeCheck: 0
    # ...

CLI:

# ...
--certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
--certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
# ...

Important

provider is mandatory.

providers

Here is a list of supported providers that can automate the DNS verification, along with the required environment variables. Do not hesitate to complete it.

Each lego environment variable can be overridden by its respective _FILE counterpart, which should hold the path to a file that contains the secret. For example, CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email could be used to provide a Cloudflare API email address as a Docker secret named traefik_cf-api-email.

Provider Name | Provider Code | Environment Variables | Reference
--- | --- | --- | ---
ACME DNS | acme-dns | ACME_DNS_API_BASE, ACME_DNS_STORAGE_PATH | Additional configuration
Alibaba Cloud | alidns | ALICLOUD_ACCESS_KEY, ALICLOUD_SECRET_KEY, ALICLOUD_REGION_ID | Additional configuration
Auroradns | auroradns | AURORA_USER_ID, AURORA_KEY, AURORA_ENDPOINT | Additional configuration
Autodns | autodns | AUTODNS_API_USER, AUTODNS_API_PASSWORD | Additional configuration
Azure | azure | AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID, AZURE_TENANT_ID, AZURE_RESOURCE_GROUP, [AZURE_METADATA_ENDPOINT] | Additional configuration
Bindman | bindman | BINDMAN_MANAGER_ADDRESS | Additional configuration
Blue Cat | bluecat | BLUECAT_SERVER_URL, BLUECAT_USER_NAME, BLUECAT_PASSWORD, BLUECAT_CONFIG_NAME, BLUECAT_DNS_VIEW | Additional configuration
ClouDNS | cloudns | CLOUDNS_AUTH_ID, CLOUDNS_AUTH_PASSWORD | Additional configuration
Cloudflare | cloudflare | CF_API_EMAIL, CF_API_KEY [5] or CF_DNS_API_TOKEN, [CF_ZONE_API_TOKEN] | Additional configuration
CloudXNS | cloudxns | CLOUDXNS_API_KEY, CLOUDXNS_SECRET_KEY | Additional configuration
ConoHa | conoha | CONOHA_TENANT_ID, CONOHA_API_USERNAME, CONOHA_API_PASSWORD | Additional configuration
DigitalOcean | digitalocean | DO_AUTH_TOKEN | Additional configuration
DNSimple | dnsimple | DNSIMPLE_OAUTH_TOKEN, DNSIMPLE_BASE_URL | Additional configuration
DNS Made Easy | dnsmadeeasy | DNSMADEEASY_API_KEY, DNSMADEEASY_API_SECRET, DNSMADEEASY_SANDBOX | Additional configuration
DNSPod | dnspod | DNSPOD_API_KEY | Additional configuration
Domain Offensive (do.de) | dode | DODE_TOKEN | Additional configuration
DreamHost | dreamhost | DREAMHOST_API_KEY | Additional configuration
Duck DNS | duckdns | DUCKDNS_TOKEN | Additional configuration
Dyn | dyn | DYN_CUSTOMER_NAME, DYN_USER_NAME, DYN_PASSWORD | Additional configuration
EasyDNS | easydns | EASYDNS_TOKEN, EASYDNS_KEY | Additional configuration
External program | exec | EXEC_PATH | Additional configuration
Exoscale | exoscale | EXOSCALE_API_KEY, EXOSCALE_API_SECRET, EXOSCALE_ENDPOINT | Additional configuration
Fast DNS | fastdns | AKAMAI_CLIENT_TOKEN, AKAMAI_CLIENT_SECRET, AKAMAI_ACCESS_TOKEN | Additional configuration
Gandi | gandi | GANDI_API_KEY | Additional configuration
Gandi v5 | gandiv5 | GANDIV5_API_KEY | Additional configuration
Glesys | glesys | GLESYS_API_USER, GLESYS_API_KEY, GLESYS_DOMAIN | Additional configuration
GoDaddy | godaddy | GODADDY_API_KEY, GODADDY_API_SECRET | Additional configuration
Google Cloud DNS | gcloud | GCE_PROJECT, Application Default Credentials [2] [3], [GCE_SERVICE_ACCOUNT_FILE] | Additional configuration
hosting.de | hostingde | HOSTINGDE_API_KEY, HOSTINGDE_ZONE_NAME | Additional configuration
HTTP request | httpreq | HTTPREQ_ENDPOINT, HTTPREQ_MODE, HTTPREQ_USERNAME, HTTPREQ_PASSWORD [1] | Additional configuration
IIJ | iij | IIJ_API_ACCESS_KEY, IIJ_API_SECRET_KEY, IIJ_DO_SERVICE_CODE | Additional configuration
INWX | inwx | INWX_USERNAME, INWX_PASSWORD | Additional configuration
Joker.com | joker | JOKER_API_KEY or JOKER_USERNAME, JOKER_PASSWORD | Additional configuration
Lightsail | lightsail | AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, DNS_ZONE | Additional configuration
Linode | linode | LINODE_API_KEY | Additional configuration
Linode v4 | linodev4 | LINODE_TOKEN | Additional configuration
Liquid Web | liquidweb | LIQUID_WEB_PASSWORD, LIQUID_WEB_USERNAME, LIQUID_WEB_ZONE | Additional configuration
manual | - | none, but you need to run Traefik interactively [4], turn on the debug log to see instructions and press Enter. |
MyDNS.jp | mydnsjp | MYDNSJP_MASTER_ID, MYDNSJP_PASSWORD | Additional configuration
Namecheap | namecheap | NAMECHEAP_API_USER, NAMECHEAP_API_KEY | Additional configuration
name.com | namedotcom | NAMECOM_USERNAME, NAMECOM_API_TOKEN, NAMECOM_SERVER | Additional configuration
Namesilo | namesilo | NAMESILO_API_KEY | Additional configuration
Netcup | netcup | NETCUP_CUSTOMER_NUMBER, NETCUP_API_KEY, NETCUP_API_PASSWORD | Additional configuration
NIFCloud | nifcloud | NIFCLOUD_ACCESS_KEY_ID, NIFCLOUD_SECRET_ACCESS_KEY | Additional configuration
Ns1 | ns1 | NS1_API_KEY | Additional configuration
Open Telekom Cloud | otc | OTC_DOMAIN_NAME, OTC_USER_NAME, OTC_PASSWORD, OTC_PROJECT_NAME, OTC_IDENTITY_ENDPOINT | Additional configuration
OVH | ovh | OVH_ENDPOINT, OVH_APPLICATION_KEY, OVH_APPLICATION_SECRET, OVH_CONSUMER_KEY | Additional configuration
Openstack Designate | designate | OS_AUTH_URL, OS_USERNAME, OS_PASSWORD, OS_TENANT_NAME, OS_REGION_NAME | Additional configuration
Oracle Cloud | oraclecloud | OCI_COMPARTMENT_OCID, OCI_PRIVKEY_FILE, OCI_PRIVKEY_PASS, OCI_PUBKEY_FINGERPRINT, OCI_REGION, OCI_TENANCY_OCID, OCI_USER_OCID | Additional configuration
PowerDNS | pdns | PDNS_API_KEY, PDNS_API_URL | Additional configuration
Rackspace | rackspace | RACKSPACE_USER, RACKSPACE_API_KEY | Additional configuration
RFC2136 | rfc2136 | RFC2136_TSIG_KEY, RFC2136_TSIG_SECRET, RFC2136_TSIG_ALGORITHM, RFC2136_NAMESERVER | Additional configuration
Route 53 | route53 | AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, [AWS_REGION], [AWS_HOSTED_ZONE_ID] or a configured user/instance IAM profile | Additional configuration
Sakura Cloud | sakuracloud | SAKURACLOUD_ACCESS_TOKEN, SAKURACLOUD_ACCESS_TOKEN_SECRET | Additional configuration
Selectel | selectel | SELECTEL_API_TOKEN | Additional configuration
Stackpath | stackpath | STACKPATH_CLIENT_ID, STACKPATH_CLIENT_SECRET, STACKPATH_STACK_ID | Additional configuration
TransIP | transip | TRANSIP_ACCOUNT_NAME, TRANSIP_PRIVATE_KEY_PATH | Additional configuration
VegaDNS | vegadns | SECRET_VEGADNS_KEY, SECRET_VEGADNS_SECRET, VEGADNS_URL | Additional configuration
Versio | versio | VERSIO_USERNAME, VERSIO_PASSWORD | Additional configuration
Vscale | vscale | VSCALE_API_TOKEN | Additional configuration
VULTR | vultr | VULTR_API_KEY | Additional configuration
Zone.ee | zoneee | ZONEEE_API_USER, ZONEEE_API_KEY | Additional configuration
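An added Python example, not Traefik's or lego's own code, of the _FILE convention described before the table, applied to the DigitalOcean and Cloudflare variables listed in it. It assumes that the plain variable is used when set and the _FILE path is read only otherwise, and it strips the trailing newline that Docker secret files commonly carry, a frequent cause of "invalid token" failures. The provider map is a constructed subset of the table, and the secret file the demo writes is constructed for the demo.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Credential variables for two providers from the table on this page (constructed subset).
# Each provider has one or more alternative credential sets; any complete set is enough
# (Cloudflare accepts the global email/key pair or a scoped DNS API token).
PROVIDER_ENV: Dict[str, List[List[str]]] = {
    "digitalocean": [["DO_AUTH_TOKEN"]],
    "cloudflare": [["CF_API_EMAIL", "CF_API_KEY"], ["CF_DNS_API_TOKEN"]],
}


def resolve_secret(name: str, env: Dict[str, str]) -> Optional[str]:
    """Return the value for NAME: the plain variable when set, otherwise the contents
    of the file named by NAME_FILE with surrounding whitespace/newline stripped.
    Assumption: the plain variable is consulted first, the _FILE path second.
    Returns None when neither source yields a non-empty value."""
    value = env.get(name, "")
    if value:
        return value
    file_path = env.get(f"{name}_FILE", "")
    if not file_path:
        return None
    try:
        content = Path(file_path).read_text(encoding="utf-8").strip()
    except OSError:
        return None  # unreadable or missing secret file counts as not provided
    return content or None


def missing_for_provider(provider: str, env: Dict[str, str]) -> List[str]:
    """Return [] if any alternative credential set resolves completely; otherwise the
    names missing from the first (preferred) alternative, so the operator knows what
    to supply before enabling the dnsChallenge for that provider."""
    alternatives = PROVIDER_ENV[provider]
    for names in alternatives:
        if all(resolve_secret(n, env) is not None for n in names):
            return []
    return [n for n in alternatives[0] if resolve_secret(n, env) is None]


def demo() -> Dict[str, object]:
    """Constructed scenario: a DigitalOcean token mounted as a Docker-secret-style file."""
    secret_dir = tempfile.mkdtemp()
    token_file = os.path.join(secret_dir, "traefik_do-auth-token")
    with open(token_file, "w", encoding="utf-8") as fh:
        fh.write("do-token-constructed-for-demo\n")  # trailing newline on purpose
    os.chmod(token_file, 0o400)
    env_with_file = {"DO_AUTH_TOKEN_FILE": token_file}
    env_with_both = {"DO_AUTH_TOKEN": "plain-wins", "DO_AUTH_TOKEN_FILE": token_file}
    return {
        "from_file": resolve_secret("DO_AUTH_TOKEN", env_with_file),
        "plain_wins": resolve_secret("DO_AUTH_TOKEN", env_with_both),
        "digitalocean_missing": missing_for_provider("digitalocean", {}),
        "digitalocean_ok": missing_for_provider("digitalocean", env_with_file),
        "cloudflare_token_ok": missing_for_provider("cloudflare", {"CF_DNS_API_TOKEN": "t"}),
        "cloudflare_partial": missing_for_provider("cloudflare", {"CF_API_EMAIL": "ops@example.com"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Keeping provider credentials in files rather than in the environment limits their exposure to anything that can read the process environment (docker inspect, /proc, crash dumps); the check runs before Traefik is started so a misconfigured resolver fails early rather than burning Let's Encrypt rate limits on failed challenges.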

delayBeforeCheck

By default, the provider verifies the TXT record before letting ACME verify. You can delay this operation by specifying a delay (in seconds) with delayBeforeCheck (the value must be greater than zero). This option is useful when internal networks block external DNS queries.

resolvers

Use custom DNS servers to resolve the FQDN authority.

File (TOML):

[certificatesResolvers.sample.acme]
  # ...
  [certificatesResolvers.sample.acme.dnsChallenge]
    # ...
    resolvers = ["1.1.1.1:53", "8.8.8.8:53"]

File (YAML):

certificatesResolvers:
  sample:
    acme:
      # ...
      dnsChallenge:
        # ...
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

CLI:

# ...
--certificatesResolvers.sample.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53

Wildcard Domains

ACME V2 supports wildcard certificates. As described in Let's Encrypt's post on wildcard certificates, they can only be generated through a DNS-01 challenge.

More Configuration

caServer

Using the Let's Encrypt staging server

File (TOML):

[certificatesResolvers.sample.acme]
  # ...
  caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  # ...

File (YAML):

certificatesResolvers:
  sample:
    acme:
      # ...
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      # ...

CLI:

# ...
--certificatesResolvers.sample.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
# ...

storage

The storage option sets the location where your ACME certificates are saved to.

File (TOML):

[certificatesResolvers.sample.acme]
  # ...
  storage = "acme.json"
  # ...

File (YAML):

certificatesResolvers:
  sample:
    acme:
      # ...
      storage: acme.json
      # ...

CLI:

# ...
--certificatesResolvers.sample.acme.storage=acme.json
# ...

The value can refer to some kinds of storage:

  • a JSON file

In a File

ACME certificates can be stored in a JSON file that needs to have a 600 file mode.

In Docker you can mount either the JSON file, or the folder containing it:

docker run -v "/my/host/acme.json:/acme.json" traefik
docker run -v "/my/host/acme:/etc/traefik/acme" traefik

Warning

This file cannot be shared across multiple instances of Traefik at the same time (concurrency reasons).
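An added Python example, not part of Traefik, for auditing the storage file described above before (or after) deploying: it writes a constructed acme.json, checks that the file carries the 600 mode this section requires, flags group/world access, confirms each resolver still holds its ACME account key and each certificate its private key, and lists the main domains per resolver. The per-resolver layout with Account and Certificates objects is an assumption about the v2 file format, and every value inside the sample is constructed, not a real key.

```python
from __future__ import annotations

import base64
import json
import os
import stat
import tempfile
from typing import Dict, List

# Assumed Traefik v2 acme.json layout: one object per certificate resolver holding the
# ACME account and the issued certificates. All values below are constructed placeholders.
SAMPLE_ACME = {
    "sample": {
        "Account": {
            "Email": "your-email@example.com",
            "Registration": {"body": {"status": "valid"}},
            "PrivateKey": base64.b64encode(b"constructed-account-key").decode(),
            "KeyType": "4096",
        },
        "Certificates": [
            {
                "domain": {"main": "company.com", "sans": ["blog.company.org"]},
                "certificate": base64.b64encode(b"constructed-cert-pem").decode(),
                "key": base64.b64encode(b"constructed-cert-key-pem").decode(),
            }
        ],
    }
}


def write_sample(directory: str, mode: int) -> str:
    """Write the constructed acme.json into DIRECTORY with the given file mode."""
    path = os.path.join(directory, "acme.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_ACME, fh)
    os.chmod(path, mode)
    return path


def check_acme_storage(path: str) -> List[str]:
    """Return findings for an acme.json; an empty list means nothing was flagged.
    The file holds the ACME account key and every issued private key, so the
    600 mode the page requires is the first thing to verify."""
    findings: List[str] = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o600:
        findings.append(f"file mode is {mode:04o}, expected 0600")
    if mode & 0o077:
        findings.append("file is accessible to group or others")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    for resolver, blob in data.items():
        if not blob.get("Account", {}).get("PrivateKey"):
            findings.append(f"resolver {resolver}: no account private key stored")
        for entry in blob.get("Certificates") or []:
            main = entry.get("domain", {}).get("main", "?")
            if not entry.get("certificate"):
                findings.append(f"resolver {resolver}, {main}: certificate missing")
            if not entry.get("key"):
                findings.append(f"resolver {resolver}, {main}: private key missing")
    return findings


def certificate_domains(path: str) -> Dict[str, List[str]]:
    """Map each resolver to the main domains it currently holds certificates for."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return {
        resolver: [e["domain"]["main"] for e in blob.get("Certificates") or []]
        for resolver, blob in data.items()
    }


def demo() -> Dict[str, object]:
    """Compare a world-readable acme.json with a correctly protected one."""
    loose = write_sample(tempfile.mkdtemp(), 0o644)
    tight = write_sample(tempfile.mkdtemp(), 0o600)
    return {
        "loose": check_acme_storage(loose),
        "tight": check_acme_storage(tight),
        "domains": certificate_domains(tight),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point check_acme_storage at the mounted path from the docker run examples above (for instance /my/host/acme.json on the host) as part of a deployment check; a non-empty result for the mode findings means the bind-mounted file was created or copied with the host's default umask rather than the 600 mode this section requires.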

Fallback

If Let's Encrypt is not reachable, the following certificates will apply:

  1. Previously generated ACME certificates (before downtime)
  2. Expired ACME certificates
  3. Provided certificates

Important

For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.


  1. More information about the HTTP message format can be found here.

  2. providing_credentials_to_your_application

  3. google/default.go

  4. docker stack remark: there is no way to attach a terminal to a container when deploying with docker stack, so you might need to run the container with docker run -it to generate certificates using the manual provider.

  5. The Global API Key needs to be used, not the Origin CA Key.