Let's Encrypt

Automatic HTTPS

You can configure Traefik to use an ACME provider (like Let's Encrypt) for automatic certificate generation.

Let's Encrypt and Rate Limiting

Note that the Let's Encrypt API has rate limiting.

Use the Let's Encrypt staging server with the caServer configuration option when experimenting, to avoid hitting this limit too fast.

Certificate Resolvers

Traefik requires you to define "Certificate Resolvers" in the static configuration, which are responsible for retrieving certificates from an ACME server.

Then, each "router" is configured to enable TLS, and is associated with a certificate resolver through the tls.certresolver configuration option.

Certificates are requested for domain names retrieved from the router's dynamic configuration.

You can read more about this retrieval mechanism in the following section: ACME Domain Definition.

Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must reference it.

Configuration Reference

There are many available options for ACME. For a quick glance at what's possible, browse the configuration reference:

File (TOML)

# Enable ACME (Let's Encrypt): automatic SSL.
[certificatesResolvers.myresolver.acme]

  # Email address used for registration.
  #
  # Required
  #
  email = "your-email@example.com"

  # File or key used for certificates storage.
  #
  # Required
  #
  storage = "acme.json"

  # CA server to use.
  # Uncomment the line to use Let's Encrypt's staging server,
  # leave commented to go to prod.
  #
  # Optional
  # Default: "https://acme-v02.api.letsencrypt.org/directory"
  #
  # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"

  # KeyType to use.
  #
  # Optional
  # Default: "RSA4096"
  #
  # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
  #
  # keyType = "RSA4096"

  # Use a TLS-ALPN-01 ACME challenge.
  #
  # Optional (but recommended)
  #
  [certificatesResolvers.myresolver.acme.tlsChallenge]

  # Use a HTTP-01 ACME challenge.
  #
  # Optional
  #
  # [certificatesResolvers.myresolver.acme.httpChallenge]

    # EntryPoint to use for the HTTP-01 challenges.
    #
    # Required
    #
    # entryPoint = "web"

  # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
  # Note: mandatory for wildcard certificate generation.
  #
  # Optional
  #
  # [certificatesResolvers.myresolver.acme.dnsChallenge]

    # DNS provider used.
    #
    # Required
    #
    # provider = "digitalocean"

    # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
    # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
    # Useful if internal networks block external DNS queries.
    #
    # Optional
    # Default: 0
    #
    # delayBeforeCheck = 0

    # Use following DNS servers to resolve the FQDN authority.
    #
    # Optional
    # Default: empty
    #
    # resolvers = ["1.1.1.1:53", "8.8.8.8:53"]

    # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
    #
    # NOT RECOMMENDED:
    # Increase the risk of reaching Let's Encrypt's rate limits.
    #
    # Optional
    # Default: false
    #
    # disablePropagationCheck = true

File (YAML)

certificatesResolvers:
  myresolver:
    # Enable ACME (Let's Encrypt): automatic SSL.
    acme:

      # Email address used for registration.
      #
      # Required
      #
      email: "your-email@example.com"

      # File or key used for certificates storage.
      #
      # Required
      #
      storage: "acme.json"

      # CA server to use.
      # Uncomment the line to use Let's Encrypt's staging server,
      # leave commented to go to prod.
      #
      # Optional
      # Default: "https://acme-v02.api.letsencrypt.org/directory"
      #
      # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"

      # KeyType to use.
      #
      # Optional
      # Default: "RSA4096"
      #
      # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
      #
      # keyType: RSA4096

      # Use a TLS-ALPN-01 ACME challenge.
      #
      # Optional (but recommended)
      #
      tlsChallenge:

      # Use a HTTP-01 ACME challenge.
      #
      # Optional
      #
      # httpChallenge:

        # EntryPoint to use for the HTTP-01 challenges.
        #
        # Required
        #
        # entryPoint: web

      # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
      # Note: mandatory for wildcard certificate generation.
      #
      # Optional
      #
      # dnsChallenge:

        # DNS provider used.
        #
        # Required
        #
        # provider: digitalocean

        # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
        # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
        # Useful if internal networks block external DNS queries.
        #
        # Optional
        # Default: 0
        #
        # delayBeforeCheck: 0

        # Use following DNS servers to resolve the FQDN authority.
        #
        # Optional
        # Default: empty
        #
        # resolvers:
        # - "1.1.1.1:53"
        # - "8.8.8.8:53"

        # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
        #
        # NOT RECOMMENDED:
        # Increase the risk of reaching Let's Encrypt's rate limits.
        #
        # Optional
        # Default: false
        #
        # disablePropagationCheck: true

CLI

# Enable ACME (Let's Encrypt): automatic SSL.

# Email address used for registration.
#
# Required
#
--certificatesresolvers.myresolver.acme.email=your-email@example.com

# File or key used for certificates storage.
#
# Required
#
--certificatesresolvers.myresolver.acme.storage=acme.json

# CA server to use.
# Uncomment the line to use Let's Encrypt's staging server,
# leave commented to go to prod.
#
# Optional
# Default: "https://acme-v02.api.letsencrypt.org/directory"
#
--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory

# KeyType to use.
#
# Optional
# Default: "RSA4096"
#
# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
#
--certificatesresolvers.myresolver.acme.keytype=RSA4096

# Use a TLS-ALPN-01 ACME challenge.
#
# Optional (but recommended)
#
--certificatesresolvers.myresolver.acme.tlschallenge=true

# Use a HTTP-01 ACME challenge.
#
# Optional
#
--certificatesresolvers.myresolver.acme.httpchallenge=true

# EntryPoint to use for the HTTP-01 challenges.
#
# Required
#
--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web

# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
# Note: mandatory for wildcard certificate generation.
#
# Optional
#
--certificatesresolvers.myresolver.acme.dnschallenge=true

# DNS provider used.
#
# Required
#
--certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean

# By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
# If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
# Useful if internal networks block external DNS queries.
#
# Optional
# Default: 0
#
--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0

# Use following DNS servers to resolve the FQDN authority.
#
# Optional
# Default: empty
#
--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53

# Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
#
# NOT RECOMMENDED:
# Increase the risk of reaching Let's Encrypt's rate limits.
#
# Optional
# Default: false
#
--certificatesresolvers.myresolver.acme.dnschallenge.disablepropagationcheck=true

Domain Definition

Certificate resolvers request certificates for the set of domain names inferred from routers, using the following logic:

Please note:

Please check the configuration examples below for more details.

Configuration Examples

Enable ACME

File (TOML)

[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.websecure]
    address = ":443"

[certificatesResolvers.myresolver.acme]
  email = "your-email@example.com"
  storage = "acme.json"
  [certificatesResolvers.myresolver.acme.httpChallenge]
    # used during the challenge
    entryPoint = "web"

File (YAML)

entryPoints:
  web:
    address: ":80"

  websecure:
    address: ":443"

certificatesResolvers:
  myresolver:
    acme:
      email: your-email@example.com
      storage: acme.json
      httpChallenge:
        # used during the challenge
        entryPoint: web

CLI

--entrypoints.web.address=:80
--entrypoints.websecure.address=:443
# ...
--certificatesresolvers.myresolver.acme.email=your-email@example.com
--certificatesresolvers.myresolver.acme.storage=acme.json
# used during the challenge
--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web

Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must reference it.

Single Domain from Router's Rule Example

  • A certificate for the domain example.com is requested:

Docker

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=myresolver

Docker (Swarm)

## Dynamic configuration
deploy:
  labels:
    - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
    - traefik.http.routers.blog.tls=true
    - traefik.http.routers.blog.tls.certresolver=myresolver
    - traefik.http.services.blog-svc.loadbalancer.server.port=8080

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: blogtls
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`example.com`) && Path(`/blog`)
    kind: Rule
    services:
    - name: blog
      port: 8080
  tls:
    certResolver: myresolver

Marathon

labels: {
  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
  "traefik.http.routers.blog.tls": "true",
  "traefik.http.routers.blog.tls.certresolver": "myresolver",
  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
}

Rancher

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=myresolver

File (TOML)

## Dynamic configuration
[http.routers]
  [http.routers.blog]
    rule = "Host(`example.com`) && Path(`/blog`)"
    [http.routers.blog.tls]
      certResolver = "myresolver"

File (YAML)

## Dynamic configuration
http:
  routers:
    blog:
      rule: "Host(`example.com`) && Path(`/blog`)"
      tls:
        certResolver: myresolver
Multiple Domains from Router's Rule Example

  • A certificate for the domains example.com (main) and blog.example.org is requested:

Docker

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=myresolver

Docker (Swarm)

## Dynamic configuration
deploy:
  labels:
    - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
    - traefik.http.routers.blog.tls=true
    - traefik.http.routers.blog.tls.certresolver=myresolver
    - traefik.http.services.blog-svc.loadbalancer.server.port=8080

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: blogtls
spec:
  entryPoints:
    - websecure
  routes:
  - match: (Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
    kind: Rule
    services:
    - name: blog
      port: 8080
  tls:
    certResolver: myresolver

Marathon

labels: {
  "traefik.http.routers.blog.rule": "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)",
  "traefik.http.routers.blog.tls": "true",
  "traefik.http.routers.blog.tls.certresolver": "myresolver",
  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
}

Rancher

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=myresolver

File (TOML)

## Dynamic configuration
[http.routers]
  [http.routers.blog]
    rule = "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
    [http.routers.blog.tls]
      certResolver = "myresolver"

File (YAML)

## Dynamic configuration
http:
  routers:
    blog:
      rule: "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
      tls:
        certResolver: myresolver
Multiple Domains from Router's tls.domain Example

  • A certificate for the domains example.com (main) and *.example.org (SAN) is requested:

Docker

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=myresolver
  - traefik.http.routers.blog.tls.domains[0].main=example.org
  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org

Docker (Swarm)

## Dynamic configuration
deploy:
  labels:
    - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
    - traefik.http.services.blog-svc.loadbalancer.server.port=8080
    - traefik.http.routers.blog.tls=true
    - traefik.http.routers.blog.tls.certresolver=myresolver
    - traefik.http.routers.blog.tls.domains[0].main=example.org
    - traefik.http.routers.blog.tls.domains[0].sans=*.example.org

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: blogtls
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`example.com`) && Path(`/blog`)
    kind: Rule
    services:
    - name: blog
      port: 8080
  tls:
    certResolver: myresolver
    domains:
    - main: example.org
      sans:
      - '*.example.org'

Marathon

labels: {
  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
  "traefik.http.routers.blog.tls": "true",
  "traefik.http.routers.blog.tls.certresolver": "myresolver",
  "traefik.http.routers.blog.tls.domains[0].main": "example.com",
  "traefik.http.routers.blog.tls.domains[0].sans": "*.example.com",
  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
}

Rancher

## Dynamic configuration
labels:
  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=myresolver
  - traefik.http.routers.blog.tls.domains[0].main=example.org
  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org

File (TOML)

## Dynamic configuration
[http.routers]
  [http.routers.blog]
    rule = "Host(`example.com`) && Path(`/blog`)"
    [http.routers.blog.tls]
      certResolver = "myresolver" # From static configuration
      [[http.routers.blog.tls.domains]]
        main = "example.org"
        sans = ["*.example.org"]

File (YAML)

## Dynamic configuration
http:
  routers:
    blog:
      rule: "Host(`example.com`) && Path(`/blog`)"
      tls:
        certResolver: myresolver
        domains:
          - main: "example.org"
            sans:
              - "*.example.org"

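As an added example (not code from the Traefik project or from this page), the following Python reconstructs the domain derivation that the three examples above show: an explicit tls.domains entry is used as-is, otherwise the Host() names in the router's rule become the certificate's main name and SANs, and a router without a certresolver requests nothing; it also applies the rule stated under Wildcard Domains, that a *.name can only be issued through DNS-01. The Router class, the function names and the rule parsing are this example's own assumptions, not Traefik's implementation.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Host(`a`) and Host(`a`, `b`) matchers as they appear in Traefik router rules.
# HostRegexp(...) and HostHeader(...) are deliberately not matched: only plain
# Host() names are turned into certificate requests in the examples above.
HOST_MATCHER = re.compile(r"Host\(\s*((?:`[^`]*`\s*,?\s*)+)\)")
HOST_NAME = re.compile(r"`([^`]*)`")


@dataclass
class Router:
    """Hypothetical flattened view of one router's dynamic configuration."""
    name: str
    rule: str
    cert_resolver: Optional[str] = None
    # tls.domains as a list of {"main": ..., "sans": [...]} mappings
    domains: List[Dict] = field(default_factory=list)


def hosts_in_rule(rule: str) -> List[str]:
    """Host names from every Host() matcher in the rule, in order, without duplicates."""
    names: List[str] = []
    for matcher in HOST_MATCHER.finditer(rule):
        for name in HOST_NAME.findall(matcher.group(1)):
            if name not in names:
                names.append(name)
    return names


def requested_certificates(router: Router) -> List[Tuple[str, List[str]]]:
    """Domain sets the resolver will ask the CA for, as (main, sans) pairs.

    An explicit tls.domains list is used verbatim; otherwise the Host() names
    of the rule are used, the first one as main and the rest as SANs.
    """
    if not router.cert_resolver:
        return []
    if router.domains:
        return [(d["main"], list(d.get("sans", []))) for d in router.domains]
    hosts = hosts_in_rule(router.rule)
    return [(hosts[0], hosts[1:])] if hosts else []


def wildcard_names_without_dns01(certs: List[Tuple[str, List[str]]],
                                 dns_challenge_enabled: bool) -> List[str]:
    """Names the CA will refuse: wildcards are only available via DNS-01."""
    if dns_challenge_enabled:
        return []
    return [n for main, sans in certs for n in [main, *sans] if n.startswith("*.")]


if __name__ == "__main__":
    # The three routers from the examples above, checked against a resolver
    # that only has tlsChallenge configured (so no DNS-01 available).
    examples = [
        Router("blog", "Host(`example.com`) && Path(`/blog`)", "myresolver"),
        Router("blog", "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)", "myresolver"),
        Router("blog", "Host(`example.com`) && Path(`/blog`)", "myresolver",
               [{"main": "example.org", "sans": ["*.example.org"]}]),
    ]
    for r in examples:
        certs = requested_certificates(r)
        print(r.rule, "->", certs)
        for name in wildcard_names_without_dns01(certs, dns_challenge_enabled=False):
            print("  refused:", name, "needs a dnsChallenge on the resolver")
```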
Automatic Renewals

Traefik automatically tracks the expiry date of ACME certificates it generates.

If there are less than 30 days remaining before the certificate expires, Traefik will attempt to renew it automatically.

Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.

Using LetsEncrypt with Kubernetes

When using LetsEncrypt with Kubernetes, there are some known caveats with both the ingress and crd providers.

If you intend to run multiple instances of Traefik with LetsEncrypt, please ensure you read the sections on those provider pages.

The Different ACME Challenges

Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must reference it.

tlsChallenge

Use the TLS-ALPN-01 challenge to generate and renew ACME certificates by provisioning a TLS certificate.

As described on the Let's Encrypt community forum, when using the TLS-ALPN-01 challenge, Traefik must be reachable by Let's Encrypt through port 443.

Configuring the tlsChallenge

File (TOML)

[certificatesResolvers.myresolver.acme]
  # ...
  [certificatesResolvers.myresolver.acme.tlsChallenge]

File (YAML)

certificatesResolvers:
  myresolver:
    acme:
      # ...
      tlsChallenge: {}

CLI

# ...
--certificatesresolvers.myresolver.acme.tlschallenge=true

httpChallenge

Use the HTTP-01 challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.

As described on the Let's Encrypt community forum, when using the HTTP-01 challenge, certificatesresolvers.myresolver.acme.httpchallenge.entrypoint must be reachable by Let's Encrypt through port 80.

httpChallenge using an EntryPoint called web

File (TOML)

[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.websecure]
    address = ":443"

[certificatesResolvers.myresolver.acme]
  # ...
  [certificatesResolvers.myresolver.acme.httpChallenge]
    entryPoint = "web"

File (YAML)

entryPoints:
  web:
    address: ":80"

  websecure:
    address: ":443"

certificatesResolvers:
  myresolver:
    acme:
      # ...
      httpChallenge:
        entryPoint: web

CLI

--entrypoints.web.address=:80
--entrypoints.websecure.address=:443
# ...
--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web

Redirection is fully compatible with the HTTP-01 challenge.

dnsChallenge

Use the DNS-01 challenge to generate and renew ACME certificates by provisioning a DNS record.

Configuring a dnsChallenge with the DigitalOcean provider

File (TOML)

[certificatesResolvers.myresolver.acme]
  # ...
  [certificatesResolvers.myresolver.acme.dnsChallenge]
    provider = "digitalocean"
    delayBeforeCheck = 0
# ...

File (YAML)

certificatesResolvers:
  myresolver:
    acme:
      # ...
      dnsChallenge:
        provider: digitalocean
        delayBeforeCheck: 0
    # ...

CLI

# ...
--certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean
--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
# ...

Important

provider is mandatory.

providers

Here is a list of supported providers, which can automate the DNS verification, along with the required environment variables and their wildcard & root domain support. Do not hesitate to complete it.

Many lego environment variables can be overridden by their respective _FILE counterpart, which should have a filepath to a file that contains the secret value. For example, CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email could be used to provide a Cloudflare API email address as a Docker secret named traefik_cf-api-email.

For complete details, refer to each provider's additional configuration page in the lego documentation.

Provider Name | Provider Code | Environment Variables
ACME DNS | acme-dns | ACME_DNS_API_BASE, ACME_DNS_STORAGE_PATH
Alibaba Cloud | alidns | ALICLOUD_ACCESS_KEY, ALICLOUD_SECRET_KEY, ALICLOUD_REGION_ID
ArvanCloud | arvancloud | ARVANCLOUD_API_KEY
Auroradns | auroradns | AURORA_USER_ID, AURORA_KEY, AURORA_ENDPOINT
Autodns | autodns | AUTODNS_API_USER, AUTODNS_API_PASSWORD
Azure | azure | AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID, AZURE_TENANT_ID, AZURE_RESOURCE_GROUP, [AZURE_METADATA_ENDPOINT]
Bindman | bindman | BINDMAN_MANAGER_ADDRESS
Blue Cat | bluecat | BLUECAT_SERVER_URL, BLUECAT_USER_NAME, BLUECAT_PASSWORD, BLUECAT_CONFIG_NAME, BLUECAT_DNS_VIEW
Checkdomain | checkdomain | CHECKDOMAIN_TOKEN
CloudDNS | clouddns | CLOUDDNS_CLIENT_ID, CLOUDDNS_EMAIL, CLOUDDNS_PASSWORD
ClouDNS | cloudns | CLOUDNS_AUTH_ID, CLOUDNS_AUTH_PASSWORD
Cloudflare | cloudflare | CF_API_EMAIL, CF_API_KEY [5] or CF_DNS_API_TOKEN, [CF_ZONE_API_TOKEN]
CloudXNS | cloudxns | CLOUDXNS_API_KEY, CLOUDXNS_SECRET_KEY
ConoHa | conoha | CONOHA_TENANT_ID, CONOHA_API_USERNAME, CONOHA_API_PASSWORD
Constellix | constellix | CONSTELLIX_API_KEY, CONSTELLIX_SECRET_KEY
deSEC | desec | DESEC_TOKEN
DigitalOcean | digitalocean | DO_AUTH_TOKEN
DNSimple | dnsimple | DNSIMPLE_OAUTH_TOKEN, DNSIMPLE_BASE_URL
DNS Made Easy | dnsmadeeasy | DNSMADEEASY_API_KEY, DNSMADEEASY_API_SECRET, DNSMADEEASY_SANDBOX
DNSPod | dnspod | DNSPOD_API_KEY
Domain Offensive (do.de) | dode | DODE_TOKEN
DreamHost | dreamhost | DREAMHOST_API_KEY
Duck DNS | duckdns | DUCKDNS_TOKEN
Dyn | dyn | DYN_CUSTOMER_NAME, DYN_USER_NAME, DYN_PASSWORD
Dynu | dynu | DYNU_API_KEY
EasyDNS | easydns | EASYDNS_TOKEN, EASYDNS_KEY
External program | exec | EXEC_PATH
Exoscale | exoscale | EXOSCALE_API_KEY, EXOSCALE_API_SECRET, EXOSCALE_ENDPOINT
Fast DNS | fastdns | AKAMAI_CLIENT_TOKEN, AKAMAI_CLIENT_SECRET, AKAMAI_ACCESS_TOKEN
Gandi | gandi | GANDI_API_KEY
Gandi v5 | gandiv5 | GANDIV5_API_KEY
Glesys | glesys | GLESYS_API_USER, GLESYS_API_KEY, GLESYS_DOMAIN
GoDaddy | godaddy | GODADDY_API_KEY, GODADDY_API_SECRET
Google Cloud DNS | gcloud | GCE_PROJECT, Application Default Credentials [2] [3], [GCE_SERVICE_ACCOUNT_FILE]
Hetzner | hetzner | HETZNER_API_KEY
hosting.de | hostingde | HOSTINGDE_API_KEY, HOSTINGDE_ZONE_NAME
HTTP request | httpreq | HTTPREQ_ENDPOINT, HTTPREQ_MODE, HTTPREQ_USERNAME, HTTPREQ_PASSWORD [1]
IIJ | iij | IIJ_API_ACCESS_KEY, IIJ_API_SECRET_KEY, IIJ_DO_SERVICE_CODE
INWX | inwx | INWX_USERNAME, INWX_PASSWORD
Joker.com | joker | JOKER_API_KEY or JOKER_USERNAME, JOKER_PASSWORD
Lightsail | lightsail | AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, DNS_ZONE
Linode | linode | LINODE_API_KEY
Linode v4 | linodev4 | LINODE_TOKEN
Liquid Web | liquidweb | LIQUID_WEB_PASSWORD, LIQUID_WEB_USERNAME, LIQUID_WEB_ZONE
LuaDNS | luadns | LUADNS_API_USERNAME, LUADNS_API_TOKEN
manual | manual | none, but you need to run Traefik interactively [4], turn on debug log to see instructions and press Enter.
MyDNS.jp | mydnsjp | MYDNSJP_MASTER_ID, MYDNSJP_PASSWORD
Mythic Beasts | mythicbeasts | MYTHICBEASTS_USER_NAME, MYTHICBEASTS_PASSWORD
Namecheap | namecheap | NAMECHEAP_API_USER, NAMECHEAP_API_KEY
name.com | namedotcom | NAMECOM_USERNAME, NAMECOM_API_TOKEN, NAMECOM_SERVER
Namesilo | namesilo | NAMESILO_API_KEY
Netcup | netcup | NETCUP_CUSTOMER_NUMBER, NETCUP_API_KEY, NETCUP_API_PASSWORD
Netlify | netlify | NETLIFY_TOKEN
NIFCloud | nifcloud | NIFCLOUD_ACCESS_KEY_ID, NIFCLOUD_SECRET_ACCESS_KEY
Ns1 | ns1 | NS1_API_KEY
Open Telekom Cloud | otc | OTC_DOMAIN_NAME, OTC_USER_NAME, OTC_PASSWORD, OTC_PROJECT_NAME, OTC_IDENTITY_ENDPOINT
OVH | ovh | OVH_ENDPOINT, OVH_APPLICATION_KEY, OVH_APPLICATION_SECRET, OVH_CONSUMER_KEY
Openstack Designate | designate | OS_AUTH_URL, OS_USERNAME, OS_PASSWORD, OS_TENANT_NAME, OS_REGION_NAME
Oracle Cloud | oraclecloud | OCI_COMPARTMENT_OCID, OCI_PRIVKEY_FILE, OCI_PRIVKEY_PASS, OCI_PUBKEY_FINGERPRINT, OCI_REGION, OCI_TENANCY_OCID, OCI_USER_OCID
PowerDNS | pdns | PDNS_API_KEY, PDNS_API_URL
Rackspace | rackspace | RACKSPACE_USER, RACKSPACE_API_KEY
reg.ru | regru | REGRU_USERNAME, REGRU_PASSWORD
RFC2136 | rfc2136 | RFC2136_TSIG_KEY, RFC2136_TSIG_SECRET, RFC2136_TSIG_ALGORITHM, RFC2136_NAMESERVER
Route 53 | route53 | AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, [AWS_REGION], [AWS_HOSTED_ZONE_ID] or a configured user/instance IAM profile.
RimuHosting | rimuhosting | RIMUHOSTING_API_KEY
Sakura Cloud | sakuracloud | SAKURACLOUD_ACCESS_TOKEN, SAKURACLOUD_ACCESS_TOKEN_SECRET
Scaleway | scaleway | SCALEWAY_API_TOKEN
Selectel | selectel | SELECTEL_API_TOKEN
Servercow | servercow | SERVERCOW_USERNAME, SERVERCOW_PASSWORD
Stackpath | stackpath | STACKPATH_CLIENT_ID, STACKPATH_CLIENT_SECRET, STACKPATH_STACK_ID
TransIP | transip | TRANSIP_ACCOUNT_NAME, TRANSIP_PRIVATE_KEY_PATH
VegaDNS | vegadns | SECRET_VEGADNS_KEY, SECRET_VEGADNS_SECRET, VEGADNS_URL
Versio | versio | VERSIO_USERNAME, VERSIO_PASSWORD
Vscale | vscale | VSCALE_API_TOKEN
VULTR | vultr | VULTR_API_KEY
Yandex | yandex | YANDEX_PDD_TOKEN
Zone.ee | zoneee | ZONEEE_API_USER, ZONEEE_API_KEY
Zonomi | zonomi | ZONOMI_API_KEY

delayBeforeCheck

By default, the provider verifies the TXT record before letting ACME verify. You can delay this operation by specifying a delay (in seconds) with delayBeforeCheck (value must be greater than zero). This option is useful when internal networks block external DNS queries.

resolvers

Use custom DNS servers to resolve the FQDN authority.

File (TOML)

[certificatesResolvers.myresolver.acme]
  # ...
  [certificatesResolvers.myresolver.acme.dnsChallenge]
    # ...
    resolvers = ["1.1.1.1:53", "8.8.8.8:53"]

File (YAML)

certificatesResolvers:
  myresolver:
    acme:
      # ...
      dnsChallenge:
        # ...
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

CLI

# ...
--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53

Wildcard Domains

ACME V2 supports wildcard certificates. As described in Let's Encrypt's post on wildcard certificates, wildcard certificates can only be generated through a DNS-01 challenge.

More Configuration

caServer

Required, Default="https://acme-v02.api.letsencrypt.org/directory"

The CA server to use:

  • Let's Encrypt production server: https://acme-v02.api.letsencrypt.org/directory
  • Let's Encrypt staging server: https://acme-staging-v02.api.letsencrypt.org/directory

Using the Let's Encrypt staging server

File (TOML)

[certificatesResolvers.myresolver.acme]
  # ...
  caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  # ...

File (YAML)

certificatesResolvers:
  myresolver:
    acme:
      # ...
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      # ...

CLI

# ...
--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
# ...

storage

Required, Default="acme.json"

The storage option sets the location where your ACME certificates are saved to.

File (TOML)

[certificatesResolvers.myresolver.acme]
  # ...
  storage = "acme.json"
  # ...

File (YAML)

certificatesResolvers:
  myresolver:
    acme:
      # ...
      storage: acme.json
      # ...

CLI

# ...
--certificatesresolvers.myresolver.acme.storage=acme.json
# ...

ACME certificates are stored in a JSON file that needs to have a 600 file mode.

In Docker you can mount either the JSON file, or the folder containing it:

docker run -v "/my/host/acme.json:/acme.json" traefik
docker run -v "/my/host/acme:/etc/traefik/acme" traefik

Warning

This file cannot be shared across multiple instances of Traefik at the same time, due to concurrency reasons.
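As an added example, not part of this page or of the Traefik project, the following Python audits a storage file before Traefik is started: it checks the 600 mode the text requires (the file holds the ACME account key and every issued certificate's private key) and then walks the resolver / Account / Certificates layout for obvious problems, such as an account that was registered with the staging CA and therefore holds certificates browsers will not trust. The SAMPLE_STORE and the function names are constructed for this example; the layout mirrors what Traefik writes, with the base64 PEM blobs replaced by placeholders.

```python
import json
import os
import stat
import tempfile
from typing import Dict, List

# Constructed stand-in for the acme.json Traefik writes: one resolver, its
# registered account and its issued certificates. The base64 PEM blobs are
# replaced by PLACEHOLDER strings; only the layout matters here.
SAMPLE_STORE = {
    "myresolver": {
        "Account": {
            "Email": "your-email@example.com",
            "Registration": {
                "body": {"status": "valid"},
                "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/PLACEHOLDER",
            },
            "PrivateKey": "PLACEHOLDER-ACCOUNT-KEY",
            "KeyType": "4096",
        },
        "Certificates": [
            {"domain": {"main": "example.com", "sans": []},
             "certificate": "PLACEHOLDER", "key": "PLACEHOLDER", "Store": "default"},
        ],
    }
}


def audit_store_contents(store: Dict) -> List[str]:
    """Sanity checks on the parsed JSON; returns human-readable findings."""
    findings = []
    for resolver, data in store.items():
        account = data.get("Account") or {}
        if not account.get("Email"):
            findings.append(f"{resolver}: no account email registered")
        if "acme-staging" in (account.get("Registration") or {}).get("uri", ""):
            findings.append(f"{resolver}: account registered with the Let's Encrypt "
                            "staging CA; its certificates are not browser-trusted")
        for cert in data.get("Certificates") or []:
            if not cert.get("key"):
                findings.append(f"{resolver}: {cert['domain']['main']} has no private key stored")
    return findings


def audit_storage(path: str) -> List[str]:
    """File-level checks first (the file holds private keys), then content checks."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        findings.append(f"{path}: mode {mode:o}, Traefik requires 600")
    with open(path) as fh:
        findings.extend(audit_store_contents(json.load(fh)))
    return findings


def demo() -> Dict[str, List[str]]:
    """Write the sample store twice, once as required and once world-readable."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, mode in (("ok", 0o600), ("loose", 0o644)):
            path = os.path.join(d, f"acme-{label}.json")
            with open(path, "w") as fh:
                json.dump(SAMPLE_STORE, fh)
            os.chmod(path, mode)
            results[label] = audit_storage(path)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or ["no findings"])
```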

Fallback

If Let's Encrypt is not reachable, the following certificates will apply:

  1. Previously generated ACME certificates (before downtime)
  2. Expired ACME certificates
  3. Provided certificates

Important

For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.


  1. More information about the HTTP message format can be found in the lego documentation for the httpreq provider.

  2. providing_credentials_to_your_application

  3. google/default.go

  4. docker stack remark: there is no way to attach a terminal to a container when deploying with docker stack, so you might need to run the container with docker run -it to generate certificates using the manual provider.

  5. The Global API Key needs to be used, not the Origin CA Key.