Skip to main content

ACME Certificates Resolvers

Configuration Example

certificatesResolvers:
my-resolver:
acme:
email: "[email protected]"
storage: "/path/to/acme.json"
httpChallenge:
entryPoint: "web"

Configuration Options

ACME and distributed ACME certificate resolvers share the following configuration options:

FieldDescriptionDefaultRequired
acme.email/ distributedAcme.emailEmail address used for registration.Yes
acme.caServer / distributedAcme.caServerCA server to use.https://acme-v02.api.letsencrypt.org/directoryNo
acme.preferredChain / distributedAcme.preferredChainPreferred chain to use. If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used.No
acme.keyType / distributedAcme.keyTypeKeyType to use.RSA4096No
acme.eab / distributedAcme.eabEnable external account binding.No
acme.eab.kid / distributedAcme.eab.kidKey identifier from External CA.No
acme.eab.hmacEncoded / distributedAcme.eab.hmacEncodedHMAC key from External CA, should be in Base64 URL Encoding without padding format.No
acme.certificatesDuration / distributedAcme.certificatesDurationThe certificates' duration in hours, exclusively used to determine renewal dates.2160No
acme.dnsChallenge / distributedAcme.dnsChallengeEnable DNS-01 challenge. More information hereNo
acme.dnsChallenge.provider / distributedAcme.dnsChallenge.providerDNS provider to use.No
acme.dnsChallenge.delayBeforeCheck / distributedAcme.dnsChallenge.delayBeforeCheckBy default, the provider will verify the TXT DNS challenge record before letting ACME verify. If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds. Useful if internal networks block external DNS queries.No
acme.dnsChallenge.resolvers / distributedAcme.dnsChallenge.resolversDNS servers to resolve the FQDN authority.No
acme.dnsChallenge.disablePropagationCheck / distributedAcme.dnsChallenge.disablePropagationCheckDisable the DNS propagation checks before notifying ACME that the DNS challenge is ready.No
acme.httpChallenge / distributedAcme.httpChallengeEnable HTTP-01 challenge.No
acme.httpChallenge.entryPoint / distributedAcme.httpChallenge.entryPointEntryPoint to use for the HTTP-01 challenges. Must be reachable by Let's Encrypt through port 80.Yes
acme.tlsChallenge / distributedAcme.tlsChallengeEnable TLS-ALPN-01 challenge. Hub API Gateway must be reachable by Let's Encrypt through port 443No
acme.storageFile path used for certificates storage.Yes
distributedAcme.storage.kubernetesEnable Kubernetes Secret storage.Yes
distributedAcme.storage.vaultEnable Vault storage.No
distributedAcme.storage.vault.urlVault server URL.Yes
distributedAcme.storage.vault.enginePathPath to the Vault KV engine version 2.Yes
distributedAcme.storage.vault.authAuthentication method.Yes
distributedAcme.storage.vault.auth.tokenAuthenticate using a Vault Token.No
distributedAcme.storage.vault.auth.appRoleAuthenticate using a Vault AppRole.No
distributedAcme.storage.vault.auth.appRole.roleIdAppRole RoleID.Yes
distributedAcme.storage.vault.auth.appRole.secretIdAppRole SecretID.Yes
distributedAcme.storage.vault.auth.appRole.pathCustom path under which AppRole authentication is enabled in Vault.approleNo
distributedAcme.storage.vault.auth.kubernetesAuthenticate using a Kubernetes Service Account Token.No
distributedAcme.storage.vault.auth.kubernetes.roleName of the role.Yes
distributedAcme.storage.vault.auth.kubernetes.pathCustom path under which Kubernetes authentication is enabled in Vault.kubernetesNo
distributedAcme.storage.vault.namespaceNamespace of the KV secret engine.No
distributedAcme.storage.vault.syncIntervalSecret synchronization interval.5sNo
distributedAcme.storage.vault.tlsTLS configuration.No
distributedAcme.storage.vault.tls.caPEM-encoded certificate bundle or a path to a file containing the certificate bundle used to establish a TLS connection with the Vault server.No
distributedAcme.storage.vault.tls.certPEM-encoded certificate or a path to a file containing the certificate used to establish a mTLS connection with the Vault server.No
distributedAcme.storage.vault.tls.keyPEM-encoded key or a path to a file containing the key used to establish a mTLS connection with the Vault server.No
distributedAcme.storage.vault.tls.insecureSkipVerifyDisables TLS certificate verification when communicating with Vault server.No

dnsChallenge

The DNS-01 challenge to generate and renew ACME certificates by provisioning a DNS record.

Hub API Gateway relies internally on Lego for ACME. You can find the list of all the supported DNS providers in their documentation with instructions about which environment variables need to be setup.

DNS-01 domain delegation

CNAME are supported and even encouraged.

If needed, CNAME support can be turned off with the following environment variable:

LEGO_DISABLE_CNAME_SUPPORT=true
Multiple DNS Challenge provider

Multiple DNS challenge provider are not supported with Hub API Gateway, but you can use CNAME to handle that. For example, if you have example.org (account foo) and example.com (account bar) you can create a CNAME on example.org called _acme-challenge.example.org pointing to challenge.example.com. This way, you can obtain certificates for example.com with the foo account.

Domain Definition

A certificate resolver requests certificates for a set of domain names inferred from routers, according to the following:

  • If the IngressRoute has a tls.domains option set, then the certificate resolver derives this router domain name from the main option of tls.domains.

  • Otherwise, the certificate resolver derives the domain name from any Host() or HostSNI() matchers in the IngressRoute's rule.

You can set SANs (alternative domains) for each main domain. Every domain must have A/AAAA records pointing to Traefik. Each domain & SAN will lead to a certificate request.

ACME v2 supports wildcard certificates. As described in Let's Encrypt's post wildcard certificates can only be generated through a DNS-01 challenge. It is not possible to request a double wildcard certificate for a domain (for example *.*.local.com).

Most likely the root domain should receive a certificate too, so it needs to be specified as SAN and 2 DNS-01 challenges are invoked. In such a case the generated DNS TXT record for both domains is the same. Even though this behavior is DNS RFC compliant, it can lead to problems as all DNS providers keep DNS records cached for a given time (TTL) and this TTL can be greater than the challenge timeout making the DNS-01 challenge fail.

The Traefik ACME client library lego supports some but not all DNS providers to work around this issue. The supported provider table indicates if they allow generating certificates for a wildcard domain and its root domain.

Certificate Renewal

Hub API Gateway automatically tracks the expiry date of certificates it generates.

Not used Certificates

Certificates that are no longer used may still be renewed, as Hub API Gateway does not currently check if the certificate is being used before renewing.

By default, Hub API Gateway manages 90-day certificates and starts renewing them 30 days before their expiry.

When using a certificate resolver that issues certificates with custom durations, the certificatesDuration option can be used to configure the certificates' duration.