Clean ACME certificates #10782
base: v3.0
Conversation
b5146f7 to cb69d8a
Seems an interesting fix for v2.11. @kevinpollet @rtribotte @nmengin WDYT?
IMHO, bringing the OCSP check before the renewal in v2.11 is needed.
c054d26 to d8fb597
Hello there, @mmatur, maybe I’ve missed something but, for me, this PR is an enhancement, not a bugfix. Indeed, currently, unexpected certificates are renewed and this PR improves their management, but the current behavior does not avoid using Traefik. For this reason IMO it’s an enhancement.

@ldez About the code itself I have a couple of questions:

OCSP check

Shouldn't this modification be part of a dedicated PR?

Dead period

First, concerning the wording, we could call it

Then, even if allowing the users to set this period is a good addition to the original PR, I still have one concern: what happens if Traefik deletes unexpected certificates? Let me explain the scenario I have in mind: as a user, I generate my certificates using the DNS challenge, and I’ve set a GracefulPeriod. I do not know it, but my DNS credentials were changed. I still have routers that refer to the certificate resolver in error. In the current situation, for existing certificates, Traefik generates an error once a day per certificate during their renewal. With the proposal, except if I’ve missed something, the certificates are deleted and Traefik tries to create certificates during each configuration reload: the number of errors can become unmanageable. For this reason, WDYT to add a check to ensure that no routers are using a certificate before deleting it?
It's a bug fix from the POV of what OCSP revocation means.
The dead ACME certificates and the OCSP check are the same topic, so I will not split this PR.
This cannot happen based on the rules I apply.
You do not understand how Traefik currently works: Traefik tries to renew ACME certificates, even if they are not used, even if it is impossible to renew them; this creates a lot of errors. With my PR:
- The certificates will be removed only when revoked or out-of-date (because no router uses them), and only during the renewal.
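The removal rule stated in the reply above (drop a stored certificate only when it is revoked, or when it is out of date and no router references it, and only on the renewal pass) as a stand-alone Go example. This is added illustration, not Traefik's code or this PR's diff: the 30-day renewal window, the reading that unreferenced certificates are not renewed, the `RevocationCheck` abstraction (a real implementation would query `cert.OCSPServer` with `golang.org/x/crypto/ocsp`), and the `Decide`, `ParsePEMCertificate` and `NewTestCertPEM` names are all assumptions. The certificates it feeds in are self-signed test data generated inline, not ACME-issued ones.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Action is the outcome for one stored certificate on a renewal pass (hypothetical type).
type Action int

const (
	Keep   Action = iota // valid and outside the window, or unused but not yet expired
	Renew                // referenced by a router and inside the window (or already expired)
	Delete               // revoked, or expired with no router referencing it
)

func (a Action) String() string { return [...]string{"keep", "renew", "delete"}[a] }

// RevocationCheck abstracts the OCSP lookup. Assumption: a real implementation
// would query cert.OCSPServer with golang.org/x/crypto/ocsp; callers inject it here.
type RevocationCheck func(cert *x509.Certificate) (revoked bool, err error)

// Decide applies the rule from the thread: remove only when revoked, or when out of
// date and unused; everything else is renewed inside the window or kept.
// The window and "unused certificates are not renewed" are assumptions, not Traefik's code.
func Decide(cert *x509.Certificate, now time.Time, renewBefore time.Duration,
	referenced bool, check RevocationCheck) (Action, string) {
	revoked, err := check(cert)
	if err != nil {
		// An unreachable responder is not proof of revocation: never delete on OCSP errors.
		revoked = false
	}
	expired := now.After(cert.NotAfter)
	inWindow := now.Add(renewBefore).After(cert.NotAfter)
	switch {
	case revoked:
		return Delete, "revoked per OCSP"
	case expired && !referenced:
		return Delete, "expired and no router references it"
	case referenced && (expired || inWindow):
		return Renew, "referenced and inside the renewal window"
	default:
		return Keep, "valid; nothing to do"
	}
}

// ParsePEMCertificate parses the first CERTIFICATE block of a PEM blob.
func ParsePEMCertificate(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// NewTestCertPEM builds a self-signed certificate with the given validity window.
// Constructed test data only; it is not an ACME-issued certificate.
func NewTestCertPEM(name string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	window := 30 * 24 * time.Hour
	// Constructed OCSP oracle: only "revoked.example" is reported as revoked.
	oracle := func(c *x509.Certificate) (bool, error) {
		return c.Subject.CommonName == "revoked.example", nil
	}
	cases := []struct {
		name       string
		notAfter   time.Time
		referenced bool
	}{
		{"revoked.example", now.Add(60 * 24 * time.Hour), true},
		{"dead.example", now.Add(-24 * time.Hour), false},
		{"live.example", now.Add(10 * 24 * time.Hour), true},
		{"idle.example", now.Add(10 * 24 * time.Hour), false},
	}
	for _, c := range cases {
		cert, err := ParsePEMCertificate(NewTestCertPEM(c.name, now.Add(-80*24*time.Hour), c.notAfter))
		if err != nil {
			panic(err)
		}
		action, why := Decide(cert, now, window, c.referenced, oracle)
		fmt.Printf("%-16s %-7v %s\n", c.name, action, why)
	}
}
```

The error branch in `Decide` is the caveat worth keeping in view: an OCSP responder outage must not look like a revocation, otherwise a transient network failure during the renewal pass would delete live certificates. The `referenced` flag is the hook for the check discussed in the thread, namely that a certificate still used by a router is never dropped as dead, only renewed.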
d8fb597 to 317f93f
There are ongoing discussions on this PR (bugfix or enhancement, need design review, etc.). More news soon.
317f93f to c85387f
What does this PR do?
Removes dead ACME certificates and revoked ACME certificates.
Motivation
Fixes #3376
More
Additional Notes
Closes #8647