
certificatesDuration not honored when getting certs from internal StepCA #10847

Open
2 tasks done
easpeagle opened this issue Jun 25, 2024 · 6 comments
Labels
area/documentation contributor/good-first-issue contributor/wanted Participation from an external contributor is highly requested kind/bug/confirmed a confirmed bug (reproducible). priority/P3 maybe

Comments

@easpeagle

easpeagle commented Jun 25, 2024

Welcome!

  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you do?

We have configured traefik (3.0.3) to pull certificates from our internal StepCA, which has a default cert lifetime of 24h. When we use the certificatesDuration parameter to set say 48 or 72 hour duration, we expect to get certificates with those lifetimes. We use this same CA with tools such as acme.sh and can configure what lifetime we want up to 90d.

What did you see instead?

What we see is that no matter what value we give to certificatesDuration we only get 24h 1m certs. I can clearly see in the StepCA pod logs for new-order transactions a request for:

"notBefore":"2024-06-25T21:30:14Z","notAfter":"2024-06-26T21:31:14Z"

What version of Traefik are you using?

Version:      3.0.3
Codename:     beaufort
Go version:   go1.22.4
Built:        2024-06-18T14:31:20Z
OS/Arch:      linux/amd64

What is your environment & configuration?

version: '3'
services:
  traefik:
    container_name: traefik
    image: traefik
    restart: always
    command:
      - "--api.insecure=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.traefikresolver.acme.caserver=https://step.example.com/acme/acme/directory"
      - "--certificatesresolvers.traefikresolver.acme.certificatesDuration=48"
      - "--certificatesresolvers.traefikresolver.acme.email=support@example.com"
      - "--certificatesresolvers.traefikresolver.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.traefikresolver.acme.tlschallenge=true"
      - "--log.level=DEBUG"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    networks:
      - lb_web

networks:
  lb_web:
    external: true

If applicable, please paste the log output in DEBUG level

No response

@jspdown
Contributor

jspdown commented Jun 27, 2024

Thanks @easpeagle for opening this issue.
The documentation is not very clear about the role of the certificatesDuration option. It tells Traefik how long the certificates issued by your certificate authority will last. This information is used to determine when to renew the certificate. This option doesn't define the duration of your certificates; that is up to your CA.

The documentation needs to be improved.
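An added check, not code from this issue or from Traefik itself: given the notBefore/notAfter pair the CA logs for a new order and the configured certificatesDuration, it reports whether the option matches what the CA actually issues and what a mismatch does to the renewal schedule. The renew period/interval table is an assumption reproduced from the Traefik ACME documentation, not from this thread.

```go
package main

import (
	"fmt"
	"time"
)

const day = 24 * time.Hour
// Renew period (how long before expiry renewal starts) and check interval per
// configured duration. Assumption: reproduced from the Traefik ACME docs table.
var policy = []struct{ min, period, interval time.Duration }{
	{365 * day, 120 * day, 7 * day}, {90 * day, 30 * day, day},
	{7 * day, day, time.Hour}, {day, 6 * time.Hour, 10 * time.Minute},
}
func renewPolicy(configured time.Duration) (period, interval time.Duration) {
	for _, p := range policy {
		if configured >= p.min {
			return p.period, p.interval
		}
	}
	return 20 * time.Minute, time.Minute // anything under 24h
}
// issuedLifetime derives the real lifetime from the CA's logged notBefore/notAfter.
func issuedLifetime(notBefore, notAfter string) (time.Duration, error) {
	nb, err1 := time.Parse(time.RFC3339, notBefore)
	na, err2 := time.Parse(time.RFC3339, notAfter)
	if err1 != nil || err2 != nil {
		return 0, fmt.Errorf("bad timestamp: %v / %v", err1, err2)
	}
	return na.Sub(nb), nil
}
// checkDuration compares certificatesDuration (hours) with the issued lifetime.
func checkDuration(configuredHours int, actual time.Duration) []string {
	configured := time.Duration(configuredHours) * time.Hour
	period, interval := renewPolicy(configured)
	var w []string
	if actual.Round(time.Hour) != configured {
		w = append(w, fmt.Sprintf("configured %s != issued %s: the option describes the CA's lifetime, it does not request one", configured, actual))
	}
	if actual <= period {
		w = append(w, fmt.Sprintf("issued %s <= renew period %s (checked every %s): every cert is due for renewal as soon as it is issued", actual, period, interval))
	}
	return w
}
func main() { // constructed input: the notBefore/notAfter pair quoted from the StepCA log in this issue
	lifetime, _ := issuedLifetime("2024-06-25T21:30:14Z", "2024-06-26T21:31:14Z")
	for _, h := range []int{48, 2160, 24} {
		fmt.Printf("certificatesDuration=%d: %v\n", h, checkDuration(h, lifetime))
	}
}
```

With the 24h certs from this issue, 48 only produces the mismatch warning, while the default 2160 also puts every certificate inside the renew period from the moment it is issued.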

@jspdown jspdown added area/documentation kind/bug/confirmed a confirmed bug (reproducible). and removed status/0-needs-triage labels Jun 27, 2024
@easpeagle
Author

Okay... yeah, that's helpful to know. Traefik definitely needs a feature that allows a user to configure the certificate lifetime during the request, similar to acme.sh's "valid-to" option.

https://github.com/acmesh-official/acme.sh/wiki/Validity

@jspdown
Contributor

jspdown commented Jun 28, 2024

That would indeed be very useful on some CAs. This won't work everywhere, as some don't allow configuring such things (Let's Encrypt, for example).

If this is a feature you are willing to see in Traefik, please open a separate issue to track the proposal.

@nmengin nmengin added priority/P3 maybe contributor/good-first-issue contributor/wanted Participation from an external contributor is highly requested labels Jul 1, 2024
@peacewalker122
Contributor

@nmengin @jspdown I would be happy to contribute on this task :)

@peacewalker122
Contributor

peacewalker122 commented Jul 18, 2024

Refer to @jspdown's comment before.

Thanks @easpeagle for opening this issue. The documentation is not very clear about the role of the certificatesDuration option. It tells Traefik how long the certificates issued by your certificate authority will last. This information is used to determine when to renew the certificate. This option doesn't define the duration of your certificates; that is up to your CA.

The documentation needs to be improved.

I need to improve the documentation by modifying it to explain this the way @jspdown did in the previous comment, wdyt?

@jspdown
Contributor

jspdown commented Jul 19, 2024

You are welcome to contribute and we will be happy to review your PR. Don't hesitate to ask if you need some guidance. Thanks @peacewalker122
