From 93f7cb1082f9df5136b811b4f07166d70a838f0e Mon Sep 17 00:00:00 2001
From: Dave
Date: Mon, 12 Jan 2026 10:58:05 -0500
Subject: [PATCH] Added CertificateTimeout ACME configuration option.

---
 .../reference/install-configuration/configuration-options.md | 1 +
 .../install-configuration/tls/certificate-resolvers/acme.md | 1 +
 pkg/provider/acme/provider.go | 3 +++
 3 files changed, 5 insertions(+)

diff --git a/docs/content/reference/install-configuration/configuration-options.md b/docs/content/reference/install-configuration/configuration-options.md
index 7837743c5..0f5bad662 100644
--- a/docs/content/reference/install-configuration/configuration-options.md
+++ b/docs/content/reference/install-configuration/configuration-options.md
@@ -50,6 +50,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | certificatesresolvers._name_.acme.caservername | Specify the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list. | |
 | certificatesresolvers._name_.acme.casystemcertpool | Define if the certificates pool must use a copy of the system cert pool. | false |
 | certificatesresolvers._name_.acme.certificatesduration | Certificates' duration in hours. | 2160 |
+| certificatesresolvers._name_.acme.certificatetimeout | Timeout for obtaining the certificate during the finalization request. | 30 |
 | certificatesresolvers._name_.acme.clientresponseheadertimeout | Timeout for receiving the response headers when communicating with the ACME server. | 30 |
 | certificatesresolvers._name_.acme.clienttimeout | Timeout for a complete HTTP transaction with the ACME server. | 120 |
 | certificatesresolvers._name_.acme.disablecommonname | Disable the common name in the CSR. | false |
diff --git a/docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md b/docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md
index 407909818..1294fd46f 100644
--- a/docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md
+++ b/docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md
@@ -91,6 +91,7 @@ ACME certificate resolvers have the following configuration options:
 | `acme.certificatesDuration` | The certificates' duration in hours, exclusively used to determine renewal dates. | 2160 | No |
 | `acme.clientTimeout` | Timeout for HTTP Client used to communicate with the ACME server. | 2m | No |
 | `acme.clientResponseHeaderTimeout` | Timeout for response headers for HTTP Client used to communicate with the ACME server. | 30s | No |
+| `acme.certificateTimeout` | Timeout for obtaining the certificate during the finalization request. Set this if the ACME server is slow to issue a certificate. | 30s | No |
 | `acme.dnsChallenge` | Enable DNS-01 challenge. More information [here](#dnschallenge). | - | No |
 | `acme.dnsChallenge.provider` | DNS provider to use. | "" | No |
 | `acme.dnsChallenge.resolvers` | DNS servers to resolve the FQDN authority. | [] | No |
diff --git a/pkg/provider/acme/provider.go b/pkg/provider/acme/provider.go
index f8ab4ca1f..d761dd6e9 100644
--- a/pkg/provider/acme/provider.go
+++ b/pkg/provider/acme/provider.go
@@ -55,6 +55,7 @@ type Configuration struct {
 	ClientTimeout ptypes.Duration `description:"Timeout for a complete HTTP transaction with the ACME server." json:"clientTimeout,omitempty" toml:"clientTimeout,omitempty" yaml:"clientTimeout,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
 	ClientResponseHeaderTimeout ptypes.Duration `description:"Timeout for receiving the response headers when communicating with the ACME server." json:"clientResponseHeaderTimeout,omitempty" toml:"clientResponseHeaderTimeout,omitempty" yaml:"clientResponseHeaderTimeout,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
+	CertificateTimeout ptypes.Duration `description:"Timeout for obtaining the certificate during the finalization request." json:"certificateTimeout,omitempty" toml:"certificateTimeout,omitempty" yaml:"certificateTimeout,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
 	CACertificates []string `description:"Specify the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list." json:"caCertificates,omitempty" toml:"caCertificates,omitempty" yaml:"caCertificates,omitempty"`
 	CASystemCertPool bool `description:"Define if the certificates pool must use a copy of the system cert pool." json:"caSystemCertPool,omitempty" toml:"caSystemCertPool,omitempty" yaml:"caSystemCertPool,omitempty" export:"true"`
@@ -73,6 +74,7 @@ func (a *Configuration) SetDefaults() {
 	a.CertificatesDuration = 3 * 30 * 24 // 90 Days
 	a.ClientTimeout = ptypes.Duration(2 * time.Minute)
 	a.ClientResponseHeaderTimeout = ptypes.Duration(30 * time.Second)
+	a.CertificateTimeout = ptypes.Duration(30 * time.Second)
 }
 // CertAndStore allows mapping a TLS certificate to a TLS store.
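Review bot: The new `CertificateTimeout` field is tagged `allowEmpty` like its two sibling timeouts, but nothing in the patch rejects or normalizes a zero or negative value: `SetDefaults` in the second hunk only covers the case where the option is absent, and the `getClient` hunk further down hands `time.Duration(p.CertificateTimeout)` to lego unchanged. How lego treats a non-positive `Certificate.Timeout` is not visible here; if it means "do not wait for finalization", a misconfigured resolver would fail issuance and renewal with no obvious error, which is a quiet way to lose certificate rotation. I would either guard at the consumer, `if p.CertificateTimeout > 0 { config.Certificate.Timeout = time.Duration(p.CertificateTimeout) }`, or validate the value wherever the resolver configuration is already checked, and state the zero-value behaviour in the field's `description` tag so operators know what an empty setting does. Both the `Configuration` struct and the `SetDefaults` body begin before their hunks.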
@@ -298,6 +300,7 @@ func (p *Provider) getClient() (*lego.Client, error) {
 	config.Certificate.KeyType = GetKeyType(ctx, p.KeyType)
 	config.UserAgent = fmt.Sprintf("containous-traefik/%s", version.Version)
 	config.Certificate.DisableCommonName = p.DisableCommonName
+	config.Certificate.Timeout = time.Duration(p.CertificateTimeout)
 	config.HTTPClient, err = p.createHTTPClient()
 	if err != nil {