acme: add support of preferredchain in Traefik v1

acme/account.go

@@ -14,8 +14,8 @@ import (
 	"sync"
 	"time"
 
-	"github.com/go-acme/lego/v3/certcrypto"
-	"github.com/go-acme/lego/v3/registration"
+	"github.com/go-acme/lego/v4/certcrypto"
+	"github.com/go-acme/lego/v4/registration"
 	"github.com/traefik/traefik/log"
 	acmeprovider "github.com/traefik/traefik/provider/acme"
 	"github.com/traefik/traefik/types"

acme/acme.go

@@ -21,14 +21,14 @@ import (
 	"github.com/containous/mux"
 	"github.com/containous/staert"
 	"github.com/eapache/channels"
-	"github.com/go-acme/lego/v3/certificate"
-	"github.com/go-acme/lego/v3/challenge"
-	"github.com/go-acme/lego/v3/challenge/dns01"
-	"github.com/go-acme/lego/v3/challenge/http01"
-	"github.com/go-acme/lego/v3/lego"
-	legolog "github.com/go-acme/lego/v3/log"
-	"github.com/go-acme/lego/v3/providers/dns"
-	"github.com/go-acme/lego/v3/registration"
+	"github.com/go-acme/lego/v4/certificate"
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/challenge/dns01"
+	"github.com/go-acme/lego/v4/challenge/http01"
+	"github.com/go-acme/lego/v4/lego"
+	legolog "github.com/go-acme/lego/v4/log"
+	"github.com/go-acme/lego/v4/providers/dns"
+	"github.com/go-acme/lego/v4/registration"
 	"github.com/sirupsen/logrus"
 	"github.com/traefik/traefik/cluster"
 	"github.com/traefik/traefik/log"
@@ -46,6 +46,7 @@ var (
 // ACME allows to connect to lets encrypt and retrieve certs
 // Deprecated Please use provider/acme/Provider
 type ACME struct {
+	PreferredChain        string                      `description:"Preferred chain to use."`
 	Email                 string                      `description:"Email address used for registration"`
 	Domains               []types.Domain              `description:"SANs (alternative domains) to each main domain using format: --acme.domains='main.com,san1.com,san2.com' --acme.domains='main.net,san1.net,san2.net'"`
 	Storage               string                      `description:"File or key used for certificates storage."`
@@ -376,11 +377,13 @@ func (a *ACME) renewACMECertificate(certificateResource *DomainsCertificate) (*C
 		CertStableURL: certificateResource.Certificate.CertStableURL,
 		PrivateKey:    certificateResource.Certificate.PrivateKey,
 		Certificate:   certificateResource.Certificate.Certificate,
-	}, true, OSCPMustStaple)
+	}, true, OSCPMustStaple, a.PreferredChain)
 	if err != nil {
 		return nil, err
 	}
+
 	log.Infof("Renewed certificate from  LE: %+v", certificateResource.Domains)
+
 	return &Certificate{
 		Domain:        renewedCert.Domain,
 		CertURL:       renewedCert.CertURL,
@@ -448,14 +451,18 @@ func (a *ACME) buildACMEClient(account *Account) (*lego.Client, error) {
 
 		err = client.Challenge.SetDNS01Provider(provider,
 			dns01.CondOption(len(a.DNSChallenge.Resolvers) > 0, dns01.AddRecursiveNameservers(a.DNSChallenge.Resolvers)),
-			dns01.CondOption(a.DNSChallenge.DisablePropagationCheck || a.DNSChallenge.DelayBeforeCheck > 0,
-				dns01.AddPreCheck(func(_, _ string) (bool, error) {
-					if a.DNSChallenge.DelayBeforeCheck > 0 {
-						log.Debugf("Delaying %d rather than validating DNS propagation now.", a.DNSChallenge.DelayBeforeCheck)
-						time.Sleep(time.Duration(a.DNSChallenge.DelayBeforeCheck))
-					}
+			dns01.WrapPreCheck(func(domain, fqdn, value string, check dns01.PreCheckFunc) (bool, error) {
+				if a.DNSChallenge.DelayBeforeCheck > 0 {
+					log.Debugf("Delaying %d rather than validating DNS propagation now.", a.DNSChallenge.DelayBeforeCheck)
+					time.Sleep(time.Duration(a.DNSChallenge.DelayBeforeCheck))
+				}
+
+				if a.DNSChallenge.DisablePropagationCheck {
 					return true, nil
-				})),
+				}
+
+				return check(fqdn, value)
+			}),
 		)
 		return client, err
 	}

acme/challenge_http_provider.go

@@ -6,7 +6,7 @@ import (
 	"time"
 
 	"github.com/cenk/backoff"
-	"github.com/go-acme/lego/v3/challenge"
+	"github.com/go-acme/lego/v4/challenge"
 	"github.com/traefik/traefik/cluster"
 	"github.com/traefik/traefik/log"
 	"github.com/traefik/traefik/safe"

acme/challenge_tls_provider.go

@@ -8,8 +8,8 @@ import (
 	"time"
 
 	"github.com/cenk/backoff"
-	"github.com/go-acme/lego/v3/challenge"
-	"github.com/go-acme/lego/v3/challenge/tlsalpn01"
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/challenge/tlsalpn01"
 	"github.com/traefik/traefik/cluster"
 	"github.com/traefik/traefik/log"
 	"github.com/traefik/traefik/safe"

configuration/configuration.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/containous/flaeg"
 	servicefabric "github.com/containous/traefik-extra-service-fabric"
-	"github.com/go-acme/lego/v3/challenge/dns01"
+	"github.com/go-acme/lego/v4/challenge/dns01"
 	"github.com/traefik/traefik/acme"
 	"github.com/traefik/traefik/api"
 	"github.com/traefik/traefik/log"

docs/configuration/acme.md

@@ -93,6 +93,13 @@ entryPoint = "https"
 #
 # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
 
+# Preferred chain to use.
+#
+# Optional
+# Default: empty
+#
+preferredChain = "ISRG Root X1"
+
 # KeyType to use.
 #
 # Optional
@@ -186,6 +193,17 @@ caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
 # ...
 ```
 
+### `preferredChain`
+
+Preferred chain to use.
+
+```toml
+[acme]
+# ...
+preferredChain = "ISRG Root X1"
+# ...
+```
+
 ### ACME Challenge
 
 #### `tlsChallenge`

go.mod

@@ -5,30 +5,28 @@ go 1.16
 require (
 	github.com/ArthurHlt/go-eureka-client v0.0.0-20170403140305-9d0a49cbd39a
 	github.com/ArthurHlt/gominlog v0.0.0-20170402142412-72eebf980f46 // indirect
+	github.com/Azure/azure-sdk-for-go v40.3.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.4.2 // indirect
+	github.com/Azure/go-autorest/autorest/to v0.3.0 // indirect
+	github.com/Azure/go-autorest/autorest/validation v0.2.0 // indirect
 	github.com/BurntSushi/toml v0.3.1
 	github.com/BurntSushi/ty v0.0.0-20140213233908-6add9cd6ad42
 	github.com/Masterminds/sprig v2.19.0+incompatible
-	github.com/Microsoft/go-winio v0.4.2 // indirect
-	github.com/NYTimes/gziphandler v1.0.1-0.20180125165240-289a3b81f5ae
-	github.com/PuerkitoBio/purell v1.0.0 // indirect
-	github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2 // indirect
+	github.com/Microsoft/go-winio v0.4.3 // indirect
+	github.com/NYTimes/gziphandler v1.0.1
 	github.com/VividCortex/gohistogram v1.0.0 // indirect
 	github.com/abbot/go-http-auth v0.0.0-00010101000000-000000000000
-	github.com/abronan/valkeyrie v0.0.0-20171113095143-063d875e3c5f
-	github.com/armon/go-metrics v0.3.0 // indirect
+	github.com/abronan/valkeyrie v0.2.0
+	github.com/armon/go-metrics v0.3.8 // indirect
 	github.com/armon/go-proxyproto v0.0.0-20170620220930-48572f11356f
-	github.com/aws/aws-sdk-go v1.23.0
+	github.com/aws/aws-sdk-go v1.37.27
 	github.com/cenk/backoff v2.1.1+incompatible
 	github.com/codahale/hdrhistogram v0.9.0 // indirect
 	github.com/containous/flaeg v1.4.1
 	github.com/containous/mux v0.0.0-20181024131434-c33f32e26898
 	github.com/containous/staert v3.1.2+incompatible
 	github.com/containous/traefik-extra-service-fabric v1.7.1-0.20210227093100-8dcd57b609a8
-	github.com/coreos/bbolt v1.3.1-coreos.5 // indirect
-	github.com/coreos/etcd v3.3.5+incompatible // indirect
-	github.com/coreos/go-semver v0.2.0 // indirect
-	github.com/coreos/go-systemd v0.0.0-20161114122254-48702e0da86b
-	github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f // indirect
+	github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e
 	github.com/davecgh/go-spew v1.1.1
 	github.com/docker/docker v1.4.2-0.20171023200535-7848b8beb9d3
 	github.com/docker/go-connections v0.3.0
@@ -38,49 +36,40 @@ require (
 	github.com/eapache/channels v1.1.0
 	github.com/eknkc/amber v0.0.0-20171010120322-cdade1c07385 // indirect
 	github.com/elazarl/go-bindata-assetfs v1.0.0
-	github.com/emicklei/go-restful v1.1.4-0.20160814184150-89ef8af493ab // indirect
-	github.com/fatih/color v1.5.1-0.20170523202404-62e9147c64a1 // indirect
+	github.com/frankban/quicktest v1.11.0 // indirect
 	github.com/gambol99/go-marathon v0.7.2-0.20180614232016-99a156b96fb2
-	github.com/go-acme/lego/v3 v3.0.1
+	github.com/go-acme/lego/v4 v4.4.0
 	github.com/go-check/check v0.0.0-00010101000000-000000000000
-	github.com/go-kit/kit v0.8.0
-	github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1 // indirect
-	github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9 // indirect
-	github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501 // indirect
-	github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87 // indirect
-	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
-	github.com/golang/protobuf v1.3.2
+	github.com/go-kit/kit v0.9.0
+	github.com/golang/protobuf v1.5.2
+	github.com/golang/snappy v0.0.1 // indirect
 	github.com/google/go-github v9.0.0+incompatible
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/uuid v1.1.1
-	github.com/googleapis/gnostic v0.1.0 // indirect
+	github.com/google/uuid v1.1.2
 	github.com/gorilla/websocket v1.4.2
 	github.com/gravitational/trace v1.1.3 // indirect
-	github.com/gregjones/httpcache v0.0.0-20171119193500-2bcd89a1743f // indirect
-	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
-	github.com/hashicorp/consul v1.0.6
+	github.com/hashicorp/consul/api v1.9.1
+	github.com/hashicorp/go-hclog v0.14.1 // indirect
+	github.com/hashicorp/go-immutable-radix v1.3.0 // indirect
 	github.com/hashicorp/go-msgpack v1.1.5 // indirect
-	github.com/hashicorp/go-rootcerts v0.0.0-20160503143440-6bb64b370b90 // indirect
-	github.com/hashicorp/go-uuid v1.0.2 // indirect
-	github.com/hashicorp/go-version v0.0.0-20170202080759-03c5bf6be031
-	github.com/hashicorp/memberlist v0.1.5 // indirect
-	github.com/hashicorp/serf v0.8.2-0.20170308193951-19f2c401e122 // indirect
-	github.com/influxdata/influxdb v1.3.7
+	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
+	github.com/hashicorp/go-version v1.2.1
+	github.com/hashicorp/golang-lru v0.5.4 // indirect
+	github.com/hashicorp/memberlist v0.2.4 // indirect
+	github.com/influxdata/influxdb1-client v0.0.0-20200827194710-b269163b24ab
 	github.com/jjcollinge/servicefabric v0.0.2-0.20180125130438-8eebe170fa1b
-	github.com/juju/ratelimit v1.0.1 // indirect
 	github.com/libkermit/compose v0.0.0-20171122111507-c04e39c026ad
 	github.com/libkermit/docker v0.0.0-20171122101128-e6674d32b807
 	github.com/libkermit/docker-check v0.0.0-20171122104347-1113af38e591
-	github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a // indirect
-	github.com/mattn/go-colorable v0.0.8-0.20170210172801-5411d3eea597 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
 	github.com/mesos/mesos-go v0.0.3-0.20150930144802-068d5470506e
 	github.com/mesosphere/mesos-dns v0.0.0-00010101000000-000000000000
-	github.com/miekg/dns v1.1.26
-	github.com/mitchellh/copystructure v0.0.0-20170525013902-d23ffcb85de3
+	github.com/miekg/dns v1.1.41
+	github.com/mitchellh/copystructure v1.0.0
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/hashstructure v1.0.0
-	github.com/mitchellh/mapstructure v1.1.2
-	github.com/mitchellh/reflectwalk v0.0.0-20170726202117-63d60e9d0dbc // indirect
+	github.com/mitchellh/mapstructure v1.4.1-0.20210112042008-8ebf2d61a8b4
+	github.com/mitchellh/reflectwalk v1.0.1 // indirect
 	github.com/mvdan/xurls v1.1.1-0.20170309204242-db96455566f0
 	github.com/ogier/pflag v0.0.2-0.20160129220114-45c278ab3607
 	github.com/opencontainers/image-spec v1.0.0-rc5.0.20170515205857-f03dbe35d449 // indirect
@@ -89,45 +78,38 @@ require (
 	github.com/opentracing/opentracing-go v1.0.2
 	github.com/openzipkin-contrib/zipkin-go-opentracing v0.3.5
 	github.com/patrickmn/go-cache v2.1.0+incompatible
-	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/philhofer/fwd v1.0.0 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_golang v1.1.0
-	github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90
+	github.com/pierrec/lz4 v2.5.2+incompatible // indirect
+	github.com/prometheus/client_golang v1.11.0
+	github.com/prometheus/client_model v0.2.0
 	github.com/rancher/go-rancher v0.1.1-0.20171004213057-52e2f4895340
 	github.com/rancher/go-rancher-metadata v0.0.0-00010101000000-000000000000
 	github.com/ryanuber/go-glob v1.0.0
-	github.com/samuel/go-zookeeper v0.0.0-20161028232340-1d7be4effb13 // indirect
 	github.com/shopspring/decimal v1.1.1-0.20191009025716-f1972eb1d1f5
-	github.com/sirupsen/logrus v1.4.2
-	github.com/soheilhy/cmux v0.1.4 // indirect
-	github.com/spf13/pflag v0.0.0-20160427162146-cb88ea77998c // indirect
-	github.com/stretchr/testify v1.5.1
+	github.com/sirupsen/logrus v1.6.0
+	github.com/stretchr/testify v1.7.0
 	github.com/stvp/go-udp-testing v0.0.0-20171104055251-c4434f09ec13
 	github.com/thoas/stats v0.0.0-20190104110215-4975baf6a358
 	github.com/tinylib/msgp v1.0.2 // indirect
-	github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect
 	github.com/tv42/zbase32 v0.0.0-20150911225513-03389da7e0bf // indirect
 	github.com/uber/jaeger-client-go v2.15.0+incompatible
 	github.com/uber/jaeger-lib v1.5.0
-	github.com/ugorji/go v1.1.1 // indirect
 	github.com/unrolled/render v0.0.0-20170109143244-50716a0a8537
 	github.com/unrolled/secure v1.0.5
 	github.com/urfave/negroni v0.2.1-0.20170426175938-490e6a555d47
 	github.com/vdemeester/shakers v0.1.0
 	github.com/vulcand/oxy v1.2.0
-	github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect
-	golang.org/x/net v0.0.0-20190923162816-aa69164e4478
-	golang.org/x/sys v0.0.0-20191115151921-52ab43148777 // indirect
-	google.golang.org/grpc v1.22.1
+	go.etcd.io/bbolt v1.3.5 // indirect
+	golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a // indirect
+	golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1
+	google.golang.org/grpc v1.38.0
 	gopkg.in/DataDog/dd-trace-go.v1 v1.13.0
 	gopkg.in/fsnotify.v1 v1.4.7
-	gopkg.in/inf.v0 v0.9.0 // indirect
-	gopkg.in/yaml.v2 v2.2.5
-	k8s.io/api v0.0.0-20171214033149-af4bc157c3a2
-	k8s.io/apimachinery v0.0.0-20171207040834-180eddb345a5
-	k8s.io/client-go v6.0.0+incompatible
-	k8s.io/kube-openapi v0.0.0-20180201014056-275e2ce91dec // indirect
+	gopkg.in/yaml.v2 v2.4.0
+	k8s.io/api v0.21.0
+	k8s.io/apimachinery v0.21.0
+	k8s.io/client-go v0.21.0
+	k8s.io/utils v0.0.0-20210709001253-0e1f9d693477 // indirect
 )
 
 replace (

metrics/datadog.go

@@ -1,6 +1,7 @@
 package metrics
 
 import (
+	"context"
 	"time"
 
 	kitlog "github.com/go-kit/kit/log"
@@ -72,7 +73,7 @@ func initDatadogClient(config *types.Datadog) *time.Ticker {
 	report := time.NewTicker(pushInterval)
 
 	safe.Go(func() {
-		datadogClient.SendLoop(report.C, "udp", address)
+		datadogClient.SendLoop(context.Background(), report.C, "udp", address)
 	})
 
 	return report

metrics/influxdb.go

@@ -2,6 +2,7 @@ package metrics
 
 import (
 	"bytes"
+	"context"
 	"fmt"
 	"net/url"
 	"regexp"
@@ -9,7 +10,7 @@ import (
 
 	kitlog "github.com/go-kit/kit/log"
 	"github.com/go-kit/kit/metrics/influx"
-	influxdb "github.com/influxdata/influxdb/client/v2"
+	influxdb "github.com/influxdata/influxdb1-client/v2"
 	"github.com/traefik/traefik/log"
 	"github.com/traefik/traefik/safe"
 	"github.com/traefik/traefik/types"
@@ -118,7 +119,7 @@ func initInfluxDBTicker(config *types.InfluxDB) *time.Ticker {
 
 	safe.Go(func() {
 		var buf bytes.Buffer
-		influxDBClient.WriteLoop(report.C, &influxDBWriter{buf: buf, config: config})
+		influxDBClient.WriteLoop(context.Background(), report.C, &influxDBWriter{buf: buf, config: config})
 	})
 
 	return report

metrics/statsd.go

@@ -1,6 +1,7 @@
 package metrics
 
 import (
+	"context"
 	"time"
 
 	kitlog "github.com/go-kit/kit/log"
@@ -70,7 +71,7 @@ func initStatsdTicker(config *types.Statsd) *time.Ticker {
 	report := time.NewTicker(pushInterval)
 
 	safe.Go(func() {
-		statsdClient.SendLoop(report.C, "udp", address)
+		statsdClient.SendLoop(context.Background(), report.C, "udp", address)
 	})
 
 	return report

provider/acme/account.go

@@ -6,8 +6,8 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 
-	"github.com/go-acme/lego/v3/certcrypto"
-	"github.com/go-acme/lego/v3/registration"
+	"github.com/go-acme/lego/v4/certcrypto"
+	"github.com/go-acme/lego/v4/registration"
 	"github.com/traefik/traefik/log"
 )
 

provider/acme/challenge_http.go

@@ -7,8 +7,8 @@ import (
 
 	"github.com/cenk/backoff"
 	"github.com/containous/mux"
-	"github.com/go-acme/lego/v3/challenge"
-	"github.com/go-acme/lego/v3/challenge/http01"
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/challenge/http01"
 	"github.com/traefik/traefik/log"
 	"github.com/traefik/traefik/safe"
 )

provider/acme/challenge_tls.go

@@ -3,8 +3,8 @@ package acme
 import (
 	"crypto/tls"
 
-	"github.com/go-acme/lego/v3/challenge"
-	"github.com/go-acme/lego/v3/challenge/tlsalpn01"
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/challenge/tlsalpn01"
 	"github.com/traefik/traefik/log"
 	"github.com/traefik/traefik/types"
 )

provider/acme/provider.go

@@ -15,13 +15,13 @@ import (
 
 	"github.com/cenk/backoff"
 	"github.com/containous/flaeg"
-	"github.com/go-acme/lego/v3/certificate"
-	"github.com/go-acme/lego/v3/challenge"
-	"github.com/go-acme/lego/v3/challenge/dns01"
-	"github.com/go-acme/lego/v3/lego"
-	legolog "github.com/go-acme/lego/v3/log"
-	"github.com/go-acme/lego/v3/providers/dns"
-	"github.com/go-acme/lego/v3/registration"
+	"github.com/go-acme/lego/v4/certificate"
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/challenge/dns01"
+	"github.com/go-acme/lego/v4/lego"
+	legolog "github.com/go-acme/lego/v4/log"
+	"github.com/go-acme/lego/v4/providers/dns"
+	"github.com/go-acme/lego/v4/registration"
 	"github.com/sirupsen/logrus"
 	"github.com/traefik/traefik/log"
 	"github.com/traefik/traefik/rules"
@@ -38,18 +38,19 @@ var (
 
 // Configuration holds ACME configuration provided by users
 type Configuration struct {
-	Email         string         `description:"Email address used for registration"`
-	ACMELogging   bool           `description:"Enable debug logging of ACME actions."`
-	CAServer      string         `description:"CA server to use."`
-	Storage       string         `description:"Storage to use."`
-	EntryPoint    string         `description:"EntryPoint to use."`
-	KeyType       string         `description:"KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. Default to 'RSA4096'"`
-	OnHostRule    bool           `description:"Enable certificate generation on frontends Host rules."`
-	OnDemand      bool           `description:"Enable on demand certificate generation. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate."` // Deprecated
-	DNSChallenge  *DNSChallenge  `description:"Activate DNS-01 Challenge"`
-	HTTPChallenge *HTTPChallenge `description:"Activate HTTP-01 Challenge"`
-	TLSChallenge  *TLSChallenge  `description:"Activate TLS-ALPN-01 Challenge"`
-	Domains       []types.Domain `description:"CN and SANs (alternative domains) to each main domain using format: --acme.domains='main.com,san1.com,san2.com' --acme.domains='*.main.net'. Wildcard domains only accepted with DNSChallenge"`
+	Email          string         `description:"Email address used for registration"`
+	ACMELogging    bool           `description:"Enable debug logging of ACME actions."`
+	PreferredChain string         `description:"Preferred chain to use."`
+	CAServer       string         `description:"CA server to use."`
+	Storage        string         `description:"Storage to use."`
+	EntryPoint     string         `description:"EntryPoint to use."`
+	KeyType        string         `description:"KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. Default to 'RSA4096'"`
+	OnHostRule     bool           `description:"Enable certificate generation on frontends Host rules."`
+	OnDemand       bool           `description:"Enable on demand certificate generation. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate."` // Deprecated
+	DNSChallenge   *DNSChallenge  `description:"Activate DNS-01 Challenge"`
+	HTTPChallenge  *HTTPChallenge `description:"Activate HTTP-01 Challenge"`
+	TLSChallenge   *TLSChallenge  `description:"Activate TLS-ALPN-01 Challenge"`
+	Domains        []types.Domain `description:"CN and SANs (alternative domains) to each main domain using format: --acme.domains='main.com,san1.com,san2.com' --acme.domains='*.main.net'. Wildcard domains only accepted with DNSChallenge"`
 }
 
 // Provider holds configurations of the provider.
@@ -270,14 +271,18 @@ func (p *Provider) getClient() (*lego.Client, error) {
 
 		err = client.Challenge.SetDNS01Provider(provider,
 			dns01.CondOption(len(p.DNSChallenge.Resolvers) > 0, dns01.AddRecursiveNameservers(p.DNSChallenge.Resolvers)),
-			dns01.CondOption(p.DNSChallenge.DisablePropagationCheck || p.DNSChallenge.DelayBeforeCheck > 0,
-				dns01.AddPreCheck(func(_, _ string) (bool, error) {
-					if p.DNSChallenge.DelayBeforeCheck > 0 {
-						log.Debugf("Delaying %d rather than validating DNS propagation now.", p.DNSChallenge.DelayBeforeCheck)
-						time.Sleep(time.Duration(p.DNSChallenge.DelayBeforeCheck))
-					}
+			dns01.WrapPreCheck(func(domain, fqdn, value string, check dns01.PreCheckFunc) (bool, error) {
+				if p.DNSChallenge.DelayBeforeCheck > 0 {
+					log.Debugf("Delaying %d rather than validating DNS propagation now.", p.DNSChallenge.DelayBeforeCheck)
+					time.Sleep(time.Duration(p.DNSChallenge.DelayBeforeCheck))
+				}
+
+				if p.DNSChallenge.DisablePropagationCheck {
 					return true, nil
-				})),
+				}
+
+				return check(fqdn, value)
+			}),
 		)
 		if err != nil {
 			return nil, err
@@ -654,7 +659,11 @@ func (p *Provider) renewCertificates() {
 				Domain:      cert.Domain.Main,
 				PrivateKey:  cert.Key,
 				Certificate: cert.Certificate,
-			}, true, OSCPMustStaple)
+			}, true, OSCPMustStaple, p.PreferredChain)
+			if err != nil {
+				log.Errorf("Error renewing certificate from LE: %v, %v", cert.Domain, err)
+				continue
+			}
 
 			if err != nil {
 				log.Errorf("Error renewing certificate from LE: %v, %v", cert.Domain, err)

provider/acme/provider_test.go

@@ -4,7 +4,7 @@ import (
 	"crypto/tls"
 	"testing"
 
-	"github.com/go-acme/lego/v3/certcrypto"
+	"github.com/go-acme/lego/v4/certcrypto"
 	"github.com/stretchr/testify/assert"
 	"github.com/traefik/traefik/safe"
 	traefiktls "github.com/traefik/traefik/tls"

provider/kubernetes/client.go

@@ -1,6 +1,7 @@
 package kubernetes
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"io/ioutil"
@@ -192,7 +193,7 @@ func (c *clientImpl) UpdateIngressStatus(namespace, name, ip, hostname string) e
 	ingCopy := ing.DeepCopy()
 	ingCopy.Status = extensionsv1beta1.IngressStatus{LoadBalancer: corev1.LoadBalancerStatus{Ingress: []corev1.LoadBalancerIngress{{IP: ip, Hostname: hostname}}}}
 
-	_, err = c.clientset.ExtensionsV1beta1().Ingresses(ingCopy.Namespace).UpdateStatus(ingCopy)
+	_, err = c.clientset.ExtensionsV1beta1().Ingresses(ingCopy.Namespace).UpdateStatus(context.Background(), ingCopy, metav1.UpdateOptions{})
 	if err != nil {
 		return fmt.Errorf("failed to update ingress status %s/%s: %v", namespace, name, err)
 	}

server/server.go

@@ -19,7 +19,7 @@ import (
 
 	"github.com/armon/go-proxyproto"
 	"github.com/containous/mux"
-	"github.com/go-acme/lego/v3/challenge/tlsalpn01"
+	"github.com/go-acme/lego/v4/challenge/tlsalpn01"
 	"github.com/sirupsen/logrus"
 	"github.com/traefik/traefik/cluster"
 	"github.com/traefik/traefik/configuration"