Add options to control ACME propagation checks

docs/content/https/acme.md

@@ -496,7 +496,7 @@ certificatesResolvers:
 --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 ```
 
-#### `delayBeforeCheck`
+#### `propagation.delayBeforeChecks`
 
 By default, the `provider` verifies the TXT record _before_ letting ACME verify.
 
@@ -511,27 +511,107 @@ certificatesResolvers:
       # ...
       dnsChallenge:
         # ...
-        delayBeforeCheck: 2s
+        propagation:
+          # ...
+          delayBeforeChecks: 2s
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
+    # ...
+    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
+      # ...
+      delayBeforeChecks = "2s"
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.dnschallenge.propagation.delayBeforeChecks=2s
+```
+
+#### `propagation.disableChecks`
+
+Disables the challenge TXT record propagation checks, before notifying ACME that the DNS challenge is ready. 
+
+Please note that disabling checks can prevent the challenge to succeed.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      dnsChallenge:
+        # ...
+        propagation:
+          # ...
+          disableChecks: true
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
+    # ...
+    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
+      # ...
+      disableChecks = true
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.dnschallenge.propagation.disableChecks=true
+```
+
+#### `propagation.requireAllRNS`
+
+Requires the challenge TXT record to be propagated to all recursive nameservers.
+
+!!! note
+
+    If you have disabled authoritative nameservers checks (with `propagation.disableANSChecks`),
+    it is recommended to check all recursive nameservers instead.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      dnsChallenge:
+        # ...
+        propagation:
+          # ...
+          requireAllRNS: true
 ```
 
 ```toml tab="File (TOML)"
 [certificatesResolvers.myresolver.acme]
   # ...
   [certificatesResolvers.myresolver.acme.dnsChallenge]
     # ...
-    delayBeforeCheck = "2s"
+    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
+      # ...
+      requireAllRNS = true
 ```
 
 ```bash tab="CLI"
 # ...
---certificatesresolvers.myresolver.acme.dnschallenge.delayBeforeCheck=2s
+--certificatesresolvers.myresolver.acme.dnschallenge.propagation.requireAllRNS=true
 ```
 
-#### `disablePropagationCheck`
+#### `propagation.disableANSChecks`
+
+Disables the challenge TXT record propagation checks against authoritative nameservers.
+
+This option will skip the propagation check against the nameservers of the authority (SOA).
 
-**Not recommended**
+It should be used only if the nameservers of the authority are not reachable.
 
-Disable the TXT records propagation checks before notifying ACME that the DNS challenge is ready. 
+!!! note
+
+    If you have disabled authoritative nameservers checks,
+    it is recommended to check all recursive nameservers instead.
 
 ```yaml tab="File (YAML)"
 certificatesResolvers:
@@ -540,20 +620,24 @@ certificatesResolvers:
       # ...
       dnsChallenge:
         # ...
-        disablePropagationCheck: true
+        propagation:
+          # ...
+          disableANSChecks: true
 ```
 
 ```toml tab="File (TOML)"
 [certificatesResolvers.myresolver.acme]
   # ...
   [certificatesResolvers.myresolver.acme.dnsChallenge]
     # ...
-    disablePropagationCheck = true
+    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
+      # ...
+      disableANSChecks = true
 ```
 
 ```bash tab="CLI"
 # ...
---certificatesresolvers.myresolver.acme.dnschallenge.disablePropagationCheck=true
+--certificatesresolvers.myresolver.acme.dnschallenge.propagation.disableANSChecks=true
 ```
 
 #### Wildcard Domains

docs/content/migration/v3.md

@@ -160,3 +160,10 @@ the `configmaps`, `backendtlspolicies` and `backendtlspolicies/status` rights ha
 
 In `v3.2.1`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source.
 Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details.
+
+## v3.2 to v3.3
+
+### ACME DNS Certificate Resolver
+
+In `v3.3`, the `acme.dnsChallenge.delaybeforecheck` and `acme.dnsChallenge.disablepropagationcheck` options of the ACME certificate resolver are deprecated, 
+please use respectively `acme.dnsChallenge.propagation.delayBeforeCheck` and `acme.dnsChallenge.propagation.disableAllChecks` options instead.

docs/content/reference/static-configuration/cli-ref.md

@@ -79,10 +79,25 @@ Certificates' duration in hours. (Default: ```2160```)
 Activate DNS-01 Challenge. (Default: ```false```)
 
 `--certificatesresolvers.<name>.acme.dnschallenge.delaybeforecheck`:  
-Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
+(Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
 
 `--certificatesresolvers.<name>.acme.dnschallenge.disablepropagationcheck`:  
-Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
+(Deprecated) Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
+
+`--certificatesresolvers.<name>.acme.dnschallenge.propagation`:  
+DNS propagation checks configuration (Default: ```false```)
+
+`--certificatesresolvers.<name>.acme.dnschallenge.propagation.delaybeforechecks`:  
+Defines the delay before checking the challenge TXT record propagation. (Default: ```0```)
+
+`--certificatesresolvers.<name>.acme.dnschallenge.propagation.disableanschecks`:  
+Disables the challenge TXT record propagation checks against authoritative nameservers. (Default: ```false```)
+
+`--certificatesresolvers.<name>.acme.dnschallenge.propagation.disablechecks`:  
+Disables the challenge TXT record propagation checks (not recommended). (Default: ```false```)
+
+`--certificatesresolvers.<name>.acme.dnschallenge.propagation.requireallrns`:  
+Requires the challenge TXT record to be propagated to all recursive nameservers. (Default: ```false```)
 
 `--certificatesresolvers.<name>.acme.dnschallenge.provider`:  
 Use a DNS-01 based challenge provider rather than HTTPS.

docs/content/reference/static-configuration/env-ref.md

@@ -79,10 +79,25 @@ Certificates' duration in hours. (Default: ```2160```)
 Activate DNS-01 Challenge. (Default: ```false```)
 
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_DELAYBEFORECHECK`:  
-Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
+(Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
 
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_DISABLEPROPAGATIONCHECK`:  
-Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
+(Deprecated) Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION`:  
+DNS propagation checks configuration (Default: ```false```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION_DELAYBEFORECHECKS`:  
+Defines the delay before checking the challenge TXT record propagation. (Default: ```0```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION_DISABLEANSCHECKS`:  
+Disables the challenge TXT record propagation checks against authoritative nameservers. (Default: ```false```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION_DISABLECHECKS`:  
+Disables the challenge TXT record propagation checks (not recommended). (Default: ```false```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION_REQUIREALLRNS`:  
+Requires the challenge TXT record to be propagated to all recursive nameservers. (Default: ```false```)
 
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROVIDER`:  
 Use a DNS-01 based challenge provider rather than HTTPS.

docs/content/reference/static-configuration/file.toml

@@ -457,9 +457,14 @@
         hmacEncoded = "foobar"
       [certificatesResolvers.CertificateResolver0.acme.dnsChallenge]
         provider = "foobar"
-        delayBeforeCheck = "42s"
         resolvers = ["foobar", "foobar"]
+        delayBeforeCheck = "42s"
         disablePropagationCheck = true
+        [certificatesResolvers.CertificateResolver0.acme.dnsChallenge.propagation]
+          disableChecks = true
+          disableANSChecks = true
+          requireAllRNS = true
+          delayBeforeChecks = "42s"
       [certificatesResolvers.CertificateResolver0.acme.httpChallenge]
         entryPoint = "foobar"
       [certificatesResolvers.CertificateResolver0.acme.tlsChallenge]
@@ -480,9 +485,14 @@
         hmacEncoded = "foobar"
       [certificatesResolvers.CertificateResolver1.acme.dnsChallenge]
         provider = "foobar"
-        delayBeforeCheck = "42s"
         resolvers = ["foobar", "foobar"]
+        delayBeforeCheck = "42s"
         disablePropagationCheck = true
+        [certificatesResolvers.CertificateResolver1.acme.dnsChallenge.propagation]
+          disableChecks = true
+          disableANSChecks = true
+          requireAllRNS = true
+          delayBeforeChecks = "42s"
       [certificatesResolvers.CertificateResolver1.acme.httpChallenge]
         entryPoint = "foobar"
       [certificatesResolvers.CertificateResolver1.acme.tlsChallenge]

docs/content/reference/static-configuration/file.yaml

@@ -500,10 +500,15 @@ certificatesResolvers:
       caServerName: foobar
       dnsChallenge:
         provider: foobar
-        delayBeforeCheck: 42s
         resolvers:
           - foobar
           - foobar
+        propagation:
+          disableChecks: true
+          disableANSChecks: true
+          requireAllRNS: true
+          delayBeforeChecks: 42s
+        delayBeforeCheck: 42s
         disablePropagationCheck: true
       httpChallenge:
         entryPoint: foobar
@@ -527,10 +532,15 @@ certificatesResolvers:
       caServerName: foobar
       dnsChallenge:
         provider: foobar
-        delayBeforeCheck: 42s
         resolvers:
           - foobar
           - foobar
+        propagation:
+          disableChecks: true
+          disableANSChecks: true
+          requireAllRNS: true
+          delayBeforeChecks: 42s
+        delayBeforeCheck: 42s
         disablePropagationCheck: true
       httpChallenge:
         entryPoint: foobar

pkg/config/static/static_config.go

@@ -306,6 +306,36 @@ func (c *Configuration) SetEffectiveConfiguration() {
 		c.Providers.KubernetesIngress.DefaultRuleSyntax = c.Core.DefaultRuleSyntax
 	}
 
+	for _, resolver := range c.CertificatesResolvers {
+		if resolver.ACME == nil {
+			continue
+		}
+
+		if resolver.ACME.DNSChallenge == nil {
+			continue
+		}
+
+		if resolver.ACME.DNSChallenge.DisablePropagationCheck {
+			log.Warn().Msgf("disablePropagationCheck is now deprecated, please use propagation.disableAllChecks instead.")
+
+			if resolver.ACME.DNSChallenge.Propagation == nil {
+				resolver.ACME.DNSChallenge.Propagation = &acmeprovider.Propagation{}
+			}
+
+			resolver.ACME.DNSChallenge.Propagation.DisableChecks = true
+		}
+
+		if resolver.ACME.DNSChallenge.DelayBeforeCheck > 0 {
+			log.Warn().Msgf("delayBeforeCheck is now deprecated, please use propagation.delayBeforeCheck instead.")
+
+			if resolver.ACME.DNSChallenge.Propagation == nil {
+				resolver.ACME.DNSChallenge.Propagation = &acmeprovider.Propagation{}
+			}
+
+			resolver.ACME.DNSChallenge.Propagation.DelayBeforeChecks = resolver.ACME.DNSChallenge.DelayBeforeCheck
+		}
+	}
+
 	c.initACMEProvider()
 }