
Store Traefik Let's Encrypt certificates not as JSON

You know Traefik is able to do all the Let's Encrypt stuff (request and renew) for your web services. But Traefik stores the requested certificates as a JSON file, which isn't the common format for certificates.

I also want to use the Let's Encrypt certificates for my mail server, so I need them in a simple format: *.pem or *.crt.

Here is my question: is it possible for Traefik to store the Let's Encrypt certificates in a common format?

Thanks for the help!

BeerCamper asked Jan 30 '23 06:01


2 Answers

I'm using jq to do this

export certificate

cat acme.json | jq -r '.Certificates[] | select(.Domain.Main=="'www.example.com'") | .Certificate' | base64 -d > www.example.com.crt

export private key

cat acme.json | jq -r '.Certificates[] | select(.Domain.Main=="'www.example.com'") | .Key' | base64 -d > www.example.com.key


Traefik with Consul as KV store

export JSON containing certificate and private key

consul kv get traefik/acme/account/object | gzip -dc | jq -r '.DomainsCertificate.Certs[] | select(.Domains.Main=="'www.example.com'") | .Certificate' > www.example.com.json

export certificate only

consul kv get traefik/acme/account/object | gzip -dc | jq -r '.DomainsCertificate.Certs[] | select(.Domains.Main=="'www.example.com'") | .Certificate.Certificate' | base64 --decode > www.example.com.crt

export private key only

consul kv get traefik/acme/account/object | gzip -dc | jq -r '.DomainsCertificate.Certs[] | select(.Domains.Main=="'www.example.com'") | .Certificate.PrivateKey' | base64 --decode > www.example.com.key

backup Consul

backup

consul kv get -base64 traefik/acme/account/object > backup-base64

restore

cat -s backup-base64 | base64 --decode | consul kv put traefik/acme/account/object -
Camil answered Feb 12 '23 10:02
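
An added example, not part of Camil's answer: the file-based export above done in Python for the acme.json layout those jq filters read, creating the private key with mode 0600 and replacing files atomically so the mail server never reads a half-written key. The function names and the dummy PEM bodies in SAMPLE are constructed for illustration.

```python
import base64
import json
import os
import tempfile

# Constructed sample in the layout the jq filters above read
# (.Certificates[].Domain.Main / .Certificate / .Key); the PEM bodies are dummies.
SAMPLE = {"Certificates": [{
    "Domain": {"Main": "www.example.com", "SANs": None},
    "Certificate": base64.b64encode(
        b"-----BEGIN CERTIFICATE-----\nZHVtbXk=\n-----END CERTIFICATE-----\n").decode(),
    "Key": base64.b64encode(
        b"-----BEGIN RSA PRIVATE KEY-----\nZHVtbXk=\n-----END RSA PRIVATE KEY-----\n").decode(),
}]}


def atomic_write(path, data, mode):
    """Write data to path via a temp file that is 0600 from creation."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.chmod(tmp, mode)
        os.replace(tmp, path)  # readers never see a half-written file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


def export_cert(acme_path, domain, dest_dir):
    """Export <domain>.crt (0644) and <domain>.key (0600) from acme.json."""
    if os.path.basename(domain) != domain or domain in ("", ".", ".."):
        raise ValueError("domain must be a plain name, not a path")
    with open(acme_path) as fh:
        store = json.load(fh)
    matches = [c for c in store.get("Certificates") or []
               if c["Domain"]["Main"] == domain]
    if len(matches) != 1:
        raise LookupError(f"{domain}: expected 1 entry, found {len(matches)}")
    written = {}
    for suffix, field, mode in ((".crt", "Certificate", 0o644), (".key", "Key", 0o600)):
        pem = base64.b64decode(matches[0][field], validate=True)
        if not pem.startswith(b"-----BEGIN "):
            raise ValueError(f"{field} of {domain} does not decode to PEM")
        written[suffix] = atomic_write(os.path.join(dest_dir, domain + suffix), pem, mode)
    return written
```

The shell redirects in the answer create the .key file with the caller's umask, so running `umask 077` first gives the same protection when staying with jq.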


The most popular solution is ldez/traefik-certs-dumper. In case of docker-compose you need something along the following lines:

version: '3'

services:
    traefik:
        image: traefik:1.7
        command:
            --entryPoints='Name:http Address::80'
            --entryPoints='Name:https Address::443 TLS'
            --defaultentrypoints=http,https
            --logLevel=DEBUG
            --docker
            --docker.exposedByDefault=false
            --acme
            --acme.acmeLogging=true
            --acme.entrypoint=https
            --acme.storage=/data/acme.json
            --acme.onHostRule=true
            --acme.httpChallenge.entryPoint=http
        ports:
            - 8001:80
            - 8002:443
        volumes:
            - /var/run/docker.sock:/var/run/docker.sock
            - .:/data

    traefik-certs-dumper:
        image: ldez/traefik-certs-dumper:v2.7.0
        entrypoint: sh -c '
            apk add jq
            ; while ! [ -e /data/acme.json ]
                || ! [ `jq ".Certificates | length" /data/acme.json` != 0 ]; do
                    sleep 1
                ; done
            && traefik-certs-dumper file --watch 
                --source /data/acme.json --dest /data/certs'
        volumes:
            - .:/data

    # test service
    whoami:
        image: containous/whoami
        labels:
            traefik.enable: true
            traefik.frontend.rule: Host:example.com

traefik ports are published to 8001 and 8002. I assume here that you need certificates as separate files because you want to put traefik behind another proxy.

x-yuri answered Feb 12 '23 11:02