Automatically reload self-signed certificates

I'm trying to renew self-signed certificates on Traefik without having to restart pods every time.

So far I have tried the following configurations:

# docker-compose.yml
version: '3.9'

services:
  reverse-proxy:
    image: traefik:latest
    command:
      - --api.insecure=true
      - --providers.docker
      - --providers.file.directory=/etc/traefik/dynamic
      - --providers.file.watch=true
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/username/self_signed_cert/certs-traefik.yml:/etc/traefik/dynamic/certs-traefik.yml
      - /home/username/self_signed_cert/server.key:/etc/traefik/dynamic/server.key
      - /home/username/self_signed_cert/server.crt:/etc/traefik/dynamic/server.crt
      - /home/username/self_signed_cert/server.csr:/etc/traefik/dynamic/server.csr
      - /home/username/self_signed_cert/gen_self_signed_cert.sh:/gen_self_signed_cert.sh

# whoami-docker.yml
version: '3.9'

services:
  whoami:
    image: stefanscherer/whoami
    labels:
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.mydomain.com`)"
      - "traefik.http.services.whoami-service.loadbalancer.server.port=8080"

# certs-traefik.yml
tls:
  certificates:
    - certFile: /etc/traefik/dynamic/server.crt
      keyFile: /etc/traefik/dynamic/server.key

# gen_self_signed_cert.sh
apk add openssl

echo "[ whoami.mydomain ]\nsubjectAltName = DNS:whoami.mydomain.com" >> /etc/ssl1.1/openssl.cnf

cd /etc/traefik/dynamic

openssl genrsa -aes128 -passout pass:123 2048 > server.key

openssl rsa -in server.key -out server.key -passin pass:123

openssl req -utf8 -new -key server.key -out server.csr -subj "/C=US/ST=NY/L=NY/O=IT/OU=IT/CN=IT/emailAddress=myemail@gmail.com" -passin pass:123

openssl x509 -in server.csr -out server.crt -req -signkey server.key -extfile /etc/ssl1.1/openssl.cnf -extensions whoami.mydomain -days 1460 -passin pass:123

chmod 600 server.key

touch certs-traefik.yml

The initial certificate is generated by openssl as well.

I run the following commands and the containers come up:

docker-compose -f docker-compose.yml up -d
docker-compose -f whoami-compose.yml up -d

I have added the touch command hoping to trigger dynamic reloading according to this link. My intention is to automatically renew the certificate, e.g. every 5 minutes, using a loop like this on my host:

for i in $(seq 20); do
 docker exec -it <traefik-container-id> /bin/sh ./gen_self_signed_cert.sh
 sleep 300 # seconds
done

Although this generates new certificates in the container, the changes are not reflected at https://whoami.mydomain.com and the service uses the initial certificate every time. How can I make Traefik somehow watch the certificate files generated by openssl inside the container and use the renewed self-signed certificates?

First, you should not use an almost 2-year-old Traefik release.

I would expect that you only need to touch certs-traefik.yml to update the timestamp and have the watching providers.file reload the file.

Thank you. I changed the Traefik image version to latest and kept the other configurations (including the touch command and --providers.file.watch=true), but it is still the same.
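
An added diagnostic for the problem described in this thread (not code from any of the posters): it compares the SHA-256 fingerprint of server.crt on the host, the copy inside the container, and the certificate actually presented by Traefik, to show at which step a renewed certificate goes stale. The function names and usage arguments are assumptions; the container path is the one from the post.

```shell
#!/bin/sh
# Added example: locate where a renewed certificate goes stale.
# The container path comes from the post; function names are hypothetical.

# Extract the SHA-256 fingerprint from a PEM certificate read on stdin.
fp_stdin() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Fingerprint of a certificate file on the host.
cert_fp_file() {
    fp_stdin < "$1"
}

# Fingerprint of the file as seen inside the Traefik container ($1 = container id).
cert_fp_container() {
    docker exec "$1" cat /etc/traefik/dynamic/server.crt | fp_stdin
}

# Fingerprint of the leaf certificate served at $1 (host:port) for SNI name $2.
cert_fp_served() {
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null | fp_stdin
}

# True only when both fingerprints are non-empty and identical.
fp_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Compare host file, container file and served certificate; report the first mismatch.
check_reload() {
    host_fp=$(cert_fp_file "$1")
    cont_fp=$(cert_fp_container "$2")
    live_fp=$(cert_fp_served "$3" "$4")
    if ! fp_match "$host_fp" "$cont_fp"; then
        echo "MISMATCH: host and container copies of the certificate differ"; return 1
    fi
    if ! fp_match "$cont_fp" "$live_fp"; then
        echo "STALE: Traefik serves ${live_fp:-nothing}, file on disk is $cont_fp"; return 2
    fi
    echo "OK: served certificate matches $1"
}

# Usage: sh check_reload.sh <host-cert> <container-id> <host:port> <sni-name>
if [ "$#" -eq 4 ]; then
    check_reload "$@"
fi
```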