After searching the docs and this forum I am still confused about the usage of predefined TLS certificates referenced with the "dynamic" file provider.
Also I'm not getting what's the deal with tls.stores and how to use it.
For Example:
If I have a wildcard certificate and a TLS key file that are referenced by "dynamic_conf.toml" with the file provider,
all I have to write is this:
Hi @lachnerd, I'm trying to answer with the best of my abilities and understanding:
When Traefik loads the dynamic configuration from the file provider, assuming you're using the TOML syntax for the dynamic configuration, it behaves like this: for each [[tls.certificates]] directive, it adds the defined certificate (and its associated key) to the default store. It also extracts the subject (and eventually the alternative subjects) from the certificate to identify the domains covered by this certificate.
=> When enabling "TLS" on a router, any request handled by this router is parsed by Traefik, which extracts the host. Then, Traefik searches in the certificate store if there is a certificate with a subject matching this host. If one is found, then it is used. If no certificate is used, then Traefik falls back to the "Default autogenerated self signed certificate". The behavior is the same with Let's Encrypt: any certificate requested successfully is added to this default store.
Yes of course, by using the right TOML syntax. For instance:
```toml
# dynamic_conf.toml
# ...
# Add Certificate for domainA.com (can be wildcard, single subject, or even with SAN)
[[tls.certificates]]
certFile = "/certs/domainA.com/fullchain.crt"
keyFile = "/certs/domainA.com/tls.key"
# Add Certificate for domainB.com (can be wildcard, single subject, or even with SAN)
[[tls.certificates]]
certFile = "/certs/domainB.com/fullchain.crt"
keyFile = "/certs/domainB.com/tls.key"
# etc.
```
Please note that with Traefik v2.0, the YML syntax is also supported: in this particular case, it might be easier to get the concept of "collection of certificates":
Don't worry about the stores. You can see this as a "black box" thing. For now (Traefik v2.0), only the "default" store is available. This is a remnant of the foundation changes from 1.7 to 2.0. I can't say if a feature will come out from this, but consider you're using the default store, and don't overload your config with this.
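To make the store-and-lookup behaviour described above concrete, here is an added Go sketch (not code from this thread or from Traefik itself): certificates are generated in memory for the example, indexed under every domain taken from their subject CN and SAN list, and looked up by the request host with the wildcard and default-certificate fallback. The `Store`, `defaultCert` and `makeCert` names are this example's own, not Traefik's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
)

// makeCert builds an in-memory self-signed test cert with subject CN names[0] and
// all of names as SANs (constructed for the example; Traefik reads certFile/keyFile PEM).
func makeCert(names ...string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: names,
		Subject: pkix.Name{CommonName: names[0]}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above always parses
	return cert
}

// Store models Traefik's single "default" store: each loaded certificate is indexed
// under every domain found in its subject CN and SAN list (lower-cased).
type Store map[string]*x509.Certificate

var defaultCert = makeCert("default-self-signed") // stands in for the autogenerated cert

func (s Store) Add(c *x509.Certificate) {
	for _, d := range append([]string{c.Subject.CommonName}, c.DNSNames...) {
		s[strings.ToLower(d)] = c
	}
}

// Lookup: exact host match first, then a wildcard covering exactly one label
// (*.domainA.com does not cover a.b.domainA.com), else the default self-signed cert.
func (s Store) Lookup(host string) *x509.Certificate {
	host = strings.ToLower(host)
	if c, ok := s[host]; ok {
		return c
	}
	if i := strings.Index(host, "."); i > 0 {
		if c, ok := s["*"+host[i:]]; ok {
			return c
		}
	}
	return defaultCert
}
```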
One of the problems with certs in v1 was that for a highly available setup you could store them in consul or etcd. At the same time, the size of a value in those stores is usually small. This resulted in the fact that only about a hundred certs would fit into the store and not more.
This was a very common complaint. Unfortunately, this was very hard to fix due to how atomicity is handled in those key-value stores.
I think that the traefik team might consider better support for those HA scenarios in the Enterprise version of traefik. If so, apparently alternate stores from the default are needed for the same reason they existed in v1 - you cannot share the same acme.json between several instances of traefik; it will not be very stable due to concurrency. This is the idea behind the stores.