Default certificate from letsencrypt

What @FrancYescO provided is the solution here. But it would be great if you could set the default Traefik SSL certificate to a certificate in the acme.json store versus dumping it and configuring it.

Updated to work with Traefik v2. Be gentle, I'm a newb.

  traefik-certs-dumper:
    image: ldez/traefik-certs-dumper:v2.7.0
    container_name: traefik-certs-dumper
    entrypoint: sh -c 'apk add jq;
      while ! [ -e /data/acme.json ] || ! [ `jq ".[] | select(.Certificates?) | .Certificates | length" /data/acme.json` != 0 ]; do
          sleep 1;
      done && traefik-certs-dumper file --source /data/acme.json --dest /data/certs --version v2;
      traefik-certs-dumper file --watch --source /data/acme.json --dest /data/certs --version v2'
    volumes:
      - /srv/traefik/:/data

Thanks @Idez, I didn't understand it at first but figured it out.

Define the defaultgeneratedcert

      - "traefik.tls.stores.default.defaultgeneratedcert.resolver=letsencrypt"
      - "traefik.tls.stores.default.defaultgeneratedcert.domain.main=domain.com"
      - "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=*.domain.com, *.docker01.domain.com"

But this won't generate a certificate using the above resolver. You need to define an HTTPS router first.

      - traefik.http.routers.traefik-secure.tls=true
      - traefik.http.routers.traefik-secure.tls.domains[0].main=domain.com
      - traefik.http.routers.traefik-secure.tls.domains[0].sans=*.domain.com
      - traefik.http.routers.traefik-secure.tls.domains[1].sans=*.docker01.domain.com
      - "traefik.http.routers.traefik-secure.tls.certresolver=letsencrypt"

In each of your docker containers, don't even specify a resolver so they don't get included in the certificate since you already have a wildcard.

      - "traefik.enable=true"
      - "traefik.http.routers.kuma-secure.entrypoints=websecure"
      - "traefik.http.routers.kuma-secure.rule=Host(`kuma.docker01.domain.com`,`kuma.domain.com`)"
      - "traefik.http.routers.kuma-secure.tls=true"
      - "traefik.http.routers.kuma-secure.service=kuma"
      - "traefik.http.services.kuma.loadbalancer.server.port=3001"
      - "traefik.docker.network=traefik-proxy"

I might be misunderstanding this, so correct me if I'm wrong.

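Added example, not part of the posts above: a check that every hostname used in a `Host()` rule on a router with `tls=true` and no resolver is actually covered by a name stored in acme.json, since a wildcard only matches one label and an uncovered host is answered with the default certificate instead. The acme.json layout (resolver name, then `Certificates`, then `domain.main` / `domain.sans`) is assumed from the jq filter in the thread, and the sample data and function names are constructed for illustration.

```python
import json

# Constructed sample mirroring the layout the jq filter in the thread expects:
# resolver name -> {"Certificates": [{"domain": {"main", "sans"}, ...}]}.
SAMPLE_ACME = json.dumps({
    "letsencrypt": {
        "Certificates": [{
            "domain": {"main": "domain.com",
                       "sans": ["*.domain.com", "*.docker01.domain.com"]},
            "certificate": "<base64 placeholder>",
            "key": "<base64 placeholder>",
        }]
    }
})


def stored_names(acme_text):
    """Return every main/SAN name held by any resolver in acme.json."""
    names = set()
    for resolver in json.loads(acme_text).values():
        if not isinstance(resolver, dict):
            continue
        for cert in resolver.get("Certificates") or []:
            domain = cert.get("domain", {})
            names.add(domain.get("main", "").lower())
            names.update(s.lower() for s in domain.get("sans") or [])
    names.discard("")
    return names


def covers(pattern, host):
    """A wildcard matches exactly one leftmost label, never the parent or deeper levels."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    label, _, parent = host.partition(".")
    return bool(label) and parent == pattern[2:]


def uncovered(acme_text, hosts):
    """Hosts from Host() rules that no stored certificate name covers."""
    names = stored_names(acme_text)
    return [h for h in hosts if not any(covers(n, h) for n in names)]


if __name__ == "__main__":
    hosts = ["kuma.docker01.domain.com", "kuma.domain.com", "a.b.domain.com"]
    print(uncovered(SAMPLE_ACME, hosts))
```

To run it against a real store, pass the contents of the acme.json file (for example the one mounted at `/data/acme.json` in the dumper container) to `uncovered()` in place of `SAMPLE_ACME`.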