Docker-swarm, running traefik in replicated mode with ACME

Hello,

Already browsed through the forum and searched Google a bit, but unable to find a definitive answer.

I'm migrating away from Traefik v1.7 to v2.1. My current setup consists of Traefik running replicated across my manager nodes. The configuration of my Traefik instances is stored in Consul, and with it the acme.json for ACME.

I understand the Consul backend for ACME has been removed, since this caused issues. My thought was to simply use an NFS share and have all Traefik replicas use the same acme.json, however the documentation quite clearly states that one shouldn't do this.

Running 3 replicas and having all 3 maintain their own acme.json would also result in undefined behavior (depending on which replica you hit).

My question here is, what's the proposed migration path here? From Traefik 1.7 using a "HA" ACME setup to 2.1? When running a LB for "production" services, I consider it to be a prerequisite to at least run 2 replicas.

Thanks for your insights, and apologies if this has been asked and answered already elsewhere.

Did you find out anything about this? I'm quite surprised it's not detailed.

After some digging around, it seems like with v2 the ability to do what we want here is now moved behind a paywall in 'Enterprise Edition'.

If 'distributed Let's Encrypt' means what I think it does, on this page.

I'd say the alternative likely involves using the 'exec' DNS provider in the ACME config.

I would really appreciate some guidance here on best practices for the ACME DNS challenge on a globally deployed Traefik instance in a Docker Swarm environment.

Hello,
I'm also interested in getting HA for my Traefik CE 2 setup.

From what I've read, the only obstacle preventing deploying multiple instances of Traefik CE is the use of the embedded ACME/Let's Encrypt.

Has anyone tried to run Let's Encrypt outside of the Traefik container(s) and map the /.well-known/acme-challenge/ URI to that external Let's Encrypt container? Then it could be possible to share the certificates via an NFS volume, for instance, and make use of them in Traefik?

With this setup we could be able to run multiple instances of Traefik.

I think this issue summarizes the current situation quite well:
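
The setup asked about earlier in the thread (an ACME client running outside Traefik, the challenge path routed to it, and the issued certificates shared with every replica), sketched as Traefik v2 configuration. This is an added example, not part of the thread and not something its participants report having run; `acme-client`, port 8080, `example.com` and the `/certs` and `/etc/traefik/dynamic` paths are assumed placeholders.

```yaml
# Added example. All service names, hostnames and paths are placeholders.
#
# File 1: static configuration (traefik.yml), identical on every replica.
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
providers:
  docker:
    swarmMode: true
    exposedByDefault: false
  file:
    directory: /etc/traefik/dynamic   # contains File 2
    watch: true                       # pick up renewed certificates
# No certificatesResolvers section: no replica requests certificates itself,
# so there is no acme.json for the replicas to write to concurrently.
---
# File 2: dynamic configuration (/etc/traefik/dynamic/tls.yml).
http:
  routers:
    acme-challenge:
      # Whichever replica receives the HTTP-01 validation request
      # forwards it to the one external ACME client.
      rule: "PathPrefix(`/.well-known/acme-challenge/`)"
      entryPoints:
        - web
      priority: 1000                  # win over application routers on :80
      service: acme-client
  services:
    acme-client:
      loadBalancer:
        servers:
          - url: "http://acme-client:8080"   # hypothetical single-replica service
tls:
  certificates:
    # Written by the ACME client to the shared volume.
    # Mount this volume read-only into the Traefik containers.
    - certFile: /certs/example.com/fullchain.pem
      keyFile: /certs/example.com/privkey.pem
```

The shared volume now holds the private keys, so restrict the NFS export to the Swarm nodes and keep the key files readable only by the Traefik user. inotify does not report changes made from another NFS client, so `watch: true` may miss a renewal and the replicas may need a rolling restart after one.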