We are running Traefik 1.7 (Docker image traefik:v1.7.26), and I'm currently trying to get the TLS configuration to reload dynamically - without having to restart Traefik - whenever we make any changes to it.
According to the documentation, this should be possible using the file provider. We have a configuration using multiple separated files, with the directory option set to
"/etc/traefik/file-rules" (which is a directory mounted in the Docker configuration) and the watch option set to
"/etc/traefik/file-rules" we have placed a file
certificates.toml with the following content:
```toml
# HTTPS certificates
[[tls]]
  entryPoints = ["https"]
  minVersion = "VersionTLS12"
  [tls.certificate]
    certFile = "/etc/ssl/foo.local.crt"
    keyFile = "/etc/ssl/foo.local.key"

# [[tls]]
#   entryPoints = ["https"]
#   minVersion = "VersionTLS12"
#   [tls.certificate]
#     certFile = "/etc/ssl/bar.local.crt"
#     keyFile = "/etc/ssl/bar.local.key"
```

(/etc/ssl is also a directory mounted in the Docker configuration)
With this configuration, I can successfully navigate to https://foo.local/, and I get a valid TLS connection (foo.local takes me to a Docker container running traefik/whoami with a host rule for foo.local). Based on this, my simple conclusion is that at least our basic configuration is correct.
https://bar.local/ (a different traefik/whoami container with a host rule for bar.local) naturally gives me a certificate error (since no certificate exists for that host, I get the default untrusted Traefik certificate).
Now what I would like to achieve is to simply remove the comments for the bar.local certificate, save the file, and get the configuration dynamically reloaded. This however does not happen. I would also like to be able to replace the foo.local certificate files and get the new certificate dynamically updated. This doesn't happen either. If I however restart the Traefik container, all changes are reflected and I get a valid certificate for https://bar.local/ and a new certificate is served for https://foo.local/ (which indicates that the configuration is still correct).
My question is therefore: Why doesn't the certificate configuration reload dynamically? Both the documentation and this old merge request from way back in 2017 indicate that this should indeed be possible.
We do also have other toml files in the file-rules directory (with various route rules for different frontends), and for that route configuration the dynamic reloading works as expected.