In Traefik 1 there was (and still is) a fundamental issue with Let's Encrypt in a distributed environment.
When you run several Traefik nodes that request certificates, it is not safe to use the file store, because more than one node can write to that store at the same time, and that does not work. Atomic writes on a file system have always been tricky. The solution Traefik 1 provides is a key-value store (either etcd or Consul). Both are distributed by nature, which guarantees that what one instance writes another one can read, and that simultaneous writes are handled as well.
However, the atomicity of these stores is scoped to a single value, and a single value has a size limit, in both etcd and Consul. Basically, neither store is designed to hold megabytes of data in one value.
This means that all certificates of a Traefik installation need to fit into a single value. They are compressed, but even so, some customers have installations with thousands of certificates, and they quickly hit the size limit.
Unfortunately it has turned out that there is no easy fix for this: you cannot safely spread the certificates over multiple values because of concurrency issues, and raising the size limit is either impossible (Consul) or comes with a hefty performance penalty (etcd).
This is the main reason that this GitHub issue is still open.
The new Traefik 2 promises "Distributed Let's Encrypt" on the Traefik Enterprise Edition page.
The new Traefik is going to be based on the Raft protocol (the same one etcd already uses) and will therefore have High Availability support built in.
Some information about this can be obtained from the following links:
- https://docs.containo.us/learning/concepts/ (Overall HA architecture)
- https://blog.containo.us/back-to-traefik-2-0-the-online-meet-up-4e4b6411fbfa (a video and some Q & A)
- http://thesecretlivesofdata.com/raft/ (Explanation of the Raft protocol itself)
However, even with the information above it is not really clear how "Distributed Let's Encrypt" is planned.
In particular, what is different about Traefik 2 EE compared to the etcd KV store that makes "Distributed Let's Encrypt" feasible when it was not with etcd in Traefik 1? And how will configuration be stored and distributed in Traefik 2 in HA mode?
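Added example, not code from the question or from Traefik: a toy single-value key-value store that models the two constraints described at the top of the post, the need for an atomic (compare-and-swap) write when several nodes update the one certificate blob, and the per-value size limit that the compressed blob eventually hits. The CAS semantics and the 512 KiB limit (Consul's default maximum value size) are assumptions standing in for the real etcd/Consul behaviour.

```python
import hashlib, json, zlib
VALUE_LIMIT = 512 * 1024  # assumption: Consul's default maximum KV value size

class KVStore:
    """Single value + revision + compare-and-swap: stand-in for the etcd/Consul atomic put."""
    def __init__(self):
        self.value, self.revision = b"", 0

    def put(self, value):  # unconditional: last writer wins, whatever it read
        self.value, self.revision = value, self.revision + 1

    def cas(self, value, expected_rev):  # write only if nobody wrote since our read
        if self.revision != expected_rev or len(value) > VALUE_LIMIT:
            return False
        self.put(value)
        return True

def encode(certs): return zlib.compress(json.dumps(certs).encode())
def decode(blob): return json.loads(zlib.decompress(blob)) if blob else {}
def fake_cert(n, chunks=128):  # constructed 8 KiB incompressible stand-in for cert chain + key
    return "".join(hashlib.sha256(f"{n}:{k}".encode()).hexdigest() for k in range(chunks))

def add_cert_cas(store, domain, pem):
    """Read-modify-write retried on conflict; False once the value no longer fits."""
    while True:
        blob, rev = store.value, store.revision
        certs = decode(blob); certs[domain] = pem
        if store.cas(encode(certs), rev):
            return True
        if store.revision == rev:  # nothing raced us, so the rejection was the size limit
            return False

def race(store, atomic):
    """Two nodes read one snapshot and both write: put silently loses a cert, CAS retries."""
    blob, rev = store.value, store.revision
    a = decode(blob); a["a.example"] = fake_cert(1)
    b = decode(blob); b["b.example"] = fake_cert(2)
    if atomic:
        store.cas(encode(a), rev)
        if not store.cas(encode(b), rev):  # rejected: revision moved on
            add_cert_cas(store, "b.example", fake_cert(2))
    else:
        store.put(encode(a)); store.put(encode(b))
    return sorted(decode(store.value))

def fill_until_limit(store):  # how many certs fit before one compressed value overflows
    n = 0
    while add_cert_cas(store, f"site{n}.example", fake_cert(n)):
        n += 1
    return n
```

`race(KVStore(), atomic=False)` ends with only `b.example` stored, while the CAS variant keeps both; `fill_until_limit` shows the whole installation's certificate count is capped by one value's size, which is exactly why splitting across values would be needed and exactly what the concurrency issue forbids.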