Puzzle of traefik non-root in docker and 'outside of docker' letsencrypt cert

I am running traefik in a container via docker compose. I want traefik to use the system wide letsencrypt certificate. So I mapped the live letsencrypt cert into the container:

      - /etc/letsencrypt/live/foo.rna.nl/fullchain.pem:/foo.live.fullchain.pem:ro
      - /etc/letsencrypt/live/foo.rna.nl/privkey.pem:/foo.live.privkey.pem:ro

and in the dynamic toml, I have:

      certFile = "/foo.live.fullchain.pem"
      keyFile  = "/foo.live.privkey.pem"

This works.

This is also no problem when traefik runs as root, but I have changed traefik not to run as root, see https://community.traefik.io/t/running-traefik-as-non-root-in-a-container/16381. There I set an ACL on the privkey so traefik-non-root can read it.

But it turns out that ACL got removed somehow, it doesn't stick. I suspect some update action (e.g. OS update or cert update) removed the ACLs I set (they're all gone). So, setting an ACL is not a robust option it seems.

If I want to use the cert that is maintained outside the container (so not have traefik manage it) and I want to run traefik as non-root, what is a robust option? The only one I can think of is not to map the cert anymore but instead use a renewal-hook to copy the cert into the source area of the container during renewal. Is there a better way?

This sounds more like a Docker challenge than Traefik related.

Yes. Though I must add the whole docker challenge came to pass because of a traefik issue: https://community.traefik.io/t/traefik-v2-and-docker-compose-no-default-certificate/16146/7