Puzzle of traefik non-root in docker and 'outside of docker' letsencrypt cert

I am running traefik in a container via docker compose. I want traefik to use the system-wide letsencrypt certificate. So I mapped the live letsencrypt cert into the container:

      - /etc/letsencrypt/live/foo.rna.nl/fullchain.pem:/foo.live.fullchain.pem:ro
      - /etc/letsencrypt/live/foo.rna.nl/privkey.pem:/foo.live.privkey.pem:ro

and in the dynamic toml, I have:

[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/foo.live.fullchain.pem"
      keyFile  = "/foo.live.privkey.pem"

This works.

This is also no problem when traefik runs as root, but I have changed traefik not to run as root, see https://community.traefik.io/t/running-traefik-as-non-root-in-a-container/16381. There I set an ACL on the privkey so traefik-non-root can read it.

But it turns out that ACL got removed somehow; it doesn't stick. I suspect some update action (e.g. an OS update or cert renewal) removed the ACLs I set (they're all gone). So setting an ACL is not a robust option, it seems.

If I want to use the cert that is maintained outside the container (i.e. not have traefik manage it) and I want to run traefik as non-root, what is a robust option? The only one I can think of is not to map the cert anymore but instead use a renewal hook to copy the cert into the source area of the container during renewal. Is there a better way?
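A renewal-hook script of the kind the post proposes, as an added example (it is not the poster's script and not Traefik or certbot project code). It assumes certbot is the ACME client (certbot exports RENEWED_LINEAGE to deploy hooks), that traefik runs as a fixed non-root user or UID (TRAEFIK_UID, assumed), and that the compose file bind-mounts a host directory such as /srv/traefik/certs (assumed path) read-only into the container instead of the individual live/ files, with certFile/keyFile in the dynamic config pointing at the copies. The hook copies the renewed files into that directory, chowns them to the traefik UID with restrictive modes, and renames them into place so the container never observes a half-written key:

```shell
#!/bin/sh
# Hypothetical certbot deploy hook (added example, not from the post).
# Install as /etc/letsencrypt/renewal-hooks/deploy/traefik.sh (assumed path)
# or pass it with --deploy-hook; certbot sets RENEWED_LINEAGE when it runs.
set -eu

# copy_cert_for_traefik LINEAGE_DIR DEST_DIR OWNER
#   LINEAGE_DIR  e.g. /etc/letsencrypt/live/foo.rna.nl (what certbot renewed)
#   DEST_DIR     host directory bind-mounted read-only into the container
#   OWNER        user or uid that traefik runs as inside the container
# Returns non-zero without touching DEST_DIR if either input file is unreadable.
copy_cert_for_traefik() {
    lineage="$1"
    dest="$2"
    owner="$3"

    [ -r "$lineage/fullchain.pem" ] || { echo "no readable fullchain.pem in $lineage" >&2; return 1; }
    [ -r "$lineage/privkey.pem" ]   || { echo "no readable privkey.pem in $lineage" >&2; return 1; }

    # Directory owned by traefik's uid, not world-readable; the compose
    # mount is ro so the container cannot modify it even if compromised.
    mkdir -p "$dest"
    chown "$owner" "$dest"
    chmod 0750 "$dest"

    # Copy to temp names with final modes and owner already applied,
    # then rename atomically: a reader sees either the old or the new file.
    install -m 0644 "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
    install -m 0600 "$lineage/privkey.pem"   "$dest/privkey.pem.tmp"
    chown "$owner" "$dest/fullchain.pem.tmp" "$dest/privkey.pem.tmp"
    mv -f "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv -f "$dest/privkey.pem.tmp"   "$dest/privkey.pem"
}

# Entry point when certbot invokes the hook; does nothing when sourced/tested.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_cert_for_traefik "$RENEWED_LINEAGE" \
        "${TRAEFIK_CERT_DIR:-/srv/traefik/certs}" \
        "${TRAEFIK_UID:-traefik}"
fi
```

Two caveats. First, the entries in /etc/letsencrypt/live are symlinks into archive/, so a bind mount of a single live/ file resolves to one archive file at container start and will not follow the symlink when certbot renews; copying real files into a mounted directory avoids that. Second, whether Traefik reloads a replaced certificate file without a change to the dynamic config file itself should be verified on the version in use; if it does not, the conservative option is to have the hook also run `docker restart` on the traefik container after the copy.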

This sounds more like a Docker challenge than a Traefik-related one.

Yes. Though I must add that the whole Docker challenge came to pass because of a Traefik issue: https://community.traefik.io/t/traefik-v2-and-docker-compose-no-default-certificate/16146/7