I'm working on a setup where a load balancer would be running on server1. It routes to 3 other servers (2,3,4). I want the encrypted connections to pass through server 1 without terminating and instead terminate at each final server. The scheme I have in mind is for Traefik to run on server 2 where it will automatically get a Let's Encrypt certificate and auto renew. Then, I would run Traefik on servers 3 and 4 but with the static certificate mode, using a file sync system to sync any new certs from server 2 over to servers 3 and 4.
Is this a workable setup? Or is there a better/simpler way to do this?
LetsEncrypt with multiple Traefik instances (in Docker Swarm) can be a pain. The certs are stored in acme.json, but you need a tool to export them to be readable as TLS crt/key.
Only a single Traefik instance can be the front line for LetsEncrypt; you can't have them in parallel except when using Traefik Enterprise Edition, which enables distributed LetsEncrypt.
I created a prototype to use a single certbot behind Traefik and share the certs via http, to be consumed by provider.http.
Another way to share certs is with a shared file system. I created another prototype to use SyncThing for that (not inline yet). With that, the cert files are always local, so a share failure has no immediate impact.
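The export step the answer mentions (turning Traefik's acme.json into plain crt/key files that the other Traefik instances can load as static certificates), as an added example that is not part of this thread or of Traefik itself. It assumes the Traefik v2 acme.json layout (a top-level key per certificate resolver, each with a `Certificates` list whose `certificate` and `key` fields are base64-encoded PEM); the sample acme.json content below is constructed, with placeholder PEM bodies.

```python
import base64
import json
import stat
import tempfile
from pathlib import Path

def export_certs(acme_json_text: str, out_dir: Path) -> list[str]:
    """Write one <main-domain>.crt/.key pair per certificate in acme.json."""
    data = json.loads(acme_json_text)
    out_dir.mkdir(parents=True, exist_ok=True)
    exported = []
    for resolver, entry in data.items():  # one entry per certificate resolver
        for cert in entry.get("Certificates") or []:
            main = cert["domain"]["main"]
            # Both fields hold base64-encoded PEM in acme.json (v2 layout assumed).
            crt = base64.b64decode(cert["certificate"])
            key = base64.b64decode(cert["key"])
            if not (crt.startswith(b"-----BEGIN") and key.startswith(b"-----BEGIN")):
                raise ValueError(f"{resolver}/{main}: decoded data is not PEM")
            stem = main.replace("*", "_wildcard")  # '*' is not a safe filename character
            (out_dir / f"{stem}.crt").write_bytes(crt)
            key_path = out_dir / f"{stem}.key"
            key_path.write_bytes(key)
            key_path.chmod(0o600)  # the key will be synced to other hosts: keep it owner-only
            exported.append(main)
    return exported

# Constructed sample in the acme.json shape; the PEM bodies are placeholders.
SAMPLE_ACME_JSON = json.dumps({"le": {
    "Certificates": [{
        "domain": {"main": "app.example.test", "sans": ["www.example.test"]},
        "certificate": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n").decode(),
        "key": base64.b64encode(
            b"-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n").decode(),
        "Store": "default",
    }],
}})

def run_demo() -> dict:
    """Export the sample into a temp dir and report what was written."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp)
        domains = export_certs(SAMPLE_ACME_JSON, out)
        key_path = out / "app.example.test.key"
        return {"domains": domains,
                "crt_pem": (out / "app.example.test.crt").read_bytes(),
                "key_mode": stat.S_IMODE(key_path.stat().st_mode)}
```

Whatever syncs the resulting files to servers 3 and 4 should preserve the 0600 mode on the .key files, and the Traefik file provider on those hosts then points at the exported crt/key pair.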