Traefik is not hot reloading the certificates

Hi,

I'm trying to find how to reload traefik when my certificates (that are stored in files updated via rsync every now and then) are renewed.
But it seems that when the certificate files are updated on the host, traefik doesn't load the new ones, and that is an issue because I have to manually restart traefik in order to update them.

Here is my compose traefik config:

version: '3.6'

services:

  traefik:
    image: traefik:v2.0
    command:
      - "--log.level=DEBUG"
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=docker
      - --providers.file.filename=config.toml
      - --providers.file.watch=true
      - --api.insecure=true
      - --accesslog=true
    networks:
      - traefik
    restart: always
    ports:
      - '80:80'
      - '443:443'
      - '8080:8080'
    volumes:
      - /home/web/data/config.toml:/config.toml
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/ssl/eri/:/etc/ssl/eri/:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"


networks:
  traefik:
    external: true

And the config.toml file:

defaultEntryPoints = ["http", "https"]

# Connection to docker host system (docker.sock)
[docker]
domain = "eri.network"
watch = true
# This will hide all docker containers that don't have explicitly
# set label to "enable"
exposedbydefault = false

# Force HTTPS
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "websecure"
  [entryPoints.websecure]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/ssl/eri/fullchain.pem"
      keyFile = "/etc/ssl/eri/privkey.pem"

[[tls.certificates]]
  certFile = "/etc/ssl/eri/fullchain.pem"
  keyFile  = "/etc/ssl/eri/privkey.pem"

Hoping that someone can help me.

Kind regards,

Dorian

It is better if you use providers.file.directory=/etc/traefik, mount your configuration into that path, and Traefik will load all the configuration files within said path.

Due to fsnotify being unreliable, Traefik will not watch individual certificate files; however, if you touch config.toml, this will force Traefik to reload the provider configuration (which includes the certificates), and those will be reloaded.

It's also worth noting that you have a mix of v1 and v2 Traefik in your configuration file, so you may want to take the time to remove some of the irrelevant pieces (pretty much everything except [[tls.certificates]]). Also, please update Traefik to the latest version for security updates and bug fixes: image: traefik:v2.3.2

Thanks for using Traefik and let us know if you have any other questions.
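
The step suggested in the reply above (touch the file provider's config once the certificate files have changed), written out as an added example; it is not part of the original thread and not Traefik tooling. It assumes the host paths from the compose file in the question, a hypothetical STATE_FILE location, a hypothetical --run switch, and that sha256sum is available on the host.

```shell
#!/bin/sh
# Added example: run on the Docker host after each rsync of the certificates.
# CERT_DIR and DYNAMIC_CONF default to the host paths from the compose file
# in the question; STATE_FILE is a hypothetical location for this example.
CERT_DIR="${CERT_DIR:-/etc/ssl/eri}"
DYNAMIC_CONF="${DYNAMIC_CONF:-/home/web/data/config.toml}"
STATE_FILE="${STATE_FILE:-/var/lib/cert-reload/fullchain.sha256}"

# Returns 0 if a reload was triggered, 1 if the certificate is unchanged,
# 2 if the files look incomplete (nothing is touched in that case).
reload_if_cert_changed() {
    cert="$CERT_DIR/fullchain.pem"
    key="$CERT_DIR/privkey.pem"

    # Do not trigger a reload on a half-finished or failed sync.
    if [ ! -s "$cert" ] || [ ! -s "$key" ]; then
        echo "cert or key missing/empty in $CERT_DIR" >&2; return 2
    fi
    b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cert" || true)
    e=$(grep -c -- '-----END CERTIFICATE-----' "$cert" || true)
    if [ "$b" -lt 1 ] || [ "$b" != "$e" ] ||
       ! grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$key"; then
        echo "cert or key is not complete PEM" >&2; return 2
    fi

    # The private key should not be readable by "other" on the host.
    if [ -n "$(find -L "$key" -perm -004 2>/dev/null)" ]; then
        echo "warning: $key is world-readable" >&2
    fi

    # Hash only the public chain and compare with the digest seen last time.
    new=$(sha256sum < "$cert" | cut -d' ' -f1)
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 1

    # Bump the mtime of the file-provider config, as suggested in the reply.
    touch "$DYNAMIC_CONF" || return 2
    mkdir -p "$(dirname "$STATE_FILE")" || return 2
    printf '%s\n' "$new" > "$STATE_FILE"
    return 0
}

# Hypothetical switch: "script.sh --run" performs the check once.
case "${1:-}" in --run) reload_if_cert_changed ;; esac
```

The script only triggers the reload; whether Traefik picked up the new certificate still has to be confirmed from its debug log or from the certificate served on :443.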

Hi,

Sorry for the (quite) late reply; the touch of the config.toml file doesn't seem to work, despite using providers.file.directory=/etc/traefik instead.

Any idea?

Thanks in advance.
