Traefik + Let's Encrypt TLS-ALPN-01 Certificate Management

The need to manage and provide certificates for a large amount of domains (100k+) is said to be supported by Traefik in combination with a KV store for dynamic router configuration.
The chosen method is TLS-ALPN-01 because port 80 is blocked for HTTP-01, and DNS server management isn't an option, so that rules out DNS-01.

Is it possible to store certificates in a KV?
Is there an upper limit to how many domains traefik can handle?
Will Traefik be able to handle hundreds of thousands of domain certs?

From what I gathered, on the one hand @emilevauge stated in this thread that Traefik benchmarks worked with over 100k frontends/domains, but in the documentation there is no mention of how many domains are supported.

Regarding the KV configuration and cert store, I found another thread stating that the feature to utilize a KV to store certificates has been deprecated since the beginning of Traefik 2.x. However, @geraldcroes mentioned here that with the usage of third-party software, for example CertManager, it is possible to manage the certificates for Traefik, but I am looking for a compatible solution that runs on k8s and also has the ability to validate using the TLS-ALPN-01 method.

Thanks for your help!

Hello @LordG66

Currently, there is no possibility to store certificates in KV. The certificates issued through Let's Encrypt will be stored in a file that is configured as storage for certificates. More details concerning that are available here.

There is no hard limit defined in Traefik. The limit is the available memory for Traefik, so at a specific point the process might be killed with OOM.

The limitation here is the available memory for the Traefik instance, as I mentioned earlier.

Regarding the integration of Traefik Proxy with Cert Manager, there is a nice tutorial available:

Please let us know if you have more questions concerning that topic.
Thank you,
jakub,
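As an added illustration of the file-based storage described above (not code from this thread or from the Traefik project), here is a minimal Traefik 2.x static configuration that enables the TLS-ALPN-01 challenge, followed by a Kubernetes IngressRoute that requests a certificate from that resolver; the resolver name, e-mail address, domain, storage path and Service name are assumed placeholders.

```yaml
# Added example (assumed values): Traefik 2.x static configuration, e.g. traefik.yml
entryPoints:
  websecure:
    address: ":443"              # TLS-ALPN-01 validates on 443, so a blocked port 80 is fine

certificatesResolvers:
  le-alpn:                       # assumed resolver name
    acme:
      email: ops@example.org     # assumed contact address
      storage: /data/acme.json   # account key and issued certificates are kept in this file
      # Put the file on a persistent volume with mode 0600: it contains private keys,
      # and Traefik refuses to start with more permissive permissions.
      tlsChallenge: {}           # TLS-ALPN-01; Let's Encrypt must reach this entry point on :443
      # Use the staging CA while testing to stay within issuance rate limits:
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
---
# Dynamic configuration: a Kubernetes IngressRoute that asks the resolver for a certificate
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: site-example             # assumed
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`site.example.org`)   # assumed domain
      kind: Rule
      services:
        - name: site-svc                # assumed backend Service
          port: 80
  tls:
    certResolver: le-alpn
```

The storage file is local to a single Traefik instance and is not shared between replicas, so scaling out Traefik multiplies certificate requests and memory use per instance, which is the practical reason the thread points to an external issuer such as Cert Manager for very large domain counts.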

Hey @jakubhajek,

Thanks for your insight and quick response!

Regarding the amount of memory needed, of course the cert store is dependent on the size of the PVC, but if supplied with enough memory, can Traefik handle hundreds of thousands of certificates + renewals?
If so, how much memory is enough?

Is there any other known ACME client that is also integrated into k8s to simplify the management of certificates, such as the way CertManager handles k8s secrets to leverage certificates?

Thanks!

It is hard to estimate the limits on the number of processed certificates. It depends on many factors, e.g. the key size of the certificate and the number of alternative domains added to the certificate.

Theoretically speaking, the limitations are the resources assigned to the Traefik instance. More certificates mean more memory because Traefik loads certificates into memory, but CPU is also an important factor.

In a real production environment, having a monitoring solution implemented is crucial to see the condition of a component and its resource consumption. Going further, setting the right limits is very important to avoid accidental OOM.

I hope that helps to give you the big picture of the problem you have raised.
Thanks