Traefik not loading certificates dynamically

I'm using Traefik in an AWS ECS cluster with the file directive to load certificates as they are created dynamically. However, Traefik doesn't seem to be processing the updates. Below is the toml configuration I'm using for testing. As you can see, I'm using the [file] directive to watch a directory that has toml files added to it when a new certificate is created.

When I add new toml files to the directory Traefik doesn't update??? Yet if I restart the service in AWS ECS Traefik loads the configuration just fine. Why doesn't it update dynamically???

defaultEntryPoints = ["http", "https"]

[ecs]
  clusters = ["dev"]
  watch = true
  refreshSeconds = 15
  exposedByDefault = true
  region = "us-west-2"

[entryPoints]
  [entryPoints.http]
    address = ":80"
    compress = true
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.forwardedHeaders]
      trustedIPs = ["127.0.0.1/32", "10.75.0.0/16"]
    [entryPoints.https.proxyProtocol]
      trustedIPs = ["127.0.0.1/32", "10.75.0.0/16"]
    [entryPoints.https.tls]
      [entryPoints.https.tls.defaultCertificate]
        certFile = "/certs/dwsites.ca/fullchain.pem"
        keyFile = "/certs/dwsites.ca/privkey.pem"

[file]
directory = "/etc/traefik/certs/"
watch = true

Below is an example of one of the files in the directory that Traefik should be watching for changes and updating itself automatically. It's a dynamic certificate definition.

[[tls]]
   entryPoints = ["https"]
   [tls.certificate]
     certFile = "/certs/domain.com/fullchain.cer"
     keyFile = "/certs/domain.com/domain.com.key"

Hello @zoomage,

Are those directories mounted from shared storage (like NFS or SMB)?

Yes. I'm using AWS EFS for shared storage of the certificates and various other artifacts. I should mention that the certificates are not created using Traefik. They are created outside of Traefik using other tools and placed on shared storage.

Hello @zoomage,

Traefik uses inotify to watch for filesystem changes. Unfortunately there is an issue with docker mounted volumes (https://github.com/moby/moby/issues/18246) where inotify is not triggered.

There are a few tools out there that can poll and watch and trigger an inotify event, but those would need to be tailored to your environment.

In that moby thread there are also suggestions of using rsync instead of mounting volumes. I don't know if that would work, but it may be something to investigate.

Thanks Daniel,

That explains why I'm not getting the updates. I suppose I could just move the certificates into a Consul Key Store, which should allow Traefik to pick up the new certificates as they are added to the Consul store.
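The polling approach mentioned in the reply about inotify, as an added example that is not part of the original thread or of Traefik itself: a small sidecar polls the shared mount and mirrors changed files into a local directory, where the atomic rename produces the filesystem event the file watcher needs. The shared mount path, the poll interval and the function name are assumptions; it also assumes the sidecar runs as the same user as Traefik, since mirrored files are created with mode 0600.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

SHARED_DIR = Path("/mnt/efs/traefik-certs")  # assumed shared (EFS) mount, hypothetical path
LOCAL_DIR = Path("/etc/traefik/certs")       # directory named in the [file] section
POLL_SECONDS = 15                            # assumed polling interval


def sync_once(src: Path, dst: Path, seen: dict) -> list:
    """Mirror src into dst; return the names written or removed in this pass."""
    events = []
    current = {}
    for f in sorted(p for p in src.rglob("*") if p.is_file()):
        data = f.read_bytes()
        current[str(f.relative_to(src))] = (hashlib.sha256(data).hexdigest(), data)
    for rel, (digest, data) in current.items():
        if seen.get(rel) == digest:
            continue  # content unchanged since the last poll
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        # Write to a temp file first, then rename, so the final name
        # never holds a half-written file.
        fd, tmp = tempfile.mkstemp(dir=target.parent, prefix=".", suffix=".tmp")
        with os.fdopen(fd, "wb") as out:
            out.write(data)
        os.replace(tmp, target)  # mkstemp created the file with mode 0600
        seen[rel] = digest
        events.append(rel)
    # Files removed from the shared mount are removed locally as well.
    for rel in [r for r in seen if r not in current]:
        (dst / rel).unlink(missing_ok=True)
        del seen[rel]
        events.append(rel)
    return events


if __name__ == "__main__":
    state = {}
    while True:
        for name in sync_once(SHARED_DIR, LOCAL_DIR, state):
            print("synced", name)
        time.sleep(POLL_SECONDS)
```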