Skip to content

Dump ACME data from Traefik to certificates

License

Notifications You must be signed in to change notification settings

ldez/traefik-certs-dumper

Repository files navigation

traefik-certs-dumper

GitHub release Build Status Docker Image Version (latest semver) Go Report Card

If you appreciate this project:

Sponsor

Features

  • Supported sources:
    • file ("acme.json")
    • KV stores (Consul, Etcd, Zookeeper, Boltdb)
  • Watch changes:
    • from file ("acme.json")
    • from KV stores (Consul, Etcd, Zookeeper)
  • Output formats:
    • use domain as sub-directory (allow custom names and extensions)
    • flat (domain as filename)
  • Hook (only with watch mode and if the data source changes)

Installation

Download / CI Integration

curl -sfL https://raw.githubusercontent.com/ldez/traefik-certs-dumper/master/godownloader.sh | bash -s -- -b $(go env GOPATH)/bin v2.8.1

From Binaries

You can use pre-compiled binaries:

  • To get the binary just download the latest release for your OS/Arch from the releases page
  • Unzip the archive.
  • Add traefik-certs-dumper in your PATH.

From Docker

docker run ldez/traefik-certs-dumper:<tag_name>

Examples:

Usage

Examples

Note: to dump data from Traefik v2 or v3, the CLI flag --version v2 must be added.

Simple Dump

$ traefik-certs-dumper file
dump
├──certs
│  └──my.domain.com.key
└──private
   ├──my.domain.com.crt
   └──letsencrypt.key

Change source and destination

$ traefik-certs-dumper file --source ./acme.json --dest ./dump/test
test
├──certs
│  └──my.domain.com.key
└──private
   ├──my.domain.com.crt
   └──letsencrypt.key

Use domain as sub-directory

$ traefik-certs-dumper file --domain-subdir=true
dump
├──my.domain.com
│  ├──certificate.crt
│  └──privatekey.key
└──private
   └──letsencrypt.key

Change file extension

$ traefik-certs-dumper file --domain-subdir --crt-ext=.pem --key-ext=.pem
dump
├──my.domain.com
│  ├──certificate.pem
│  └──privatekey.pem
└──private
   └──letsencrypt.key

Change file name

$ traefik-certs-dumper file --domain-subdir --crt-name=fullchain --key-name=privkey
dump
├──my.domain.com
│  ├──fullchain.crt
│  └──privkey.key
└──private
   └──letsencrypt.key

Hook

Hook can be a one liner passed as a string, or a file for more complex post-hook scenarios. For the former, create a file (ex: hook.sh) and mount it, then pass sh hooksh as a parameter to --post-hook.

Here is a docker-compose example:

version: '3.9'

services:
# ...

  traefik-certs-dumper:
    image: ldez/traefik-certs-dumper:v2.8.1
    container_name: traefik-certs-dumper
    entrypoint: sh -c '
      apk add jq
      ; while ! [ -e /data/acme.json ]
      || ! [ `jq ".[] | .Certificates | length" /data/acme.json` != 0 ]; do
      sleep 1
      ; done
      && traefik-certs-dumper file --version v2 --watch
        --source /data/acme.json --dest /data/certs
        --post-hook "sh /hook.sh"'
    labels:
      traefik.enable: false
    volumes:
      - ./letsencrypt:/data
      - ./hook.sh:/hook.sh

# ...

KV store

Consul

$ traefik-certs-dumper kv consul --endpoints localhost:8500

Etcd

$ traefik-certs-dumper kv etcd --endpoints localhost:2379

Boltdb

$ traefik-certs-dumper kv boltdb --endpoints /the/path/to/mydb.db

Zookeeper

$ traefik-certs-dumper kv zookeeper --endpoints localhost:2181