
How to reuse SSL certificates automatically fetched from Let's Encrypt? #1152

Closed
flexguse opened this issue Feb 12, 2017 · 7 comments

@flexguse

What version of Traefik are you using (traefik version)?

1.1.2

Hi everybody,

this is more a question than an issue. I installed traefik on my private server and it runs very smoothly. I was very pleased that traefik is able to obtain SSL certificates from Let's Encrypt automatically.

In my setup I use mailcow, a webserver providing a web UI and IMAP. The web UI works nicely with traefik; an SSL certificate was obtained from Let's Encrypt.

As traefik seems to bind only one HTTP port to a backend, the IMAP access is not routed through traefik, but these ports (143, 993, 587, etc.) are bound to the docker host with a self-signed SSL certificate. This seems to cause a lot of trouble in Mozilla Thunderbird.

My idea is to re-use the SSL certificate obtained by traefik. I would like to put the Let's Encrypt SSL certificates into a shared volume, so multiple Docker containers have access to it.

Unfortunately I can't do something like

    docker exec -it traefik bash

because there seems to be no bash in the traefik container.

Any ideas how I'm able to look into the container and extract the SSL certificates?

Cheers,
Christoph

@regner
Contributor

regner commented Feb 12, 2017

From the docs: https://docs.traefik.io/toml/

    # File or key used for certificates storage.
    # WARNING, if you use Traefik in Docker, you have 2 options:
    #  - create a file on your host and mount it as a volume
    #      storageFile = "acme.json"
    #      $ docker run -v "/my/host/acme.json:acme.json" traefik
    #  - mount the folder containing the file as a volume
    #      storageFile = "/etc/traefik/acme/acme.json"
    #      $ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
    #
    # Required
    #
    storage = "acme.json" # or "traefik/acme/account" if using KV store

In my toml config file I have storageFile = "/acme/acme.json" and then I just mount the /acme folder.

@flexguse
Author

Hi Regner,

thanks a lot for that hint. I saw this part of the documentation, but did not realize this is the key.

I tried your suggestion and now the certs are stored in the json file.

Cheers,
Christoph

@regner
Contributor

regner commented Feb 12, 2017

:D Glad I could help

@ggramlich

ggramlich commented Mar 15, 2017

I have not tried it yet, but I found a Python gist to create .pem files from the acme.json:

http://codegist.net/snippet/python/acme-cert-dumppy_jayh5_python

http://codegist.net/snippet/python/acme-cert-dump-allpy_jayh5_python

@gayan415

gayan415 commented May 5, 2017

Hey @flexguse: Could you please explain to me how you did that?
I host my Traefik container on an EC2 instance. Appreciate it.

@gayan415

gayan415 commented May 6, 2017

Hey Guys, That worked. Thank you. 👍

@x-yuri

x-yuri commented Mar 14, 2019

Given that the storage file goes like this:

    ...
    {
      "Domain": {
        "Main": "example.com",
        "SANs": [
          "www.example.com"
        ]
      },
      "Certificate": "...",
      "Key": "..."
    },
    ...

You can extract the certificate and the key values into separate files, then:

    $ cat Certificate | base64 -d > example.com.crt
    $ cat Key | base64 -d > example.com.key

To make sure the key corresponds to the certificate:

    $ openssl x509 -noout -modulus -in example.com.crt | openssl md5
    $ openssl rsa -noout -modulus -in example.com.key | openssl md5

Alternatively, you can make use of the dumpcerts.sh utility.
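
The same extraction done in Python, as an added example that is not part of this thread or of Traefik (the acme.json shape and the PEM contents below are constructed placeholders): it finds every Domain/Certificate/Key entry wherever the file nests it, rejects fields that do not decode to the expected PEM type, and creates the .key file with mode 0600 before writing so the private key is never world-readable on the shared volume.

```python
import base64, json, os, tempfile

# Constructed sample shaped like a Traefik 1.7 acme.json "Certificates" entry; PEM bodies are placeholders.
FAKE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
FAKE_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ACME_JSON = json.dumps({"Certificates": [{
    "Domain": {"Main": "example.com", "SANs": ["www.example.com"]},
    "Certificate": base64.b64encode(FAKE_CERT_PEM.encode()).decode(),
    "Key": base64.b64encode(FAKE_KEY_PEM.encode()).decode()}]})

def iter_cert_entries(node):
    """Yield every object carrying Domain/Certificate/Key, wherever the acme.json layout nests it."""
    if isinstance(node, dict):
        if {"Domain", "Certificate", "Key"} <= set(node):
            yield node
        for value in node.values():
            yield from iter_cert_entries(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_cert_entries(value)

def decode_pem(b64_text, expected_ending):
    """Base64-decode one field and refuse data whose first line is not the expected PEM header."""
    pem = base64.b64decode(b64_text, validate=True)
    header = pem.split(b"\n", 1)[0]
    if not (header.startswith(b"-----BEGIN ") and header.endswith(expected_ending)):
        raise ValueError("decoded field is not a PEM %s" % expected_ending.decode())
    return pem

def write_with_mode(path, data, mode):
    """Create the file with its final mode before any bytes land in it (no world-readable window)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)

def dump_certs(acme_json_text, out_dir):
    """Write <Main>.crt (0644) and <Main>.key (0600) per entry; return {Main: (crt_path, key_path)}."""
    written = {}
    for entry in iter_cert_entries(json.loads(acme_json_text)):
        main = entry["Domain"]["Main"]
        crt_path, key_path = (os.path.join(out_dir, main + ext) for ext in (".crt", ".key"))
        write_with_mode(crt_path, decode_pem(entry["Certificate"], b"CERTIFICATE-----"), 0o644)
        write_with_mode(key_path, decode_pem(entry["Key"], b"PRIVATE KEY-----"), 0o600)
        written[main] = (crt_path, key_path)
    return written

def run_demo():
    # Dump the constructed sample into a fresh temp dir and report what landed on disk.
    crt_path, key_path = dump_certs(SAMPLE_ACME_JSON, tempfile.mkdtemp())["example.com"]
    with open(crt_path, "rb") as crt, open(key_path, "rb") as key:
        return {"cert_ok": crt.read() == FAKE_CERT_PEM.encode(), "key_ok": key.read() == FAKE_KEY_PEM.encode(),
                "key_mode": os.stat(key_path).st_mode & 0o777}
```

The openssl modulus comparison above still applies to the dumped files. The .crt and .key copies do not update themselves, so the dump has to be rerun after Traefik renews a certificate.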

@traefik traefik locked and limited conversation to collaborators Sep 1, 2019