Dump ACME data from Traefik to certificates

Go to file

Sven Dowideit 8cde64f469 Merge `e8b376abe5` into `1b021dc4f3`		2025-02-28 00:48:03 +02:00
.github	chore: update linter	2025-02-13 02:53:42 +01:00
cmd	chore: update donation URL	2025-01-24 22:38:24 +01:00
contrib	doc: note about contrib directory	2022-07-27 21:57:03 +02:00
docs	docs: update examples	2025-02-21 22:34:35 +01:00
dumper	chore: linting	2025-02-13 03:03:12 +01:00
hook	chore: linting	2025-02-13 03:03:12 +01:00
integrationtest	feat: update traefik and valkeyrie	2023-01-29 16:42:14 +01:00
internal	feat: improve binary size	2024-12-05 14:58:48 +01:00
.dockerignore	chore: migrate to seihon.	2019-04-30 23:05:08 +02:00
.gitignore	chore: migrate to seihon.	2019-04-30 23:05:08 +02:00
.golangci.yml	chore: update linter	2025-02-13 02:51:32 +01:00
.goreleaser.yml	chore: update linter	2025-02-13 02:51:32 +01:00
buildx.Dockerfile	fix: Docker image	2024-12-05 13:29:27 +01:00
go.mod	chore: bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#216 )	2025-02-25 00:26:58 +01:00
go.sum	chore: bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#216 )	2025-02-25 00:26:58 +01:00
godownloader.sh	chore: adds download script.	2019-04-04 21:29:26 +02:00
LICENSE	chore: update license	2024-05-29 06:03:14 +02:00
main.go	chore: prepare release v2.0.0	2019-04-20 22:24:57 +02:00
Makefile	chore: use goreleaser to publish Docker images	2024-12-04 22:43:30 +01:00
readme.md	Merge `e8b376abe5` into `1b021dc4f3`	2025-02-28 00:48:03 +02:00

readme.md

traefik-certs-dumper

If you appreciate this project:

Features

Supported sources:
- file ("acme.json")
- KV stores (Consul, Etcd, Zookeeper, Boltdb)
Watch changes:
- from file ("acme.json")
- from KV stores (Consul, Etcd, Zookeeper)
Output formats:
- use domain as subdirectory (allow custom names and extensions)
- flat (domain as filename)
Hook (only with watch mode and if the data source changes)
Support Traefik v1, v2, and v3.

Installation

Download / CI Integration

curl -sfL https://raw.githubusercontent.com/ldez/traefik-certs-dumper/master/godownloader.sh | bash -s -- -b $(go env GOPATH)/bin v2.9.3

From Binaries

You can use pre-compiled binaries:

To get the binary just download the latest release for your OS/Arch from the releases page
Unzip the archive.
Add traefik-certs-dumper in your PATH.

From Docker

docker run ldez/traefik-certs-dumper:<tag_name>

Examples:

Traefik v1: docker-compose
Traefik v2: docker-compose
Traefik v3: TODO

# assuming you're using traefik in a container, storing its configuration in consul
ubuntu@ereefs-prod-qld-00:~$ docker run --user $(id -u):$(id -g) --network consul_consul -v $(pwd)/dump/:/dump ldez/traefik-certs-dumper kv consul --endpoints consul.cluster:8500
dump
├──certs
│  ├──*.some.domain.com.crt
│  └──some.domain.com.crt
└──private
   ├──*.some.domain.com.key
   ├──some.domain.com.key
   └──letsencrypt.key
ubuntu@ereefs-prod-qld-00:~$ ls -lah
total 16K
drwxr-xr-x 4 ubuntu ubuntu 4.0K Mar 26 04:23 .
drwxr-xr-x 3 root   root   4.0K Mar 21 23:28 ..
drwxr-xr-x 2 ubuntu ubuntu 4.0K Mar 26 04:23 certs
drwxr-xr-x 2 ubuntu ubuntu 4.0K Mar 26 04:23 private
ubuntu@ereefs-prod-qld-00:~$ ls -lah certs/ private/
certs/:
total 16K
drwxr-xr-x 2 ubuntu ubuntu 4.0K Mar 26 04:23  .
drwxr-xr-x 4 ubuntu ubuntu 4.0K Mar 26 04:23  ..
-rw-r--r-- 1 ubuntu ubuntu 3.8K Mar 26 04:23 '*.some.domain.com.crt'
-rw-r--r-- 1 ubuntu ubuntu 3.8K Mar 26 04:23  some.domain.com.crt

private/:
total 20K
drwxr-xr-x 2 ubuntu ubuntu 4.0K Mar 26 04:23  .
drwxr-xr-x 4 ubuntu ubuntu 4.0K Mar 26 04:23  ..
-rw------- 1 ubuntu ubuntu 3.2K Mar 26 04:23 '*.some.domain.com.key'
-rw------- 1 ubuntu ubuntu 3.2K Mar 26 04:23  some.domain.com.key
-rw------- 1 ubuntu ubuntu 3.2K Mar 26 04:23  letsencrypt.key

Usage

Examples

Simple Dump

$ traefik-certs-dumper file --version v3
dump
├──certs
│  └──my.domain.com.key
└──private
   ├──my.domain.com.crt
   └──letsencrypt.key

Change source and destination

$ traefik-certs-dumper file --version v3 --source ./acme.json --dest ./dump/test
test
├──certs
│  └──my.domain.com.key
└──private
   ├──my.domain.com.crt
   └──letsencrypt.key

Use domain as sub-directory

$ traefik-certs-dumper file --version v3 --domain-subdir=true
dump
├──my.domain.com
│  ├──certificate.crt
│  └──privatekey.key
└──private
   └──letsencrypt.key

Change file extension

$ traefik-certs-dumper file --version v3 --domain-subdir --crt-ext=.pem --key-ext=.pem
dump
├──my.domain.com
│  ├──certificate.pem
│  └──privatekey.pem
└──private
   └──letsencrypt.key

Change file name

$ traefik-certs-dumper file --version v3 --domain-subdir --crt-name=fullchain --key-name=privkey
dump
├──my.domain.com
│  ├──fullchain.crt
│  └──privkey.key
└──private
   └──letsencrypt.key

Hook

Hook can be a one-liner passed as a string, or a file for more complex post-hook scenarios. For the former, create a file (ex: hook.sh) and mount it, then pass sh hooksh as a parameter to --post-hook.

Here is a docker-compose example:

services:
# ...

  traefik-certs-dumper:
    image: ldez/traefik-certs-dumper:v2.9.3
    container_name: traefik-certs-dumper
    entrypoint: sh -c '
      while ! [ -e /data/acme.json ]
      || ! [ `jq ".[] | .Certificates | length" /data/acme.json | jq -s "add" ` != 0 ]; do
      sleep 1
      ; done
      && traefik-certs-dumper file --version v2 --watch
        --source /data/acme.json --dest /data/certs
        --post-hook "sh /hook.sh"'
    labels:
      traefik.enable: false
    volumes:
      - ./letsencrypt:/data
      - ./hook.sh:/hook.sh

# ...

KV store

Consul

$ traefik-certs-dumper kv consul --endpoints localhost:8500

Etcd

$ traefik-certs-dumper kv etcd --endpoints localhost:2379

Boltdb

$ traefik-certs-dumper kv boltdb --endpoints /the/path/to/mydb.db

Zookeeper

$ traefik-certs-dumper kv zookeeper --endpoints localhost:2181