Dump ACME data from Traefik to certificates
| .github | ||
| cmd | ||
| docs | ||
| dumper | ||
| hook | ||
| integrationtest | ||
| .dockerignore | ||
| .gitignore | ||
| .golangci.toml | ||
| .goreleaser.yml | ||
| .travis.yml | ||
| Dockerfile | ||
| go.mod | ||
| go.sum | ||
| godownloader.sh | ||
| LICENSE | ||
| main.go | ||
| Makefile | ||
| readme.md | ||
| tmpl.Dockerfile | ||
traefik-certs-dumper
If you appreciate this project:
Features
- Supported sources:
- file ("acme.json")
- KV stores (Consul, Etcd, Zookeeper, Boltdb)
- Watch changes:
- from file ("acme.json")
- from KV stores (Consul, Etcd, Zookeeper)
- Output formats:
- use domain as sub-directory (allow custom names and extensions)
- flat (domain as filename)
- Hook (only with watch mode and if the data source changes)
Installation
Download / CI Integration
curl -sfL https://raw.githubusercontent.com/ldez/traefik-certs-dumper/master/godownloader.sh | bash -s -- -b $GOPATH/bin v2.7.0
From Binaries
You can use pre-compiled binaries:
- To get the binary just download the latest release for your OS/Arch from the releases page
- Unzip the archive.
- Add
traefik-certs-dumperin yourPATH.
From Docker
docker run ldez/traefik-certs-dumper:<tag_name>
Usage
Examples
Note: to dump data from Traefik v2, the CLI flag --version v2 must be added.
docker-compose
docker-compose.yml:
version: '3'
services:
traefik:
image: traefik:1.7
command:
--entryPoints='Name:http Address::80'
--entryPoints='Name:https Address::443 TLS'
--defaultentrypoints=http,https
--logLevel=DEBUG
--docker
--docker.exposedByDefault=false
--acme
--acme.acmeLogging=true
--acme.entrypoint=https
--acme.storage=/data/acme.json
--acme.onHostRule=true
--acme.httpChallenge.entryPoint=http
ports:
- 8001:80
- 8002:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- .:/data
traefik-certs-dumper:
image: ldez/traefik-certs-dumper:v2.7.0
entrypoint: sh -c '
apk add jq
; while ! [ -e /data/acme.json ]
|| ! [ `jq ".Certificates | length" /data/acme.json` != 0 ]; do
sleep 1
; done
&& traefik-certs-dumper file --watch
--source /data/acme.json --dest /data/certs'
volumes:
- .:/data
whoami:
image: containous/whoami
labels:
traefik.enable: true
traefik.frontend.rule: Host:example.com
traefik ports are published to 8001 and 8002. It's assumed here that you need certificates as separate files because you want to put traefik behind another proxy.
Simple Dump
$ traefik-certs-dumper file
dump
├──certs
│ └──my.domain.com.key
└──private
├──my.domain.com.crt
└──letsencrypt.key
Change source and destination
$ traefik-certs-dumper file --source ./acme.json --dest ./dump/test
test
├──certs
│ └──my.domain.com.key
└──private
├──my.domain.com.crt
└──letsencrypt.key
Use domain as sub-directory
$ traefik-certs-dumper file --domain-subdir=true
dump
├──my.domain.com
│ ├──certificate.crt
│ └──privatekey.key
└──private
└──letsencrypt.key
Change file extension
$ traefik-certs-dumper file --domain-subdir --crt-ext=.pem --key-ext=.pem
dump
├──my.domain.com
│ ├──certificate.pem
│ └──privatekey.pem
└──private
└──letsencrypt.key
Change file name
$ traefik-certs-dumper file --domain-subdir --crt-name=fullchain --key-name=privkey
dump
├──my.domain.com
│ ├──fullchain.crt
│ └──privkey.key
└──private
└──letsencrypt.key
KV store
Consul
$ traefik-certs-dumper kv consul --endpoints localhost:8500
Etcd
$ traefik-certs-dumper kv etcd --endpoints localhost:2379
Boltdb
$ traefik-certs-dumper kv boltdb --endpoints /the/path/to/mydb.db
Zookeeper
$ traefik-certs-dumper kv zookeeper --endpoints localhost:2181