kereis / traefik-certs-dumper

Dumps Let's Encrypt certificates of a specified domain which Traefik stores in acme.json.
Apache License 2.0
120 stars 24 forks

Specify Domain for COMBINED_PEM #126

Closed Ramalama2 closed 1 year ago

Ramalama2 commented 1 year ago

Hi Kereis :-)

    environment:
      DOMAIN: example.com,example.org,example.net,hello.example.in
      COMBINED_PEM: my_concatted_file.pem

Could you add the ability to specify for which domain the cert-dumper creates a combined PEM?

I have multiple domains for different use cases and services, where I share the certificates. All except one of them use a key and cert, and only one (3cx) needs a combined certificate :-) I need the same certificates for SSL offloading instead of an SNI proxy.

And yes, the workaround is to simply spin up a second cert-dumper instance. So whatever you say: if a second cert-dumper instance is "the way to go", like if you planned that for such situations, then I'll do a second one. If not, and you can implement that feature, that would be great too.

Thanks for your work btw, cert-dumper works great! But I do have a second question: somehow, when Traefik regenerates certificates, cert-dumper doesn't dump the new ones. Or at least not in a reasonable timeframe, like 1h. But it dumps instantly if I restart the container. Am I missing something there, or is the timeframe longer?

Cheers

kereis commented 1 year ago

Hi @Ramalama2,

thank you very much for your feedback. :) I'm glad this tool helps you.

> Could you add the ability to specify for which domain the cert-dumper creates a combined PEM?

Depends. Currently, the container should simply create combined PEM files for all domains. Does it matter that each domain's certificate and key are additionally combined, next to their original file?

> And yes, the workaround is to simply spin up a second cert-dumper instance.

You could do that until then. If you don't need the restart functionalities of the image, you can also use the alpine version. Its size is much smaller than the default one with Docker in it.

> But I do have a second question: somehow, when Traefik regenerates certificates, cert-dumper doesn't dump the new ones. Or at least not in a reasonable timeframe, like 1h. But it dumps instantly if I restart the container. Am I missing something there, or is the timeframe longer?

I'm sorry, I haven't noticed that behaviour before. The dump script that lies within the image waits for any changes to your specified acme.json, and acts accordingly.

https://github.com/kereis/traefik-certs-dumper/blob/cc8fdeb437e31664ffb6490959b3dc121360f15a/bin/dump.sh#L441

It might be related to inotifywait, however I'm not sure.

Hope I could help you out!

Cheers

Ramalama2 commented 1 year ago

> Hi @Ramalama2,
>
> thank you very much for your feedback. :) I'm glad this tool helps you.
>
> > Could you add the ability to specify for which domain the cert-dumper creates a combined PEM?
>
> Depends. Currently, the container should simply create combined PEM files for all domains. Does it matter that each domain's certificate and key are additionally combined, next to their original file?
>
> > And yes, the workaround is to simply spin up a second cert-dumper instance.
>
> You could do that until then. If you don't need the restart functionalities of the image, you can also use the alpine version. Its size is much smaller than the default one with Docker in it.
>
> > But I do have a second question: somehow, when Traefik regenerates certificates, cert-dumper doesn't dump the new ones. Or at least not in a reasonable timeframe, like 1h. But it dumps instantly if I restart the container. Am I missing something there, or is the timeframe longer?
>
> I'm sorry, I haven't noticed that behaviour before. The dump script that lies within the image waits for any changes to your specified acme.json, and acts accordingly.
>
> https://github.com/kereis/traefik-certs-dumper/blob/cc8fdeb437e31664ffb6490959b3dc121360f15a/bin/dump.sh#L441
>
> It might be related to inotifywait, however I'm not sure.
>
> Hope I could help you out!
>
> Cheers

Jesus kereis, didn't think that you're so nice :-)

About alpine and the second container, that's exactly what I'm doing now and it works perfectly, exactly as I wanted. Otherwise, big Docker containers like Debian/Ubuntu-based ones don't take any additional space here anyway, no matter how many I spin up, thanks to ZFS deduplication. Just memory, but that's why I'm using alpine 😂

What I mean is, anyway, spinning up multiple cert-dumper containers is actually in my mind a great solution; you can simply name them like your domains etc., and they consume almost no resources anyway.

About the second thing, if you could give me a bit of time, till Traefik regenerates the certificates, I could confirm or "deconfirm" whether cert-dumper dumps new certs on the certstore file change. And how long it takes. However, something like inotify should actually react or execute your dumping script instantly.

Thing is, I'm not sure if I did something. In short, if I'm the error or inotify 😂 That's why I need a bit of time. Otherwise I could simply edit the certstore with nano and delete the cert, then restart Traefik. That should actually be the same as if Traefik renews, but to be sure, I'll wait a bit till Traefik does it.

Especially because there is no one else reporting this issue.

Cheers and thank you!
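The two-instance workaround discussed above, sketched as a Compose file (an added example, not taken from the thread or from the project). The `DOMAIN` and `COMBINED_PEM` values come from the first post; the image name and tags, the `/traefik` and `/output` mount points, the host paths, and the choice of `hello.example.in` as the 3cx domain are assumptions to check against the project README.

```yaml
# Added example: image names, tags, mount points and host paths are assumptions.
services:
  # Instance 1: separate cert and key files for the services that use them.
  certs-dumper:
    image: ghcr.io/kereis/traefik-certs-dumper:latest    # assumed image name
    restart: unless-stopped
    environment:
      DOMAIN: example.com,example.org,example.net
    volumes:
      # acme.json holds the private keys of every domain: mount it read-only.
      - ./traefik/acme:/traefik:ro
      - ./certs/split:/output

  # Instance 2: combined PEM (key + certificate in one file) for one domain only.
  certs-dumper-3cx:
    image: ghcr.io/kereis/traefik-certs-dumper:alpine    # assumed tag, no Docker inside
    restart: unless-stopped
    environment:
      DOMAIN: hello.example.in                           # constructed choice for the 3cx host
      COMBINED_PEM: my_concatted_file.pem
    volumes:
      - ./traefik/acme:/traefik:ro
      # Separate output directory: only the 3cx service gets a mount of this path.
      - ./certs/3cx:/output
```

Because the combined file contains the private key, giving the second instance its own output directory keeps that file out of the volume shared with the other services.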

kereis commented 1 year ago

Hey,

I'm going to close this issue for now. Btw, about the issue you wrote regarding the certdumper not dumping certificates renewed by Traefik: Maybe this could be the same issue? https://github.com/kereis/traefik-certs-dumper/issues/130

Cheers!

Ramalama2 commented 1 year ago

> Hey,
>
> I'm going to close this issue for now. Btw, about the issue you wrote regarding the certdumper not dumping certificates renewed by Traefik: Maybe this could be the same issue? #130
>
> Cheers!

Hey @kereis, I'm sorry for the late reply 🤦 I'm not sure if this "bug" even exists. But I'm gonna check it tomorrow, "triggering recreation" on Traefik. Just came back from the holidays 🙈

I will reply in the other thread you mentioned then tomorrow.

Cheers ✌️