kereis / traefik-certs-dumper

Dumps Let's Encrypt certificates of a specified domain which Traefik stores in acme.json.
Apache License 2.0

Where to put certdumper? Traefik or Mailcow? Will certs be dumped automatically again if the root domain gets renewed certificates? #185

Closed aronmgv closed 8 months ago

aronmgv commented 9 months ago

Hey,

For my Mailcow behind Traefik setup I just moved from a different certdumper to this one and am curious where I should put this service. Into the Traefik compose file or the Mailcow override compose file? For the old certdumper I used to have it in the Traefik compose file, but for this one I set it up in the Mailcow override because of the environment variables to restart Mailcow services after the dump. My main concern is: once certs get renewed for my domain, will they be automatically dumped into Mailcow (without manual intervention)?

Thanks!

version: '2.1'

services:
    certdumper:
        image: humenius/traefik-certs-dumper
        command: --restart-containers ${COMPOSE_PROJECT_NAME}-postfix-mailcow-1,${COMPOSE_PROJECT_NAME}-nginx-mailcow-1,${COMPOSE_PROJECT_NAME}-dovecot-mailcow-1
        network_mode: none
        volumes:
          # Mount the volume which contains Traefik's `acme.json` file
          #   Configure the external name in the volume definition
          - /docker/+traefik/acme:/traefik:ro
          # Mount mailcow's SSL folder
          - ./data/assets/ssl/:/output:rw
          # Mount docker socket to restart containers
          - /var/run/docker.sock:/var/run/docker.sock:ro
        restart: always
        environment:
          # only change this, if you're using another domain for mailcow's web frontend compared to the standard config
          - DOMAIN=example.com

kereis commented 9 months ago

Hi,

> For my Mailcow behind Traefik setup I just moved from a different certdumper to this one and am curious where I should put this service. Into the Traefik compose file or the Mailcow override compose file? For the old certdumper I used to have it in the Traefik compose file, but for this one I set it up in the Mailcow override because of the environment variables to restart Mailcow services after the dump [...]

Yes, you should probably put it into an override file for Mailcow's docker-compose.yml.

> My main concern is: once certs get renewed for my domain, will they be automatically dumped into Mailcow (without manual intervention)?

The underlying script constantly checks if there are any changes to the acme.json that gets mounted to the certdumper container. If that's the case, at the end of dumping the certificates of your selected domain, the script goes through the following lifecycle (w.r.t. https://github.com/kereis/traefik-certs-dumper/blob/develop/bin/dump.sh#L66-L72):

      combine_pkcs12
      combine_pem
      convert_keys_to_rsa
      change_ownership
      post_hook
      restart_containers
      restart_services

In that case, if you specify the containers to restart, then the certdumper will restart those containers after dumping the certificates.

I hope that this addresses your concerns. :)
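
A way to check the question raised in this thread (does the dump follow a renewal?), as an added example that is not part of the thread or of traefik-certs-dumper: it compares the leaf certificate Traefik stores for a domain in acme.json with the leaf in the dumped PEM file. It assumes the Traefik v2 acme.json layout (resolver name, then `Certificates` entries holding a `domain` object and a base64 `certificate`); the resolver name `letsencrypt` and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import json
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem: bytes) -> str:
    """SHA-256 over the DER bytes of the first certificate in a PEM chain."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no certificate block found")
    return hashlib.sha256(base64.b64decode(match.group(1))).hexdigest()


def acme_chain(acme: dict, domain: str) -> bytes:
    """Return the PEM chain stored for `domain` (Traefik v2 layout assumed)."""
    for resolver in acme.values():
        for entry in resolver.get("Certificates") or []:
            names = [entry["domain"]["main"], *(entry["domain"].get("sans") or [])]
            if domain in names:
                return base64.b64decode(entry["certificate"])
    raise KeyError(f"{domain} not found in acme.json")


def dump_is_current(acme_json: str, dumped_pem: bytes, domain: str) -> bool:
    """True when the dumped leaf is the one Traefik currently stores."""
    stored = acme_chain(json.loads(acme_json), domain)
    return leaf_fingerprint(stored) == leaf_fingerprint(dumped_pem)


def _pem(der: bytes) -> bytes:
    body = base64.encodebytes(der)
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


# Constructed sample: placeholder bytes stand in for real DER certificates.
OLD, NEW, ISSUER = _pem(b"old leaf"), _pem(b"renewed leaf"), _pem(b"issuer")
SAMPLE_ACME = json.dumps({"letsencrypt": {"Certificates": [{
    "domain": {"main": "example.com", "sans": ["mail.example.com"]},
    "certificate": base64.b64encode(NEW + ISSUER).decode(),
    "key": "",
}]}})

if __name__ == "__main__":
    print(dump_is_current(SAMPLE_ACME, NEW + ISSUER, "example.com"))  # True
    print(dump_is_current(SAMPLE_ACME, OLD + ISSUER, "example.com"))  # False: stale dump
```

Run against the real files, a `False` result after a renewal means the dump did not follow the change to acme.json.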

aronmgv commented 8 months ago

Hey, it does! Thanks a lot. I would mention it in the readme file as well.