traefik / traefik

The Cloud Native Application Proxy
https://traefik.io
MIT License

Hot-reload SSL certificates #1623

Closed truongdo closed 6 years ago

truongdo commented 7 years ago

Do you want to request a feature or report a bug?

feature

What did you do?

Started traefik using SSL certificates from Let's Encrypt.

What did you expect to see?

Traefik automatically picks up the new certificate when it is renewed. Certificates from Let's Encrypt are valid for a 3-month period, so we have to renew them every 3 months.

What did you see instead?

Traefik did not pick up the renewed certificate.

Output of traefik version: (What version of Traefik are you using?)

v1.2.3 on the official docker image

ldez commented 7 years ago

Auto-renewing the SSL certificates from Let's Encrypt is the default behavior in Traefik.

Do you have a problem with this feature?

truongdo commented 7 years ago

@ldez thanks for your reply! Sorry for not being clear, I did not enable ACME in traefik, but instead, I used a separate program to generate the certificates using Let's Encrypt and configured traefik to read that certificate afterward.

  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/letsencrypt/production/certs/fullchain.pem"
      keyFile = "/etc/letsencrypt/production/certs/privkey.pem"

I did this for two reasons:

  1. I have many services, and if I use ACME in traefik this can cause rate-limit problems.
  2. I want to use the certificates for other purposes than only using them with traefik.

The problem is that when the certificate is renewed, traefik does not reload the certificate. I have to restart traefik manually, but that requires downtime.

dtomcej commented 7 years ago

IMO, we have a couple options to pursue:

  1. Hook the SSL request similar to the ACME code, and have a function to verify the certificate we have is the latest configured. This is sub-optimal IMO, as it creates a lot of overhead, since we will be verifying certificates per-request.

  2. Provide an API endpoint that can force a reload of the certificates. This would allow for a manually-initiated reload without having to incur overhead on the request level. We could also have a timer (~5 minutes?) that could initiate a reload, as a "watch" mode or something so that no API calls would be required.

Thoughts?

Takios commented 7 years ago

A timer might not be preferable because you can't trigger the change immediately or exactly when you want (Customer: "I activated my new certificate and waited 2 minutes but it's not active yet, please check.").
A manual mechanism would give the user control when to activate their changes. You could also give immediate feedback if one made a mistake/typo in the SSL configuration so it can be corrected immediately.

santinoncs commented 7 years ago

A sidecar that forces a reload ( api endpoint to execute the reload ) when renewal is needed? I think prometheus helmchart is doing the same when reloading config.

ygersie commented 7 years ago

The lack of this functionality is currently a showstopper for me. Ideally I just want to supply a path on the filesystem where my private keys and associated certificates can be found, and that's it. That'll make it a lot easier to deal with, as adding or renewing certificates would be zero-conf. The built-in ACME support is a nice feature, but running things at scale is a different story, as you'll need a way to distribute the keys and certificates. Storing those in plain text in a K/V store is not an ideal way to deal with that.

Sending a HUP signal for a refresh could work and is easily integrated with config management, or an N-second refresh interval would be fine as well, as this (AFAIK) does not have to be an atomic update.

( @ldez thanks, formatting on my phone didn't really work ;) )
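dtomcej's reload endpoint / watch mode and ygersie's HUP-triggered refresh come down to the same primitive: swap the certificate handed to new TLS handshakes without restarting the listener, and keep the old pair if the new files are unusable. The Go program below is an added example written for this thread; it is not Traefik's code and not anything posted by the commenters. It assumes the file names from truongdo's config (`fullchain.pem`, `privkey.pem`); `WriteSelfSigned` is a constructed stand-in for whatever renewal tool drops those files, and the `CertReloader` type, `Reload` and `GetCertificate` names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"log"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// CertReloader holds the pair currently served and swaps it without a restart.
type CertReloader struct {
	certFile, keyFile string
	mu                sync.RWMutex
	cert              *tls.Certificate
}

// NewCertReloader loads the pair once; a broken initial pair is a hard startup error.
func NewCertReloader(certFile, keyFile string) (*CertReloader, error) {
	r := &CertReloader{certFile: certFile, keyFile: keyFile}
	if err := r.Reload(); err != nil {
		return nil, err
	}
	return r, nil
}

// Reload re-reads and validates the files. On any failure (half-written renewal, key/cert
// mismatch, typo in a path) the previous pair stays active and the error is returned so
// an API handler or SIGHUP handler can report it immediately.
func (r *CertReloader) Reload() error {
	c, err := tls.LoadX509KeyPair(r.certFile, r.keyFile)
	if err == nil && c.Leaf == nil { // Go before 1.23 leaves Leaf unset
		c.Leaf, err = x509.ParseCertificate(c.Certificate[0])
	}
	if err != nil {
		return fmt.Errorf("reload %s: %w", r.certFile, err)
	}
	r.mu.Lock()
	r.cert = &c
	r.mu.Unlock()
	return nil
}

// GetCertificate plugs into tls.Config.GetCertificate: every new handshake sees the
// current pair, while already-established connections keep the one they negotiated.
func (r *CertReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.cert, nil
}

// WriteSelfSigned writes a throwaway self-signed pair into dir (constructed test data
// standing in for the files a renewal tool drops) and returns the two paths.
func WriteSelfSigned(dir, cn string, serial int64) (string, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	certFile, keyFile := filepath.Join(dir, "fullchain.pem"), filepath.Join(dir, "privkey.pem")
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	if err := os.WriteFile(certFile, certPEM, 0o644); err != nil {
		return "", "", err
	}
	return certFile, keyFile, os.WriteFile(keyFile, keyPEM, 0o600) // key stays owner-only
}

func main() {
	dir, _ := os.MkdirTemp("", "certs")
	defer os.RemoveAll(dir)
	cf, kf, _ := WriteSelfSigned(dir, "example.test", 1)
	r, err := NewCertReloader(cf, kf)
	if err != nil {
		log.Fatal(err)
	}
	_ = &tls.Config{GetCertificate: r.GetCertificate} // hand this to the TLS listener
	if _, _, err := WriteSelfSigned(dir, "example.test", 2); err != nil { // a "renewal" lands
		log.Fatal(err)
	}
	if err := r.Reload(); err != nil { // manual trigger: API endpoint or SIGHUP handler
		log.Fatal(err)
	}
	c, _ := r.GetCertificate(nil)
	log.Printf("now serving certificate serial %s", c.Leaf.SerialNumber)
}
```

The "watch mode" variant from the discussion is a goroutine that calls `Reload` from a `time.Ticker`; because a failed reload leaves the previous pair in place, a poll that lands on a half-written file is harmless, and the renewal tool should still write the new files with an atomic rename so the reader never sees a certificate that does not match its key.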

urosgruber commented 7 years ago

Any news on this, planned or still in discussion? I'm deciding between traefik and fabio and some features work better with traefik, but at least fabio solved ssl certs better.