Dumps Let's Encrypt certificates of a specified domain to .pem
and .key
files which Traefik stores in acme.json
.
This image uses:
- a bash script that derivates from mailu/traefik-certdumper
- ldez's traefik-certs-dumper
Special thanks to them!
IMPORTANT: It's supposed to work with Traefik v2 or higher! If you want to use this certificate dumper with v1, you can simply change the image to mailu/traefik-certdumper.
We ship various flavors of this image - multi-arch, Docker (default) and Alpine. The versioning follows SemVer.
amd64 (normal) | arm32v7 | arm64v8 | |
---|---|---|---|
Docker (normal) | latest , x.x.x , x.x , x |
arm32v7 , x.x.x-arm32v7 , x.x-arm32v7 , x-arm32v7 |
arm64v8 ,x.x.x-arm64v8 , x.x-arm64v8 , x-arm64v8 |
Alpine | alpine , x.x.x-alpine , x.x-alpine , x-alpine |
arm32v7-alpine , x.x.x-arm32v7-alpine , x.x-arm32v7-alpine , x-arm32v7-alpine |
arm64v8-alpine ,x.x.x-arm64v8-alpine , x.x-arm64v8-alpine , x-arm64v8-alpine |
Please note that when using the alpine
variant, using the container restart functionality won't work due to missing Docker installation and will be skipped.
Mount your ACME folder into /traefik
and output folder to /output
. Here's an example for docker-compose:
version: '3.7'
services:
certdumper:
image: humenius/traefik-certs-dumper:latest
container_name: traefik_certdumper
volumes:
- ./traefik/acme:/traefik:ro
- ./output:/output:rw
environment:
- DOMAIN=example.org
If you want to have containers restarted after dumping certificates into your output folder, you can specify their names as comma-separated value and pass them through via optional parameter -r | --restart-containers
. In this case, you must pass the Docker socket (or override $DOCKER_HOST
if you use a Docker socket proxy). For instance:
version: '3.7'
services:
certdumper:
image: humenius/traefik-certs-dumper:latest
container_name: traefik_certdumper
command: --restart-containers container1,container2,container3
volumes:
- ./traefik/acme:/traefik:ro
- ./output:/output:rw
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- DOMAIN=example.org
It is also possible to restart Docker services. You can specify their names exactly like the containers via the optional parameter --restart-services
. The services are updated with the command docker service update --force <service_name>
which restarts all tasks in the service.
If you want to change the onwership of the certificate and key files because your container runs on different permissions than root
, you can specify the UID and GID as an environment variable. These environment variables are OVERRIDE_UID
and OVERRIDE_GID
. These can only be integers and must both be set for the override to work. For instance:
version: '3.7'
services:
certdumper:
image: humenius/traefik-certs-dumper:latest
container_name: traefik_certdumper
command: --restart-containers container1,container2,container3
volumes:
- ./traefik/acme:/traefik:ro
- ./output:/output:rw
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- DOMAIN=example.org
- OVERRIDE_UID=1000
- OVERRIDE_GID=1000
This Docker image is able to extract multiple domains as well.
Use environment variable DOMAIN
and add you domains as a comma-separated list.
After certificate dumping, the certificates can be found in the domains' subdirectories respectively.
(/output/DOMAIN[i]/...
)
If you specify a single domain, the output folder remains the same as in previous versions (< v1.3 - /output
).
version: '3.7'
services:
certdumper:
image: humenius/traefik-certs-dumper:latest
container_name: traefik_certdumper
volumes:
- ./traefik/acme:/traefik:ro
- ./output:/output:rw
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
DOMAIN: example.com,example.org,example.net,hello.example.in
This Docker image does reports its health status.
The process which monitors run.sh
reports back 1
when it malfunctions and 0
when it is running inside Docker container.
Normally, it's embedded in the Dockerfile which means without further ado, this works out of the box. However, if you want to specify more than one health check, you can set them via docker-compose
.
version: '3.7'
services:
certdumper:
image: humenius/traefik-certs-dumper:latest
container_name: traefik_certdumper
volumes:
- ./traefik/acme:/traefik:ro
- ./output:/output:rw
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
DOMAIN: example.com,example.org,example.net,sub.domain.ext
healthcheck:
test: ["CMD", "/usr/bin/healthcheck"]
interval: 30s
timeout: 10s
retries: 5
Load balancers like HAProxy need both private key and public certificate to be concatenated to one file. In this case, you can set the environment variable COMBINED_PEM
to a desired file name ending with file extension *.pem
. Each time traefik-certs-dumper
dumps the certificates for specified DOMAIN
, this script will create a *.pem
file named after COMBINED_PEM
in each domain's folder respectively.
version: '3.7'
services:
certdumper:
image: humenius/traefik-certs-dumper:latest
volumes:
- ./traefik/acme:/traefik:ro
- ./output:/output:rw
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
DOMAIN: example.com,example.org,example.net,hello.example.in
COMBINED_PEM: my_concatted_file.pem
If you need help using this image, have suggestions or want to report a problem, feel free to open an issue on GitHub!