
It's a fairly common need to extract a certificate and key from Traefik to use them for other purposes. In my case, I needed to grab the certificate for an existing domain and use it for my mail server.

There are a bunch of very complex examples that dump all certificates, as well as the semi-official traefik-cert-dumper.

My method only uses jq, in a one-liner.

The Snippet

jq -r '.le.Certificates[] | select(.domain.main=="example.com") | .certificate' /data/acme.json | base64 -d > /out/tls_cert.pem

This should be fairly self-explanatory, but it extracts the certificate of example.com and decodes the base64.

To extract the key, simply change the last jq expression from .certificate to .key.

As a scheduled docker service

version: "3.5"
services:
  certsync:
    image: stedolan/jq
    # Dumps both certificate and key for "example.com"
    entrypoint: |
      /bin/bash -c "
        jq -r '.le.Certificates[] | select(.domain.main==\"'example.com'\") | .certificate' /data/acme.json | base64 -d > /out/tls_cert.pem;
        jq -r '.le.Certificates[] | select(.domain.main==\"'example.com'\") | .key' /data/acme.json | base64 -d > /out/tls_key.pem;
      "
    volumes:
      - common_letsencrypt:/data:ro # Mount traefik volume as read-only
      - out:/out # And whichever volume you want to output on
    deploy:
      mode: global
      placement:
        constraints: [node.role==manager] # Only run on the manager node (Where traefik and its volume exists)
      restart_policy:
        delay: 24h # Re-run every 24 hours
      resources:
        limits: { cpus: '0.1', memory: '32M' }
        reservations: { cpus: '0.025', memory: '16M' }
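
A hardened variant of the two extraction commands above, as an added example that is not from the original post: it passes the domain to jq with `--arg`, fails instead of leaving an empty file when the domain is not in acme.json, and swaps each output into place with a rename so the mail server never reads a truncated file and the key is never created world-readable. The function names `extract_pem` and `demo` and the sample acme.json are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the post's code. Needs jq, base64 and mktemp.
# Usage: extract_pem certificate|key DOMAIN ACME_JSON OUT_FILE
extract_pem() {
    field=$1; domain=$2; acme=$3; out=$4
    case $field in
        certificate|key) ;;
        *) echo "field must be certificate or key" >&2; return 2 ;;
    esac

    # --arg hands the domain to jq as data, so no quote splicing is needed.
    # -e makes jq exit non-zero when nothing matches or the field is null;
    # first() keeps one entry if the domain is listed more than once.
    b64=$(jq -e -r --arg d "$domain" --arg f "$field" \
        'first(.le.Certificates[] | select(.domain.main == $d) | .[$f])' \
        "$acme") || { echo "no $field for $domain in $acme" >&2; return 1; }

    # mktemp creates the file with mode 0600, next to the target so the
    # final mv is a rename on the same filesystem (readers never see a
    # truncated or half-written file).
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if printf '%s' "$b64" | base64 -d > "$tmp" &&
       head -n 1 "$tmp" | grep -q '^-----BEGIN '; then
        # Only the certificate is made world-readable; the key stays 0600.
        if [ "$field" = certificate ]; then chmod 0644 "$tmp"; fi
        mv -f "$tmp" "$out"
    else
        rm -f "$tmp"
        echo "decoded $field for $domain is not PEM" >&2
        return 1
    fi
}

# Constructed sample: placeholder PEM bodies, not real key material.
# Builds an acme.json in a temp dir, extracts both files, prints the dir.
demo() {
    dir=$(mktemp -d) || return 1
    c=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
        '-----END CERTIFICATE-----' | base64 | tr -d '\n')
    k=$(printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END PRIVATE KEY-----' | base64 | tr -d '\n')
    printf '{"le":{"Certificates":[{"domain":{"main":"example.com"},"certificate":"%s","key":"%s"}]}}\n' \
        "$c" "$k" > "$dir/acme.json"
    extract_pem certificate example.com "$dir/acme.json" "$dir/tls_cert.pem" &&
        extract_pem key example.com "$dir/acme.json" "$dir/tls_key.pem" &&
        echo "$dir"
}
```

In the compose service, the two jq lines would become two `extract_pem` calls against `/data/acme.json`, provided the output user matches the account the mail server reads the key as.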

Christopher LaPointe

