It's a fairly common need to extract a certificate and key from Traefik to use them elsewhere. In my case, I needed to grab a certificate for an existing domain and use it for my mail server.
There are a bunch of very complex examples for dumping all certificates, as well as the semi-official traefik-cert-dumper.
My method only uses jq in a one-liner.
The Snippet
jq -r '.le.Certificates[] | select(.domain.main=="example.com") | .certificate' /data/acme.json | base64 -d > /out/tls_cert.pem
This should be fairly self-explanatory: it extracts the certificate for example.com and decodes the base64.
To extract the key, simply change the last jq expression from .certificate to .key.
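A hardened variant of the one-liner, added here as an example and not part of the original post: it passes the domain to jq with --arg instead of splicing it into the filter, leaves the existing output file alone when the domain is missing from acme.json, and writes the key with mode 0600 through an atomic rename. The function name extract_pem and its arguments are hypothetical; the le key and the field names are taken from the snippet above.

```bash
#!/usr/bin/env bash
# Added example, not the author's code. extract_pem and its arguments are
# hypothetical; the ".le" key and field names come from the snippet above.
set -u

# Usage: extract_pem ACME_JSON DOMAIN certificate|key OUT_FILE
extract_pem() {
  local acme="$1" domain="$2" field="$3" out="$4" b64 tmp
  case "$field" in
    certificate|key) ;;
    *) echo "field must be 'certificate' or 'key'" >&2; return 2 ;;
  esac

  # --arg hands the domain to jq as data, so no quote splicing is needed.
  # first(...) keeps one entry if the same main domain appears twice;
  # "// empty" turns a missing field into empty output instead of "null".
  b64=$(jq -r --arg d "$domain" --arg f "$field" \
    'first(.le.Certificates[] | select(.domain.main == $d) | .[$f]) // empty' \
    "$acme") || return 1
  if [ -z "$b64" ]; then
    # A plain "jq ... > file" would truncate the old file here.
    echo "no $field for $domain in $acme" >&2
    return 1
  fi

  # Temp file is created 0600 beside the target, so key material is never
  # readable by others, and the rename below replaces the target atomically.
  tmp=$(umask 077; mktemp "$out.XXXXXX") || return 1
  if ! printf '%s' "$b64" | base64 -d > "$tmp" ||
     ! grep -q -- '-----BEGIN ' "$tmp"; then
    rm -f "$tmp"
    echo "decoded $field for $domain is not PEM" >&2
    return 1
  fi
  # The certificate is public; only the key stays owner-only.
  if [ "$field" = certificate ]; then chmod 0644 "$tmp"; fi
  mv -f "$tmp" "$out"
}

# Run as a script: ./extract_pem.sh /data/acme.json example.com key /out/tls_key.pem
if [ "$#" -eq 4 ]; then extract_pem "$@"; fi
```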
As a scheduled docker service
version: "3.5"
services:
  certsync:
    image: stedolan/jq
    # Dumps both certificate and key for "example.com"
    entrypoint: |
      /bin/bash -c "
        jq -r '.le.Certificates[] | select(.domain.main==\"'example.com'\") | .certificate' /data/acme.json | base64 -d > /out/tls_cert.pem;
        jq -r '.le.Certificates[] | select(.domain.main==\"'example.com'\") | .key' /data/acme.json | base64 -d > /out/tls_key.pem;
      "
    volumes:
      - common_letsencrypt:/data:ro # Mount traefik volume as read-only
      - out:/out # And whichever volume you want to output on
    deploy:
      mode: global
      placement:
        constraints: [node.role==manager] # Only run on the manager node (Where traefik and its volume exists)
      restart_policy:
        delay: 24h # Re-run every 24 hours
      resources:
        limits: { cpus: '0.1', memory: '32M' }
        reservations: { cpus: '0.025', memory: '16M' }