Use existing LetsEncrypt certificates in Traefik

Problem description

Is it possible to use existing LetsEncrypt certificates (.pem format) in Traefik?

I have Traefik/Docker set up to generate acme.json - can I import my existing certificates for a set of domains?

Recommended answer

Eventually I found the correct solution - not to use Traefik's ACME integration but instead to simply mount a network volume (EFS) containing certificates as issued by certbot in manual mode.

Why was this my chosen method? Because I'm mounting that certificate-holding NFS volume on two servers (blue and green). These servers are the live & staging servers for the web servers. At any time one will be "live" and the other can be either running a release candidate or otherwise in a "hot standby" role.

For this reason, better to make a separation of concerns and have a third server run as a dedicated "certificate manager". This t2.nano server will basically never be touched and has the sole responsibility of running certbot once a week, writing the certificates into an NFS mount that is shared (in read-only mode) by the two web servers.

In this way, Traefik runs on both blue and green servers to take care of its primary concern of proxying web traffic, and simply points to the certbot-issued certificate files. For those who found this page and could benefit from the same solution, here is the relevant extract from my traefik.toml file:

defaultEntryPoints = ["https","http"]

[docker]
watch = true
exposedbydefault = false
swarmMode = true

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
    [[entryPoints.https.tls.certificates]]
    certFile = "/cert.pem"
    keyFile = "/privkey.pem"

Here is the relevant section from my Docker swarm stack file:

version: '3.2'

volumes:
 composer:

networks:
  traefik:
    external: true

services:
  proxy:
    image: traefik:latest
    command: --docker --web --docker.swarmmode --logLevel=DEBUG
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
      - "./certs/live/example.com/fullchain.pem:/cert.pem"
      - "./certs/live/example.com/privkey.pem:/privkey.pem"
    networks:
      - traefik

And finally here is the command that cron runs once a week on the dedicated cert server, configured to use ACME v2 for wildcard certs and Route 53 integration for challenge automation:

sudo docker run -it --rm --name certbot                                      \
            -v `pwd`/certs:/etc/letsencrypt                                  \
            -v `pwd`/lib:/var/lib/letsencrypt                                \
            -v `pwd`/log:/var/log/letsencrypt                                \
            --env-file ./env                                                 \
            certbot/dns-route53                                              \
            certonly --dns-route53                                           \
                     --server https://acme-v02.api.letsencrypt.org/directory \
                     -d example.com                                          \
                     -d example.net                                          \
                     -d *.example.com                                        \
                     -d *.example.net                                        \
                     --non-interactive                                       \
                     -m me@example.org                                       \
                     --agree-tos

The folder certs is the NFS volume shared between the three servers.
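A check the cert-manager host can run after each weekly certbot run, before the proxy service is asked to pick up the files: it verifies that privkey.pem really belongs to fullchain.pem, that the leaf is not about to expire, and that the key on the shared volume is not world-readable. This is an added example, not part of the answer above; the certs/live/<domain>/ layout follows the answer, while the swarm service name web_proxy and the reload-by-restart step are assumptions.

```shell
#!/bin/sh
# check_certs.sh: sanity-check what certbot left on the shared NFS volume
# before Traefik is made to (re)load it. Layout follows the answer:
#   <certs>/live/<domain>/fullchain.pem and privkey.pem
# Service name "web_proxy" is an assumption, not taken from the answer.
set -u

# 0 if the private key belongs to the leaf certificate (public keys agree).
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(($2 * 86400)) >/dev/null 2>&1
}

# 0 if privkey.pem (following certbot's symlink) is owner-only readable.
key_perms_strict() {
    mode=$(stat -L -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Check one live/<domain> directory; reports every problem, returns 1 on any.
check_domain_dir() {
    dir="$1"; min_days="${2:-14}"; rc=0
    cert="$dir/fullchain.pem"; key="$dir/privkey.pem"
    [ -r "$cert" ] && [ -r "$key" ] || { echo "$dir: cert or key missing"; return 1; }
    cert_key_match "$cert" "$key" || { echo "$dir: key does not match cert"; rc=1; }
    cert_valid_for_days "$cert" "$min_days" || { echo "$dir: expires within $min_days days"; rc=1; }
    key_perms_strict "$key" || { echo "$dir: privkey.pem readable by group/others"; rc=1; }
    return $rc
}

# Check every domain under <certs>/live; only if all pass, restart the swarm
# service so Traefik 1.x re-reads the files (entryPoints certs load at startup).
main() {
    root="$1"; failed=0
    for d in "$root"/live/*/; do
        check_domain_dir "${d%/}" 14 || failed=1
    done
    [ "$failed" -eq 0 ] || { echo "problems found, not reloading Traefik"; return 1; }
    docker service update --force web_proxy
}

# Run only when invoked with the certs directory as an argument.
if [ $# -ge 1 ]; then main "$1"; fi
```

Run it as `sh check_certs.sh /path/to/certs` from the same cron job, after the certbot container exits.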
