fix: persist Let's Encrypt certificates across container lifecycle #88
iambaboucarr wants to merge 7 commits into master from
I think the PR is good, if we were to accept the bind mount approach.
However, I'd rather we keep using a volume for the cert, unless a bind mount is really necessary.
I would go with changing make clean to something like:
make clean-all (with --volumes opt - destroys volumes, with confirmation prompt)
make clean (doesn't destroy volumes)
Also, the extra LetsEncrypt Staging env var is a good idea in any case. 👍
scripts/init-cert.sh
| set -eu | ||
| mkdir -p /cert |
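Review bot: mkdir -p /cert is harmless even if Docker pre-creates the mount point, but this fragment does not show how an existing acme.json is treated; the script must create the file only when it is absent and never truncate it, otherwise the init container would wipe exactly the cached certificates and ACME account data this PR exists to preserve, and it should set mode 600 on the file (the value the test plan checks), since Traefik refuses to load an acme.json with a more permissive mode.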
Isn't this folder created automatically by Docker when we mount the volume?
| @@ -62,7 +62,6 @@ | |||
| file: | |||
Shouldn't this whole task be removed since we're handling all of this in an init container now?
The original task was introduced by you in a previous PR. We can discuss the removal in an upcoming call
| # Ansible | ||
| .ansible/ | ||
| traefik/acme.json |
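Review bot: the pattern traefik/acme.json no longer matches the path this PR moves the store to (./traefik/cert/acme.json per the summary and test plan), so with the bind mount the live acme.json inside the checkout would not be ignored; update it to traefik/cert/acme.json (or ignore traefik/cert/) rather than just dropping it, because that file carries the ACME account data and issued certificates, including their private keys, and must never be committed.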
I think this line is a leftover from when we initially used a bind mount for the acme file
It's important to retain the .ansible/ dir, as IDEs that have the Ansible extension installed (e.g. VSCode) will create a .ansible/ dir.
.gitignore
| # IDE | ||
| .vscode/ | ||
| # Ansible |
This comment seems a bit redundant 🙂
README.md
| ### Let's Encrypt Certificate Management | ||
| Traefik uses Let's Encrypt ACME and stores certificate data at `./traefik/cert/acme.json` on the host filesystem. |
There is nothing funny here. This is stale text from the original PR that used a bind mount.
| @@ -15,5 +15,8 @@ Thumbs.db | |||
| # IDE | |||
When did we start adding these comments? At the top of this file we ignore .idea, which is also from an IDE.
We had the comments from the very beginning of the project, although it was a bit inconsistent
Summary
- cert Docker named volume with a ./traefik/cert bind mount so ACME certificates persist through docker compose down --volumes, container recreation, and volume prune operations.
- LETSENCRYPT_ACME_CASERVER env var (defaults to production) so operators can switch to the Let's Encrypt staging server during testing to avoid rate limits.
- traefik/cert/ directory and traefik/cert/acme.json with correct ownership, aligning it with the new bind mount path.

Problem
Running the deployment multiple times (e.g. make clean && make launch) would destroy the cert named volume each cycle, wiping all cached certificates and ACME account data. Traefik then re-requested certificates from production Let's Encrypt, hitting the 5 duplicate certificates per week rate limit after a few iterations. Once rate-limited, Traefik could not obtain valid certificates and browsers showed certificate errors, as encountered by @bobjolliffe during his last demo.

Test plan
- ./traefik/cert/acme.json is created with correct permissions (600, nobody:nobody)
- make clean and make launch to confirm that certificates are preserved
- LETSENCRYPT_ACME_CASERVER to staging URL, verify Traefik uses staging CA
- traefik/cert/acme.json is created at the correct path
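As an added example (not the PR's own scripts/init-cert.sh), an init step that makes the persistence goal explicit: it never truncates an existing acme.json, forces mode 600 (Traefik refuses to load the store otherwise), and maps LETSENCRYPT_ACME_CASERVER to the production or staging CA URL. The /cert path and nobody:nobody owner follow the PR; the "staging" shorthand and the CERT_DIR override are assumptions.

```bash
#!/bin/sh
# Added example, not the PR's own scripts/init-cert.sh. The "staging"
# shorthand and the CERT_DIR override are assumptions, not PR behaviour.
set -eu

LE_PROD="https://acme-v02.api.letsencrypt.org/directory"
LE_STAGING="https://acme-staging-v02.api.letsencrypt.org/directory"

# Map LETSENCRYPT_ACME_CASERVER to a CA directory URL: unset/empty or
# "production" -> production, "staging" -> staging, an https URL as-is.
acme_caserver() {
    case "${1:-}" in
        ""|production) printf '%s\n' "$LE_PROD" ;;
        staging)       printf '%s\n' "$LE_STAGING" ;;
        https://*)     printf '%s\n' "$1" ;;
        *) echo "invalid LETSENCRYPT_ACME_CASERVER: $1" >&2; return 1 ;;
    esac
}

# Prepare <dir>/acme.json without ever truncating an existing store: the
# cached certificates and ACME account key inside it are what must survive
# "make clean". Mode is forced to 0600 because Traefik refuses to load an
# acme.json with a more permissive mode.
init_acme_store() {
    dir="$1"; owner="${2:-}"; file="$dir/acme.json"
    mkdir -p "$dir"
    [ -e "$file" ] || : > "$file"   # create an empty store only if absent
    chmod 600 "$file"
    # chown needs root; skip it otherwise (e.g. when run by a non-root test)
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$file"
    fi
    # succeed only if the mode really is exactly 0600
    [ -n "$(find "$file" -prune -perm 600)" ]
}

# Entry point when executed as scripts/init-cert.sh; no side effects when
# the functions are merely sourced.
if [ "${0##*/}" = "init-cert.sh" ]; then
    echo "ACME CA: $(acme_caserver "${LETSENCRYPT_ACME_CASERVER:-}")"
    init_acme_store "${CERT_DIR:-/cert}" nobody:nobody
fi
```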