Manually trigger Traefik to generate letsencrypt certificate using API #3652
Comments
|
If you are going to be manually managing your LE certificates, why not use a tool like Certbot to generate certificates, then just dynamically add them to Traefik? |
|
Actually, I just want to trigger Traefik and let it do the rest. Otherwise, I’ll have to take care of the setup for the challenge. |
juliens
added
kind/enhancement
|
I can see OP's purpose, but I think the answer lies in #3653, as it was stated the real issue is "not exceeding Let's Encrypt api limits". Although, this problem only exists once, on go-live. In which case, I heavily recommend a phased deployment. Add a website (container/backend/etc), then generate it's certificate, test it, repeat. This becomes VERY easy with |
|
Is it possible to use labels to enable OnHostRule for specific frontend? |
|
I came across the same need. My scenario: The The issue: When LoadBalancer is created it has a health check attached. No traffic gets through the LoadBalancer until the HealthCheck is green. Since traefik requests the LE certificates immediately after launch (and does not retry in error case) there is not enough time for the health check to get green and allow initial traffic into the cluster for the Currently I have to kill the pod and hope that the newly created one is ready fast enough to do the challenge. A wait time for the LE process, a retry or API endpoint to trigger would really help |
|
@soupdiver I think I'm facing the same issue as you. Were you able find any reliable workaround? |
|
FTR, there seems to be a separate issue #2174 for the problem described by @soupdiver above. |
|
Quick workaround:
|
|
Beside the mentioned API-call I'd really wish to see a button (per cert) in the dashboard which allows to force-renew individual certs. |
|
It would also be handy to have a shell/CLI command to do that. |
|
I bet everyone wishes this had been implemented today after the intermediate cert expired. Anyone else stuck in a "now what" moment? |
|
I deleted acme.json to try to force a regen, but it's only generating one cert (and then I got rate limited). |
|
@ptruman I encountered the same issue, so I replaced {
"le": {
"Account": {
"Email": "mail@example.com",
"Registration": {
"body": {
"status": "invalid",
"contact": [
"mailto:mail@examplel.com"
]
}
}
}
}
}And traefik did correctly re-generate all certificates. |
|
It will be good to have possibility to manually renew le certs. My certs are valid only for 10 days, it was issue with aws policy, i fixed it and need to check. I need to wait next auto renew. It is no possible to me to remove old ones and restart) It is working server. |
|
Hello @konstantin-schura,
There is a PR (#8046) that will allow you to set the certificate duration. This feature will be available in the next minor release of Traefik. |
|
Thanks for the solution @Austreelis, but I think there is no way to reissue 100+ certificates in one account in so short timeframe anyways... |
|
This is exactly my concern - I have a bunch of certificates in use which will be revoked as per recent mailing and am looking for a way to pre-emptively (in a controlled manner) renew these certificates (without causing downtime); any way to do this? |
|
@darkl0rd , LE staff offers some help here - https://community.letsencrypt.org/t/questions-about-renewing-before-tls-alpn-01-revocations/170449/24 - also saying that limit will be 300 orders per 3 hours which is quite high. I remember hitting limit of 50/week, and I'm a bit puzzled by this new information |
|
Thanks for that - my problem is, I run a large scale enterprise grade service - I can't have our customers end up with warnings either; that will cause a sh*tstorm with our support department. I can't remove the existing certificates either, because then I will have downtime, so I am really looking for a way to tell traefik - renew the certificates which are here; regardless of the expiry date. |
|
@darkl0rd - I'm quite positive you can feed traefik with information that certificates 'need to be updated 2 days after issuance" - seen this hint somewhere here or there. I'm pretty sure this will solve the problem for you. |
|
@darkl0rd I used a workaround with Træfik 1.7 (it should be possible with Træfik 2.X, too), I deleted only the |
|
@jgerken, thanks, this was my idea also. |
|
Maybe that helps: #6418 |
|
I really need to avoid -any- downtime - I have 1000's of live connections to remote agents that are processing data. I'm also running 1.7, my config is stored in Consul. |
|
@darkl0rd In this situation, I think the best way is to do the renewal on your own. Use an ACME client and use DNS-01 challenge and get the new certificate. Put the certificate in the correct format into As far as I know, Traefik needs a restart to load the file, but you don't have an issue process. I hope you don't have that many certificates 🤞 |
|
For people that need help to clean their https://github.com/ldez/traefik-certs-cleaner/ The process:
@darkl0rd for Traefik v1, the clean is a bit more complex but there are possibilities. FYI I'm a Traefik maintainer, I'm currently off but I took a few times to create this tool. |
|
@ldez could the tool be extended so that is does the actual renewal of the certificates? That would allow users to generate a fixed version of the |
It's more complex because the only information that I can use is the It's not possible to run 2 processes on 443 and a domain cannot point to 2 IPs. With the DNS challenge, it is possible, but with the TLS challenge, it will not be possible without a proxy in front of the proxy and some complex configuration. |
Ah, yes. Didn't think about that. Sorry! |
Struggled some time, trying to use this example, finally, I did this: |
|
I'm going to repeat my post because I'm afraid people who need a quick fix won't see it because of the discussion For people that need help to clean their https://github.com/ldez/traefik-certs-cleaner/ The process:
The readme contains examples for all the options (only 3 options). |
|
@bodomic2 wrote:
This can be done with jq like this. $ cp -p acme.json acme.json.bk
$ cat acme.json | jq 'del(.letsencrypt.Certificates)' | jq '.letsencrypt |= .+ {"Certificates":[]}' > acme-new.json
$ mv acme-new.json acme.jsonAnd don't forget that acme.json requires 600 permission. (like me :-) $ chmod 600 acme.json |
2 years later ... I think this is actually the only reliable way at the moment, I built a drop-in solution for |
|
Hello there, This would not make it to our roadmap as we are focused elsewhere. If a community member would like to build it, let us know, and we will work with you to ensure you have all the information needed to merge it. We prefer to work with our community members at the beginning of the design process to ensure that we are aligned and can move quickly with the review and merge process. Let us know here or create a PR before you start, and we will work with you there. Don’t forget to check out the contributor docs and link the PR to this issue. |
nmengin
added
contributor/wanted
and others
Do you want to request a feature or report a bug?
Feature
What did you expect to see?
The idea is I want to be able to ask Traefik to generate certificates based on an API call. Our system has a lot of domain names that are dynamically pointed to Traefik, so to make sure we don't exceed letsencrypt we want to manually trigger traefik.
The text was updated successfully, but these errors were encountered: