Support Traefik v2 format #34

Closed
Xaroth opened this issue Jul 22, 2019 · 14 comments
@Xaroth

Xaroth commented Jul 22, 2019

I'm running a small stack with Traefik (v2.0b1) configured to request a wildcard cert. traefik-certs-dumper is then asked to extract these certs. However, this segfaults.
I have run this same setup without a wildcard cert, which runs just fine, so I suspect it has to do with the naming of the certs. I saw that #20 fixes this for Windows, but not for Linux.

The segfault in question:

destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | [signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x7175c7]
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | goroutine 1 [running]:
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/ldez/traefik-certs-dumper/v2/dumper.extractPEMPrivateKey(0x0, 0xf, 0x1ed, 0x0)
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/src/github.com/ldez/traefik-certs-dumper/dumper/dumper.go:89 +0x37
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/ldez/traefik-certs-dumper/v2/dumper.Dump(0xc00011ed50, 0xc0001304d0, 0xc00011ed50, 0x0)
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/src/github.com/ldez/traefik-certs-dumper/dumper/dumper.go:42 +0xfb
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/ldez/traefik-certs-dumper/v2/dumper/file.dump(0x7ffd50154f2b, 0x10, 0xc0001304d0, 0xc0000a35a8, 0xc0000eea00)
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/src/github.com/ldez/traefik-certs-dumper/dumper/file/file.go:38 +0x70
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/ldez/traefik-certs-dumper/v2/dumper/file.Dump(0x7ffd50154f2b, 0x10, 0xc0001304d0, 0xc000097900, 0x7ffd50154f43)
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/src/github.com/ldez/traefik-certs-dumper/dumper/file/file.go:19 +0x43
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/ldez/traefik-certs-dumper/v2/cmd.glob..func2(0xc0001304d0, 0x11c9f60, 0x0, 0x0)
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/src/github.com/ldez/traefik-certs-dumper/cmd/file.go:17 +0x7d
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/ldez/traefik-certs-dumper/v2/cmd.runE.func1(0x11c9f60, 0xc000023dc0, 0x0, 0x4, 0x0, 0x0)
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/src/github.com/ldez/traefik-certs-dumper/cmd/root.go:100 +0x6d
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/spf13/cobra.(*Command).execute(0x11c9f60, 0xc000023d00, 0x4, 0x4, 0x11c9f60, 0xc000023d00)
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/pkg/mod/github.com/spf13/cobra@v0.0.3/command.go:762 +0x465
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/spf13/cobra.(*Command).ExecuteC(0x11c9840, 0xc000129f68, 0x4e00a7, 0xc000094000)
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/pkg/mod/github.com/spf13/cobra@v0.0.3/command.go:852 +0x2ec
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/spf13/cobra.(*Command).Execute(...)
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/pkg/mod/github.com/spf13/cobra@v0.0.3/command.go:800
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/ldez/traefik-certs-dumper/v2/cmd.Execute()
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/src/github.com/ldez/traefik-certs-dumper/cmd/root.go:45 +0x2e
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | main.main()
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/src/github.com/ldez/traefik-certs-dumper/main.go:11 +0x3c

Looking at #20, it would probably make sense to have the same logic apply to both Windows and Linux to begin with, as this now introduces different behavior depending on what type of host you are running on... it should likely also fix this issue.

@ldez
Owner

ldez commented Jul 22, 2019

For now, the dumper is not compatible with v2.

@ldez ldez added the enhancement New feature or request label Jul 22, 2019
@ldez ldez self-assigned this Jul 22, 2019
@theq78

theq78 commented Aug 3, 2019

Looking forward to seeing the dumper being v2 compatible.

@theq78

theq78 commented Aug 7, 2019

As a quick hack / workaround, someone could use the following one-liners to extract the Let's Encrypt (wildcard) certificate and its key from acme.json:

cat acme.json | jq -r '.letsencrypt.Certificates[0].certificate' | base64 -d > \*.domain.tld/certificate.crt
cat acme.json | jq -r '.letsencrypt.Certificates[0].key' | base64 -d > \*.domain.tld/privatekey.key

@KoffeinKaio

KoffeinKaio commented Aug 26, 2019

> Looking forward to see dumper being v2 compatible.

Because I currently cannot be bothered to look into the Go code, here's a quick script while this is being fixed:

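#!/bin/bash
# Dump each certificate/key pair of the "basic" resolver in acme.json into one folder per domain.
set -euo pipefail
umask 077   # key.pem holds a private key: create files and folders owner-only

DIR="/traefik/ssl"
FILENAME="/acme.json"

# Read the whole file first, then start from an empty output directory.
FILE=$(cat "${FILENAME}")
rm -rf "${DIR}"
mkdir -p "${DIR}"

COUNT=$(jq -r '.basic.Certificates | length' <<< "${FILE}")
for ((i = 0; i < COUNT; i++)); do
    ENTRY=$(jq ".basic.Certificates[${i}]" <<< "${FILE}")

    # Quoted expansions keep wildcard names such as *.domain.tld from being globbed.
    DOMAIN=$(jq -r '.domain.main' <<< "${ENTRY}")
    CERT=$(jq -r '.certificate' <<< "${ENTRY}" | base64 -d)
    KEY=$(jq -r '.key' <<< "${ENTRY}" | base64 -d)

    mkdir -p "${DIR}/${DOMAIN}"
    echo "${KEY}" > "${DIR}/${DOMAIN}/key.pem"
    echo "${CERT}" > "${DIR}/${DOMAIN}/cert.pem"
done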

Produces:

/traefik-certs-dumper # tree /traefik/ssl/
/traefik/ssl/
├── cloud.domain.tld
│   ├── cert.pem
│   └── key.pem
├── sub.domain.tld
│   ├── cert.pem
│   └── key.pem
├── sub2.domain.tld
│   ├── cert.pem
│   └── key.pem
└── other-domain.tld
    ├── cert.pem
    └── key.pem

@ldez ldez changed the title Segfault when extracting wildcard certs Support Traefik v2 format Aug 26, 2019
@dwaite

dwaite commented Aug 27, 2019

The main difference is a new level on top - referencing which of (possibly many) certificate resolvers the certificates were issued by. For example, I have "default" and "staging" root keys.

There is also a store attribute on the individual cert/key level, but I only see this set to "default".

@ldez
Owner

ldez commented Sep 4, 2019

Fixed in version v2.5.3.

@ldez ldez closed this as completed Sep 4, 2019
@theq78

theq78 commented Sep 5, 2019

Just tested the latest v2.5.3 - the following segfault still occurs?! Can anybody confirm the segfault?

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x73dba7]

goroutine 1 [running]:
github.com/ldez/traefik-certs-dumper/v2/dumper/v1.extractPEMPrivateKey(0x0, 0xc, 0x1ed, 0x0)
	/go/src/github.com/ldez/traefik-certs-dumper/dumper/v1/dumper.go:84 +0x37
github.com/ldez/traefik-certs-dumper/v2/dumper/v1.Dump(0xc0003aad20, 0xc00012cc00, 0xc0003aad20, 0x0)
	/go/src/github.com/ldez/traefik-certs-dumper/dumper/v1/dumper.go:37 +0xfa
github.com/ldez/traefik-certs-dumper/v2/dumper/file.dumpV1(0xe80484, 0xb, 0xc00012cc00, 0xc000370ea0, 0xc0002d7cb8)
	/go/src/github.com/ldez/traefik-certs-dumper/dumper/file/file.go:54 +0x110
github.com/ldez/traefik-certs-dumper/v2/dumper/file.dump(0xe80484, 0xb, 0xc00012cc00, 0xc000370f28, 0xc00012ec00)
	/go/src/github.com/ldez/traefik-certs-dumper/dumper/file/file.go:40 +0x55
github.com/ldez/traefik-certs-dumper/v2/dumper/file.Dump(0xe80484, 0xb, 0xc00012cc00, 0xc000313a40, 0xe7b0c7)
	/go/src/github.com/ldez/traefik-certs-dumper/dumper/file/file.go:22 +0x43
github.com/ldez/traefik-certs-dumper/v2/cmd.glob..func2(0xc00012cc00, 0x1674ec0, 0x0, 0x0)
	/go/src/github.com/ldez/traefik-certs-dumper/cmd/file.go:17 +0x7d
github.com/ldez/traefik-certs-dumper/v2/cmd.runE.func1(0x1674ec0, 0xc000127e40, 0x0, 0x2, 0x0, 0x0)
	/go/src/github.com/ldez/traefik-certs-dumper/cmd/root.go:100 +0x6d
github.com/spf13/cobra.(*Command).execute(0x1674ec0, 0xc000127de0, 0x2, 0x2, 0x1674ec0, 0xc000127de0)
	/go/pkg/mod/github.com/spf13/cobra@v0.0.5/command.go:826 +0x460
github.com/spf13/cobra.(*Command).ExecuteC(0x16753c0, 0x4ef1ef, 0x0, 0x0)
	/go/pkg/mod/github.com/spf13/cobra@v0.0.5/command.go:914 +0x2fb
github.com/spf13/cobra.(*Command).Execute(...)
	/go/pkg/mod/github.com/spf13/cobra@v0.0.5/command.go:864
github.com/ldez/traefik-certs-dumper/v2/cmd.Execute()
	/go/src/github.com/ldez/traefik-certs-dumper/cmd/root.go:45 +0x2d
main.main()
	/go/src/github.com/ldez/traefik-certs-dumper/main.go:11 +0x3b

@ldez
Owner

ldez commented Sep 5, 2019

@ldez
Owner

ldez commented Sep 5, 2019

or your acme.json file doesn't have any account information.

@ldez
Owner

ldez commented Sep 5, 2019

I made a change to allow dumping the file even if the file is altered (no account information).
You can try the version v2.5.4.

Note: Traefik always creates the account information. So, if there is no account information in the file, it's because the file has been manually modified.
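An added example, not code from traefik-certs-dumper: a nil-safe reader for the layout described in the comments above (one top-level key per certificate resolver, entries with `domain.main`, `certificate` and `key`), which reports resolvers without account information instead of dereferencing it and checks that each decoded value is a PEM block. The names `ParseV2`, `decodePEM` and `resolver` are hypothetical, the `Account` key name is an assumption, and the input in `main` is constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
)

// resolver is one top-level entry of a v2 acme.json ("Account" is an assumed key name).
type resolver struct {
	Account      map[string]interface{}
	Certificates []struct {
		Domain           struct{ Main string }
		Certificate, Key string // base64 of PEM text
	}
}

// decodePEM base64-decodes a field and reports whether it holds a PEM block of that kind.
func decodePEM(b64, kind string) ([]byte, bool) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	blk, _ := pem.Decode(raw)
	return raw, err == nil && blk != nil && strings.HasSuffix(blk.Type, kind)
}

// ParseV2 maps "resolver/domain" to certificate PEM and lists resolvers without account data.
func ParseV2(raw []byte) (map[string][]byte, []string, error) {
	file, certs, noAccount := map[string]resolver{}, map[string][]byte{}, []string{}
	if err := json.Unmarshal(raw, &file); err != nil {
		return nil, nil, err
	}
	for name, r := range file {
		if len(r.Account) == 0 { // report it; never dereference a missing account
			noAccount = append(noAccount, name)
		}
		for _, c := range r.Certificates {
			cert, okCert := decodePEM(c.Certificate, "CERTIFICATE")
			if _, okKey := decodePEM(c.Key, "PRIVATE KEY"); !okCert || !okKey {
				return nil, nil, fmt.Errorf("%s/%s: certificate or key is not PEM", name, c.Domain.Main)
			}
			certs[name+"/"+c.Domain.Main] = cert
		}
	}
	return certs, noAccount, nil
}

func main() { // constructed input: resolver "default" has no account and no certificates
	fmt.Println(ParseV2([]byte(`{"default":{"Certificates":[]},"staging":{"Account":{"Email":"x@example.org"}}}`)))
}
```

The returned PEM bytes still have to be written out by the caller; key files should be created owner-only (mode 0600).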

@theq78

theq78 commented Sep 7, 2019

@ldez: Thanks! --version v2 option worked 👍

@rezor92

rezor92 commented Sep 25, 2019

Hi,

First of all, thanks for your work and for sharing it. I have tried it but I cannot get it to work on my server.

I'm using Traefik v2.0 and the docker image ldez/traefik-certs-dumper:latest with the following command:

  certdumper:
    image: ldez/traefik-certs-dumper:latest
    command: "file --watch --domain-subdir=true --version v2"
    volumes:
      - "/XX/XX/XX/acme.json:/acme.json:ro"
      - "/XX/XX/certs:/dump"

I'm getting the following log after the acme.json changed:

2019/09/25 07:15:54 file.go:96: error: EOF,
dump,
└──private,

If I check the output folders, they are empty. It would be kind if someone could give me a hint as to what I'm doing wrong.

Best regards

@ldez
Owner

ldez commented Sep 25, 2019

@rezor92 could you open another issue, thanks.

@francescor

> As a quick hack / workaround, someone could use the following one-liners to extract the Let's Encrypt (wildcard) certificate and its key from acme.json
>
> cat acme.json | jq -r .letsencrypt.Certificates[0].certificate | base64 -d > \*.domain.tld/certificate.crt
> cat acme.json | jq -r .letsencrypt.Certificates[0].key | base64 -d > \*.domain.tld/privatekey.key

Sure?

That wouldn't create a proper cert (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- missing, for example), while traefik-certs-dumper works perfectly.
