Backing up acme certs and making persistent #31
Comments
ok the
@rawmind0 do you think it will be all right if I am just mounting in the And if that is all right, what do you think about it being shared to many alpine traefik containers spawned on many front-end hosts with public IP addresses talking to various clustered services in the backend? I think the obvious first worry is multiple instances trying to open the acme.json at once. Right now I'm getting pretty good results, i.e. I've got enforced SSL on a domain, and restarting the container does not get me rate-limit banned at letsencrypt. But I only have one alpine-traefik front end running using that particular volume.
Hey @joshuacox ... Sharing At this point, I see two ways: use a shared volume or a distributed key/value store:
What do you think??
@rawmind0 I kind of like the idea of using the kv store, your choice on which one: consul, etcd, zookeeper, boltdb. I've got more experience with etcd and consul, but I'm open to the other two as well. @mcnilz I have a fork with a branch here that can be added to a rancher and you can have I'd love feedback of any sort as I'm already using this method in a 'production' instance, for better or worse (much better now that I have acme.json persistent and not hitting the rate limits).
@joshuacox, which kv store is not a problem, whichever could work just fine... I guess that all are already on the rancher community catalog... :) I've taken a look at your catalog and I think that it shouldn't work. Don't you have file permission issues?? Since traefik is running with user Anyway, just as advice, don't add the volume directly to the traefik container, it is a bad practice. I think it is much better to provide the volume through another container and add it to the traefik volumes_from section.... ;) Code for traefik.....(also add
rawmind/alpine-volume is a container just to do this kind of things easily. It creates the volume and sets
I've published a version with the optional acme volume from another container at my repo... Take a look.. :)
Merged into community catalog....
KV is the best option for production. I tried https://github.com/rawmind0/service-catalog but it's not creating any service. I think the reason is that I am still on rancher 1.3.5 (never change a running system).
Hey folks, sorry for waking this old issue up again. I ran into the same issue as @joshuacox and I also would like to set up a kv-store for traefik. Could you guys give me a hint on how to do it? Thank you so much!
@Hermsi1337 if you enable acme then the community catalog traefik will use the VOLUME_NAME and VOLUME_DRIVER variables to use a file-based store with the acme file. I've been using this for months with the rancher-nfs driver and a pair of traefik frontends (*it should be noted that if you are using many frontends you definitely need to move up to consul or zookeeper). I have a catalog where the defaults are exactly how I deploy on my personal cluster. I just updated that to use an enum to allow you to choose the traefik version from @rawmind0 's dockerhub. I'm going to test 1.4.1-2 now; I've been using 1.3.6 up until this point. Notice the catalog item is deprecated for 2.0 as the whole stack is retooling for kubernetes. This includes the kubernetes version (in fact anything >1.39 for the kubernetes version). So it might be best at this point to look at the helm template. I'd love to hear @rawmind0 's opinion on the subject.
Hey @joshuacox, many thanks for your answer. I also thought about using NFS for sharing the certificates between my nodes. Actually I don't want to move to Kubernetes since it is a bit oversized for my needs. I hope that @rawmind0 has an idea.
Hi guys, @joshuacox, Rancher v2.0 is in alpha state, and the catalog could eventually be outdated but not deprecated; we'll update all packages to this version. In rancher v2.0 you could use helm packages if you want or like, but you still could use rancher catalog packages using compose style. @Hermsi1337, if you want to share certificates, you could use nfs (not recommended for wan environments) but the best traefik approach would be to use a k/v store and configure it in ha mode. For the moment, this package doesn't support this configuration, just nfs. As an alternative, you could disable traefik acme support and use the rancher "let's encrypt" integration published in the community-catalog https://github.com/rancher/community-catalog/tree/master/templates/letsencrypt Best regards...
@rawmind0 As far as I can see, there is also no support for kv. Am I missing a point?
@Hermsi1337, the main difference is that with the rancher integration, all services could get letsencrypt certificates, not just traefik. I already wrote in my previous comment that this package doesn't support k/v configuration for the moment, just nfs.
@rawmind0, okay.. I think I will give that configuration a shot. Nevertheless I would really love to use your traefik setup along with a kv-store.
So busy....Pull requests are very welcome.. ;)
@rawmind0 how do I make the rancher letsencrypt stack from the community catalog work with this?
@jonahlau to make the letsencrypt stack work with this, traefik acme support needs to be disabled. Take a look at https://www.digitalocean.com/community/tutorials/how-to-secure-your-rancher-web-app-with-let-s-encrypt-on-ubuntu-16-04
So I have hit the dreaded:
Because I have restarted traefik too many times this week on a few of my domains. So I decided to dig in and find the certs. @rawmind0 please correct me if I'm mistaken on any of this. But it looks like all the certs are stored in `acme.json`, which is in the `/opt/traefik/acme` directory. My question is: can I volume mount in this directory? Perhaps using convoy-NFS? I'm going to give it a shot, but I'd welcome any comments or suggestions?
Here's an example in PR form, feel free to reject. I'm going to test this out on a test environment.
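As an added example (not code from the rancher-traefik project or from anyone in this thread), here is a small Python helper around the store discussed above: it reads the per-domain certificates out of a Traefik 1.x `acme.json` such as the one under `/opt/traefik/acme`, flags the file when group/other can read it (the file-permission issue raised later in the thread), and exports each domain's certificate and private key to owner-only backup files. The store layout (`DomainsCertificate` -> `Certs` -> `Domains` / `Certificate` with base64 PEM), the `example.test` entry and the placeholder PEM bodies are assumptions and constructed sample data, not values from this page.

```python
import base64, json, os, stat, tempfile

# Constructed placeholders standing in for the base64 PEM Traefik keeps per domain.
FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n"
FAKE_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n"

def write_constructed_store(directory=None):
    """Write a minimal acme.json in the assumed Traefik 1.x layout; return its path."""
    directory = directory or tempfile.mkdtemp()
    store = {"Email": "ops@example.test", "DomainsCertificate": {"Certs": [{
        "Domains": {"Main": "example.test", "SANs": None},
        "Certificate": {"Domain": "example.test", "Certificate": base64.b64encode(FAKE_CERT).decode(),
                        "PrivateKey": base64.b64encode(FAKE_KEY).decode()}}]}}
    path = os.path.join(directory, "acme.json")
    with open(path, "w") as fh:
        json.dump(store, fh)
    os.chmod(path, 0o644)  # deliberately too open, so the check below fires
    return path

def load_certs(acme_path):
    """Return {main_domain: (cert_pem, key_pem)} decoded from the store."""
    with open(acme_path) as fh:
        store = json.load(fh)
    certs = {}
    for entry in store.get("DomainsCertificate", {}).get("Certs", []):
        c = entry["Certificate"]
        certs[entry["Domains"]["Main"]] = (base64.b64decode(c["Certificate"]),
                                           base64.b64decode(c["PrivateKey"]))
    return certs

def file_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def permission_problems(acme_path):
    """Non-empty if group/other can access the store (it holds private keys)."""
    mode = file_mode(acme_path)
    return ["mode %o allows group/other access" % mode] if mode & 0o077 else []

def export_backup(acme_path, out_dir):
    """Write <domain>.crt and <domain>.key, each created with mode 0600 so the
    private key is never world-readable, even briefly."""
    os.makedirs(out_dir, mode=0o700, exist_ok=True)
    written = []
    for domain, pems in load_certs(acme_path).items():
        for suffix, data in zip(("crt", "key"), pems):
            path = os.path.join(out_dir, domain + "." + suffix)
            with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "wb") as fh:
                fh.write(data)
            written.append(path)
    return written
```

Point `load_certs` and `export_backup` at the real store (mounted read-only from the acme volume) to get a backup that survives a container restart without re-requesting certificates and hitting the rate limit.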