Manually reload tls certificates #5495
Comments
|
Hello, could you give more information about your Traefik configuration? |
|
Same issue for me, I have this configuration in place: tls:
certificates:
- certFile: /etc/letsencrypt/live/DOMAIN/fullchain.pem
keyFile: /etc/letsencrypt/live/DOMAIN/privkey.pem
stores:
default:
defaultCertificate:
certFile: /etc/letsencrypt/live/DOMAIN/fullchain.pem
keyFile: /etc/letsencrypt/live/DOMAIN/privkey.pemThe path is a NFS volume and the certificates are renewed outside of traefik (because not only used by traefik) |
|
could you give more information about your Traefik configuration (static and dynamic configuration)? |
|
Sure: global:
checkNewVersion: false
sendAnonymousUsage: false
serversTransport:
insecureSkipVerify: true
providers:
docker:
endpoint: tcp://docker-socket-proxy2:2375
exposedByDefault: false
watch: true
file:
directory: /configs/
watch: true
log:
level: DEBUG
accessLog: {}
api:
dashboard: true
entryPoints:
https:
address: :443
forwardedHeaders:
trustedIPs:
- "127.0.0.1/32"
- "x.x.x.x"
proxyProtocol:
trustedIPs:
- "127.0.0.1/32"
- "x.x.x.x"
publicHttps:
address: :8443
forwardedHeaders:
trustedIPs:
- "127.0.0.1/32"
- "x.x.x.x"
proxyProtocol:
trustedIPs:
- "127.0.0.1/32"
- "x.x.x.x"TLS: tls:
certificates:
- certFile: /etc/letsencrypt/live/DOMAIN/fullchain.pem
keyFile: /etc/letsencrypt/live/DOMAIN/privkey.pem
stores:
default:
defaultCertificate:
certFile: /etc/letsencrypt/live/DOMAIN/fullchain.pem
keyFile: /etc/letsencrypt/live/DOMAIN/privkey.pem
options:
default:
minVersion: VersionTLS12Dynamic example: labels:
- traefik.enable=true
- traefik.docker.network=${TRAEFIK_BACKEND_NETWORK}
- traefik.http.routers.grafana.rule=Host(`grafana.${PRIVATE_DOMAIN}`)
- traefik.http.routers.grafana.entryPoints=https
- traefik.http.routers.grafana.tls=true
- traefik.http.routers.grafana.tls.options=default
- traefik.http.services.grafana.loadBalancer.server.port=3000 |
|
How you mount the file? |
|
NFS on the host, then I map the folder in the container: volumes:
- ./traefik.yml:/traefik.yml:ro
- ./configs:/configs:ro
- ${DOCKER_DATA_NFS_FOLDER}/certbot/etc-letsencrypt:/etc/letsencrypt:ro |
|
Stack.yml version: "3.7"
services:
traefik:
image: traefik:v2.0
ports:
- "80:80"
- "443:443"
- "8080:8080"
- "8082:8082"
volumes:
- type: bind
source: /var/run/docker.sock
target: /var/run/docker.sock
- type: bind
source: /mnt/gfs/docker/traefik/traefik.yml
target: /etc/traefik/traefik.yml
- type: bind
source: /mnt/gfs/docker/traefik/certs
target: /certs
- type: bind
source: /mnt/gfs/docker/traefik/config
target: /config
- type: bind
source: /mnt/gfs/docker/traefik/acme
target: /acme
deploy:
placement:
constraints:
- node.role == manager
networks:
traefik-net: {}
networks:
traefik-net:
name: traefik-net
driver: overlayWhere traefik.yml entryPoints:
http:
address: ":80"
https:
address: ":443"
metrics:
address: ":8082"
providers:
docker:
swarmMode: true
network: traefik-net
exposedByDefault: false
file:
filename: /config/config.yml
# inotify does not work with network mounts
watch: false
# API and dashboard configuration
api:
insecure: true
debug: true
metrics:
prometheus:
entryPoint: metricsconfig.yml (mentioned above): tls:
certificates:
- certFile: /certs/_.example.com/_.example.com.cert
keyFile: /certs/_.example.com/_.example.com.key
http:
middlewares:
redirect-to-https:
redirectScheme:
scheme: https
routers:
http-catchall:
priority: 0
entryPoints:
- http
middlewares:
- redirect-to-https@file
rule: 'hostregexp(`{host:.+}`)'
service: noop
services:
noop:
loadBalancer:
servers:
- url: 'http://127.0.0.1'Replacing |
dduportal
added
area/tls
kind/bug/possible
|
An interesting way to handle that would be to provide an API endpoint to reload certs. |
dduportal
added
kind/proposal
|
I just ran into this today as well when using a glusterfs volume for file configs. In my main config, I have it watch a directory in the glusterfs volume. That directory is where I store dynamic configurations. Some nodes in docker swarm seem to get the updated file config, and others don't, until I manually restart that instance. It seems that Traefik is unable to know when files are changed or added (when using the watch option) and the directory is a glusterfs volume. I wonder if this is what I am running into... |
|
@gtmadev I tried bind mounting using folder and that does not help. This is a pretty major blocker for me, and I'd like to help move this forward. My initial idea is to add support for a kill signal that would trigger a config reload, probably Thoughts? |
|
This is also something I'd like to see. While Traefik may feel this is covered though it's letsencrypt solution it does not cover all real world cases.
There two solutions that will work here as I see it:
Given that this is a barrier of entry for Traefik I would like to see a solution given a priority. |
|
We also desperately need this feature, as the current strategies for triggering certificate reload leave a lot to be desired. |
|
I badly need a similar solution too, hope this is getting looked into :-) |
|
Same here with traefik 1.x helm chart. Edit: Seems our problem was that we had several secrets wiht the same name "my-tls-wildcard-secret" in different namespaces. We had to update all of them before traefik used it. |
|
Same issue here. Traefik version 2.2.0 built on 2020-03-25T17:32:57Z with docker Before changing certificates : When changing certificates : And here is the directory : Traefik config : |
|
We are generating certificates on request and move them to the right file position. This replaces the inode, which (I believe) breaks traefiks automatic discovery of certificates. |
|
Any word on this possible bug? We programmatically generate our certificates from a known authority and they are replaced for which Traefik cannot see happen. We have to manually bounce trafik to get it to pick up the new certificates. |
|
We generate out certificates from another authority too, and when we replace the certificates Traefik doesn't see the change. I have discovered if I touch the configuration file it does reload the new certificates, ie "touch certificates.toml" |
Really? That did not work for me last time I tried. I think Traefik caches the parsed config files and if it's still the same it doesn't re-apply them. |
|
Hi, is there any update for this? |
|
Hi, I've the same problem here when everything is stored on NFS share provided by netapp. Have a good day. |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
|
There is also the issue of docker swarm setup. Let's say you have 3 manager nodes, you can touch the cert config yml on one of them, and it will work great, but the other two will know nothing about the updated cert...hence, issues. Same with acme. Only thing resolving it is a restart of the service stack. |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
|
@Ajedi32 is spot on, also about the cert configured in default certs only not being enough. What is absolutely baffling to me is that Traefik devs are so ignorant towards implementing a simple signal for reloading the configuration as pretty much every other daemon does. Sure, touching a dynamic config file works, but it's a horrible workaround - next time they'll implement configuration caching so only changes propagate and it'll stop working or something. I'm on Traefik v3 now and #8243 doesn't seem to solve it for me (I have the certs mounted in a directory and not separately), a reload or restart is still needed. But my testing was limited as it's hard to test properly without accidentally reloading the configuration.
@MartinMuzatko you can do something like |
@bkraul I ended up doing a touch on the config files, then rsync to the other nodes. Then they all pick up the changes. |
|
Sounds legit...though a bit hacky. At that point I might just set up an Ansible playbook to do just what you described. |
|
Any updates on this? I'm struggling the same, but the touch workaround didn't work for me... I touch /etc/traefik/traefik.yml in my manager node traefik instance but none of config seems to change, the only thing that works it's reloading the service, which is not an option because traefik it's supposedly designed for, detect changes automatically in the file provider directory! |
|
Hello, We have recently merged a PR that allows reloading the configuration when Traefik receives a SIGHUP signal. Is it enough for your use cases? |
|
Na man...endpoint call would have been nice. |
|
Hi, SIGHUP can be a great option for "non containers" deployed instances. If certs files are generated by others internals tools and pushed in a shared (or not) space also mounted in the traefik container.... how to do a SIGUP and keep everything safe and isolated between traefik process and certs generators ? I also think and endpoint (with auth) in the traefik API can be more secure. Have a good day. |
|
Not to mention that Windows does not have SIGHUP |
|
Just trying to sum this up :
I'm sure that's useful for some use case, but definitely leaves a lot of people aside that were hoping for a simple monitoring of the cert files |
|
Hello, A configurable HTTP endpoint to trigger configuration reloads of the file provider is a good enhancement. We would love some help from the community on this, if any community member would like to contribute to this, let us know, and we will work with you to make sure you have all the information needed before starting, and ensure that we are aligned and can move quickly with the review and merge process. |
rtribotte
added
kind/enhancement
|
Yes, an endpoint can be great. More simple... a flag ! |
|
Hi ! When I change it or just touch the file, I have this log Is that normal that TLS certificate are not mentionned in the "Configuration received" ? |
Not great with multiple Traefik instances using the same folder of certificates. Only 1 will be able to update |
|
I looked around the code, and I'm not super-golang-capable, but I think with the way Providers are separate from DynamicConfig that it'd be hard to implement a way to ask the FileProvider to reload itself from the api package, as the api doesn't have access to the AggregateProvider (or its internal FileProvider instance), and FileProvider doesn't expose a way to reload its configuration externally - just fsnotify and at load time. I did consider adding a time.Ticker routine and reevaluate every watched file every x seconds, but didn't really like the resulting code. I also considered seeing if the RestProvider could "call in" with its own channel to AggregateProvider to "ask FileProvider, if valid, to reload itself" as AggregateProvider does have a reference to it (if using that provider), but I also felt that was very hacky and definitely didn't fit the way traefik is architected. I ended up building a docker image with supervisord, with XML-RPC enabled, so I can call the endpoint there to SIGHUP the traefik process. It isn't ideal, but it's a valid workaround until someone can implement an API endpoint directly in traefik. |
and others
Do you want to request a feature or report a bug?
Feature
What did you expect to see?
My tls certificates are generated with Let's Encrypt remotely and are used by Traefik through a glusterfs mount. For that reason, Traefik is unable to properly monitor file changes and thus never knows when certificates are renewed (so it will serve an expired certificate). Having a way to tell Traefik to reload new certificates (or file configs in general) would allow the user to circumvent cases when Traefik is unable to use inotify.
Traefik Version
2.0
Similar to #1623
The text was updated successfully, but these errors were encountered: