Missing documentation on having multiple acme certificate storages #5632

Open
jansauer opened this issue Oct 11, 2019 · 2 comments
Labels
area/documentation kind/enhancement a new or improved feature.

Comments

@jansauer
Contributor

Do you want to request a feature or report a bug?

Bug

What did you do?

With traefik v2 it is possible to have more than one acme certificate resolver.
This is very useful for cases where it is desired to use different mail addresses for different domains or to use tlschallenge with one and dnschallenge with another domain.
But this leads also to having to set a storage file for each of the certificate resolvers.

The documentation is missing any information on if it is possible to use the same storage file for both resolvers or why it may be not recommended.

So far my first impression was that since it does not mention that this is not supported by the acme implementation and traefik does not display a warning or error on startup that it should be fine. But still then it feels fishy and a short mention in the documentation would give me more confidence in my setup.

What did you expect to see?

At least a note or info text in the documentation for the storage option at https://docs.traefik.io/https/acme/#storage

What did you see instead?

No mention of this case.

Output of traefik version: (What version of Traefik are you using?)

Version:      2.0.2
Codename:     montdor
Go version:   go1.13.1
Built:        2019-10-09T19:26:05Z
OS/Arch:      linux/amd64

Example setup

Here two resolvers are configured with both using the same file.

docker run -it \
  --name traefik \
  --volume /var/run/docker.sock:/var/run/docker.sock \
  --publish 80:80 \
  --publish 443:443 \
  traefik:v2.0.2 \
    --certificatesresolvers.dns=true \
    --certificatesresolvers.dns.acme.dnschallenge \
    --certificatesresolvers.dns.acme.dnschallenge.provider=gcloud \
    --certificatesresolvers.dns.acme.email=jan@jansauer.de \
    --certificatesresolvers.dns.acme.storage=/letsencrypt/acme.json \
    --certificatesresolvers.tls=true \
    --certificatesresolvers.tls.acme.tlschallenge \
    --certificatesresolvers.tls.acme.email=jan@jansauer.de \
    --certificatesresolvers.tls.acme.storage=/letsencrypt/acme.json \
    --entrypoints.web.address=:80 \
    --entryPoints.tls.address=:443 \
    --providers.docker \
    --log.level=DEBUG

@markus-seidl

Just stumbled upon the same issue, because of #6084. It could be a viable workaround to have two certificate resolvers to solve the problem mentioned there (or the design, as it's not clear if it's intended, a feature or a bug).

@aquaplanet

Also not documented as far as I have seen:

2020/01/05 17:07:47 traefik.go:71: command traefik error: unable to initialize certificates resolver "acme2", all the acme resolvers must use the same email

Error message seems to come from (I hope line 71 above is the same as 240 I link to)
https://github.com/containous/traefik/blob/master/pkg/config/static/static_config.go#L240

It would be very good if this was mentioned as well (and an explanation... I solved my problem by sticking a friend's email on my certificate resolver as well - although we have different domains it works but it is ugly)
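
A pre-deployment check for the two situations raised in this thread, added here as an example (not code from Traefik or from the commenters): it lists storage files named by more than one resolver and the distinct ACME account emails, so both are visible before start-up. `AuditResolvers` is a hypothetical helper and the emails are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// AuditResolvers (hypothetical helper, not a Traefik API) returns the storage paths
// named by two or more ACME resolvers and the distinct account emails, in flag order.
func AuditResolvers(args []string) (shared map[string][]string, emails []string) {
	const prefix = "--certificatesresolvers."
	byStorage, seen := map[string][]string{}, map[string]bool{}
	for _, a := range args {
		kv := strings.SplitN(a, "=", 2)
		flag := strings.ToLower(kv[0]) // the issue's flags mix upper and lower case
		// Expect <name>.acme.<option>; this skips e.g. --certificatesresolvers.dns=true.
		p := strings.SplitN(strings.TrimPrefix(flag, prefix), ".", 3)
		if len(kv) != 2 || !strings.HasPrefix(flag, prefix) || len(p) != 3 || p[1] != "acme" {
			continue
		}
		switch p[2] {
		case "storage":
			byStorage[kv[1]] = append(byStorage[kv[1]], p[0])
		case "email":
			if !seen[kv[1]] {
				seen[kv[1]] = true
				emails = append(emails, kv[1])
			}
		}
	}
	shared = map[string][]string{}
	for path, names := range byStorage {
		if len(names) > 1 {
			shared[path] = names
		}
	}
	return shared, emails
}

func main() {
	// Constructed input: the issue's resolver flags with placeholder emails.
	shared, emails := AuditResolvers([]string{
		"--certificatesresolvers.dns.acme.email=ops@example.com",
		"--certificatesresolvers.dns.acme.storage=/letsencrypt/acme.json",
		"--certificatesresolvers.tls.acme.email=admin@example.org",
		"--certificatesresolvers.tls.acme.storage=/letsencrypt/acme.json",
	})
	fmt.Println("shared storage:", shared, "distinct emails:", emails)
}
```

More than one entry in the returned email list is the condition the error message quoted above complains about; a non-empty shared-storage map is the case the issue asks the documentation to address.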
