Use ldez/traefik-certs-dumper in certificate dumper, and make more robust

closes #820
7 years ago · 1acd629e6f
parent da52c64cd8
commit 1acd629e6f
5 changed files with 16 additions and 67 deletions
--- a/optional/traefik-certdumper/Dockerfile
+++ b/optional/traefik-certdumper/Dockerfile
@ -1,11 +1,10 @@
-FROM alpine:3.8
+FROM ldez/traefik-certs-dumper
-RUN apk --no-cache add inotify-tools jq openssl util-linux bash docker
+RUN apk --no-cache add inotify-tools util-linux bash docker
-# while not strictly documented, this script seems to always(?) support previous acme.json versions too
+
-RUN wget https://raw.githubusercontent.com/containous/traefik/master/contrib/scripts/dumpcerts.sh -O dumpcerts.sh
+COPY run.sh /
 VOLUME ["/traefik"]
 VOLUME ["/output"]
 COPY run.sh /
 ENTRYPOINT ["/run.sh"]
--- a/optional/traefik-certdumper/LICENSE
+++ b/optional/traefik-certdumper/LICENSE
@ -1,21 +0,0 @@
 MIT License
 Copyright (c) 2018 Sven Dowideit
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
--- a/optional/traefik-certdumper/README.md
+++ b/optional/traefik-certdumper/README.md
@ -1,27 +0,0 @@
 # Single-domain traefik-certdumper for mailu
 This is based on the work by Sven Dowideit on https://github.com/SvenDowideit/traefik-certdumper
 ## Fork?
 This is a slight modification that is less flexible, but is adapted to the
 usecase in mailu. If you wish to deploy mailu behind a traefik, you face many
 problems. One of these is that you need to get the certificates into mailu in a
 very defined manner. This will copy the certificate for the **Main:**-domain
 given in the DOMAIN-environment onto `output`.
 If your output happens to be mailu-front-`/certs`, the certificate-watcher in
 the front-container will catch it and reload nginx. This works for mailu
 `TLS_FLAVOR=[mail, cert]`
 ```
  certdumper:
    restart: always
    image: Mailu/traefik-certdumper:$VERSION
    environment:
      - DOMAIN=$DOMAIN
    volumes:
      # your traefik data-volume is probably declared outside of the mailu composefile
      - /data/traefik:/traefik
      - $ROOT/certs/:/output/
 ```
--- a/optional/traefik-certdumper/run.sh
+++ b/optional/traefik-certdumper/run.sh
@ -2,25 +2,22 @@
 function dump() {
    echo "$(date) Dumping certificates"
    bash dumpcerts.sh /traefik/acme.json /tmp/work/ || return
-    # private-keys are rsa, we need pem though
+    traefik-certs-dumper dump --crt-name "cert" --crt-ext ".pem" --key-name "key" --key-ext ".pem" --domain-subdir=true --dest /tmp/work --source /traefik/acme.json > /dev/null
    for key_file in $(ls /tmp/work/private/*); do
        pem_file=$(echo $key_file | sed 's/private/pem/g' | sed 's/.key/-private.pem/g')
        openssl rsa -in $key_file -text > $pem_file
    done
-    echo "$(date) Copying certificates"
+    if diff -q /tmp/work/${DOMAIN}/cert.pem /output/cert.pem >/dev/null && \
-    cp -v /tmp/work/pem/${DOMAIN}-private.pem /output/key.pem
+	    diff -q /tmp/work/${DOMAIN}/key.pem /output/key.pem >/dev/null ; then
-    # the .crt is a chained-pem, as common for letsencrypt
+	echo "$(date) Certificate and key still up to date, doing nothing"
-    cp -v /tmp/work/certs/${DOMAIN}.crt /output/cert.pem
+    else
 	echo "$(date) Certificate or key differ, updating"
 	mv /tmp/work/${DOMAIN}/*.pem /output/
    fi
 }
-mkdir -p /tmp/work/pem /tmp/work/certs
+mkdir -p /tmp/work
 # run once on start to make sure we have any old certs
 dump
 while true; do
-    inotifywait -e modify /traefik/acme.json && \
+    inotifywait -qq -e modify /traefik/acme.json
    dump
 done
--- a/towncrier/newsfragments/820.bugfix
+++ b/towncrier/newsfragments/820.bugfix
@ -0,0 +1 @@
 Use ldez/traefik-certs-dumper in our certificate dumper to have a more robust solution
		`@ -0,0 +1 @@`
							`Use ldez/traefik-certs-dumper in our certificate dumper to have a more robust solution`