From 1acd629e6f5fcd339c21aa0865b17d09de727127 Mon Sep 17 00:00:00 2001
From: Dario Ernst
Date: Sun, 10 Mar 2019 12:15:14 +0000
Subject: [PATCH] Use ldez/traefik-certs-dumper in certificate dumper, and make more robust
closes #820
---
 optional/traefik-certdumper/Dockerfile | 9 ++++-----
 optional/traefik-certdumper/LICENSE | 21 --------------------
 optional/traefik-certdumper/README.md | 27 --------------------------
 optional/traefik-certdumper/run.sh | 25 +++++++++++-------------
 towncrier/newsfragments/820.bugfix | 1 +
 5 files changed, 16 insertions(+), 67 deletions(-)
 delete mode 100644 optional/traefik-certdumper/LICENSE
 delete mode 100644 optional/traefik-certdumper/README.md
 create mode 100644 towncrier/newsfragments/820.bugfix
diff --git a/optional/traefik-certdumper/Dockerfile b/optional/traefik-certdumper/Dockerfile
index 92e5e900..bfafe245 100644
--- a/optional/traefik-certdumper/Dockerfile
+++ b/optional/traefik-certdumper/Dockerfile
@@ -1,11 +1,10 @@
-FROM alpine:3.8
+FROM ldez/traefik-certs-dumper
-RUN apk --no-cache add inotify-tools jq openssl util-linux bash docker
-# while not strictly documented, this script seems to always(?) support previous acme.json versions too
-RUN wget https://raw.githubusercontent.com/containous/traefik/master/contrib/scripts/dumpcerts.sh -O dumpcerts.sh
+RUN apk --no-cache add inotify-tools util-linux bash docker
+
+COPY run.sh /
 VOLUME ["/traefik"]
 VOLUME ["/output"]
-COPY run.sh /
 ENTRYPOINT ["/run.sh"]
diff --git a/optional/traefik-certdumper/LICENSE b/optional/traefik-certdumper/LICENSE
deleted file mode 100644
index 259ccd34..00000000
--- a/optional/traefik-certdumper/LICENSE
+++ /dev/null
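Review bot: `FROM ldez/traefik-certs-dumper` carries neither a tag nor a digest, so every build resolves to whatever `:latest` is at that moment and the image that handles the dumped private keys is not reproducible or auditable; pin it, e.g. `FROM ldez/traefik-certs-dumper:<pinned-tag>@sha256:<digest>` (placeholders to fill in). The new `RUN apk --no-cache add inotify-tools util-linux bash docker` still installs the `docker` package, yet nothing in the visible run.sh hunk (new lines 2–23) calls it; if it is unused, dropping it shrinks the image and its attack surface. The stage also never sets `USER`, so inotifywait and the dumper run as root; that may be needed to read acme.json, which traefik usually writes mode 0600, but a comment such as `# runs as root: /traefik/acme.json is normally 0600 root-owned` would make the choice deliberate rather than accidental.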
@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2018 Sven Dowideit
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
diff --git a/optional/traefik-certdumper/README.md b/optional/traefik-certdumper/README.md
deleted file mode 100644
index f5434f62..00000000
--- a/optional/traefik-certdumper/README.md
+++ /dev/null
@@ -1,27 +0,0 @@
-# Single-domain traefik-certdumper for mailu
-
-This is based on the work by Sven Dowideit on https://github.com/SvenDowideit/traefik-certdumper
-
-## Fork?
-This is a slight modification that is less flexible, but is adapted to the
-usecase in mailu. If you wish to deploy mailu behind a traefik, you face many
-problems. One of these is that you need to get the certificates into mailu in a
-very defined manner. This will copy the certificate for the **Main:**-domain
-given in the DOMAIN-environment onto `output`.
-
-If your output happens to be mailu-front-`/certs`, the certificate-watcher in
-the front-container will catch it and reload nginx. This works for mailu
-`TLS_FLAVOR=[mail, cert]`
-
-
-```
- certdumper:
- restart: always
- image: Mailu/traefik-certdumper:$VERSION
- environment:
- - DOMAIN=$DOMAIN
- volumes:
- # your traefik data-volume is probably declared outside of the mailu composefile
- - /data/traefik:/traefik
- - $ROOT/certs/:/output/
-```
diff --git a/optional/traefik-certdumper/run.sh b/optional/traefik-certdumper/run.sh
index 5d643670..6799946a 100755
--- a/optional/traefik-certdumper/run.sh
+++ b/optional/traefik-certdumper/run.sh
@@ -2,25 +2,22 @@ function dump() {
 echo "$(date) Dumping certificates"
- bash dumpcerts.sh /traefik/acme.json /tmp/work/ || return
- # private-keys are rsa, we need pem though
- for key_file in $(ls /tmp/work/private/*); do
- pem_file=$(echo $key_file | sed 's/private/pem/g' | sed 's/.key/-private.pem/g')
- openssl rsa -in $key_file -text > $pem_file
- done
+ traefik-certs-dumper dump --crt-name "cert" --crt-ext ".pem" --key-name "key" --key-ext ".pem" --domain-subdir=true --dest /tmp/work --source /traefik/acme.json > /dev/null
- echo "$(date) Copying certificates"
- cp -v /tmp/work/pem/${DOMAIN}-private.pem /output/key.pem
- # the .crt is a chained-pem, as common for letsencrypt
- cp -v /tmp/work/certs/${DOMAIN}.crt /output/cert.pem
+ if diff -q /tmp/work/${DOMAIN}/cert.pem /output/cert.pem >/dev/null && \
+ diff -q /tmp/work/${DOMAIN}/key.pem /output/key.pem >/dev/null ; then
+ echo "$(date) Certificate and key still up to date, doing nothing"
+ else
+ echo "$(date) Certificate or key differ, updating"
+ mv /tmp/work/${DOMAIN}/*.pem /output/
+ fi
 }
-mkdir -p /tmp/work/pem /tmp/work/certs
-# run once on start to make sure we have any old certs
+mkdir -p /tmp/work
 dump
 while true; do
- inotifywait -e modify /traefik/acme.json && \
- dump
+ inotifywait -qq -e modify /traefik/acme.json
+ dump
 done
diff --git a/towncrier/newsfragments/820.bugfix b/towncrier/newsfragments/820.bugfix
new file mode 100644
index 00000000..7831d0de
--- /dev/null
+++ b/towncrier/newsfragments/820.bugfix
@@ -0,0 +1 @@
+Use ldez/traefik-certs-dumper in our certificate dumper to have a more robust solution
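Review bot: The new `traefik-certs-dumper dump … > /dev/null` line drops the `|| return` that guarded the old `bash dumpcerts.sh` call, and the loop now runs `dump` unconditionally because the `&& \` after `inotifywait` is gone, so when /traefik/acme.json is missing or unreadable `inotifywait` exits immediately and the `while true` loop spins, re-running the dumper and taking the `mv … *.pem` branch on every pass. Restoring the guard is two lines: `traefik-certs-dumper dump … --source /traefik/acme.json > /dev/null || return` and `inotifywait -qq -e modify /traefik/acme.json || { sleep 5; continue; }`. The `diff -q` pair also lands in the `else` branch when a dump produced no files at all, so the `|| return` is what keeps a failed dump from being logged as "Certificate or key differ, updating". The mode the dumper gives key.pem is not visible here and the file is moved into /output as-is, so it is worth confirming it is owner-only or tightening it right after the `mv`. `dump()` itself opens on line 1, outside the hunk.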