traefik: Manually trigger Traefik to generate letsencrypt certificate using API

Do you want to request a feature or report a bug?

Feature

What did you expect to see?

The idea is I want to be able to ask Traefik to generate certificates based on an API call. Our system has a lot of domain names that are dynamically pointed to Traefik, so to make sure we don’t exceed letsencrypt we want to manually trigger traefik.

About this issue

  • State: open
  • Created 6 years ago
  • Reactions: 64
  • Comments: 32 (4 by maintainers)

Most upvoted comments

Beside the mentioned API-call I’d really wish to see a button (per cert) in the dashboard which allows to force-renew individual certs.

If you are going to be manually managing your LE certificates, why not use a tool like Certbot to generate certificates, then just dynamically add them to Traefik?

Quick workaround:

  1. delete either the complete acme.json or individual certs inside the file
  2. restart traefik

@bodomic2 wrote:

I struggled for some time trying to use this example; finally, I did this: I opened acme.json and cleared the whole Certificates array (Certificates: []), leaving in place my private key and the URL of my account.

This can be done with jq like this.

$ cp -p acme.json acme.json.bk
$ jq '.letsencrypt.Certificates = []' acme.json > acme-new.json
$ mv acme-new.json acme.json

And don’t forget that acme.json requires 600 permissions (like I did 😃).

$ chmod 600 acme.json
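The same edit as the jq step above, written as an added Python example (not code from the thread or from Traefik) so that it can also drop individual certificates by hostname, as the "individual certs inside file" workaround suggests, while keeping the account key and the 600 mode. It assumes Traefik v2's acme.json layout (resolver name, Account, Certificates with domain.main and domain.sans); the resolver name "letsencrypt" and the sample data are constructed.

```python
import json
import os
import shutil

# Constructed sample of a Traefik v2 acme.json for a resolver named "letsencrypt";
# key and certificate fields are placeholders, not real material.
SAMPLE_ACME = {
    "letsencrypt": {
        "Account": {"Email": "ops@example.com", "PrivateKey": "<account-key>", "KeyType": "4096"},
        "Certificates": [
            {"domain": {"main": "example.com", "sans": ["www.example.com"]},
             "certificate": "<pem>", "key": "<pem>", "Store": "default"},
            {"domain": {"main": "api.example.com"},
             "certificate": "<pem>", "key": "<pem>", "Store": "default"},
        ],
    }
}

def cert_names(cert):
    # Every hostname the stored certificate covers: main plus SANs, lower-cased.
    dom = cert.get("domain", {})
    return {dom.get("main", "").lower(), *(s.lower() for s in dom.get("sans", []))}

def drop_certificates(acme, resolver, domains=None):
    """Copy of acme with certificates removed from one resolver.

    domains=None empties the list (what the jq one-liner does); otherwise only
    entries whose main or SAN names intersect `domains` are dropped. The Account
    block (private key, registration) is untouched, so the ACME account is reused.
    """
    out = json.loads(json.dumps(acme))  # deep copy; acme.json is plain JSON
    kept = []
    if domains is not None:
        wanted = {d.lower() for d in domains}
        kept = [c for c in out[resolver].get("Certificates", []) if not (cert_names(c) & wanted)]
    out[resolver]["Certificates"] = kept
    return out

def rewrite_acme_file(path, resolver, domains=None):
    """Back up path, rewrite the filtered JSON with mode 0600; return certs kept."""
    with open(path) as fh:
        acme = json.load(fh)
    shutil.copy2(path, path + ".bk")  # same backup step as the thread's cp -p
    new = drop_certificates(acme, resolver, domains)
    fd = os.open(path + ".tmp", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # Traefik wants 600
    with os.fdopen(fd, "w") as fh:
        json.dump(new, fh, indent=2)
    os.replace(path + ".tmp", path)  # atomic swap; restart Traefik afterwards
    return len(new[resolver]["Certificates"])
```

Traefik only re-requests the dropped certificates after a restart, as the workaround above says, so run this while the instance is stopped or restart it right after.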

I bet everyone wishes this had been implemented today after the intermediate cert expired. Anyone else stuck in a “now what” moment?

I came across the same need. My scenario: I run a GKE cluster with a traefik-ingress-controller.

The traefik-ingress-controller-service creates a LoadBalancer on GCE and routes traffic into traefik and from there it gets forwarded to my services.

The issue: When the LoadBalancer is created, it has a health check attached. No traffic gets through the LoadBalancer until the HealthCheck is green. Since traefik requests the LE certificates immediately after launch (and does not retry in the error case), there is not enough time for the health check to get green and allow initial traffic into the cluster for the http challenge.

Currently I have to kill the pod and hope that the newly created one is ready fast enough to do the challenge.

A wait time for the LE process, a retry, or an API endpoint to trigger it would really help.

Actually, I just want to trigger Traefik and let it do the rest. Otherwise, I’ll have to take care of the setup for the challenge.

@ptruman I encountered the same issue, so I replaced acme.json with the following:

{
  "le": {
    "Account": {
      "Email": "mail@example.com",
      "Registration": {
        "body": {
          "status": "invalid",
          "contact": [
            "mailto:mail@examplel.com"
          ]
        }
      }
    }
  }
}

And traefik did correctly re-generate all certificates.

I’m going to repeat my post because I’m afraid people who need a quick fix won’t see it because of the discussion.

For people that need help to clean their acme.json file, I quickly created a simple tool to help to remove your certificates from the acme.json (Traefik v2 only).

https://github.com/ldez/traefik-certs-cleaner/

The process:

  • run the tool with the right arguments
  • copy the content of the generated file to your acme.json file
  • restart Traefik

The readme contains examples for all the options (only 3 options).

https://github.com/traefik/traefik/issues/3652#issuecomment-1022423896

@darkl0rd for Traefik v1, the cleanup is a bit more complex but there are possibilities. In all cases, you will have to restart your Traefik instances.

FYI I’m a Traefik maintainer; I’m currently off but I took some time to create this tool.

It’s more complex because the only information that I can use is the acme.json file, and the TLS challenge requires exposing a temporary certificate for the domain on 443.

Ah, yes. Didn’t think about that. Sorry!

Thanks for that - my problem is, I run a large-scale, enterprise-grade service - I can’t have our customers end up with warnings either; that will cause a sh*tstorm with our support department. I can’t remove the existing certificates either, because then I will have downtime, so I am really looking for a way to tell traefik: renew the certificates which are here, regardless of the expiry date.

Thanks for the solution @Austreelis, but I think there is no way to reissue 100+ certificates in one account in such a short timeframe anyway… I feel like a bunch of websites will go nuts these days. (came here after a letter about TLS-ALPN-01 validation method revocation)

I deleted acme.json to try to force a regen, but it’s only generating one cert (and then I got rate limited). Nearly all of my routers just have sans defined (which worked before) - only one has a main and that’s the only one being requested when I have a blank acme.json file…

FTR, there seems to be a separate issue https://github.com/containous/traefik/issues/2174 for the problem described by @soupdiver above.