Merge pull request #965 from Nebukadneza/better_certdumper

Use ldez/traefik-certs-dumper in certificate dumper, and make more robust

optional/traefik-certdumper/Dockerfile

@@ -1,11 +1,10 @@
-FROM alpine:3.8
+FROM ldez/traefik-certs-dumper
 
-RUN apk --no-cache add inotify-tools jq openssl util-linux bash docker
-# while not strictly documented, this script seems to always(?) support previous acme.json versions too
-RUN wget https://raw.githubusercontent.com/containous/traefik/master/contrib/scripts/dumpcerts.sh -O dumpcerts.sh
+RUN apk --no-cache add inotify-tools util-linux bash docker
+
+COPY run.sh /
 
 VOLUME ["/traefik"]
 VOLUME ["/output"]
 
-COPY run.sh /
 ENTRYPOINT ["/run.sh"]

optional/traefik-certdumper/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2018 Sven Dowideit
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

optional/traefik-certdumper/README.md

@@ -1,27 +0,0 @@
-# Single-domain traefik-certdumper for mailu
-
-This is based on the work by Sven Dowideit on https://github.com/SvenDowideit/traefik-certdumper
-
-## Fork?
-This is a slight modification that is less flexible, but is adapted to the
-usecase in mailu. If you wish to deploy mailu behind a traefik, you face many
-problems. One of these is that you need to get the certificates into mailu in a
-very defined manner. This will copy the certificate for the **Main:**-domain
-given in the DOMAIN-environment onto `output`.
-
-If your output happens to be mailu-front-`/certs`, the certificate-watcher in
-the front-container will catch it and reload nginx. This works for mailu
-`TLS_FLAVOR=[mail, cert]`
-
-
-```
-  certdumper:
-    restart: always
-    image: Mailu/traefik-certdumper:$VERSION
-    environment:
-      - DOMAIN=$DOMAIN
-    volumes:
-      # your traefik data-volume is probably declared outside of the mailu composefile
-      - /data/traefik:/traefik
-      - $ROOT/certs/:/output/
-```

optional/traefik-certdumper/run.sh

@@ -2,25 +2,22 @@
 
 function dump() {
     echo "$(date) Dumping certificates"
-    bash dumpcerts.sh /traefik/acme.json /tmp/work/ || return
 
-    # private-keys are rsa, we need pem though
-    for key_file in $(ls /tmp/work/private/*); do
-        pem_file=$(echo $key_file | sed 's/private/pem/g' | sed 's/.key/-private.pem/g')
-        openssl rsa -in $key_file -text > $pem_file
-    done
+    traefik-certs-dumper dump --crt-name "cert" --crt-ext ".pem" --key-name "key" --key-ext ".pem" --domain-subdir=true --dest /tmp/work --source /traefik/acme.json > /dev/null
 
-    echo "$(date) Copying certificates"
-    cp -v /tmp/work/pem/${DOMAIN}-private.pem /output/key.pem
-    # the .crt is a chained-pem, as common for letsencrypt
-    cp -v /tmp/work/certs/${DOMAIN}.crt /output/cert.pem
+    if diff -q /tmp/work/${DOMAIN}/cert.pem /output/cert.pem >/dev/null && \
+	    diff -q /tmp/work/${DOMAIN}/key.pem /output/key.pem >/dev/null ; then
+	echo "$(date) Certificate and key still up to date, doing nothing"
+    else
+	echo "$(date) Certificate or key differ, updating"
+	mv /tmp/work/${DOMAIN}/*.pem /output/
+    fi
 }
 
-mkdir -p /tmp/work/pem /tmp/work/certs
-# run once on start to make sure we have any old certs
+mkdir -p /tmp/work
 dump
 
 while true; do
-    inotifywait -e modify /traefik/acme.json && \
-        dump
+    inotifywait -qq -e modify /traefik/acme.json
+    dump
 done

towncrier/newsfragments/820.bugfix

@@ -0,0 +1 @@
+Use ldez/traefik-certs-dumper in our certificate dumper to have a more robust solution