Question
To use Traefik 1.7 on APIs for serving mobile apps that require the use of certificate pinning on the public key, it's necessary to configure the acme section on the toml file to reuse the same private/public key pair when renewing the certificates, but I don't find anywhere in the docs how I can do it.
So I am looking for the same behavior that I believe the --reuse-key in certbot gives:

    --reuse-key    When renewing, use the same private key as the existing certificate. (default: False)
NOTE: I know I can configure Traefik with the paths to the certificates that I would generate/renew with certbot, but that is not the solution I am asking for, because I already know how to implement it; this approach does not give the seamless experience of the acme implementation, which only requires me to add some labels to the docker container I want to secure with TLS.
traefik.toml:

    debug = false
    logLevel = "ERROR"
    defaultEntryPoints = ["https","http"]

    [entryPoints]
      [entryPoints.http]
      address = ":80"
        [entryPoints.http.redirect]
        entryPoint = "https"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]

    [retry]

    [docker]
    endpoint = "unix:///var/run/docker.sock"
    watch = true
    exposedByDefault = false

    [acme]
    storage = "acme.json"
    entryPoint = "https"
    onHostRule = true
      [acme.httpChallenge]
      entryPoint = "http"
docker-compose.yml:

    version: '2.3'
    services:
      traefik:
        image: traefik:1.7
        restart: always
        ports:
          - 80:80
          - 443:443
        networks:
          - traefik
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - ./traefik.toml:/traefik.toml
          - ./acme.json:/acme.json
        container_name: traefik
        labels:
          - "traefik.acme.email=${TRAEFIK_ACME_EMAIL:? Missing TRAEFIK_ACME_EMAIL env var.}"
          - "traefik.docker.domain=${TRAEFIK_DOCKER_DOMAIN:? Missing TRAEFIK_DOCKER_DOMAIN env var.}"
    networks:
      traefik:
        external: true
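The property the question depends on is that a renewed certificate keeps the same SubjectPublicKeyInfo, so the pin baked into the mobile app stays valid. The script below, an added example that is not from the question or from Traefik, computes that SPKI pin from a certificate and from a key and checks whether a renewal preserved it; it assumes openssl is installed and uses self-signed certificates in a temp directory as constructed stand-ins for ACME-issued ones.

```shell
#!/bin/sh
# Added example (not from the question or Traefik): verify that a renewed
# certificate keeps the public key that mobile clients pin. Assumes openssl
# is installed; the certificates are constructed self-signed stand-ins.

# SPKI pin as used by HPKP, Android network-security-config and TrustKit:
# base64(sha256(DER SubjectPublicKeyInfo)). It depends only on the key pair,
# not on the issuer, serial number or validity dates.
spki_pin() {  # spki_pin <cert.pem>
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# The same pin computed straight from the private key file, which is what
# you can pin before the first certificate is even issued.
key_pin() {  # key_pin <key.pem>
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Self-signed stand-in for an ACME issuance from an existing key.
issue_cert() {  # issue_cert <key.pem> <out-cert.pem> <cn>
  openssl req -x509 -new -key "$1" -out "$2" -days 1 -subj "/CN=$3" 2>/dev/null
}

# Exit 0 when the renewal kept the pinned key, 1 when the key was rotated.
pin_unchanged() {  # pin_unchanged <old-cert.pem> <new-cert.pem>
  [ "$(spki_pin "$1")" = "$(spki_pin "$2")" ]
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Constructed scenario: the original key, a renewal that reuses it (the
# behaviour the question asks for) and a renewal with a fresh key.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/key1.pem" 2>/dev/null
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/key2.pem" 2>/dev/null
issue_cert "$WORK/key1.pem" "$WORK/cert_old.pem"     example.test
issue_cert "$WORK/key1.pem" "$WORK/cert_reused.pem"  example.test
issue_cert "$WORK/key2.pem" "$WORK/cert_rotated.pem" example.test

echo "pinned : $(spki_pin "$WORK/cert_old.pem")"
echo "reused : $(spki_pin "$WORK/cert_reused.pem")"
echo "rotated: $(spki_pin "$WORK/cert_rotated.pem")"
pin_unchanged "$WORK/cert_old.pem" "$WORK/cert_reused.pem"  && echo "reused key: pin still matches"
pin_unchanged "$WORK/cert_old.pem" "$WORK/cert_rotated.pem" || echo "rotated key: pinned apps would reject this cert"
```

Running the same `pin_unchanged` check against the certificate Traefik has just written versus the one the app was shipped with is a cheap post-renewal alarm for exactly the failure the question wants to avoid.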
Source: https://stackoverflow.com/questions/62006529/how-to-renew-letsecncrypt-certificates-with-the-same-public-key