I want to configure a TLSA-record within my DNS (for DANE).
Where can I find my private certs?
Is the renewal of the LE-Certs well configured to keep the private cert?
like certbot --reuse-key
Sincerely, Marko
The LE certs are saved in the node's traefik container in one JSON file.
The path to the volume is (assuming the traefik instance is named traefik1, which usually is the case on the first node):
/home/traefik1/.local/share/containers/storage/volumes/traefik-acme/_data/acme.json
It should contain the certificates and keys.
Yes, it seems traefik reuses the key by default, see also Support disabling private key reuse in certificate renewal · Issue #10103 · traefik/traefik · GitHub
Hello Markus, I cannot use the certificate part contained in the file provided. I need a certificate in PEM (X.509) format.
Do you have any idea how I can get it? Is there any way to convert it?
@stephdl : Is it not also possible to provide such a TLSA record for the mail server in the same way as the DKIM record?
Sincerely, Marko
Maybe it would be enough to copy the certificate string to a file and name it correctly, but there's also a tool to export the certs in PEM format:
Download:
wget https://github.com/ldez/traefik-certs-dumper/releases/download/v2.8.3/traefik-certs-dumper_v2.8.3_linux_386.tar.gz
Extract:
tar -xzvf traefik-certs-dumper_v2.8.3_linux_386.tar.gz
Run the export:
You can find the results in the ./dump directory. You may need to adapt traefik1 to the traefik instance name of your NS8 node.
Method to export pem:
Creates a directory per certificate and exports certificate.pem and privatekey.pem.
./traefik-certs-dumper file --source /home/traefik1/.local/share/containers/storage/volumes/traefik-acme/_data/acme.json --domain-subdir --crt-ext=.pem --key-ext=.pem --version v2
Alternative Method:
Creates a certs and a private directory and exports like domain.crt and domain.key.
./traefik-certs-dumper file --source /home/traefik1/.local/share/containers/storage/volumes/traefik-acme/_data/acme.json --version v2
I tried that - without success. I think it’s a different format.
Just now I will try the traefik-certs-dumper.
Many thanks!
I tried this and it works fine.
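Added example, not part of the thread: once certificate.pem has been exported, the TLSA data can be derived from it with openssl alone; the private key is not needed for this. The script uses throwaway self-signed certificates for the made-up name mail.example.test as constructed stand-ins for renewals, and shows that a "3 1 1" record (hash of the public key) survives a renewal that reuses the key while a "3 0 1" record (hash of the whole certificate) does not. The helper names tlsa_rdata, new_key and issue_cert are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): DANE TLSA RDATA from a PEM certificate.

# tlsa_rdata CERT SELECTOR -> prints "3 SELECTOR 1 <sha256-hex>" (DANE-EE, SHA-256)
#   SELECTOR 1 hashes the SubjectPublicKeyInfo, SELECTOR 0 the whole certificate.
tlsa_rdata() {
    openssl x509 -in "$1" -noout 2>/dev/null ||
        { echo "cannot parse certificate: $1" >&2; return 1; }
    case $2 in
        1) hex=$(openssl x509 -in "$1" -noout -pubkey |
                 openssl pkey -pubin -outform DER | openssl dgst -sha256 -r) ;;
        0) hex=$(openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -r) ;;
        *) echo "selector must be 0 or 1" >&2; return 1 ;;
    esac
    echo "3 $2 1 ${hex%% *}"   # dgst -r prints "<hex> *stdin"; keep the hex part
}

# Constructed test material: a fresh EC key ...
new_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1" 2>/dev/null
}

# ... and a self-signed certificate standing in for one ACME issuance.
# issue_cert KEY OUT SERIAL
issue_cert() {
    openssl req -x509 -new -key "$1" -sha256 -days 90 -set_serial "$3" \
        -subj "/CN=mail.example.test" -out "$2" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    new_key "$d/key.pem"
    issue_cert "$d/key.pem" "$d/old.pem" 1        # before renewal
    issue_cert "$d/key.pem" "$d/renewed.pem" 2    # renewal, key reused
    new_key "$d/key2.pem"
    issue_cert "$d/key2.pem" "$d/rekeyed.pem" 3   # renewal with a new key
    for c in old renewed rekeyed; do
        printf '%-8s %s\n' "$c" "$(tlsa_rdata "$d/$c.pem" 1)"
        printf '%-8s %s\n' "$c" "$(tlsa_rdata "$d/$c.pem" 0)"
    done
    rm -rf "$d"
}
demo
```

For the real certificate, call tlsa_rdata on the exported certificate.pem with selector 1 and publish the output as the TLSA data for the mail server's port, for example under _25._tcp.<your mail hostname>.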