Path to the certs?

I want to configure a TLSA-record within my DNS (for DANE).

Where can I find my private certs?

Is the renewal of the LE-Certs well configured to keep the private cert?
like certbot --reuse-key

Sincerely, Marko

The LE certs are saved in the node's traefik container in one JSON file.

The path to the volume is (assuming the traefik instance is named traefik1, which is usually the case on the first node):

/home/traefik1/.local/share/containers/storage/volumes/traefik-acme/_data/acme.json

It should contain the certificates and keys.

Yes, it seems traefik reuses the key by default, see also Support disabling private key reuse in certificate renewal · Issue #10103 · traefik/traefik · GitHub

2 Likes

Hello Markus, I cannot use the certificate part contained in the file provided. I need a certificate in PEM (X.509) format.
Do you have any idea how I can get it? Is there any way to convert it?

@stephdl : Is it not also possible to provide such a TLSA record for the mail server in the same way as the DKIM record?

Sincerely, Marko

Maybe it would be enough to copy the certificate string to a file and name it correctly, but there's also a tool to export the certs in PEM format:

Download:

wget https://github.com/ldez/traefik-certs-dumper/releases/download/v2.8.3/traefik-certs-dumper_v2.8.3_linux_386.tar.gz

Extract:

tar -xzvf traefik-certs-dumper_v2.8.3_linux_386.tar.gz

Run the export:

You can find the results in the ./dump directory. You may need to adapt traefik1 to the traefik instance name of your NS8 node.

Method to export pem:

Creates a directory per certificate and exports certificate.pem and privatekey.pem.

./traefik-certs-dumper file --source /home/traefik1/.local/share/containers/storage/volumes/traefik-acme/_data/acme.json --domain-subdir --crt-ext=.pem --key-ext=.pem --version v2

Alternative Method:

Creates a certs and a private directory and exports like domain.crt and domain.key.

./traefik-certs-dumper file --source /home/traefik1/.local/share/containers/storage/volumes/traefik-acme/_data/acme.json --version v2

1 Like
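Added example, not part of the original posts or of Traefik or traefik-certs-dumper: the certificate string in acme.json is base64-wrapped PEM, so it has to be decoded once before it is usable as an X.509 PEM file, and the TLSA "3 1 1" value (SHA-256 of the public key) can be computed from it directly. That value only survives a renewal while the key is reused. The layout (resolver name, then Certificates, then domain.main and certificate) is assumed from Traefik v2, and the sample data is a constructed DER skeleton, not a real certificate.

```python
import base64, hashlib, json, sys

def der_tlv(buf, pos):
    """Return (tag, value_start, end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_cert(der):
    """Return the SubjectPublicKeyInfo TLV of a DER X.509 certificate."""
    _, pos, _ = der_tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = der_tlv(der, pos)      # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(der, pos)
    if tag == 0xA0:                    # optional [0] version
        pos = end
    for _ in range(5):                 # serial, sigAlg, issuer, validity, subject
        _, _, pos = der_tlv(der, pos)
    return der[pos:der_tlv(der, pos)[2]]

def leaf_der(pem):
    """Decode the first (leaf) CERTIFICATE block of a PEM chain to DER."""
    body = pem.split("-----BEGIN CERTIFICATE-----")[1].split("-----END")[0]
    return base64.b64decode("".join(body.split()))

def tlsa_records(acme, port=25):
    """One DANE-EE / SPKI / SHA-256 ("3 1 1") record per stored certificate."""
    records = []
    for resolver in acme.values():
        for entry in resolver.get("Certificates") or []:
            pem = base64.b64decode(entry["certificate"]).decode()  # base64 -> PEM
            digest = hashlib.sha256(spki_from_cert(leaf_der(pem))).hexdigest()
            records.append(f"_{port}._tcp.{entry['domain']['main']}. IN TLSA 3 1 1 {digest}")
    return records

# --- constructed sample: a DER skeleton with the right nesting, not a real certificate
def tlv(tag, value):
    return bytes([tag, len(value)]) + value

SAMPLE_SPKI = tlv(0x30, b"constructed-public-key")
tbs = tlv(0x30, tlv(0xA0, tlv(2, b"\x02")) + tlv(2, b"\x01") + tlv(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = tlv(0x30, tbs + tlv(0x30, b"") + tlv(3, b"\x00"))
pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(SAMPLE_CERT).decode()
SAMPLE_ACME = {"letsencrypt": {"Certificates": [{"domain": {"main": "mail.example.org"},
    "certificate": base64.b64encode(pem.encode()).decode(), "key": ""}]}}

if __name__ == "__main__":  # pass the path to acme.json, or run bare for the sample
    acme = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ACME
    print("\n".join(tlsa_records(acme)))
```

The default port of 25 fits an SMTP server; pass another port to tlsa_records for other services.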

I tried that - without success. I think it’s a different format.

Just now I will try the traefik-certs-dumper.

Many thanks!

1 Like

I tried this and it works fine.

2 Likes