ACME file format description #1012

Closed
Vad1mo opened this issue Jan 2, 2017 · 7 comments
Comments

@Vad1mo

Vad1mo commented Jan 2, 2017

What version of Traefik are you using (traefik version)?

1.1.2

What is your environment & configuration (arguments, toml...)?

I need to get the private key to sign a token in a downstream service. I need to get the private key in the .pem format or convert it into this format.

What is the format of the acme.json private keys?
Why are there 2 private keys?
Is there a way to get a key in the pem format?

@Vad1mo
Author

Vad1mo commented Jan 5, 2017

I am still trying to figure out the format of the private key. I need to use the key in another service to encrypt the token.

Does traefik maybe offer an option to store the keys as files in pem format?

@farodin91

farodin91 commented Jan 20, 2017

I would like traefik to automatically generate pem files after updating acme.json.

What is the format of the acme.json private keys?
All keys are base64 encoded, after encoding the keys are in default pem format.

Why are there 2 private keys?
There are two types of private keys.

  • One for your account at letsencrypt based on your email address
  • One for each domain.

Is there a way to get a key in the pem format?
See my first answer.

Shell script to get the pem files.

cat acme/acme.json | head -n {line} | tail -n 1 | cut -d ":" -f 2 | cut -d "\"" -f 2 | base64 --decode > certs/private.pem
cat acme/acme.json | head -n {line} | tail -n 1 | cut -d ":" -f 2 | cut -d "\"" -f 2 | base64 --decode > certs/certificate.pem

@Vad1mo Vad1mo closed this as completed Feb 9, 2017
@brianredbeard
Contributor

To make this a more stable process, I just submitted a PR for a script to /contrib:

#1484 - contrib: Dump keys/certs from acme.json to files

@ldez ldez added the area/acme label Jun 11, 2017
@kachkaev
Contributor

I'm also wondering how to get a folder with Let’s Encrypt certs so that they could be reused inside the services (gitlab and docker-mailserver in particular). These services are declared with docker-compose.yml, which has something like this:

services:
  gitlab:
    #...
    volumes:
      #...
      - 'certs:/etc/gitlab/ssl'

volumes:
  certs:
    external:
      name: acme_certs

In my current setup, a global docker volume called acme_certs corresponds to a folder that nginx-proxy with docker-letsencrypt-nginx-proxy-companion have provided; it contains a bunch of files and subfolders for all verified Let’s Encrypt domain names.

@brianredbeard is your PR generating such a folder? If yes, how can I tell traefik to always keep it up-to-date so that I could use it as a volume for my other dockerized services?

@flesser

flesser commented Feb 28, 2018

@kachkaev See #2418 (comment) for a (hacky) solution to create such a volume from acme.json

@tompson
Contributor

tompson commented Apr 27, 2018

Is there a way to do the opposite? I want to migrate from nginx to traefik and I want to import the existing PEM files from Letsencrypt into the acme.json file.

@bswinnerton

@tompson: it looks like it's just a base64 encoding of the .pems. If you have an existing acme.json file, you could do something like this:

base64 /path/to/cert.pem | tr -d '\n'
base64 /path/to/key.pem | tr -d '\n'

And then paste those values into the relevant sections below (Certificate and Key) respectively:

"Certificates": [
  {
    "Domain": {
      "Main": "",
      "SANs": null
    },
    "Certificate": "",
    "Key": ""
  }
]
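
The decode step from farodin91's and bswinnerton's comments, as an added example that is not code from this thread or from the Traefik project: it parses the JSON instead of counting lines, checks that each decoded field is the expected PEM type, and writes the key with mode 0600. It assumes the `Certificates` array shown above is a top-level key of acme.json; the function names, the `.crt`/`.key` file naming and the sample values are constructed for illustration.

```python
import base64, json, os, tempfile

# Constructed placeholder PEM text (not a real certificate or key).
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"

def encode_pem(pem_text):  # same output as `base64 file.pem | tr -d '\n'`
    return base64.b64encode(pem_text.encode("ascii")).decode("ascii")

def decode_pem(b64_value, kind):
    """Decode one acme.json field and check that its PEM header matches `kind`."""
    pem = base64.b64decode(b64_value, validate=True).decode("ascii")
    header = pem.lstrip().split("\n", 1)[0].strip()
    if not (header.startswith("-----BEGIN ") and header.endswith(kind + "-----")):
        raise ValueError("expected PEM %s, got %r" % (kind, header))
    return pem

def write_file(path, text, mode):
    """Open with `mode` already set, so a key is never briefly world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    os.fchmod(fd, mode)  # also tightens a file that already existed
    with os.fdopen(fd, "w") as fh:
        fh.write(text)

def export_certificates(acme_path, out_dir):
    """Write <Main>.crt / <Main>.key per entry; return the exported domain names."""
    with open(acme_path) as fh:
        store = json.load(fh)
    exported = []
    for entry in store.get("Certificates") or []:  # assumed to be a top-level key
        main = entry["Domain"]["Main"]
        if not main or os.path.basename(main) != main or main.startswith("."):
            raise ValueError("unsafe file name from Domain.Main: %r" % main)
        cert = decode_pem(entry["Certificate"], "CERTIFICATE")
        key = decode_pem(entry["Key"], "PRIVATE KEY")  # validate both before writing
        write_file(os.path.join(out_dir, main + ".crt"), cert, 0o644)
        write_file(os.path.join(out_dir, main + ".key"), key, 0o600)
        exported.append(main)
    return exported

def demo():  # exports a constructed acme.json in a temp dir -> (domains, key mode)
    tmp = tempfile.mkdtemp()
    entry = {"Domain": {"Main": "example.test", "SANs": None},
             "Certificate": encode_pem(SAMPLE_CERT), "Key": encode_pem(SAMPLE_KEY)}
    write_file(os.path.join(tmp, "acme.json"), json.dumps({"Certificates": [entry]}), 0o600)
    domains = export_certificates(os.path.join(tmp, "acme.json"), tmp)
    return domains, os.stat(os.path.join(tmp, "example.test.key")).st_mode & 0o777

if __name__ == "__main__":
    print(demo())
```

An entry whose `Certificate` or `Key` is still the empty string from the template above is rejected with a `ValueError` rather than written out as an empty file.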

@traefik traefik locked and limited conversation to collaborators Sep 1, 2019