Skip to content

Sample setup for running Traefik in Nomad with static certs from HashiCorp Vault with certs managed by certbot

License

Notifications You must be signed in to change notification settings

Xerkus/traefik-nomad-vault-certbot

Repository files navigation

traefik-nomad-vault-certbot

Sample setup for running Traefik in Nomad with static certs from HashiCorp Vault with certs managed by certbot

This setup was not run once, expect errors on typos and other stupid mistakes.

Assumptions:

  • Certbot is setup to use AWS Route 53 dns challenge. Vault is expected to provide AWS STS AssumeRole token at aws/sts/certbot-iam with IAM policy giving access to Route53 Zone(s) for managed certs
  • kv2 secrets engine mounted as secrets
  • secrets/acme/account imported manually from certbot after LE account registration:
    • account_id: LE account in the format https://acme-v02.api.letsencrypt.org/acme/acct/1234567
    • id: certbot account id that could be found in /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory
    • meta: meta.json from certbot account folder
    • private_key: private_key.json from certbot account folder
    • regr: regr.json from certbot account folder
  • secrets/acme/certs/{cert_name} Could be created by certbot hook using oneshot job to issue cert. cert_name is the value that is used in traefik job template
    • cert: content of cert.pem
    • chain: content of chain.pem
    • fullchain: content of fullchain.pem
    • privkey: content of privkey.pem
    • renewal: certbot renewal config, it is not actually used and new one is generated in certbot-vault-setup.sh script
    • domains: list of domains that was used to issue or renew cert. Informational

About

Sample setup for running Traefik in Nomad with static certs from HashiCorp Vault with certs managed by certbot

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published