Be able to provide my own ssl certificate on route

[gaelL]

Hello,

I have many customer with several domain. Some of them can't/don't want to use let's encrypt.

I like the way that treafik can generate/get let's encrypt certificate for new route.

My question is : Is there a way to provide a custom certificate for a route.
By provide I mean give the certificate itself, a kubernetes secret name or even the path of the certificate.

To give you an example, in Openshift we can declare a route (ingress in kubernetes). When we create a new route, we can provide ssl certificate to use for this route : https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html#secured-routes

It would be great if traefik could use kubernetes secret or vault for ssl cert, ... but currently it seems we only can provide SSL in entrypoint config that force us to restart treafik to take care of them.

Is i t planned to implement the same behavior as let's encrypt ? be able to get a certificate from an external third party like vault for example ?

And would it be prod ready ?

[seeder]

Implementing Hashicorp Vault for PKI certs would be amazing!

[errm]

I agree, this sounds like a great feature to have

[sworisbreathing]

+1 for this. Can this feature also include route-specific clientCAFiles?

I also am dealing with a multi-tenant environment, only in my case the various apps behind traefik have different security requirements. Some need their own specific set of client certs, and others don't need client certs at all.

[gjonespf]

#990 is similar to this, btw. Would be great to have some generic approach, but with support for setting CA files per frontend in:

• Env vars
• TOML
• KV
  etc
  Could even have a hook for middleware on cert request, to support things like Hashicorp Vault.
  Understand technical hurdles due to SSL but some of them may have already been dodged/solved due to ACME support?

[denzuko]

Any update on this?

We're attempting to figure out if one can use docker secrets and traefik how to apply the labels to services deployed in docker 17.02ce's swarmmode.

Is one able to do this, does the files have to exist in secrets before the service deployment, does the entrypoints.https.tls.* labels get applied to the container service (ie myapp/whoami) or to traefik?

[gjonespf]

@denzuko this is just a reckon (I've not tried much of this) but I believe the labels are traefik/entrypoint rather than container currently. Example is here:
https://github.com/containous/traefik/blob/2cbf9cae718a29c31affc4676903016855b7d0c2/docs/user-guide/examples.md#http--https-with-sni

I think the docker secrets are mounted in-container as a filesystem? If so, I guess you could script creation of the endpoint TLS config TOML to include all the certs in the secret dir. The files would have to exist before traefik was (re)started too. I'd probably go with an include file that's generated, rather than changing the main TOML. And 'course you need to do this before traefik is started/restart it if not for it to be picked up currently. Sidecar or the alpine image version with a startup script, perhaps?

Thinking on this, I'm curious if you could use same idea with KV and endpoint setup... Still need a restart for it to take effect tho I'd imagine. Also, I'll have to look if there's an API call to flush/reconfigure endpoints, I'd imagine not. If there was, would make this easier.

[dtomcej]

Traefik's current implementation now allows for dynamic certificate generation. It also allows for kubernetes secrets to be loaded as well.

I will go ahead and close this issue.

If you have any further issues, feel free to open a new ticket.