[certera]

> Why not just use Let's Encrypt? ZeroSSL comes with significant advantages compared to Let's Encrypt, including access to a fully-featured SSL management console, an REST API for SSL management, SSL monitoring, and more.

This is where I shamelessly plug my project, Certera: https://docs.certera.io

I love LE, like really really love it. I was surprised to hear that certs were going from 2 to 1 year expiration and that made me really pause for a second to think about the lack of proper infrastructure around certificates, especially LE certs. I envision these short lived certs from LE/ZeroSSL needing some of the components that ZeroSSL mentioned above and much, much more. Eventually, if/when we have 1 week/1 day cert expirations, we'll need a certificate exchange system to better handle complex scenarios where other parties are involved (i.e. when doing client certs, SAML certs, etc.).

[ryan29]

I've looked at setting that up for my home lab a few times and when reading the docs I always get hung up on one thing. How do I retrieve certificates on my servers? Do I have to use the Certera API for that?

What I'd like to have is an ACME compatible endpoint so I can change the ACME endpoint in my Traefik config to `https://acme.certera.example.com` and not have to make any other significant changes.

Basically I'd like to have an ACME proxy with a dashboard like Certera.

[certera]

> How do I retrieve certificates on my servers? Do I have to use the Certera API for that?

Yes, and it's very simple & basic. A single CURL to get it like so: curl https://<your_certera>/api/certificate/<cert_name> \ -H "apiKey:<your_api_key>"

You can pipe that out to a file directly as it's in PEM format by default. More info here: https://docs.certera.io/#certificates-api

The thing that's unique about Certera is that it's not opinionated on your existing setup. It doesn't care whether it's Traefik, apache, nginx or IIS. The "glue" is a standard PEM file format, the way it should be. It's up to you how to tell whatever system cares about the PEM and do the "reload" of the cert.

I'm not sure how Traefik would communicate with it as I'm not familiar with Traefik in general. I'm assuming that you'd like Traefik to simply say: "gimme the cert for xyz domain" and have some endpoint/system take care of the rest, right? Don't hesitate to create an issue in GitHub and we can discuss further. Sometimes I lose track of HN comments due to a lack of notifications.

[ryan29]

Hey. Thanks for replying. FYI, I just noticed the store link on your site is broken.

Having a non-opinionated system using a simple http call makes sense to me. I would say the main drawback is that a lot of automated certificate management has, in effect, standardized around ACME and hook points for integrating anything else seem like an afterthought. For Traefik specifically, it's not possible to cleanly reload TLS certificates:

https://github.com/traefik/traefik/issues/5495

So with an ACME provider, Traefik deals with scheduling of renewals and reloading TLS certificates as needed and I don't have to think about it. Obviously that has the downside of being a hard to debug (for me) black box, but I think a lot of people are willing to accept opaque systems if it saves them any amount of effort / thought.

That said, when I started using Traefik for TLS termination a year or two ago, it would have been much easier to set up cron or systemd timers to request certificates from Certera than to learn Traefik's manual config for terminating non-docker endpoints. In fact I might be using Certera and HAProxy for all my TLS termination had I known about it back then.

I'll definitely create an issue on GitHub if I try it and run into problems, but I'll try the existing setup first. I actually prefer HAProxy to Traefik and IIRC the only reason I'm using Traefik is that I didn't have an easy way to solve LE challenges in HAProxy. If I can have Certera playing that role I could drop Traefik and it's one less thing to keep up with.

[mholt]

Genuine question, have you considered using Caddy? With the third party caddy-docker-proxy plugin you get essentially the same benefits of Traefik in that regard, without the frustrations/limitations you've experienced with Traefik.

[ryan29]

I didn't know that existed. I skimmed it and it looks like it would be good, but Traefik is working well enough for me that I don't have a reason to change it. To be really honest, I'd have to get some kind of noticeable improvement vs my current setup to make it worth building Caddy to get that plugin.

BTW, I've used Caddy before and I like it. It's the first name that pops into my head when I need a webserver. I mocked out my own plugin to add auth to GitLab pages a couple years ago and remember thinking it (Caddy) was pretty slick.