Hacker News new | ask | show | jobs
by certera 2038 days ago
> How do I retrieve certificates on my servers? Do I have to use the Certera API for that?

Yes, and it's very simple & basic. A single CURL to get it like so: curl https://<your_certera>/api/certificate/<cert_name> \ -H "apiKey:<your_api_key>"

You can pipe that out to a file directly as it's in PEM format by default. More info here: https://docs.certera.io/#certificates-api

The thing that's unique about Certera is that it's not opinionated on your existing setup. It doesn't care whether it's Traefik, apache, nginx or IIS. The "glue" is a standard PEM file format, the way it should be. It's up to you how to tell whatever system cares about the PEM and do the "reload" of the cert.

I'm not sure how Traefik would communicate with it as I'm not familiar with Traefik in general. I'm assuming that you'd like Traefik to simply say: "gimme the cert for xyz domain" and have some endpoint/system take care of the rest, right? Don't hesitate to create an issue in GitHub and we can discuss further. Sometimes I lose track of HN comments due to a lack of notifications.
1 comments
ryan29 2038 days ago
Hey. Thanks for replying. FYI, I just noticed the store link on your site is broken.

Having a non-opinionated system using a simple http call makes sense to me. I would say the main drawback is that a lot of automated certificate management has, in effect, standardized around ACME and hook points for integrating anything else seem like an afterthought. For Traefik specifically, it's not possible to cleanly reload TLS certificates:

https://github.com/traefik/traefik/issues/5495

So with an ACME provider, Traefik deals with scheduling of renewals and reloading TLS certificates as needed and I don't have to think about it. Obviously that has the downside of being a hard to debug (for me) black box, but I think a lot of people are willing to accept opaque systems if it saves them any amount of effort / thought.

That said, when I started using Traefik for TLS termination a year or two ago, it would have been much easier to set up cron or systemd timers to request certificates from Certera than to learn Traefik's manual config for terminating non-docker endpoints. In fact I might be using Certera and HAProxy for all my TLS termination had I known about it back then.

I'll definitely create an issue on GitHub if I try it and run into problems, but I'll try the existing setup first. I actually prefer HAProxy to Traefik and IIRC the only reason I'm using Traefik is that I didn't have an easy way to solve LE challenges in HAProxy. If I can have Certera playing that role I could drop Traefik and it's one less thing to keep up with.

link
mholt 2038 days ago
Genuine question, have you considered using Caddy? With the third party caddy-docker-proxy plugin you get essentially the same benefits of Traefik in that regard, without the frustrations/limitations you've experienced with Traefik.
link
ryan29 2035 days ago
I didn't know that existed. I skimmed it and it looks like it would be good, but Traefik is working well enough for me that I don't have a reason to change it. To be really honest, I'd have to get some kind of noticeable improvement vs my current setup to make it worth building Caddy to get that plugin.

BTW, I've used Caddy before and I like it. It's the first name that pops into my head when I need a webserver. I mocked out my own plugin to add auth to GitLab pages a couple years ago and remember thinking it (Caddy) was pretty slick.

link