Export Traefik Certificates

Introduction

Traefik saves its Let’s Encrypt certificates by default in an acme.json file. For each certificate it creates an object which includes the certificates and the private key. Those values are stored as Base64-encoded strings. They can be exported fairly easily with a bash script. I made my own version but took a lot from this stackoverflow question.

Requirements

You will need to install these Linux packages:

  • jq
  • openssl (optional)

Script

Simply store your acme.json file and the getcertificates.sh script in the same directory and make sure the script has permission to be executed. The script will create a new directory called “certificates”; for each domain it will store the certificate as a .cer file and the private key as a .key file. You can choose to export a .pfx file as well. The .key files are unencrypted and the .pfx file is written with an empty export password, so keep the directory readable only by its owner.

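#!/bin/bash

# Requirements: you will need to install jq and, for the .pfx export, openssl

# the exported files contain private keys, so create them readable by the owner only
umask 077

# creates a directory for all of your certificates
mkdir -p certificates/

# reads the acme.json file, please put this file in the same directory as your script
json=$(cat acme.json)

# writes certificates/<domain>.cer and certificates/<domain>.key for the domain in $1
export_cer_key () {
    # the domain is passed with --arg so it is compared as a string, not spliced into the jq filter
    printf '%s\n' "$json" | jq -r --arg d "$1" '.[].Certificates[] | select(.domain.main == $d) | .certificate' | base64 -d > "certificates/$1.cer"
    printf '%s\n' "$json" | jq -r --arg d "$1" '.[].Certificates[] | select(.domain.main == $d) | .key' | base64 -d > "certificates/$1.key"
}

# bundles the exported certificate and key into certificates/<domain>.pfx (empty export password)
export_pfx () {
    openssl pkcs12 -export -out "certificates/$1.pfx" -inkey "certificates/$1.key" -in "certificates/$1.cer" -passout pass:
}

read -r -p "Do you want to export as .pfx file as well [y]? " REPLY

# iterates through all of your domains, one per line, so a name containing * is not expanded by the shell
while IFS= read -r domain
do
    if [[ $REPLY =~ ^[Yy]$ ]]
    then
        export_cer_key "$domain"
        export_pfx "$domain"
    else
        export_cer_key "$domain"
    fi
done < <(printf '%s\n' "$json" | jq -r '.[].Certificates[].domain.main')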
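
A post-export check, added here as an example and not part of the original script: it confirms that every private key in the certificates directory matches the public key of its .cer file and is not accessible to group or others. The function names are made up for this example, and it assumes openssl is installed and the <domain>.key / <domain>.cer layout described above.

```bash
#!/bin/bash
# Added example: audit the certificates/ directory after an export.
# Function names are made up for this example; assumes openssl is installed
# and the <domain>.key / <domain>.cer layout written by the export script.

# Succeeds if the file has no permission bits set for group or others.
key_is_private () {
    # characters 5-10 of the ls mode string are the group and other bits
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Succeeds if private key $1 and the first certificate in $2 carry the same
# public key (compared as PEM SubjectPublicKeyInfo).
key_matches_cert () (
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 1
    cer_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cer_pub" ]
)

# Checks every *.key in directory $1, prints one line per finding and
# returns non-zero if anything is wrong.
check_export () (
    problems=0
    for key in "$1"/*.key; do
        [ -e "$key" ] || continue   # no .key files: the glob stayed literal
        cer="${key%.key}.cer"
        if ! key_is_private "$key"; then
            echo "PERMS    $key is accessible to group or others"
            problems=$((problems + 1))
        fi
        if ! key_matches_cert "$key" "$cer"; then
            echo "MISMATCH $key does not match the first certificate in $cer"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
)

# Run the audit when a directory is given, e.g.: ./check_export.sh certificates
[ "$#" -eq 0 ] || check_export "$1"
```

A MISMATCH line is also printed when the .cer file is missing or either file cannot be parsed, which is how a truncated Base64 decode shows up.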
