Improve security and reliability of traefik-certdumper #54

New Issue

3wordchant · 2021-03-25T09:46:21Z

3wordchant commented

2021-03-25 09:46:21 +00:00

Several services (CoTURN and Mailu so far, although I'm sure I remember others) want access to the Traefik-generated SSL certificates so that they can encrypt & decrypt traffic themselves.

The usual way to do this in Docker-land is a container which loads Traefik's certificate store, and dumps specified certificates in PEM format.

It seems like the existing forest of certdumper images all have wrinkles: for Mailu, I ended up adding a gnarly custom entrypoint to override behaviour, plus a separate post-run script in the Mailu recipe.

As well as being a lot (too much?) to add to each recipe, the security of this is pretty lol because a) certdumper dumps all certs on the swarm by default and b) it fails open -- I noticed the certdumper in workadventure is giving the workadventure-front container access to all certs 🙈

Improvements welcome!

Several services (CoTURN and Mailu so far, although I'm sure I remember others) want access to the Traefik-generated SSL certificates so that they can encrypt & decrypt traffic themselves. The usual way to do this in Docker-land is a container which loads Traefik's certificate store, and dumps specified certificates in PEM format. It seems like the existing forest of `certdumper` images all have wrinkles: for Mailu, I ended up adding [a gnarly custom `entrypoint` to override behaviour](https://git.autonomic.zone/coop-cloud/mailu/src/branch/main/compose.yml#L155-L176), plus [a separate post-run script in the Mailu recipe](https://git.autonomic.zone/coop-cloud/mailu/src/branch/main/certdumper_post.sh). As well as being a lot (too much?) to add to each recipe, the security of this is pretty lol because a) `certdumper` dumps _all_ certs on the swarm by default and b) it fails open -- I noticed the `certdumper` in `workadventure` is giving the `workadventure-front` container access to _all_ certs 🙈 Improvements welcome!

3wordchant added the

bug

enhancement

help wanted

labels 2021-03-25 09:46:21 +00:00

decentral1se added this to the (deleted) project 2021-04-30 07:32:25 +00:00

decentral1se added this to the (deleted) milestone 2021-09-09 14:31:03 +00:00

decentral1se commented

2022-02-14 17:10:16 +00:00

Another approach, unsure if "better":

		compose.yml
		Lines 89 to 98 in 4ae3b7ef2d
	
				  certs:

				    image: humenius/traefik-certs-dumper:1.5

				    volumes:

				      - traefik_letsencrypt:/traefik

				      - certs:/output

				    environment:

				      - ACME_FILE_PATH=/traefik/production-acme.json

				      - DOMAIN=${DOMAIN},groups.${DOMAIN},share.${DOMAIN}

				      - OVERRIDE_UID=101  # prosody

				      - OVERRIDE_GID=102  # prosody

Another approach, unsure if "better": https://git.coopcloud.tech/coop-cloud/snikket/src/commit/4ae3b7ef2d61c3bdbc1b33dc0385c162d43a6e0a/compose.yml#L89-L98

decentral1se added

security

and removed

bug

enhancement

labels 2022-10-22 12:11:28 +00:00

3wordchant referenced this issue from a commit

2023-09-23 00:44:30 +00:00

Properly delete irrelevant certs

Sign in to join this conversation.