Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Dump certificates from Traefik's acme.json
#!/usr/bin/env python
import argparse
import base64
import json
import os
import shlex
import subprocess
import sys
def main(raw_args=sys.argv[1:]):
parser = argparse.ArgumentParser(
description="Grab a certificate out of Traefik's acme.json file")
parser.add_argument('acme_json', help='path to the acme.json file')
parser.add_argument('domain', help='domain to get certificate for')
help='path to the directory to store the certificate')
'--post-update', required=False,
help='command to run after updating the certificate')
args = parser.parse_args(raw_args)
new_privkey, new_fullchain = read_domain_certs(args.acme_json, args.domain)
old_privkey = read_cert(args.dest_dir, 'privkey.pem')
old_fullchain = read_cert(args.dest_dir, 'fullchain.pem')
if new_privkey != old_privkey or new_fullchain != old_fullchain:
print('Certificates changed! Writing new files...')
write_cert(args.dest_dir, 'privkey.pem', new_privkey)
write_cert(args.dest_dir, 'fullchain.pem', new_fullchain)
if args.post_update is not None:
print('Running post update command "%s"' % (args.post_update,))
print('Certificates unchanged. Skipping...')
def read_cert(storage_dir, filename):
cert_path = os.path.join(storage_dir, filename)
if os.path.exists(cert_path):
with open(cert_path) as cert_file:
return None
def write_cert(storage_dir, filename, cert_content):
cert_path = os.path.join(storage_dir, filename)
print (cert_content)
with open(cert_path, 'wb') as cert_file:
os.chmod(cert_path, 0o600)
def read_domain_certs(acme_json_path, domain):
with open(acme_json_path) as acme_json_file:
acme_json = json.load(acme_json_file)
certs_json = acme_json['letsencrypt']['Certificates']
domain_certs = [cert['certificate'] for cert in certs_json
if cert['domain']['main'] == domain]
domain_keys = [cert['key'] for cert in certs_json
if cert['domain']['main'] == domain]
if not domain_certs:
raise RuntimeError(
'Unable to find certificate for domain "%s"' % (domain,))
elif len(domain_certs) > 1:
raise RuntimeError(
'More than one (%d) certificates for domain "%s"' % (domain,))
[domain_cert] = domain_certs
[domain_key] = domain_keys
return (base64.b64decode(domain_key),
def post_update(command):
if __name__ == '__main__':

This comment has been minimized.

Copy link
Owner Author

@dmnt3d dmnt3d commented Aug 29, 2020

Modified to work with Traefik 2.2 and letsencrypt wildcard

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment