We run Traefik as reverse proxy in our Docker Swarm, which works fabulously. For some domains we use LetsEncrypt, which will generate TLS/SSL certificates on the fly. It would make sense that a single container handles this and shares those with the other containers, otherwise we run into “too many requests” and get blocked for a while.
Our challenge is that Docker Swarm configs and secrets are not update-able or even write-able from within the container. How do you share changing configuration files between service containers?
Traefik 1.x used to support remote backends like consul to store the certificates and share them amongst the nodes.
With Traefik 2.x the feature got removed from the open source version and is only available in the enterprise version. That’s why some people running swarm clusters stick to Traefik 1.7 (which still gets bugfixes btw.)
Have you considered issuing wildcard certificates (assuming Traefik supports the DNS challenge for your DNS service) to reduce the number of necessary certificates? Or, less preferable, add all domain names as subject alternative names to the issued certificates?
Indeed swarm secrets are immutable.
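As an added illustration of the wildcard suggestion above (this is example configuration written for this thread, not config posted by any of the participants or taken from the Traefik project), here is what a Traefik 2.x setup with a DNS-challenge resolver and a wildcard domain looks like. The provider name (`cloudflare`), the environment variable `CF_DNS_API_TOKEN_FILE`, the domain `example.com`, the paths and the service names are assumptions chosen for the example; the `_FILE` suffix for reading provider credentials from a Docker secret is assumed to be supported by the provider you use and should be checked against the Traefik docs for that provider.

```yaml
# --- traefik.yml (static configuration, assumed path /etc/traefik/traefik.yml) ---
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  docker:
    swarmMode: true
    exposedByDefault: false

certificatesResolvers:
  le:
    acme:
      email: admin@example.com            # assumed contact address
      storage: /letsencrypt/acme.json     # must be on a volume that survives restarts
      dnsChallenge:
        provider: cloudflare               # assumed DNS provider
        delayBeforeCheck: 0

# --- docker-compose.yml (stack file) ---
# version: "3.8"
# services:
#   traefik:
#     image: traefik:v2.10
#     command: --configFile=/etc/traefik/traefik.yml
#     environment:
#       # credential read from a Docker secret instead of a plain env var (assumed)
#       CF_DNS_API_TOKEN_FILE: /run/secrets/cf_dns_token
#     secrets:
#       - cf_dns_token
#     volumes:
#       - traefik-certs:/letsencrypt
#       - /var/run/docker.sock:/var/run/docker.sock:ro
#     deploy:
#       replicas: 1                 # exactly one instance talks to the ACME CA
#       placement:
#         constraints:
#           - node.role == manager
#   app:
#     image: example/app:latest     # assumed workload
#     deploy:
#       labels:
#         - traefik.enable=true
#         - traefik.http.routers.app.rule=Host(`app.example.com`)
#         - traefik.http.routers.app.entrypoints=websecure
#         - traefik.http.routers.app.tls=true
#         - traefik.http.routers.app.tls.certresolver=le
#         # one wildcard certificate covers every subdomain; no per-host issuance
#         - traefik.http.routers.app.tls.domains[0].main=example.com
#         - traefik.http.routers.app.tls.domains[0].sans=*.example.com
#         - traefik.http.services.app.loadbalancer.server.port=8080
# secrets:
#   cf_dns_token:
#     external: true
# volumes:
#   traefik-certs:
```

Two points worth checking in a real deployment: keep `replicas: 1` (not `mode: global`) so only one Traefik instance ever requests certificates, which is what avoids the rate limit the question mentions; and treat `acme.json` as a private key store, so the volume it lives on should be readable only by the Traefik container (Traefik refuses to start if the file's permissions are wider than `0600`) and the DNS API token should have the narrowest scope the provider allows, since anyone holding it can issue certificates for the whole zone.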