With the inclusion of the script hook it has opened up lots of opportunities to build on the exported certificates. Where systems need to convert the certificates, most scenarios can leverage openssl. To prevent needing to manually add the apk for each new image, or building a new image from the updated ones, can this be included in the image please? It's a small size (6MB) increase that will make it even more useful in projects.

Example Scenario: Plex requires a PKCS12 certificate to be installed. This can be done with some environmental variables and a simple script that calls openssl.

Thanks
Lee

Dependabot can't resolve your Go dependency files.

As a result, Dependabot couldn't update your dependencies.

The error Dependabot encountered was:

go: github.com/labbsr0x/[email protected]: unknown revision 8b16b4848295

If you think the above is an error on Dependabot's side please don't hesitate to get in touch - we'll do whatever we can to fix it.

You can mention @dependabot in the comments below to contact the Dependabot team.

Dependabot couldn't parse the go.mod found at /go.mod.

The error Dependabot encountered was:

go: github.com/traefik/traefik/[email protected] requires
	github.com/vulcand/[email protected] requires
	launchpad.net/[email protected]: bzr branch --use-existing-dir -- https://launchpad.net/~niemeyer/gocheck/trunk . in /opt/go/gopath/pkg/mod/cache/vcs/f46ce2ae80d31f9b0a29099baa203e3b6d269dace4e5357a2cf74bd109e13339: exit status 3:
	bzr: ERROR: http://bazaar.launchpad.net/~niemeyer/gocheck/trunk/.bzr/repository/packs/493dff95bdd61c99b76f340530c61b8d.pack is redirected to https://launchpad.net

View the update logs.

Is it possible to also extract the CA-chain for a given domain?

I have tried to export the certs from my acme.json file on multiple machines, both in Windows and Ubuntu with the same result each time. The only thing it creates is a dump directory with the certs and private subdirectories.

Dumper Version: 'dev'
Traefik Version: 2.5.5

acme.json

{
  "cloudflare": {
    "Account": {
      "Email": "[email protected]",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:[email protected]"
          ]
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/00000000"
      },
      "PrivateKey": "<private key here>",
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "example.com",
          "sans": [
            "*.example.com"
          ]
        },
        "certificate": "<cert here>",
        "key": "<key here>",
        "Store": "default"
      }
    ]
  }
}

Hi,

first of all thanks for your work and that you are sharing it. I have tried it but I cannot get it to work on my server.

I'm using traefik v2.0 and the docker image ldez/traefik-certs-dumper:latest with the following command:

  certdumper:
    image: ldez/traefik-certs-dumper:latest
    command: "file --watch --domain-subdir=true --version v2"
    volumes:
      - "/XX/XX/XX/acme.json:/acme.json:ro"
      - "/XX/XX/certs:/dump"

I'm getting the following log after the acme.json changed:

2019/09/25 07:15:54 file.go:96: error: EOF,
dump,
└──private,

If I check the output folders they are empty. It would be kind if someone could give me a hint what I'm doing wrong.

Best regards

Originally posted by @rezor92 in #34 (comment)

Watch support has been implemented for kv stores as part of #10. Would be great to get watch support for file mode, too. This would allow to replace DanielHuisman/traefik-certificate-extractor with a pure go version.

Update I'm gonna give it a try ;)

Thank you for this ! Exactly what I was looking for !

If you want to use traefik-certs-dumper for other services, you might want to add
this Dockerfile and docker-compose snippet to the repository.

Once the certs are extracted, you can mount the volume certs from another container,
such as tvial/docker-mailserver for postifix .

FROM alpine:latest

RUN apk add --no-cache git make musl-dev go

RUN git clone https://github.com/ldez/traefik-certs-dumper.git
WORKDIR traefik-certs-dumper
RUN make build

  certdump:
    build: .
    command: ./traefik-certs-dumper dump --source /acme.json --dest /dump/certs
    volumes:
      - ./acme.json:/acme.json:ro
      - certs:/dump
    restart: "no"

When running traefik-certs-dumper with --watch, --post-hook and file, an initial dump happens when the program gets launched but the hook does not get executed.

I see 2 solutions:

1. Do not run an initial dump in watch mode (this is how kv behaves)
2. Always run an initial dump and always execute the post-hook if it is provided

Please note that at the moment, file and kv do not behave the same way (see above). Whichever solution is chosen above should be reflected in both file and kv for consistency.

I'm trying to generate traefik certificates for my socket io app . but it needs the public key too .
I have generated the fullchain and private key file and I don't want to do it manually to keep this whole thing automatic in future.

Hi

i have a certificate wildcard in traefik (.n-ess.it) and the dump produce a file in "not usable name":
./certs/certs
'.n-ess.it.crt'
./certs/private/:
'*.n-ess.it.key'
(really, with single quotes)

some hacking to correct that?

When using file, an initial dump is done at the beginning. kv mode should have a similar behavior as file and also run the initial dump.

Hi,

In my Traefik setup I manage a variety of domains and I keep domains from different "organizations" in different JSON files. Currently, I do not see a way to make this work with the traefik-certs-dumper.

Am I overlooking something or is this not possible at this time? If the latter, could this be made possible?

I'm trying to set up an email server with poste.io, using this cert dumper -- but it produces cert.pem/key.pem as its output format. Poste expects ca.crt, server.crt, and server.key. It would be awesome to add support for outputting these, or at least documentation on a workaround.

Or something like that?

I need to move the dumped certs to my XMPP and IRC server, which involves copying them and changing the file permissions.

Anyone got an convenient option to (semi-)automate that?

Thanks :)

Any chance you can add the ability to automatically create the .pem crt/key files?

is there a way to dump the CSR? or locate the CSR traefik is using?

I can't stop wondering. should this line be cert.Key and not cert.Certificate ?

I've the impression that the two are inverted ...

hi, someone knows how to install it, I'm new in the GoWorld..
thanks in advance,

I was wondering if you would consider doing the cleanup AFTER the certificates are issues and only delete folders/files that did not renew?

My problem right now is that I use the --domain-subdir and --watch flag and mount a domain output folder to a docker container. However when the cert dumper runs it deletes all folders first and then creates them which screws with dockers folder mount and empties out the mounted cert folder within the running docker container.

Please let me know if you want to know more about my usecase.

Having some sort of flag such as traefik-certs-dumper --domain www.site.com for dumping specific domains.

Traefik updates acme.json as it goes along. Given several subdomains for example, I might have to wait several times for acme.json to update to contain the specific letsencrypt key I'm waiting for. Only when this key exists do I want to dump and copy the files to the service requiring those for that specific subdomain certificate. There are a few use-cases I can list where a wildcard cert wouldn't work in this instance.

It would be great to come up with some sort of configuration option that would allow users to say "when mysubdomain.domain.com appears, give me that certificate and key for it in this place".

As of right now I'll have to write a not-so-nice script to handle this. It'd be great if traefik-certs-dumper could handle it.

Alongside this would be the useful ability to extract specific certs / keys and place them in something much nicer than dump/, say the cert and key file for this domain in a specific directory, but maybe you won't like that. It'd be a nice to have anyway!

Command executed in the container with acme.json mounted at /data folder:

/data # traefik-certs-dumper file
dump
├──certs
└──private
/data # cat acme.json 
{
  "lets-encr": {
    "Account": {
      "Email": "[email protected]",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:[email protected]"
          ]
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/xx"
      },
      "PrivateKey": "...",
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "*.blabla.duckdns.org",
          "sans": [
            "blabla.duckdns.org"
          ]
        },
        "certificate": "...",
        "key": "...",
        "Store": "default"
      }
    ]
  }
}

my bad:

Note: to dump data from Traefik v2, the CLI flag --version v2 must be added.

Dependabot can't resolve your Go dependency files.

As a result, Dependabot couldn't update your dependencies.

The error Dependabot encountered was:

go: github.com/labbsr0x/[email protected]: unknown revision 60aa50bcbca7

If you think the above is an error on Dependabot's side please don't hesitate to get in touch - we'll do whatever we can to fix it.

You can mention @dependabot in the comments below to contact the Dependabot team.

Cross post from: https://community.containo.us/t/using-le-with-mosquitto-container-traefik/2479

I want to protect my mosquitto container with certificates preferably not using self-signed certificates. Therefore i have the question if it would be possible with Traefik to extract the MQTT certificates from the acme.json (cafile/certfile/keyfile) and save it to a different docker volume upon changes (probably using a bash script on the docker host)

I think i can use your docker container to do this; however; i am missing some 'docker-compose' file example in your repo.

I think i need to have some sort of setting to tell your docker image where my Traefik acme.json is. I am running Traefik v2.0.2.

Then i would be only interested in exporting a 'single' domain (mqtt.mydomain.com) to a temp directory; hoping that it would only be overwritten if changed, so i can detect renewal of the certificate and only then restart my Mosquitto docker container.

Would something like this be possible and if so, can you please provide instructions on how to set something like this up?

Dependabot can't resolve your Go dependency files.

As a result, Dependabot couldn't update your dependencies.

The error Dependabot encountered was:

go: github.com/go-acme/lego/[email protected]: unknown revision v3.0.1-1

If you think the above is an error on Dependabot's side please don't hesitate to get in touch - we'll do whatever we can to fix it.

You can mention @dependabot in the comments below to contact the Dependabot team.

File dumper dumps private keys with permission 0644. Please restrict private keys file permission to owner only rw access (0600).

Perhaps this is more of a request rather than a bug, however it would be great to have option to set owner:group and/or mode.
My usage case is running Collabora docker that inserts the certificates however the certs either need to be owned by the lool:lool user or have 644 permission (both the cert and key).

Thanks for considering this.

Just tried building the Dockerfile.

root@machine:/home# docker build certdumper
Sending build context to Docker daemon  3.584kB
Step 1/12 : FROM golang:1-alpine as builder
1-alpine: Pulling from library/golang
9d48c3bd43c5: Already exists
7f94eaf8af20: Pull complete
9fe9984849c1: Pull complete
43c4d47973b8: Pull complete
9aaad45c37b5: Pull complete
Digest: sha256:84349ee862d8bafff35e0d2bfd539da565b536b4dfce654773fc21a1db2da6d7
Status: Downloaded newer image for golang:1-alpine
 ---> 33fbbc2ca571
Step 2/12 : RUN apk --update upgrade     && apk --no-cache --no-progress add git make gcc musl-dev
 ---> Running in d3597d5eeba1
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
(1/2) Upgrading libcrypto1.1 (1.1.1c-r0 -> 1.1.1d-r0)
(2/2) Upgrading libssl1.1 (1.1.1c-r0 -> 1.1.1d-r0)
Executing ca-certificates-20190108-r0.trigger
OK: 6 MiB in 15 packages
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
(1/17) Installing binutils (2.32-r0)
(2/17) Installing gmp (6.1.2-r1)
(3/17) Installing isl (0.18-r0)
(4/17) Installing libgomp (8.3.0-r0)
(5/17) Installing libatomic (8.3.0-r0)
(6/17) Installing libgcc (8.3.0-r0)
(7/17) Installing mpfr3 (3.1.5-r1)
(8/17) Installing mpc1 (1.1.0-r0)
(9/17) Installing libstdc++ (8.3.0-r0)
(10/17) Installing gcc (8.3.0-r0)
(11/17) Installing nghttp2-libs (1.39.2-r0)
(12/17) Installing libcurl (7.65.1-r0)
(13/17) Installing expat (2.2.7-r1)
(14/17) Installing pcre2 (10.33-r0)
(15/17) Installing git (2.22.0-r0)
(16/17) Installing make (4.2.1-r2)
(17/17) Installing musl-dev (1.1.22-r3)
Executing busybox-1.30.1-r2.trigger
OK: 118 MiB in 32 packages
Removing intermediate container d3597d5eeba1
 ---> e7522d5a71b3
Step 3/12 : WORKDIR /go/src/github.com/ldez/traefik-certs-dumper
 ---> Running in 9046c9f90ea6
Removing intermediate container 9046c9f90ea6
 ---> 18738efae570
Step 4/12 : ENV GO111MODULE on
 ---> Running in dba1b77b77ac
Removing intermediate container dba1b77b77ac
 ---> c9d456560990
Step 5/12 : COPY go.mod go.sum ./
COPY failed: stat /var/lib/docker/tmp/docker-builder498622939/go.mod: no such file or directory

Is there a way to import a dump back into consul? I deleted a domain in both certs and private and want to push that back up to consul.

First, thanks for your code!

When I run this on a Windows Filesystem my wildcard certificates and keys will get a cryptic filename since *.example.com is not a valid filename.
Would it be possible to change the code or provide a runtime flag to change wildcard filenames into #.example.com instead?

I figured out that the following line makes trouble when you have more than one certresolvers activated in your traefik setup:

here a quick way to understand:

I modified the test to the following jq command:

My complete solution:

  traefik-certs-dumper:
    image: ldez/traefik-certs-dumper:v2.7.4
    entrypoint: sh -c 'set -x; apk add jq; while ! [ -e /data/acme.json ] || ! [ `jq ".http | .Certificates | length" /data/acme.json` != 0 ]; do sleep 1; done && traefik-certs-dumper file --version v2 --watch --source /data/acme.json --dest ./data/certs'
    volumes:
      - /opt/docker-volumes/traefik:/data

Otherwise, jq ".[] | .Certificates | length" returns "22 1", and then ... ! [ jq ".[] | .Certificates | length" /data/acme.json != 0 ] ... is evaluated to: ... ! [ 22 1 != 0 ] ... an you get an Error sh: 1: unknown operand (reference the issue #128) or as I was playing around to find this issue: ./bla.sh: line 3: [: too many arguments

hope this helps, someone who has same issues.

Thanks for this project 👍

Dependabot can't resolve your Go dependency files.

As a result, Dependabot couldn't update your dependencies.

The error Dependabot encountered was:

howett.net/[email protected]: unrecognized import path "howett.net/plist" (https fetch: Get https://howett.net/plist?go-get=1: EOF)

If you think the above is an error on Dependabot's side please don't hesitate to get in touch - we'll do whatever we can to fix it.

View the update logs.

Dependabot couldn't parse the go.mod found at /go.mod.

The error Dependabot encountered was:

go: github.com/abronan/[email protected] requires
	gopkg.in/[email protected]: reading gopkg.in/redis.v5/go.mod at revision v5.2.9: git fetch -f origin refs/heads/*:refs/heads/* refs/tags/*:refs/tags/* in /opt/go/gopath/pkg/mod/cache/vcs/d6ae72d29d04debb4b3d5299366ac160d06d2a085ee48375d4805f4586230f6d: exit status 128:
	fatal: The remote end hung up unexpectedly

View the update logs.

sudo traefik-certs-dumper file --source ../traefik/data/acme.json --dest . --domain-subdir --crt-name=fullchain --key-name=privkey

Does this not work with traefik v2 acme.json yet?

The module path github.com/containous/traefik/v2 found in your /go.mod doesn't match the actual path github.com/traefik/traefik/v2 found in the dependency's go.mod.

Updating the module path in your go.mod to github.com/traefik/traefik/v2 should resolve this issue.

View the update logs.

My issue was that all my old files located on directories (something/certs, something/private) after traefik-certs-dumper execution were removed because dumper.go always removes certsSubDir and keysSubDir content completely.

Command executed:

~> traefik-certs-dumper file --source ./acme.json --dest ./something

dumper.go:

Please add a description about it in the README file too.

it seems "someone" set ours to not-the-default

(I've just forked your repo, and will take a look - obviously this is unusual :)

Hi using traefik version 2.3.2 along with docker and trying to run your script via a docker compose:

Here is the relevant portion of my docker-compose.yml file:

  traefik-certs-dump:
    image: ldez/traefik-certs-dumper:latest
    container_name: certs-dumper
    hostname: certs-dump
    restart: unless-stopped
    entrypoint: sh -c '
      apk add jq
      ; while ! [ -e /data/acme.json ]
        || ! [ `jq ".Certificates | length" /data/acme.json` != 0 ]; do
          sleep 1
      ; done
      && traefik-certs-dumper file --watch --source /data/acme.json --dest /data/certs --version v2 --domain-subdir=true --crt-ext=.pem --key-ext=.pem --crt-name=cert --key-name=key'
    volumes:
      - /etc/letsencrypt/certificates:/data

My docker logs for the container are the following:

$ sudo docker logs certs-dumper
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
(1/2) Installing oniguruma (6.9.4-r1)
(2/2) Installing jq (1.6-r0)
Executing busybox-1.30.1-r3.trigger
OK: 7 MiB in 16 packages
sh: 0: unknown operand
sh: 0: unknown operand
sh: 0: unknown operand
sh: 0: unknown operand
sh: 0: unknown operand 

I've mounted the host directory: /etc/letsencrypt/certificates within the container and confirm via a docker exec -it .... that the directory is mounted within the container.

If I shell into the container and run:

traefik-certs-dumper file --watch --source /data/acme.json --dest /data/certs --version v2 --domain-subdir=true --crt-ext=.pem --key-ext=.pem --crt-name=cert --key-name=key

and kill the process (since I selected watch) -- the process will run and output the certificates.

My only problem ?? -- Nothing appears in the output directory. /data/certs is empty. I don't find any certificates being dumped. I don't think this is correct?? Is there a problem with my syntax?

hi. i use this program but. I have a problem.
This program turn "Segmentation fault (core dumped)"

Thanx for help.

Hey there,

first of all let me thank you for this great replacement of dumpcerts.sh!

I want to propose to change

Hey,

thanks for this useful project. One thing that would be tremendously useful in automating certificate distribution in docker/docker-compose hosted environments is the ability to trigger some external thing (a small script, restarting a container, …) either on successful extraction, or even only if the extracted certificate changed. I realize the latter might be a bit out of scope for a mere dumper (in the classical unix philosophy). That case is also fine: a user-supplied script could run the check on content-change, and only restart/trigger/… its target service when needed.

Best & Thanks,
-Dario

Sometimes one needs the certificate body file [1] besides private key and the full chain. Is there a way to generate the certificate body file?

[1] https://docs.aws.amazon.com/en_pv/IAM/latest/UserGuide/id_credentials_server-certs#upload-server-certificate

I'm running a small stack with traefik (v2.0b1) configured to request a wildcard cert. traefik-certs-dumper is then asked to extract these certs. However, this segfaults.
I have run this same setup without a wildcard cert, which runs just fine, so I suspect it has to do with the naming of the certs. I saw that #20 fixes this for windows, but not for linux.

The segfault in question:

destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | [signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x7175c7]
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | goroutine 1 [running]:
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/ldez/traefik-certs-dumper/v2/dumper.extractPEMPrivateKey(0x0, 0xf, 0x1ed, 0x0)
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/src/github.com/ldez/traefik-certs-dumper/dumper/dumper.go:89 +0x37
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/ldez/traefik-certs-dumper/v2/dumper.Dump(0xc00011ed50, 0xc0001304d0, 0xc00011ed50, 0x0)
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/src/github.com/ldez/traefik-certs-dumper/dumper/dumper.go:42 +0xfb
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/ldez/traefik-certs-dumper/v2/dumper/file.dump(0x7ffd50154f2b, 0x10, 0xc0001304d0, 0xc0000a35a8, 0xc0000eea00)
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/src/github.com/ldez/traefik-certs-dumper/dumper/file/file.go:38 +0x70
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/ldez/traefik-certs-dumper/v2/dumper/file.Dump(0x7ffd50154f2b, 0x10, 0xc0001304d0, 0xc000097900, 0x7ffd50154f43)
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/src/github.com/ldez/traefik-certs-dumper/dumper/file/file.go:19 +0x43
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/ldez/traefik-certs-dumper/v2/cmd.glob..func2(0xc0001304d0, 0x11c9f60, 0x0, 0x0)
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/src/github.com/ldez/traefik-certs-dumper/cmd/file.go:17 +0x7d
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/ldez/traefik-certs-dumper/v2/cmd.runE.func1(0x11c9f60, 0xc000023dc0, 0x0, 0x4, 0x0, 0x0)
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/src/github.com/ldez/traefik-certs-dumper/cmd/root.go:100 +0x6d
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/spf13/cobra.(*Command).execute(0x11c9f60, 0xc000023d00, 0x4, 0x4, 0x11c9f60, 0xc000023d00)
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/pkg/mod/github.com/spf13/[email protected]/command.go:762 +0x465
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/spf13/cobra.(*Command).ExecuteC(0x11c9840, 0xc000129f68, 0x4e00a7, 0xc000094000)
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/pkg/mod/github.com/spf13/[email protected]/command.go:852 +0x2ec
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/spf13/cobra.(*Command).Execute(...)
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/pkg/mod/github.com/spf13/[email protected]/command.go:800
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | github.com/ldez/traefik-certs-dumper/v2/cmd.Execute()
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/src/github.com/ldez/traefik-certs-dumper/cmd/root.go:45 +0x2e
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    | main.main()
destiny_traefik-certs-dumper.1.dmljzrdxvnf0@test    |   /go/src/github.com/ldez/traefik-certs-dumper/main.go:11 +0x3c

Looking at #20, it would probably make sense to have the same logic apply to both windows and linux to begin with, as this now introduces different behavior depending on what type of host you are running on... it should likely also fix this issue.

I can't seem to get --post-hook to trigger a shell script. I do get a dump/ directory created so that's clearly working.

In my docker-compose file:

command: "
            file \
            --version v2 \
            --source /certs/acme.json \
            --dest /certs/dump \
            --clean \
            --watch \
            --post-hook sh myscript.sh"

I get no errors, nothing in the logs. I've tried ./myscript.sh placing the script in /usr/bin, but I get a file / directory not found error (it's definitely there).

My shell script:

#!/bin/sh
echo "TEST" > /var/log/test.log

There's nothing appearing in /var/log in the container.

What is the proper way to use --post-hook. Should I just pass the name of the script without the sh? I can't seem to get that working as it always says not found, though.

as per title, any chance to add these architectures?
I have tried building from Dockerfile but it fails on step 6:
COPY go.mod go.sum ./ displaying no such file or directory
plus do provide docker-compose file

If I use a docker-compose.yml file with the following configuration, I get this error message:

certdump_1  | Error: unlinkat ./dump: device or resource busy
certdump_1  | Usage:
certdump_1  |   traefik-certs-dumper file [flags]
certdump_1  | 
certdump_1  | Flags:
certdump_1  |   -h, --help            help for file
certdump_1  |       --source string   Path to 'acme.json' file. (default "./acme.json")
certdump_1  | 
certdump_1  | Global Flags:
certdump_1  |       --clean             Clean destination folder before dumping content. (default true)
certdump_1  |       --config string     config file (default is $HOME/.traefik-certs-dumper.yaml)
certdump_1  |       --crt-ext string    The file extension of the generated certificates. (default ".crt")
certdump_1  |       --crt-name string   The file name (without extension) of the generated certificates. (default "certificate")
certdump_1  |       --dest string       Path to store the dump content. (default "./dump")
certdump_1  |       --domain-subdir     Use domain as sub-directory.
certdump_1  |       --key-ext string    The file extension of the generated private keys. (default ".key")
certdump_1  |       --key-name string   The file name (without extension) of the generated private keys. (default "privatekey")
certdump_1  |       --watch             Enable watching changes.
certdump_1  | 
certdump_1  | 2019/04/25 11:38:40 root.go:46: unlinkat ./dump: device or resource busy
test_certdump_1 exited with code 1

version: "2"

services:
  certdump:
    image: ldez/traefik-certs-dumper:v2.2.0
    command: file --domain-subdir=true
    volumes:
      - ./acme.json:/acme.json:ro
      - ./letsencrypt:/dump

I fixed this with a new not relative dest path:

command: file --domain-subdir=true --dest /dump

This is my Docker version on a macOS 10.14.4:

Client: Docker Engine - Community
 Version:           18.09.2
 API version:       1.39
 Go version:        go1.10.8
 Git commit:        6247962
 Built:             Sun Feb 10 04:12:39 2019
 OS/Arch:           darwin/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.2
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.6
  Git commit:       6247962
  Built:            Sun Feb 10 04:13:06 2019
  OS/Arch:          linux/amd64
  Experimental:     false