Extracting Let's Encrypt Certificates from Your Pangolin Installation

When you’re running Pangolin with Traefik as a reverse proxy, SSL certificates are automatically managed through Let’s Encrypt. These certificates are stored in a single JSON file called acme.json. However, sometimes you might need these certificates in a more accessible format - perhaps for use with another service, for backup purposes, or for inspection.

Today, I’m sharing a script that makes extracting your Let’s Encrypt certificates from Pangolin incredibly simple.

Why You Might Need This Script

As a Pangolin user, there are several scenarios where extracting your certificates can be useful:

  • Setting up additional services that need direct access to certificates
  • Creating backups of your certificates separate from the Traefik setup
  • Troubleshooting SSL certificate issues by examining the actual certificates
  • Using the certificates with services that don’t integrate with Traefik directly
  • Inspecting certificate expiration dates without parsing the JSON manually

Prerequisites

To use this script, you’ll need:

  • A running Pangolin installation with Let’s Encrypt certificates
  • Access to the server where Pangolin is installed
  • Basic command-line skills
  • The jq command installed (for JSON parsing)

Getting Started

1. Install the Script

First, download the certificate extraction script to your server:

wget -O extract_certs.sh https://gist.githubusercontent.com/hhftechnology/ef311f830cbf5c1717bf5ea8bfd82725/raw/10003cd17c3156a786fb4f7006ace351e4f15d3b/extract_certs.sh

Make the script executable:

chmod +x extract_certs.sh

If you don’t already have the jq tool installed (required for processing JSON), install it:

# For Debian/Ubuntu
sudo apt-get install jq

# For RHEL/CentOS
sudo yum install jq

2. Using the Script

The script can be run with default settings, which assumes your acme.json file is located at /root/config/letsencrypt/acme.json:

./extract_certs.sh

You can also specify a custom path to your acme.json file:

./extract_certs.sh /path/to/your/acme.json

If you want to save the certificates to a specific directory:

./extract_certs.sh /path/to/your/acme.json /path/to/output/directory

3. What Happens When You Run It

The script will:

  1. Find all domains in your Traefik certificate store
  2. Create a separate folder for each domain
  3. Extract the certificate and private key, and create a combined fullchain file
  4. Apply appropriate permissions to the files
  5. Verify certificates and show expiration dates if OpenSSL is available

Pangolin-Specific Use Cases

Backing Up Certificates Before Updates

Before updating your Pangolin stack (as described in the “Updating Versions” documentation), it’s a good practice to back up your certificates:

./extract_certs.sh /your-pangolin-directory/config/letsencrypt/acme.json /backup/certificates-$(date +%Y-%m-%d)

Using Certificates with External Services

If you’re running additional services alongside Pangolin that need access to the same certificates but don’t use Traefik, you can extract them:

./extract_certs.sh
ln -s /path/to/certificates/your-domain.com/fullchain.pem /path/to/your-service/certs/

Wildcard Certificate Management

If you’ve set up wildcard certificates for your Pangolin installation (as described in the “Wildcard Certificates with Let’s Encrypt” documentation), the script handles these correctly, replacing the * with _wildcard_ in the folder names.

Troubleshooting

Certificate Not Found

If the script doesn’t find any certificates, verify:

  • The path to your acme.json file is correct
  • You have proper permissions to read the file
  • Your Pangolin installation has successfully obtained certificates

Invalid JSON Format

If you see an error about invalid JSON, your acme.json file may be encrypted or corrupted. Verify that:

  • You’re running the script as the same user that runs Traefik
  • Your Traefik version uses the expected JSON format

Conclusion

This certificate extraction script makes it easy to access and manage the SSL certificates that Pangolin and Traefik handle for you automatically. Whether you’re backing up certificates or integrating with other systems, having your certificates in standard PEM format can be incredibly useful.

Remember that Pangolin will continue to manage certificate renewals through Traefik, so any extracted certificates should be considered a snapshot in time. For the most up-to-date certificates, you’ll want to re-run the extraction script after renewals occur.

Happy Pangolin hosting!

4 Likes
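Added example, not part of the original post and not the code of the linked gist: the steps listed under "What Happens When You Run It" (one folder per domain, * replaced with _wildcard_, restrictive permissions on the key), written in Python and run on a constructed acme.json. The Traefik v2 layout (resolver name, then "Certificates" with base64-encoded PEM in "certificate" and "key"), the privkey.pem file name, the host-name check and the directory mode are assumptions of this example.

```python
import base64, json, os, re, stat, tempfile

def _pem(label):  # constructed placeholder, base64-encoded the way acme.json stores PEM
    return base64.b64encode(f"-----BEGIN {label}-----\nCONSTRUCTED\n-----END {label}-----\n".encode()).decode()

# Constructed sample in the assumed Traefik v2 layout: resolver name -> "Certificates".
SAMPLE = {"letsencrypt": {"Certificates": [
    {"domain": {"main": "*.example.com"}, "certificate": _pem("CERTIFICATE"), "key": _pem("PRIVATE KEY")},
    {"domain": {"main": "../outside"}, "certificate": _pem("CERTIFICATE"), "key": _pem("PRIVATE KEY")},
]}}

VALID_NAME = re.compile(r"(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*")

def folder_name(domain):
    """Directory name for a plain (or wildcard) host name, or None for anything else."""
    return domain.replace("*", "_wildcard_") if VALID_NAME.fullmatch(domain) else None

def write_file(path, data, mode):
    """Create the file owner-only from the first byte, then set the final mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)

def extract(acme_path, out_dir):
    """Write one folder per domain; return (written_dirs, skipped_domains)."""
    with open(acme_path) as fh:
        store = json.load(fh)
    written, skipped = [], []
    for resolver in store.values():
        for entry in resolver.get("Certificates") or []:
            domain = entry["domain"]["main"]
            name = folder_name(domain)
            if name is None:  # never let a value from the JSON choose a path outside out_dir
                skipped.append(domain)
                continue
            target = os.path.join(out_dir, name)
            os.makedirs(target, mode=0o700, exist_ok=True)  # directory private to the owner
            write_file(os.path.join(target, "fullchain.pem"), base64.b64decode(entry["certificate"]), 0o644)
            write_file(os.path.join(target, "privkey.pem"), base64.b64decode(entry["key"]), 0o600)
            written.append(target)
    return written, skipped

def demo():
    acme = os.path.join(tempfile.mkdtemp(), "acme.json")
    write_file(acme, json.dumps(SAMPLE).encode(), 0o600)
    written, skipped = extract(acme, os.path.join(os.path.dirname(acme), "out"))
    key_mode = stat.S_IMODE(os.stat(os.path.join(written[0], "privkey.pem")).st_mode)
    return [os.path.basename(p) for p in written], skipped, key_mode
```

An extracted private key is no longer protected by whatever restricts access to acme.json, so the output directory and any backup copy of it need the same access restrictions as the original file.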

Thanks for the script! It works great.

What would be the easiest way to get these certificates to a service running as a container on the Newt side of the tunnel?

I have an MQTT broker with a database, Grafana, etc. running on the same network with Docker, and I would like to use these certificates for MQTT over TLS rather than self-signed ones. I usually just mount the .pem files generated by swag or another similar service to a volume in the compose.yml.