When you’re running Pangolin with Traefik as a reverse proxy, SSL certificates are automatically managed through Let’s Encrypt. These certificates are stored in a single JSON file called acme.json. However, sometimes you might need these certificates in a more accessible format - perhaps for use with another service, for backup purposes, or for inspection.
Today, I’m sharing a script that makes extracting your Let’s Encrypt certificates from Pangolin incredibly simple.
Why You Might Need This Script
As a Pangolin user, there are several scenarios where extracting your certificates can be useful:
- Setting up additional services that need direct access to certificates
- Creating backups of your certificates separate from the Traefik setup
- Troubleshooting SSL certificate issues by examining the actual certificates
- Using the certificates with services that don’t integrate with Traefik directly
- Inspecting certificate expiration dates without parsing the JSON manually
Prerequisites
To use this script, you’ll need:
- A running Pangolin installation with Let’s Encrypt certificates
- Access to the server where Pangolin is installed
- Basic command-line skills
- The jq command installed (for JSON parsing)
Getting Started
1. Install the Script
First, download the certificate extraction script to your server:
wget -O extract_certs.sh https://gist.githubusercontent.com/hhftechnology/ef311f830cbf5c1717bf5ea8bfd82725/raw/10003cd17c3156a786fb4f7006ace351e4f15d3b/extract_certs.sh
Make the script executable:
chmod +x extract_certs.sh
If you don’t already have the jq tool installed (required for processing JSON), install it:
# For Debian/Ubuntu
sudo apt-get install jq
# For RHEL/CentOS
sudo yum install jq
2. Using the Script
The script can be run with default settings, which assume your acme.json file is located at /root/config/letsencrypt/acme.json:
./extract_certs.sh
You can also specify a custom path to your acme.json file:
./extract_certs.sh /path/to/your/acme.json
If you want to save the certificates to a specific directory:
./extract_certs.sh /path/to/your/acme.json /path/to/output/directory
3. What Happens When You Run It
The script will:
- Find all domains in your Traefik certificate store
- Create a separate folder for each domain
- Extract the certificate, private key, and create a combined fullchain file
- Apply appropriate permissions to the files
- Verify certificates and show expiration dates if OpenSSL is available
Pangolin-Specific Use Cases
Backing Up Certificates Before Updates
Before updating your Pangolin stack (as described in the “Updating Versions” documentation), it’s a good practice to back up your certificates:
./extract_certs.sh /your-pangolin-directory/config/letsencrypt/acme.json /backup/certificates-$(date +%Y-%m-%d)
Using Certificates with External Services
If you’re running additional services alongside Pangolin that need access to the same certificates but don’t use Traefik, you can extract them:
./extract_certs.sh
ln -s /path/to/certificates/your-domain.com/fullchain.pem /path/to/your-service/certs/
Wildcard Certificate Management
If you’ve set up wildcard certificates for your Pangolin installation (as described in the “Wildcard Certificates with Let’s Encrypt” documentation), the script handles these correctly, replacing the * with _wildcard_ in the folder names.
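The steps listed under “What Happens When You Run It”, together with the wildcard folder naming, written out in Python as an added example; this is not the gist’s script and not Pangolin or Traefik code. It assumes the Traefik v2 acme.json layout (each resolver holds a Certificates list whose entries carry domain.main plus base64-encoded certificate and key); the privkey.pem file name, the function names and the sample data are choices made for this example.

```python
import base64, json, os

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample in the assumed Traefik v2 acme.json layout; PEM bodies are dummies.
SAMPLE = json.dumps({"letsencrypt": {"Account": {}, "Certificates": [{
    "domain": {"main": "*.example.com", "sans": ["example.com"]},
    "certificate": _b64("-----BEGIN CERTIFICATE-----\nleaf\n-----END CERTIFICATE-----\n"
                        "-----BEGIN CERTIFICATE-----\nissuer\n-----END CERTIFICATE-----\n"),
    "key": _b64("-----BEGIN PRIVATE KEY-----\nk\n-----END PRIVATE KEY-----\n"),
}]}})

def _write(path, data, mode):
    # Create the file with its final mode so a private key is never
    # readable by other users, not even between write and chmod.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)  # also tightens a file left over from an earlier run

def extract(acme_text, out_dir):
    """Write fullchain.pem and privkey.pem per domain; return the folder names."""
    created = []
    for resolver in json.loads(acme_text).values():
        for entry in (resolver or {}).get("Certificates") or []:
            name = entry["domain"]["main"].replace("*", "_wildcard_")
            # The name becomes a directory, so refuse anything that is not
            # a single path component (acme.json content is untrusted input).
            if os.path.basename(name) != name or name in ("", ".", ".."):
                raise ValueError(f"unsafe domain name in acme.json: {name!r}")
            folder = os.path.join(out_dir, name)
            os.makedirs(folder, mode=0o700, exist_ok=True)
            _write(os.path.join(folder, "fullchain.pem"),
                   base64.b64decode(entry["certificate"]), 0o644)
            _write(os.path.join(folder, "privkey.pem"),
                   base64.b64decode(entry["key"]), 0o600)
            created.append(name)
    return created

if __name__ == "__main__":
    import tempfile
    print(extract(SAMPLE, tempfile.mkdtemp()))
```

The extracted privkey.pem is as sensitive as acme.json itself, so backup and symlink targets need the same access restrictions as the Traefik config directory.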
Troubleshooting
Certificate Not Found
If the script doesn’t find any certificates, verify:
- The path to your acme.json file is correct
- You have proper permissions to read the file
- Your Pangolin installation has successfully obtained certificates
Invalid JSON Format
If you see an error about invalid JSON, your acme.json file may be encrypted or corrupted. Verify that:
- You’re running the script as the same user that runs Traefik
- Your Traefik version uses the expected JSON format
Conclusion
This certificate extraction script makes it easy to access and manage the SSL certificates that Pangolin and Traefik handle for you automatically. Whether you’re backing up certificates or integrating with other systems, having your certificates in standard PEM format can be incredibly useful.
Remember that Pangolin will continue to manage certificate renewals through Traefik, so any extracted certificates should be considered a snapshot in time. For the most up-to-date certificates, you’ll want to re-run the extraction script after renewals occur.
Happy Pangolin hosting!