rix Posted October 29, 2015

EDIT: The following container works flawlessly!

I just created a new container with Nginx and letsencrypt built-in. I have been testing it for the last few days and it seems to work pretty well. It is fully ephemeral, as rara1234 requested. At start-up and every 9 days (cron) it checks whether the certificates exist and are still valid. If they don't exist, or if they are due to expire within 30 days, it creates/renews the certificates. Nginx config is already set up to utilize the most recent certificate (through a symlink). All the config files, as well as the www folder, are available in the config folder. You can find it in the Community Applications listed as Nginx-Letsencrypt. Just browse the Community Apps as suggested above or visit: https://hub.docker.com/r/aptalca/nginx-letsencrypt/

Those of us lucky enough to have gotten an invite to Let's Encrypt's Closed Beta (and those soon joining the Open one) would surely be interested in a running container version of their tool. What I am looking for:
- Simple way to give letsencrypt the information required of my server
- Access to my webroot dir (nginx) for authentication
- Access to my certificates folder (for letsencrypt to automatically renew them)
- Implementation of recurring cert renewal
lonix Posted October 29, 2015 I'm interested, but can't do much here until we get an invite or it becomes public.
Rukongai Posted December 4, 2015 Lonix, it went open beta yesterday! https://letsencrypt.readthedocs.org/en/latest/using.html#installation Love your work, btw.
pinion Posted December 5, 2015 From another thread I was pointed to their Docker container: As people are thinking about containers for these things I would like to suggest you think about adding support for Let's Encrypt https://letsencrypt.org/ Let's Encrypt already has an official docker here and instructions on how to use it here
rix Posted December 8, 2015 Author Any success on creating a template for this? Ideally it would store the certificate files to /mnt/cache/appdata/nginx/cert (a path accessible by the nginx docker) and run on port 80/443, so one would just have to stop nginx to run Let's Encrypt once every three months. That would be ideal.
Jammie Posted December 9, 2015 My best hope for it at the moment is for this pull request to go through on the nginx-proxy docker container. I managed to get nginx-proxy working on unRAID. I'll post my config in the other thread.
plupien79 Posted December 16, 2015 Just throwing this out here... CaddyServer has Let's Encrypt built in and has a current docker image as well. https://caddyserver.com https://github.com/mholt/caddy
sparklyballs Posted December 16, 2015 Just throwing this out here... CaddyServer has Let's Encrypt built in and has a current docker image as well. https://caddyserver.com https://github.com/mholt/caddy What docker? On first quick look it seems to be a web server.
plupien79 Posted December 16, 2015 It's a webserver, with reverse proxy and built-in Let's Encrypt support. Docker repos are listed in the github link. 2 Fish 1 Barrel
rix Posted December 16, 2015 Author This sounds super cool! Care to share a working template? The git page links to 5 different docker images that vary from recently updated to months old, with only one referencing Let's Encrypt at all...
plupien79 Posted December 16, 2015 I'm not that guy, I was just sharing info about the project I stumbled upon.
aptalca Posted December 18, 2015 I just used letsencrypt to create a certificate for my custom domain that points to my home server. I can connect to all my unraid docker GUIs with a legit SSL connection. It was very easy and straightforward once you figure out how it works. You don't need a docker to do that. All you need is a (preferably linux) machine that your url of choice points to. I used an Amazon AWS instance running ubuntu to do that. But you can easily use the nginx container for unraid.

Here's how you do it:
1) Point your custom domain to your machine, or a dynamic dns domain that points to your machine (I have one from duckdns, updated by the duckdns docker container)
2) Forward the ports 80 and 443 on your router to your unraid server (to the ports nginx reports to the host)
3) docker exec into the nginx container
4) git clone https://github.com/letsencrypt/letsencrypt
5) Go into its folder
6) sudo service nginx stop (letsencrypt needs to set up its own webserver to authenticate and it needs to use port 80)
7) ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
8) Get the certificate/key from the "live" folder and place it wherever you like (preferably somewhere under /config so it persists through updates)
9) Modify nginx config and point to the certificate/key
10) Restart nginx
That's all.
rara1234 Posted December 20, 2015 ...
3) docker exec into the nginx container
4) git clone https://github.com/letsencrypt/letsencrypt
5) go into its folder
6) sudo service nginx stop (letsencrypt needs to set up its own webserver to authenticate and it needs to use port 80)
7) ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
8) get the certificate/key from the "live" folder and place it wherever you like (preferably somewhere under /config so it persists through updates)
9) Modify nginx config and point to the certificate/key
10) Restart nginx
... Won't that entire configuration get lost when the container updates?
trurl Posted December 20, 2015 ...
3) docker exec into the nginx container
4) git clone https://github.com/letsencrypt/letsencrypt
5) go into its folder
6) sudo service nginx stop (letsencrypt needs to set up its own webserver to authenticate and it needs to use port 80)
7) ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
8) get the certificate/key from the "live" folder and place it wherever you like (preferably somewhere under /config so it persists through updates)
9) Modify nginx config and point to the certificate/key
10) Restart nginx
... Won't that entire configuration get lost when the container updates?
Doesn't matter. He is only doing this to generate the certificate to use. Once the certificate has been generated and put where needed you don't need the container changes anymore.
rara1234 Posted December 20, 2015 Doesn't matter. He is only doing this to generate the certificate to use. Once the certificate has been generated and put where needed you don't need the container changes anymore.
The certificates are only valid for a short period - 90 days I think. One of the principles of Let's Encrypt is that certificates are short lived but renewed automatically.
aptalca Posted December 22, 2015 Doesn't matter. He is only doing this to generate the certificate to use. Once the certificate has been generated and put where needed you don't need the container changes anymore. The certificates are only valid for a short period - 90 days I think. One of the principles of Let's Encrypt is that certificates are short lived but renewed automatically.
Well, when you git clone, use a folder under /config so it persists. Instead of moving the certificates, leave them where they are and point the nginx config file to that location. To automate it, you can add a crontab entry for letsencrypt-auto. That way, if you update the container, you will only have to add the crontab entry again. Everything else should work . . . theoretically :-)
rara1234 Posted December 23, 2015 Yes, but it also violates a key "rule": https://docs.docker.com/engine/articles/dockerfile_best-practices/#containers-should-be-ephemeral Which makes it harder for users to safely consume - a user might be hesitant to update if they think they have some config to do, and for something like a web server or SSL certificate that could be an important issue.
aptalca Posted December 24, 2015 Yes, but it also violates a key "rule": https://docs.docker.com/engine/articles/dockerfile_best-practices/#containers-should-be-ephemeral Which makes it harder for users to safely consume - a user might be hesitant to update if they think they have some config to do, and for something like a web server or SSL certificate that could be an important issue.
Violate is such a strong word. Remember I didn't create a docker container, so I don't have to abide by those rules. Plus the rules say "absolute minimum set up and configuration". Adding a single crontab entry is pretty minimal to me. You only have to do it if the nginx container is updated. How frequently is that, really? If that really bothers you, the nginx container source is open; feel free to fork it, add the instructions I listed above and share with the world.
aptalca Posted December 29, 2015 I just created a new container with Nginx and letsencrypt built-in. I have been testing it for the last few days and it seems to work pretty well. It is fully ephemeral, as rara1234 requested. At start-up and every 9 days (cron) it checks whether the certificates exist and are still valid. If they don't exist, or if they are due to expire within 30 days, it creates/renews the certificates. Nginx config is already set up to utilize the most recent certificate (through a symlink). All the config files, as well as the www folder, are available in the config folder. You can find it in the Community Applications listed as Nginx-Letsencrypt.
aptalca Posted December 31, 2015 No one tried it yet? Well, happy new year everyone.
Waseh Posted December 31, 2015 I was planning to, but New Year got in the way. I do however plan to try it out in the next couple of days! Happy new year to you as well.
kal Posted January 1, 2016 I just stop my apache instance, and run the following on my server:

docker run -it --rm -p 443:443 -p 80:80 --name letsencrypt \
  -v "/mnt/cache/.custom/apache/config/letsencrypt/etc:/etc/letsencrypt" \
  -v "/mnt/cache/.custom/apache/config/letsencrypt/lib:/var/lib/letsencrypt" \
  quay.io/letsencrypt/letsencrypt:latest auth

It prompts for domain name(s) and a contact email address, and then generates certs etc. It works, but I suppose one built into an existing apache docker would be more ideal (preferred by letsencrypt too, I believe). It could automatically renew as needed etc. Yours sounds ideal, aptalca, but I've not used nginx before, and have apache working pretty well at the mo. Maybe once I get a bit of time, I might try a changeover.
rix Posted January 2, 2016 Author No one tried it yet? Well, happy new year everyone.
New Year's kept me busy. I have just replaced your nginx with this docker. It works perfectly well! Just had to move my previous www/ dir and my site.conf and THAT's IT! Thank you so very much. Never again am I paying a dime for a basic SSL certificate. No more hassle to get through startssl's procedure. It works perfectly well (see attachment)!
aptalca Posted January 2, 2016 New Year's kept me busy. I have just replaced your nginx with this docker. It works perfectly well! Just had to move my previous www/ dir and my site.conf and THAT's IT! Thank you so very much. Never again am I paying a dime for a basic SSL certificate. No more hassle to get through startssl's procedure. It works perfectly well (see attachment)!
Nice. Glad to hear it worked.
Waseh Posted January 2, 2016 How would I go about creating a certificate which is also valid for xxx.example.com and xyz.example.com? Right now, when I try to pass multiple domains in the setting, nothing happens. The log says:

Requesting root privileges to run with virtualenv: ~/.local/share/letsencrypt/bin/letsencrypt certonly --standalone --standalone-supported-challenges tls-sni-01 --email [email protected] --agree-tos -d example.com -d www.example.com -d xxx.example.com -d xyz.example.com
Jan 2 20:00:04 b5ad9d44859e syslog-ng[123]: syslog-ng starting up; version='3.5.3'

I tried both without and with the -d parameter. Cheers
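Pulling the thread's pieces together (aptalca's stop-nginx / `--standalone` / start-nginx recipe, the cron check in the Nginx-Letsencrypt container that reissues only when the certificate is missing or within 30 days of expiry, and Waseh's multi-name request): the shell script below is an added example written for this page, not code from aptalca's container and not part of the Let's Encrypt client. The layout under /config, the domain list, the contact address and the location of the git clone (`LE_SRC`) are assumptions; `--config-dir`, `--standalone`, `--agree-tos` and `--email` are real client options. With no argument it runs an offline demo against a self-signed certificate it constructs itself; `check` is the cron entry point.

```shell
#!/bin/sh
# Added example for this thread, not aptalca's container code and not part of
# the Let's Encrypt client. Decides whether a certificate must be (re)issued,
# checks that a multi-name certificate carries every requested name, and wraps
# the stop-nginx / standalone / start-nginx sequence from the recipe above.
# Assumptions: state lives under /config so it survives container updates,
# the git clone of the client sits at $LE_SRC, and the first domain names the
# live/ directory the client creates.
set -u

LE_DIR="${LE_DIR:-/config/letsencrypt}"             # --config-dir (assumed path)
LE_SRC="${LE_SRC:-/config/letsencrypt-src}"         # git clone location (assumed)
DOMAINS="${DOMAINS:-example.com www.example.com}"   # assumed domain list
EMAIL="${EMAIL:-admin@example.com}"                 # assumed contact address
RENEW_WITHIN_DAYS=30

# needs_renewal CERT DAYS: exit 0 when CERT is missing/unreadable or expires
# within DAYS days. "openssl x509 -checkend N" fails if expiry is within N seconds.
needs_renewal() {
    cert="$1"; days="$2"
    [ -r "$cert" ] || return 0
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        return 1            # good for at least DAYS more days
    fi
    return 0
}

# cert_names CERT: print the DNS names in the subjectAltName extension, one per line.
cert_names() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# cert_covers CERT NAME...: exit 0 only if every NAME appears in the SANs.
cert_covers() {
    cert="$1"; shift
    for name in "$@"; do
        cert_names "$cert" | grep -qx "$name" || return 1
    done
    return 0
}

# issue: standalone mode binds port 80/443 itself, so nginx is stopped around it.
issue() {
    args=""
    for d in $DOMAINS; do args="$args -d $d"; done
    service nginx stop
    # shellcheck disable=SC2086
    "$LE_SRC/letsencrypt-auto" certonly --standalone --agree-tos \
        --email "$EMAIL" --config-dir "$LE_DIR" $args
    rc=$?
    service nginx start
    return $rc
}

# check: the cron entry point (run at start-up and every few days).
check() {
    set -- $DOMAINS
    live="$LE_DIR/live/$1/fullchain.pem"
    if needs_renewal "$live" "$RENEW_WITHIN_DAYS"; then
        echo "certificate missing or expiring within $RENEW_WITHIN_DAYS days: issuing"
        issue
    elif ! cert_covers "$live" "$@"; then
        echo "certificate does not cover all of '$*': reissuing"
        issue
    else
        echo "certificate OK, $(openssl x509 -noout -enddate -in "$live")"
    fi
}

# demo: offline run on a constructed self-signed certificate (no network, no nginx).
demo() {
    tmp=$(mktemp -d)
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\nprompt=no\n[dn]\nCN=example.com\n[v3]\nsubjectAltName=DNS:example.com,DNS:www.example.com\n' > "$tmp/san.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 -config "$tmp/san.cnf" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1
    needs_renewal "$tmp/cert.pem" 30 && echo "10-day cert: renew now"
    cert_covers "$tmp/cert.pem" example.com www.example.com && echo "covers example.com and www.example.com"
    cert_covers "$tmp/cert.pem" xyz.example.com || echo "does not cover xyz.example.com"
    rm -rf "$tmp"
}

case "${1:-demo}" in
    check) check ;;
    *)     demo ;;
esac
```

A crontab line such as `0 3 */9 * * /config/renew-check.sh check` (path assumed) gives roughly the nine-day cadence aptalca's container uses. `cert_covers` is the quick answer to Waseh's question: after a run, it shows whether the certificate in `live/` actually carries every name passed with `-d`; if a name is absent, that issuance did not go through and the client's own log is the place to look next.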
Archived
This topic is now archived and is closed to further replies.