Implement automatic Let's Encrypt certificate renewal #829
base: master
The code is currently just a fast proposal I have written. I would be happy to receive some feedback if a change like this is wanted, if yes I would work further on it and test it in detail to get the PR ready. (:+1: ) If it is an unwanted feature, please let me know and I will try to find another solution for me. (:-1: )
Hey, @stcz . First, very highly appreciated you contribute your solution upstream! Thank you very much! You properly identified If I read your proposal correctly, you move the whole logic to handle certificates renewal cron on the host. In a perfect universe I would prefer to have all this logic within the docker-compose configuration. One project achieving something similar is https://hub.docker.com/r/gordonchan/auto-letsencrypt/ . Personally I never had time to investigate deeper what we can do here. As for giving full path to your certificates to support external ones, I am fully ok with that.
Hi @suricactus, Just to be sure: I'm not sure what you mean with:
To explain it in detail:
I would like it, when there is no change in the docker-compose-file is needed to change the certificate source. That's why I prefer the I would prefer to not use images like the proposed auto-letsencrypt, as it doesn't look well maintained. If the proposed way is fine I would go for testing and improving.
I worked again on it and changed a few things:
From my point of view, this PR is now working as intended. Can you review it and let me know if more changes are needed? I set up a test server and will check if the renewal is working. For merging, I would recommend squashing my commits to one.
Hey! Xmas time allowed me to have a look and it was looking quite solid, also understood why my question earlier was a bit weird. I also want to setup an internal server with this branch before merging. We might not merge it very soon, but it will become part of upstream in the next weeks.
Thanks, that sounds good. When setting up my test server I changed as few as possible, I figured out #843. I would suppose to quote all variables in Further, I thought about hardening What do you think about this when loading .env?
It is from here. But I would like to avoid.
29db557 to 70c6c73
I added an unrelated change in README by changing Infrastructure to h2. I or you can remove if this is unwanted.
Internally we double quote the envvars with special chars in them:
Been there. Fails in certain cases unfortunately...
Co-authored-by: Ivan Ivanov <suricactus@users.noreply.github.com>
Hey @stcz . We are willing to merge this, can we make the tests pass? See https://github.com/opengisch/qfieldcloud/actions/runs/7861265082/job/21449439806?pr=829#step:5:12 . We have some envvars that are not available in the
Should be fixed now.
One last question: In theory, there should be no issues. If it is merged, I would directly deploy it on my production server.
Do you have any ideas about the flaky test?
Not yet, planning to do this on our internal staging server and if all good, straight to prod in a few weeks.
Forget about it, it is flaky for reasons beyond your immediate control. Thanks, will keep this PR open for some time while testing, will inform you if any issues are spotted.
OK. Is master your staging branch and release the production branch?
Both are using the same
Problem
Currently, if you are using certbot and a Let's Encrypt certificate, the certificate will be renewed by certbot, but it will not be copied to nginx. This needs to be done by manually running `scripts/init_letsencrypt.sh`. Further, it is currently not possible to use your own certificate from another source.
Solution
In this PR I propose a solution where you can manually set the path that NGINX is using for the certificate.
Further, I added the certbot certificates directly to the NGINX container.
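As an added illustration of the approach this description outlines (not code from this PR or from qfieldcloud), a docker-compose fragment in which nginx and certbot share one volume so renewed files are visible to nginx with no copy step, and the certificate path is set through environment variables; the service names, volume names and the `NGINX_SSL_CERT` / `NGINX_SSL_KEY` variable names are assumptions. One caveat the description does not mention: nginx reads certificate files only at start or on reload, so a shared mount alone is not enough and the nginx container reloads periodically.

```yaml
# Added example, not part of the PR. Service, volume and variable names are assumptions.
services:
  nginx:
    image: nginx:stable
    ports:
      - "80:80"
      - "443:443"
    environment:
      # Paths nginx uses inside its own container. Point them at certbot's
      # live directory (default here) or at a certificate from another source.
      NGINX_SSL_CERT: ${NGINX_SSL_CERT:-/etc/letsencrypt/live/example.org/fullchain.pem}
      NGINX_SSL_KEY: ${NGINX_SSL_KEY:-/etc/letsencrypt/live/example.org/privkey.pem}
    volumes:
      # Same volume as certbot, mounted read-only: a renewed certificate
      # appears here directly, so no script has to copy it over.
      - letsencrypt:/etc/letsencrypt:ro
      # Webroot for the HTTP-01 challenge, served by nginx.
      - certbot-www:/var/www/certbot:ro
      # Templates referencing ${NGINX_SSL_CERT} / ${NGINX_SSL_KEY}.
      - ./conf/nginx/templates:/etc/nginx/templates:ro
    # nginx only loads certificate files at start or reload, so reload on a
    # timer to pick up a renewed certificate. "$$" is a literal "$" in compose.
    command: >
      /bin/sh -c "while :; do sleep 6h & wait $${!}; nginx -s reload; done &
      nginx -g 'daemon off;'"

  certbot:
    image: certbot/certbot
    volumes:
      - letsencrypt:/etc/letsencrypt
      - certbot-www:/var/www/certbot
    # "certbot renew" only replaces files that are close to expiry; checking
    # twice a day is what certbot itself recommends.
    entrypoint: >
      /bin/sh -c "trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done"

volumes:
  letsencrypt:
  certbot-www:
```

The official nginx image substitutes environment variables into `*.template` files under `/etc/nginx/templates` at container start, which is how the `ssl_certificate` and `ssl_certificate_key` directives can pick up the configured paths.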