
Integrate Let's Encrypt for TLS certificate generation #10

Open
wants to merge 1 commit into base: master
Conversation

carlosbaraza

Hi @arunoda,

I integrated Let's Encrypt for the generation of free TLS certificates within this image. Maybe you had a better idea about how to do this.

This feature is linked to a PR that I will submit now to meteor-up x, making use of it. I tested that it is backwards compatible with some of my projects. However, it may have some bugs or need small tweaks.

Automatic renewal of certificates

We should invest a bit more of time integrating the webroot plugin of let's encrypt.

My idea was to create a volume for bundle.crt and private.key to persist the generated certificates. Then, if the certificate exists and generation is on, it should try to generate a new certificate if the current certificate is about to expire and overwrite the bundle.crt and private.key files.

I have set up the location in nginx.conf for webroot (not tested) and some logic in the start.sh to start the generation with webroot if the certificates are present.

The reason for doing this is that nginx would not boot up if the certificates are not present; therefore I thought that if the certificates are not present, we should generate them with the standalone plugin before booting nginx.

Suggestions

If you have any suggestions to improve it, I am open to discussing them.

carlosbaraza (Author)

An issue I discovered is that if it fails to generate a certificate and the param --restart=always is given to the run command, then it will infinitely request certificates that will fail, and finally Let's Encrypt will ban the domain for the next requests.

Error after the domain is banned:

Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly --agree-tos -c /generated-tls/config.ini
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: example.com
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to [email protected].
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.

We should implement a mechanism to know that the certificate request failed, in order to stop the container from making further requests. This could also be useful to give feedback to the user in the CLI when they deploy.
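One way to implement the failure-tracking mechanism described above, as an added example that is not part of this PR or the image's own start.sh: the entrypoint checks the persisted certificate directory (assumed here to be /generated-tls, holding bundle.crt and private.key as in the PR) and records a failed issuance in an assumed marker file, so that a container restarted by --restart=always backs off instead of hitting the Let's Encrypt rate limit again.

```shell
#!/bin/sh
# Added example, not the project's code. Decides what the entrypoint should do
# about TLS certificates so a failed issuance does not loop under --restart=always.
# Assumed layout: $1 is the persisted cert directory with bundle.crt/private.key.
# Assumed marker: "$1/.issue-failed" holds the epoch time of the last failed request.

BACKOFF_SECONDS=${BACKOFF_SECONDS:-3600}   # assumed: wait an hour before retrying

# Prints one of: use-existing | generate | backoff
# $2 (optional) overrides the current time, which keeps the function testable.
decide_cert_action() {
  dir=$1
  now=${2:-$(date +%s)}
  # Certificates already persisted: start nginx with them, no issuance needed.
  if [ -s "$dir/bundle.crt" ] && [ -s "$dir/private.key" ]; then
    echo use-existing
    return 0
  fi
  marker="$dir/.issue-failed"
  # A recent failure is on record: do not contact Let's Encrypt again yet.
  if [ -f "$marker" ]; then
    last=$(cat "$marker")
    if [ $((now - last)) -lt "$BACKOFF_SECONDS" ]; then
      echo backoff
      return 0
    fi
  fi
  echo generate
}

# Record a failed issuance attempt; call this when letsencrypt exits non-zero.
record_failure() {
  date +%s > "$1/.issue-failed"
}

# Illustrative use in start.sh (standalone plugin runs only before nginx is up):
#   case "$(decide_cert_action /generated-tls)" in
#     generate) letsencrypt certonly --agree-tos -c /generated-tls/config.ini \
#                 || { record_failure /generated-tls; exit 1; } ;;
#     backoff)  echo "previous issuance failed recently; not retrying" >&2; exit 1 ;;
#   esac
#   exec nginx -g 'daemon off;'
```

The backoff exit still lets Docker restart the container, but no request reaches Let's Encrypt until the window has passed, and the marker's timestamp is what a deploy CLI could surface to the user.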
