Add ability to enable ACME generation of SSL Certs #228
b8616b3 to ebeb813
With the additions from Islandora-Devops/isle-dc#228 requesting certificates via ACME / Let's Encrypt has changed, and should be easier for users to utilize.
f5c8979 to cd9e9f7
I just rebased with the latest changes in development
@misilot I tried to test this on macOS, but I am not sure if I followed the correct steps. I first ran
Then I followed your recommended testing steps...
I was able to load up Islandora with xyz.com (not the actual domain), but I got a cert error. When I opened the cert in the macOS Keychain app, the domain said it was for traefik.me. Though I had to reset my setup to test another PR, so I want to give this another shot and will save the cert to look at it more closely. In the meantime, how does my workflow look so far? Can this only be tested on an actual server, or can I build "make custom" on my macOS machine to try to test this? Also, I tried using a ".com" domain that I actually already own, but not sure if that really matters to Let's Encrypt.
@ysuarez the domain needs to resolve to a public IP address and have the appropriate firewall ports open. The default way ACME works is that it tries to access a file on the webserver (Traefik) over HTTP, and once it verifies that you are in control of the site it will then generate the SSL certificate for you.
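The requirement in the comment above, as an added example that is not part of this PR or of isle-dc: a Python pre-flight that flags DNS records a public ACME server could not reach for an HTTP-01 challenge. The function names, sample hostnames and sample addresses are constructed for illustration.

```python
import ipaddress
import socket

HTTP01_PORT = 80  # RFC 8555 section 8.3: HTTP-01 validation connects to TCP port 80


def resolve(domain):
    """Return the sorted set of A/AAAA addresses the local resolver gives for domain."""
    infos = socket.getaddrinfo(domain, HTTP01_PORT, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def unreachable_from_internet(addresses):
    """Return (address, reason) pairs for records a public CA cannot connect to."""
    problems = []
    for raw in addresses:
        ip = ipaddress.ip_address(raw.split("%")[0])  # drop any IPv6 zone id
        if ip.is_loopback:
            problems.append((raw, "loopback"))
        elif ip.is_link_local:
            problems.append((raw, "link-local"))
        elif ip.is_private:
            problems.append((raw, "private range"))
        elif not ip.is_global:
            problems.append((raw, "reserved or shared range"))
    return problems


def preflight(domain, addresses=None):
    """Summarise whether an HTTP-01 challenge for domain can plausibly succeed."""
    addresses = resolve(domain) if addresses is None else addresses
    problems = unreachable_from_internet(addresses)
    return {
        "challenge_url": f"http://{domain}/.well-known/acme-challenge/<token>",
        "addresses": addresses,
        "problems": problems,
        "ok": bool(addresses) and not problems,
    }


if __name__ == "__main__":
    # Constructed sample records; pass addresses=None to query DNS for a real domain.
    samples = {
        "public.example": ["8.8.8.8"],
        "laptop.example": ["127.0.0.1"],
        "intranet.example": ["10.0.0.5", "fe80::1"],
    }
    for name, addrs in samples.items():
        print(name, preflight(name, addrs)["problems"] or "OK")
```

A clean result only means the records are publicly routable; inbound port 80 still has to be open on the firewall, which can only be confirmed from outside the network.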
@misilot thanks for explaining how acme works. I was reading up on how "Let's Encrypt" & acme works, but some things were still not clear and it seemed too easy to abuse. (Though I assumed I was wrong in that impression.) Now it makes a lot more sense that acme being able to connect from outside to verify the domain resolves to a public IP is the key check to proceed with creating the corresponding cert. Regretfully, at this time I am not able to have the setup needed to test this PR. I was hoping I could help review this PR, AND also learn more about Let's Encrypt. At least I learned a lot thanks to you. Hopefully someone else could test it so this PR gets approved, since it would be a great improvement.
Rebased with latest merge
If the user enables USE_ACME, Traefik will attempt to acquire an SSL Certificate for ${DOMAIN}

Added the following variables with the defaults

USE_ACME=false
ACME_EMAIL-your-email
ACME_SERVER=https://acme-v02.api.letsencrypt.org/director
TRAEFIK_LOG_LEVEL=ERROR
Thanks for testing! Just curious what modifications did you have to make?
Look here. The 2 lines following There was nothing wrong with this PR, it's a known issue with isle-dc currently.
Thanks @DonRichards!
If the user sets ACME_SERVICE=true, Traefik will attempt to acquire an SSL Certificate for ${DOMAIN}

Added the following variables with the defaults:

The last 2 variables, I did not add to sample.env, do they need to be?

To test this:
DOMAIN=customdomain.com
make -B docker-compose.yml
make up or docker-compose up -d
Corresponding documentation update: Islandora/documentation/pull/2051