Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add ability to enable ACME generation of SSL Certs #228

Merged
merged 1 commit into from
Apr 5, 2022

Conversation

misilot
Copy link
Contributor

@misilot misilot commented Feb 11, 2022

If the user sets ACME_SERVICE=true, Traefik will attempt to acquire an SSL Certificate for ${DOMAIN}

Added the following variables with the defaults:

USE_ACME=false
ACME_EMAIL-your-email
ACME_SERVER=https://acme-v02.api.letsencrypt.org/directory
TRAEFIK_LOG_LEVEL=ERROR

The last 2 variables, I did not add to sample.env, do they need to be?

To test this:

  1. Ensure DNS points to custom domain and set it in .env file DOMAIN=customdomain.com
  2. run make -B docker-compose.yml
  3. run make up or docker-compose up -d
  4. Go to custom $DOMAIN, and verify you have a valid SSL certificate from Let's Encrypt.

Corresponding documentation update: Islandora/documentation/pull/2051

@misilot misilot force-pushed the acme-update branch 3 times, most recently from b8616b3 to ebeb813 Compare February 11, 2022 16:31
misilot added a commit to misilot/documentation that referenced this pull request Feb 11, 2022
With the additons from Islandora-Devops/isle-dc#228 requesting
certificates via ACME / Let's Encrypt has changed, and should be easier
for users to utilize.
misilot added a commit to misilot/documentation that referenced this pull request Feb 11, 2022
With the additions from Islandora-Devops/isle-dc#228 requesting
certificates via ACME / Let's Encrypt has changed, and should be easier
for users to utilize.
Makefile Show resolved Hide resolved
@misilot misilot force-pushed the acme-update branch 2 times, most recently from f5c8979 to cd9e9f7 Compare March 11, 2022 20:10
@misilot
Copy link
Contributor Author

misilot commented Mar 11, 2022

I just rebased with the latest changes in development

@ysuarez
Copy link
Contributor

ysuarez commented Mar 23, 2022

@misilot I tried to test this on macOS, but I am not sure if I followed the correct steps.

I first ran
A) make local so I would get a codebase folder
B) then I updated my /ect/hosts file to resolve a test domain (let's say it was xyz.com) to 127.0.0.1
C) then I updated the new .ENV' file values you created

USE_ACME=true
[email protected]
DOMAIN=xyz.com

Then I followed your recommended testing steps...

  1. Ensure DNS points to custom domain and set it in .env file DOMAIN=customdomain.com
  2. run make -B docker-compose.yml
  3. run make up or docker-compose up -d
  4. Go to custom $DOMAIN, and verify you have a valid SSL certificate from Let's Encrypt.

I was able to load up Islandora with xyz.com (not the actual domain), but I got a cert error. When I opened in the cert in macOS keychain app the domain said it was for traefik.me. Though I had to reset my set up to test another PR, so I want to give this another shot and will save the cert to look at it more closely.

In the meantime how does my workflow look so far? Can this only be tested on an actual server or can I build "make custom" on my macOS machine to try to test this?

Also, I tried using a ".com" domain that I actually already own, but not sure if that really matters to let's encrypt.

@misilot
Copy link
Contributor Author

misilot commented Mar 23, 2022

@ysuarez the domain needs to resolve to a public IP Address and have appropriate firewall ports open. Since the default way acme works is it tries and access a file on the webserver (Traefik) over HTTP, and once it verifies that you are in control of the site it will than generate the SSL certificate for you.

@ysuarez
Copy link
Contributor

ysuarez commented Mar 23, 2022

@misilot thanks for explaining how acme works. I was reading up on how "Let's Encrypt" & acme works, but some things were still not clear and at it seemed too easy to abuse. (Though I assumed I was wrong in that impression.) Now it makes a lot more sense that acme being able to connect from outside to verify the domain resolves to a public IP is the key check to proceed with creating the corresponding cert.

Regretfully at this time I am not able to have the set up needed to test this PR. I was hoping I could help review this PR, AND also learn more about Let's Encrypt. At least I learned a lot thanks to you. Hopefully someone else could test it so this PR gets approved, since it would be a great improvement.

@misilot
Copy link
Contributor Author

misilot commented Mar 24, 2022

Rebased with latest merge

If the user enables USE_ACME, Traefik will attempt to acquire an SSL Certificate for ${DOMAIN}

Added the following variables with the defaults

USE_ACME=false
ACME_EMAIL-your-email
ACME_SERVER=https://acme-v02.api.letsencrypt.org/director
TRAEFIK_LOG_LEVEL=ERROR
@DonRichards DonRichards self-requested a review March 30, 2022 17:47
@DonRichards DonRichards self-assigned this Mar 30, 2022
Copy link
Member

@DonRichards DonRichards left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2022-03-31_16-43
Passed with some modifications because of a known issue with isle-dc. Commented [here](Best Chainsaw) for modifications. I registered a domain name @ Google Domains and spun up a Linode Ubuntu 20.10 server. The screenshots show the cert results and declared it as valid.
2022-03-31_16-58

@DonRichards DonRichards added the enhancement New feature or request label Mar 31, 2022
@misilot
Copy link
Contributor Author

misilot commented Mar 31, 2022

@DonRichards

Passed with some modifications because of a known issue with isle-dc. Commented [here](Best Chainsaw) for modifications. I registered a domain name @ Google Domains and spun up a Linode Ubuntu 20.10 server. The screenshots show the cert results and declared it as valid.

Thanks for testing! Just curious what modifications did you have to make?

@DonRichards
Copy link
Member

Look here. The 2 lines following echo "This is a tmp fix for a known error."

There was nothing wrong with this PR, it's a known issue with isle-dc currently.

@DonRichards DonRichards merged commit 9bfab80 into Islandora-Devops:development Apr 5, 2022
@misilot
Copy link
Contributor Author

misilot commented Apr 5, 2022

Thanks @DonRichards!

@misilot misilot deleted the acme-update branch April 5, 2022 15:55
misilot added a commit to misilot/documentation that referenced this pull request Apr 5, 2022
With the additions from Islandora-Devops/isle-dc#228 requesting
certificates via ACME / Let's Encrypt has changed, and should be easier
for users to utilize.
ysuarez pushed a commit to Islandora/documentation that referenced this pull request Apr 5, 2022
With the additions from Islandora-Devops/isle-dc#228 requesting
certificates via ACME / Let's Encrypt has changed, and should be easier
for users to utilize.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants