Late for something because just as I was about to leave I remembered my https certificates expire today.
Post created with https://rhiaro.co.uk/sloph
Woah woah woah! I just added an SSL certificate to my new Dreamhost account. Check this out:
Beat that every other web host, I dare you.
Navigated to where I previously installed the letsencrypt cli client (note to self as this took me a while to remember: /home/rhiaro/letsencrypt).
Ran ./letsencrypt-auto renew --agree-tos --manual-public-ip-logging-ok
When I ran with --dry-run it looped through the three domains I previously generated certs for, failed on the first two because it tried to do the acme-challenge without giving me a chance to copy-paste the code, but the last one waited for my input before proceeding, so I was able to copy the code to a file on the server and press enter, and it continued successfully. But then when I ran it for real (without --dry-run) it waited for my input after each one, so I was able to do them all at once.
Then I went through cPanel, deleted the existing private keys (which deleted the corresponding certs automatically), uploaded the new privkey.pem files for each domain to Private Keys and the cert.pem files to Certificates. In "Install and Manage SSL for your site" I clicked 'Update certificate' by each domain in the list, chose the certs from the GUI (which prefilled the private keys) and pasted the chain.pem contents into the input for the CA bundle. All set!
i hate everything i hate everything i hate everything i hate everything i hate everything i'm going for vegan corn dogs
Following on from a terrible experience, I discovered that indeed Gold had taken over port 443. As soon as I kicked it off, I could launch the nginx proxy container with -p 80:80 and -p 443:443. So now the proxy knows where to find the key and cert, and is trying to load the subdomain over https, but is getting connection refused. The proxy docs say this might happen "if the container does not have a usable cert" so now I have to find out what is wrong with my cert?
Is it permissions? It's usually permissions. Nginx might reject things if the key is world readable? Tried setting to 0600 for the key and cert. No dice.
What next?
Specifically all apps running in Docker containers, served on subdomains through the nginx reverse proxy container.
tl;dr I didn't figure it out yet, if you're looking for a guide you're not in the right place.
Disclaimer:
Things I currently run through the reverse proxy:
Decided off the bat not to bother with Etherpad, as I haven't looked under the hood and don't know how I'd do domain validation at all. Figured the others would be doable.
Ran the letsencrypt Docker container. The current docs run it with -p 80:80 443:443 and the auth command and no plugins. I left out the ports and used the manual plugin, as I can't conceive of how it would do domain validation across containers, so I'm not even going to try to rig that up:
sudo docker run -it --rm --name letsencrypt \
-v "/etc/letsencrypt:/etc/letsencrypt" \
-v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
quay.io/letsencrypt/letsencrypt:latest certonly --manual
I gave it several subdomains, for each of the different apps I have running, and worked through domain validation for all of them (putting a file in .well-known).
Down to three subdomains, I (finally!) generated one cert for all of them. It stored the files (cert.pem, chain.pem, fullchain.pem and privkey.pem) under the name of the first one on the list (in /etc/letsencrypt/live/sub.mydomain.tld).
I had it on good advice that if I restarted the proxy container I wouldn't need to restart all of the other containers. The instructions for SSL in the docs for the proxy say:
$ docker run -d -p 80:80 -p 443:443 -v /path/to/certs:/etc/nginx/certs -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy
It also says "The certificate and keys should be named after the virtual host with a .crt and .key extension". I had .pems so I threw caution to the wind and renamed:
fullchain.pem -> sub.mydomain.tld.crt
privkey.pem -> sub.mydomain.tld.key
Put them in a directory that I mounted to the proxy container when I relaunched it (above command). Given the rename, the proxy is supposed to just find them I guess?
Failure 1: port 443 is already in use. o.O I couldn't figure out what is already using it, but later wondered if Gold is maybe sneakily hijacking it. Otherwise I found this docker bug which may be it but I am in no position to upgrade docker right now (I know, I know). Faced with imminently needing to relocate to somewhere without wifi and not being able to cope knowing my Etherpad was down, I relaunched the proxy container as above, without -p 443:443, but still with the path to certs. Whew, everything came back up.
Except... The first subdomain, the one that the certs are named after, is now serving Gold, not the Apache container it was supposed to point to. The subdomain that is supposed to be serving Gold is also serving Gold. Neither are using the correct cert.
So... that's where I'm at.
.pem to .crt by renaming the file. I will attempt to convert with openssl.
fullchain or one of the others? Since nginx only asks for cert and key, I assume fullchain is the right one.. I've seen tutorials which cat the cert with the CA bundle, which I believe is what fullchain is, so..
CERT_NAME=sub.mydomain.tld flag as they all point to one shared cert.
If you've read this far and have the remotest clue about any of these puzzle pieces, please let me know all the things I'm getting totally wrong.
See also: HTTPS: Not a terrible experience
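The puzzle pieces above (is renaming .pem to .crt enough, is fullchain the right file, is the key wrong, does one cert cover every subdomain) and the cPanel renewal post further up (where the same privkey.pem/cert.pem pairing is uploaded by hand) all come down to a few checks that openssl can answer before the proxy or cPanel is involved. The script below is an added example, not code from the original posts or from the nginx-proxy project: it assumes openssl is on PATH, that the Let's Encrypt tree is at a LIVE_DIR you pass in, and that the output directory is the one mounted at /etc/nginx/certs; the hostnames sub.mydomain.tld and other.mydomain.tld are placeholders. It copies fullchain.pem to <vhost>.crt and privkey.pem to <vhost>.key for each vhost (PEM is the content format, .crt/.key are only the names the proxy looks up, so a copy is the whole "conversion", and for nginx the chain file is the right one since nginx reads the intermediate from the same file as the leaf), after confirming the key matches the leaf certificate, the certificate is not about to expire, and the vhost appears in the certificate's subjectAltName list. make_test_cert builds a throwaway self-signed certificate so the script can be exercised offline; it stands in for a real fullchain.pem and is a constructed sample, not Let's Encrypt output.

```shell
#!/bin/sh
# Added example (not code from the original posts): stage Let's Encrypt PEM
# files into the <vhost>.crt / <vhost>.key layout that jwilder/nginx-proxy
# looks for, after checking that the private key matches the certificate, the
# certificate is not about to expire, and its SANs cover each vhost.
# Assumes `openssl` is on PATH; paths and hostnames used are placeholders.

# check_pair CERT KEY: succeed if KEY's public key equals the one in CERT.
# openssl x509 reads only the first PEM block, so passing fullchain.pem
# checks the leaf certificate, which is the one the key must match.
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_not_expired CERT SECONDS: succeed if CERT is still valid SECONDS from now.
check_not_expired() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# check_san CERT HOST: succeed if HOST is listed as a DNS subjectAltName.
# Let's Encrypt puts every requested name in the SAN extension (the first one
# is also the Common Name and the directory name), so this is where to look.
check_san() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "DNS:$pat(,|$)"
}

# cert_count FILE: number of certificates in FILE. cert.pem holds exactly 1;
# fullchain.pem (leaf + intermediate) holds more, and that is what the .crt
# handed to nginx should contain so clients receive the intermediate too.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# stage_certs LIVE_DIR CERTS_DIR VHOST...: copy LIVE_DIR/fullchain.pem and
# LIVE_DIR/privkey.pem to CERTS_DIR/<vhost>.crt and .key for every vhost.
# PEM is the content format; .crt/.key are just the names the proxy looks up.
stage_certs() {
    live=$1; out=$2; shift 2
    chain="$live/fullchain.pem"; key="$live/privkey.pem"
    check_pair "$chain" "$key" || { echo "privkey.pem does not match $chain" >&2; return 1; }
    check_not_expired "$chain" 86400 || { echo "$chain expires within 24h" >&2; return 1; }
    mkdir -p "$out"
    for host in "$@"; do
        check_san "$chain" "$host" || { echo "$chain does not cover $host" >&2; return 1; }
        cp "$chain" "$out/$host.crt"
        cp "$key" "$out/$host.key"
        chmod 600 "$out/$host.key"   # nginx does not require this; keep keys private anyway
    done
}

# make_test_cert DIR HOST...: constructed sample input for running this offline:
# a throwaway self-signed certificate with HOST... as SANs, written as
# DIR/fullchain.pem and DIR/privkey.pem in place of a real Let's Encrypt tree.
make_test_cert() {
    dir=$1; shift
    mkdir -p "$dir"
    sans=$(printf 'DNS:%s,' "$@"); sans=${sans%,}
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $1
[ext]
subjectAltName = $sans
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/san.cnf" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
}

# Usage (paths are placeholders):
#   sh stage_certs.sh /etc/letsencrypt/live/sub.mydomain.tld /path/to/certs \
#       sub.mydomain.tld other.mydomain.tld
if [ $# -ge 3 ]; then stage_certs "$@"; fi
```

Two things fall out of running it. Nginx does not refuse a world-readable key, so the permissions hunch does not explain "connection refused"; that error means nothing accepted the TCP connection on 443 at all, which points at the port publishing or at the proxy not generating a 443 listener because it found no usable pair, both of which the checks above rule in or out. And staging one copy per vhost is the alternative to nginx-proxy's CERT_NAME mechanism: with a copy named after each vhost the proxy finds them by its default rule, so no per-container setting is needed. The same check_pair and check_not_expired calls, pointed at cert.pem and privkey.pem, are worth running before uploading to cPanel as well.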
property parameter and will be able to verify mentions marked up with RDFa.
Installed letsencrypt on my local machine (a Chromebook running Ubuntu in crouton, didn't melt):
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
Ran in manual mode:
./letsencrypt-auto certonly --manual
Followed instructions for domain validation (dealt with rogue .htaccess file that stopped .well-known being accessible).
fullchain.pem, chain.pem, cert.pem and privkey.pem were generated into /etc/letsencrypt/live/mydomain.tld.
cPanel -> SSL/TLS Manager.
Uploaded privkey.pem to Private Keys. Uploaded cert.pem to Certificates.
Manage SSL Hosts -> Browse Certificates -> picked the cert (it prefilled domain automatically). First two boxes prefilled with private key and cert. Pasted CA bundle into the third box from the Let's Encrypt site.
Worked!