Note to self... tomorrow my LetsEncrypt cert and travel insurance expire. Renew both.
- A simple standalone python webapp2 app.
- One Apache server.
- Another Apache server.
- Gold (a Solid server written in Go).
- Etherpad.
- Apache servers were easy.
- Spent far too long figuring out the best way to route the python app to serve .well-known because I am dumb, but got there.
- Creating the .well-known for Gold was super easy, but it wasn't accessible over http as Gold forces https even without a cert, so I dropped that until I can make it serve on http.
fullchain.pem -> sub.mydomain.tld.crt
privkey.pem -> sub.mydomain.tld.key
- A cursory search suggests that one does not simply convert .pem to .crt by renaming the file. I will attempt to convert with openssl.
- I'm not totally sure if I'm supposed to be using fullchain or one of the others? Since nginx only asks for cert and key, I assume fullchain is the right one.. I've seen tutorials which cat the cert with the CA bundle, which I believe is what fullchain is, so..
- Get Gold out of my port 443 shiz and see if that stops confusing nginx.
- Cry.
- Try launching the other two subdomains with the CERT_NAME=sub.mydomain.tld flag as they all point to one shared cert.
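To put the fullchain/cert/key question above on firmer ground, here is an added example (my script, not anything from the original post or from Let's Encrypt) that uses openssl to count the certificate blocks in each file, confirm that privkey.pem belongs to the leaf certificate, and check how many days the leaf stays valid. The .crt/.key naming is only a file name: fullchain.pem and a .crt are the same PEM text, so renaming is enough provided it is fullchain.pem (leaf followed by the intermediates) and the key matches. It assumes openssl is installed; run with no argument it builds self-signed sample files in a temp directory (constructed for the demo) instead of reading /etc/letsencrypt/live.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks on the files
# Let's Encrypt writes to /etc/letsencrypt/live/<name>/ before they are
# handed to nginx. Assumes openssl is installed; every path is a parameter.
#
# Usage: sh check-certs.sh /etc/letsencrypt/live/sub.mydomain.tld
#        sh check-certs.sh            (checks constructed demo files)

# Number of PEM certificate blocks in a file: cert.pem holds 1, chain.pem
# the intermediate(s), and fullchain.pem is cert.pem followed by chain.pem.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print only the first certificate block, i.e. the leaf/server certificate.
leaf_cert() {
    awk '/-----BEGIN CERTIFICATE-----/{n++} n==1{print} /-----END CERTIFICATE-----/{if(n==1) exit}' "$1"
}

# Exit 0 when the private key's public half equals the one inside the leaf
# certificate. Catches "wrong privkey.pem uploaded for this domain".
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(leaf_cert "$2" | openssl x509 -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Exit 0 when the leaf certificate is still valid N days from now.
valid_for_days() {
    leaf_cert "$1" | openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed sample files: a self-signed 30-day "leaf" plus a second
# self-signed cert standing in for the intermediate. Prints the directory.
make_demo_files() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=sub.example.test' \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Fake Intermediate' \
        -keyout "$dir/other.key" -out "$dir/chain.pem" >/dev/null 2>&1
    cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
    echo "$dir"
}

# Human-readable summary for one live/<name> directory.
report() {
    dir="$1"
    echo "certs in cert.pem:      $(cert_count "$dir/cert.pem")"
    echo "certs in fullchain.pem: $(cert_count "$dir/fullchain.pem")"
    if key_matches_cert "$dir/privkey.pem" "$dir/fullchain.pem"; then
        echo "privkey.pem matches the leaf certificate"
    else
        echo "WARNING: privkey.pem does NOT match the leaf certificate"
    fi
    if valid_for_days "$dir/fullchain.pem" 14; then
        echo "leaf certificate is valid for at least 14 more days"
    else
        echo "WARNING: leaf certificate expires within 14 days; renew it"
    fi
}

report "${1:-$(make_demo_files)}"
```

The key/cert comparison is the one check worth doing before every upload to cPanel or the proxy: it is cheap, and a mismatch is exactly the failure that otherwise only shows up as an unexplained TLS error after everything has been restarted.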
Renewing LetsEncrypt certs for my shared hosting
Navigated to where I previously installed the letsencrypt cli client (note to self as this took me a while to remember: /home/rhiaro/letsencrypt).
Ran ./letsencrypt-auto renew --agree-tos --manual-public-ip-logging-ok
When I ran with --dry-run it looped through the three domains I previously generated certs for, failed on the first two because it tried to do the acme-challenge without giving me a chance to copypaste the code, but the last one waited for my input before proceeding, so I was able to copy the code to a file on the server and press enter, and it continued successfully. But then when I ran it for real (without --dry-run) it waited for my input after each one, so I was able to do them all at once.
Then I went through cPanel, deleted the existing private keys (which deleted the corresponding certs automatically), uploaded the new privkey.pem files for each domain to Private Keys and the cert.pem files to Certificates. In "Install and Manage SSL for your site" I clicked 'Update certificate' by each domain in the list, chose the certs from the GUI (which prefilled the private keys) and pasted the chain.pem contents into the input for the CA bundle. All set!
HTTPS: What a terrible experience
Digital Ocean droplet with Docker all the things
Specifically all apps running in Docker containers, served on subdomains through the nginx reverse proxy container.
Disclaimer: tl;dr I didn't figure it out yet, if you're looking for a guide you're not in the right place.
Things I currently run through the reverse proxy:
Decided off the bat not to bother with Etherpad, as I haven't looked under the hood and don't know how I'd do domain validation at all. Figured the others would be doable.
Generating certs
Ran the letsencrypt Docker container. The current docs run it with -p 80:80 443:443 and the auth command and no plugins. I left out the ports and used the manual plugin, as I can't conceive of how it would do domain validation across containers, so I'm not even going to try to rig that up:
sudo docker run -it --rm --name letsencrypt \
-v "/etc/letsencrypt:/etc/letsencrypt" \
-v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
quay.io/letsencrypt/letsencrypt:latest certonly --manual
I gave it several subdomains, for each of the different apps I have running, and worked through domain validation for all of them (putting a file in .well-known).
Down to three subdomains, I (finally!) generated one cert for all of them. It stored the files (cert.pem, chain.pem, fullchain.pem and privkey.pem) under the name of the first one on the list (in /etc/letsencrypt/live/sub.mydomain.tld).
Installing certs
I had it on good advice that if I restarted the proxy container I wouldn't need to restart all of the other containers. The instructions for SSL in the docs for the proxy say:
$ docker run -d -p 80:80 -p 443:443 -v /path/to/certs:/etc/nginx/certs -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy
It also says "The certificate and keys should be named after the virtual host with a .crt and .key extension". I had .pems so I threw caution to the wind and renamed:
Put them in a directory that I mounted to the proxy container when I relaunched it (above command). Given the rename, the proxy is supposed to just find them I guess?
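Since one shared cert ends up under the first subdomain's name in /etc/letsencrypt/live but nginx-proxy wants one <virtual host>.crt / <virtual host>.key pair per subdomain, here is an added example (my script, not from the original post or from the jwilder/nginx-proxy project) that copies fullchain.pem and privkey.pem into the mounted certs directory under each subdomain's name, and refuses to do so for any hostname the certificate does not actually list in its Subject Alternative Name. A vhost that is served under a cert not issued for it is exactly the "neither are using the correct cert" symptom described below. It assumes openssl is installed (1.1.1 or newer for the -addext used by the demo); the hostnames app1.example.test and app2.example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or nginx-proxy): install one
# Let's Encrypt cert for several virtual hosts, named the way nginx-proxy
# expects inside the directory mounted at /etc/nginx/certs.
# Assumes openssl is installed.
#
# Usage: sh install-certs.sh /etc/letsencrypt/live/sub.mydomain.tld /path/to/certs host1 host2 ...

# Exit 0 when HOST ($2) is in the certificate's Subject Alternative Name list.
# Parsing -text output works on any openssl version (newer ones also have -ext).
cert_covers_host() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed 's/^ *//' \
        | grep -qxF "DNS:$2"
}

# install_for_vhosts LIVE_DIR CERTS_DIR HOST...
# fullchain.pem (leaf + intermediates, what nginx needs in ssl_certificate)
# becomes HOST.crt; privkey.pem becomes HOST.key. Touches nothing if any
# HOST is not covered by the certificate.
install_for_vhosts() {
    live="$1"; certs="$2"; shift 2
    for host in "$@"; do
        cert_covers_host "$live/fullchain.pem" "$host" || {
            echo "refusing: $live/fullchain.pem does not cover $host" >&2
            return 1
        }
    done
    mkdir -p "$certs"
    for host in "$@"; do
        cp "$live/fullchain.pem" "$certs/$host.crt"   # cp follows the live/ symlinks
        cp "$live/privkey.pem"   "$certs/$host.key"
        chmod 0644 "$certs/$host.crt"
        chmod 0600 "$certs/$host.key"                  # private key: owner only
    done
}

# Constructed sample standing in for the shared cert: one self-signed cert
# listing two hosts in its SAN (needs openssl 1.1.1+ for -addext). Prints the dir.
make_demo_live() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj '/CN=app1.example.test' \
        -addext 'subjectAltName=DNS:app1.example.test,DNS:app2.example.test' \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
    echo "$dir"
}

if [ "$#" -ge 3 ]; then
    install_for_vhosts "$@"
fi
```

Copying rather than symlinking matters here: the files under live/ are symlinks into archive/, and a bind-mounted certs directory inside the proxy container cannot follow links that point outside it. After a renewal the script is simply run again and the proxy restarted.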
Failure 1: port 443 is already in use. o.O I couldn't figure out what is already using it, but later wondered if Gold is maybe sneakily hijacking it. Otherwise I found this docker bug which may be it but I am in no position to upgrade docker right now (I know, I know). Faced with imminently needing to relocate to somewhere without wifi and not being able to cope knowing my Etherpad was down, I relaunched the proxy container as above, without -p 443:443, but still with the path to certs. Whew, everything came back up.
Except... The first subdomain, the one that the certs are named after, is now serving Gold, not the Apache container it was supposed to point to. The subdomain that is supposed to be serving Gold is also serving Gold. Neither are using the correct cert.
So... that's where I'm at.
Next?
If you've read this far and have the remotest clue about any of these puzzle pieces, please let me know all the things I'm getting totally wrong.
See also: HTTPS: Not a terrible experience
HTTPS: Not a terrible experience
Shared hosting with cPanel
Installed letsencrypt on my local machine (a Chromebook running Ubuntu in crouton, didn't melt):
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
Ran in manual mode:
./letsencrypt-auto certonly --manual
Followed instructions for domain validation (dealt with rogue .htaccess file that stopped .well-known being accessible).
fullchain.pem, chain.pem, cert.pem and privkey.pem were generated into /etc/letsencrypt/live/mydomain.tld.
cPanel -> SSL/TLS Manager.
Uploaded privkey.pem to Private Keys. Uploaded cert.pem to Certificates.
Manage SSL Hosts -> Browse Certificates -> picked the cert (it prefilled domain automatically). First two boxes prefilled with private key and cert. Pasted CA bundle into the third box from the Let's Encrypt site.
Worked!