-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Custom port + SSL install seems broken in redirection and LetsEncrypt request #214
Comments
@michiels The reason it is empty, is because the cert was not issues yet. Also, how many times did you try with the michiel.intercity.io domain in the past week? |
@jvanbaarsen Ok, I tried 4 times or so. Shall I try and reproduce with a new domain name? |
From: https://letsencrypt.org/docs/rate-limits/
|
And yeah, their rate limiting is awful |
@jvanbaarsen Great, thanks for the pointer. I'll try and reproduce with a new domain name. I think point 1: the redirection issue is still applicable tho. |
@michiels You can use a different subdomain :-) Also, is the domain reachable for Let's Encrypt? I'll look into the first point |
@jvanbaarsen in the first test it was, because on the subsequent installs (without custom port setting) everything worked perfect. I'll now test with If it succeeds for me, I think the user that reported this issue initially, hit the rate limiting by LetsEncrypt too. For a future improvement: would it be an option to first see if we can request the cert via LetsEncrypt before we set up nginx to use it? |
@michiels There is no real way of checking that :( Every check will also count as a request. |
@jvanbaarsen Okay, but how are you receiving/putting the certificate in the file at the moment? That can be the final verification right? |
We tell acme.sh where it needs to store the SSL cert, and acme.sh does all the magic under the good (https://github.com/Neilpang/acme.sh) |
@jvanbaarsen ok, but then we could periodically poll for the contents of the expected certificate file, right? |
@michiels Where do you want to poll this? We have nothing running on the system to check this? |
@jvanbaarsen and I had a call and I think we have concluded that custom ports + SSL are currently not supported and this bug should be turned into some kind of enhancement/feature request that takes a bit more work than just fixing a bug. |
@michiels Yes, sounds about right! |
@michiels I have been playing around with Docker / Let's encrypt a little, and came to the following idea. Let me know what you think: We install Nginx on the host machine, rip out the nginx config out of the Intercity-docker container. That way we can easily manage restarts of the SSL etc on the host machine. The benefit of having NGINX on the host machine, is that we can add a nginx.conf file to tell nginx to redirect traffic to |
@jvanbaarsen I think it sounds sensible. How will you combine the nginx on the host machine with what Dokku installs as host nginx? Is that the same thing? Eventually you want Dokku to manage the nginx after it being installed, or at least not clash with the custom letsencrypt setup that you will make. If they can live alongside 👍 |
@michiels I just create a custom nginx config file (The same as Dokku does) for Intercity. We might need to build some plumbing around it to make it all click correctly. But I think this is the way to go :) |
@jvanbaarsen great! If it's just a matter of adding a |
There's a dokku plugin nowadays for Letsencrypt that works, with a few caveats. The most important issue is that you need to have your app deployed already before requesting a certificate. I don't think it'd be all that difficult to add support for LE this way. I guess you already tackled this in #48? |
@ariejan I wonder if there is a way we can check if the app is deployed or not. Because there is a very low number throttle on the amount of request you can do to LE (At least that used to be the case). |
There is, using
|
Oh nice! We also need to have some check in place to see if the domain is reachable, right? So the following checks need to pass:
If those pass, LE can be enabled for that specific app. |
A custom domain is not a requirement IMHO. You could use the (ugly) generated subdomain vhost. |
@ariejan Are you sure? I know in the past that didn't work (for reasons that I don't know anymore). I have the feeling a lot has changes with LE since the last time we tried this, so it might indeed be good to give the whole LE plugin another go :) |
I just tested enabling SSL via LetsEncrypt and enabling custom port on my instance. It appears that when enabling both options there are two problems:
http://
tohttps://
when SSL is enabled. It still does that but it redirects to the samehttp
port. So for examplehttp://michiel.intercity.io:8880
is redirected tohttps://michiel.intercity.io:8880
but that should be to port8843
./shared/ssl/michiel.intercity.io.cer
seems empty. Making nginx trigger the following error:Perhaps LetsEncrypt needs the server to be available on
:80
or we need to set a custom port number when requesting the cert at:8880
or something?The text was updated successfully, but these errors were encountered: