
add auto certification support #9

Status: Open. Wants to merge 4 commits into base branch main.

Conversation

rezemble

Add support for automatic SSL host certification.
Letsencrypt support included.

@boutell
Member

boutell commented Dec 7, 2017

This is very cool stuff. Sorry for the delay in responding.

A few concerns:

  • Talk to me about preConfig and postConfig. Currently we just tell nginx to reload, which avoids downtime. Why is it necessary to stop and start fully by default?
  • What's the minimum version of nodejs for the ES6 features you're using? 4.x is still receiving maintenance.

Thanks!

@abea
Contributor

abea commented Dec 7, 2017

It seems that ensuring letsencrypt is on the server should be included if the rest is automatic. Could creating a cron task for renewal be as well?

@rezemble
Author

rezemble commented Dec 7, 2017

  • Object rest and spread (...) is supported from version 8.6 upward; the same functionality can be achieved using Object.assign (or, of course, lodash defaults).
  • Array rest and spread (...) is supported from version 5.12 upward; the same functionality can be achieved using [].concat().
  • Template literals are supported from version 4.8.6; however, I would not rely on it. Replacing with 'old-style' string concatenation.
  • let and const are supported in version 4.x only inside strict mode, which breaks the octal literals used in the original code for directory permissions; they can of course be omitted in favour of var.
  • It's not strictly necessary to fully restart; any ACME mechanism can be used for certification. Standalone was simply the easiest (and on my setup with redundant nodes this does not affect uptime; I see your point though). Different mechanisms such as webroot would likely require a modification within the automatically generated nginx config, which I'm not comfortable enough to tamper with.

I've added sanity checks for letsencrypt existence. If it does not exist, the default certification provider will not be set.
And yes, a cron job could certainly take care of renewal; however, you'd run into the same issue with the handshake, since for standalone certification nginx needs to be stopped. It is possible to create custom mechanisms; that would however require the involvement of somebody very familiar with letsencrypt certbot scripting.

Edit: my suspicions have been confirmed; it is apparently indeed possible to include a configuration similar to this:

location /.well-known/acme-challenge/ {
    root   /var/acme;
}

in pretty much any host (which could be done either by adding it to the base template or by dynamically including it as an external conf file for hosts that require it),
which would then allow (given the directory /var/acme exists) certification using letsencrypt webroot with no restart required.

@abea abea self-assigned this May 12, 2020