Commit f5aab3ca authored by Mathieu Giraud

Merge branch 'feature-sc/cerbot-in-docker' into 'dev'

Certbot in docker

See merge request !770
parents 04a10603 fc4fcfd3
Pipeline #159751 passed with stages in 9 minutes and 4 seconds
......@@ -170,9 +170,24 @@ You can achieve this with the following steps:
+ If you are using the `postfix` container you may want to generate certificates (using the same process) and place them in `postfix/ssl`.
The certificates must bear the name of your mail domain (<maildomain>.crt and <maildomain>.key)
- A better option is to use other certificates, for example by configuring free [Let's Encrypt](https://letsencrypt.org/) certificates;
In `docker-compose.yml`, update `nginx.volumes`, line `./vidjil-client/ssl:/etc/nginx/ssl`, to set the directory with the certificates.
The same can be done for the `postfix` container.
- A better option is to use other certificates, for example by configuring free [Let's Encrypt](https://letsencrypt.org/) certificates.
One solution is to use `certbot` on the host to generate the certificates and to copy them in the right directory so that the container
can access it.
See [Nginx and Let’s Encrypt with Docker](https://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71).
To check the integrity of the host, `certbot` needs to set up a challenge.
Thus, Nginx needs to provide specific files that are generated by `certbot`.
To do so, you should tell `certbot` to put those files in the `/opt/vidjil/certs`
directory (this can be changed in the `docker-compose.yml` file.
You can generate the certificates with the command `certbot certonly --webroot -w /opt/vidjil/certs -d myvidjil.org`.
Then
```shell
cp /etc/letsencrypt/live/vdd.vidjil.org/fullchain.pem vidjil-client/ssl/web2py.crt
cp /etc/letsencrypt/live/vdd.vidjil.org/privkey.pem vidjil-client/ssl/web2py.key
```
The certificates can be renewed with `certbot renew` but beware to copy the certificates after that.
If necessary, in `docker-compose.yml`, update `nginx.volumes`, line `./vidjil-client/ssl:/etc/nginx/ssl`, to set the directory with the certificates.
The same can be done for the `postfix` container.
If you would prefer to use the vidjil over HTTP (not recommended outside of testing purposes), you can
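Review bot: the certbot invocation and the copy commands disagree on the domain: `certbot certonly --webroot -w /opt/vidjil/certs -d myvidjil.org` versus `cp /etc/letsencrypt/live/vdd.vidjil.org/fullchain.pem ...`; use one placeholder domain in both so a reader who substitutes their own does not copy from a `live/` directory that does not exist. Two smaller points in the same hunk: the parenthesis in "(this can be changed in the `docker-compose.yml` file." is never closed, and "To check the integrity of the host" misdescribes the HTTP-01 challenge, which proves control of the domain name, not integrity of the host. Since the text already warns that `certbot renew` requires copying again, suggest documenting a deploy hook (`certbot renew --deploy-hook '...'` or a script under `/etc/letsencrypt/renewal-hooks/deploy/`) that runs the two `cp` commands and reloads nginx, so an expired certificate is not the first sign that the copy was forgotten; and the private key copy should keep restrictive permissions, e.g. `install -m 600 /etc/letsencrypt/live/<domain>/privkey.pem vidjil-client/ssl/web2py.key`, because a plain `cp` creates the target with the umask default, which can be world-readable.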
......@@ -56,6 +56,7 @@ services:
command: bash /entrypoints/nginx-entrypoint.sh
volumes:
- /opt/vidjil/log/nginx:/var/log/nginx
- /opt/vidjil/certs:/etc/letsencrypt/well-known
- ./vidjil-client/ssl:/etc/nginx/ssl
- ./vidjil-client/conf:/etc/vidjil
- ../germline:/usr/share/vidjil/germline
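Review bot: the new bind mount `- /opt/vidjil/certs:/etc/letsencrypt/well-known` only needs to be read inside the container (nginx serves the challenge tokens, certbot on the host writes them), so suffix it with `:ro` to keep a compromised nginx container from writing into a host directory. The host path name `certs` is also misleading here, since the directory holds ACME challenge files rather than certificates; the certificates themselves come from the `./vidjil-client/ssl` mount on the next line.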
......@@ -28,4 +28,9 @@ server {
include /etc/vidjil/server_location.conf;
include /etc/vidjil/client_location.conf;
# Used for Let's Encrypt challenges
location /.well-known {
root /etc/letsencrypt/well-known;
}
}
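Review bot: confirm this `server {` block is the one listening on port 80 and that no catch-all HTTPS redirect precedes the new location, because ACME HTTP-01 validation requests arrive over plain HTTP; otherwise `certbot --webroot` fails with a redirect or 404 on `/.well-known/acme-challenge/<token>`. Consider narrowing `location /.well-known {` to `location /.well-known/acme-challenge/ {` so only the challenge directory is exposed from the mounted root. Note also that `root` appends the full request URI, so this only works because the compose change maps certbot's webroot (`-w /opt/vidjil/certs`) onto `/etc/letsencrypt/well-known`; a comment saying so would help whoever changes either path later.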