docker-flow-letsencrypt
Running in warm + multiple dynamic certs
Hi, I'm building a solution where I add domains on the fly to a running system. I need a way to acquire new certs and renew old ones by getting some events from another container. What's the best approach for that? Is there a branch where someone is working on it already and I can join?
Hi there!
Thanks for your request. Currently I am full with work but I like your request, I will try to find some time to work on this. If you want you can fork this project and do some testing.
I have two ideas:
- DFL could use netcat to listen on a port. On this port requests like 'create cert for <domain>' arrive and DFL creates them (which simply means 'hey certbot, create a cert for <domain>') and sends them to DFP. What I don't like about this idea is that when you restart/scale/update the running DFL-Container via docker cli (like docker service update) the newly created DFL-Container only knows about the domains specified as environment variables and the domains successfully created in the past (because stored in the /etc/letsencrypt/... files). That would mean when you send a request 'create cert for <domain>' which does not work and you relocate the DFL-Container, it's like the relocated container doesn't know that such a request ever existed (so it can't retry). Or maybe certbot does store details for failed cert-creations also in /etc/letsencrypt/... I don't know that right now. I will check this later.
- The container which should send the event 'create cert for domain' to DFL should get access to the docker cli (https://forums.docker.com/t/how-can-i-run-docker-command-inside-a-docker-container/337/9). The container can now remove the running DFL-Container (don't worry, DFP still accepts https-connections for domains whose certificate was already sent to it) and recreate it with the domain added as an additional env-var. The DFL-Container will create the certs (and check the old certs if they should be renewed), save them in the /etc/letsencrypt folder and send them via http request (https://proxy.dockerflow.com/certs/#adding-certificates-through-http-requests) to DFP. DFL prefers HTTP requests and NOT docker secrets because the running DFP-Container will be restarted when docker secrets change on the fly (and this is a downtime, and current open connections like websockets will be killed).
@vfarcic what do you think? Which way would you prefer? By the way: https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html This will be great 👍 When acme v2 comes I will also try to switch to the certbot docker image.
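As an added illustration of the first idea (listen on a port for 'create cert for <domain>' lines), not code from docker-flow-letsencrypt: a POSIX sh parser and dispatch loop that validates the domain before it can reach a certbot command line, since everything arriving on that socket is untrusted. The function names, the WEBROOT/LETSENCRYPT_EMAIL variables and the netcat flags in the closing comment are assumptions.

```shell
#!/bin/sh
# Added example (not part of docker-flow-letsencrypt). Hypothetical helper names.

# Accept exactly 'create cert for <domain>', print the lowercased domain, otherwise fail.
# A strict hostname pattern is enforced so shell metacharacters, paths or spaces
# from the socket can never be passed on to certbot.
parse_cert_request() {
    line=$1
    case "$line" in
        "create cert for "*) ;;
        *) return 1 ;;
    esac
    domain=$(printf '%s' "${line#"create cert for "}" | tr 'A-Z' 'a-z')
    # labels of 1-63 chars made of [a-z0-9-], no leading/trailing '-', at least
    # one dot and an alphabetic TLD; anything else (';', '/', quotes, ...) is rejected
    printf '%s\n' "$domain" \
      | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$' || return 1
    printf '%s\n' "$domain"
}

# Request a certificate for one already-validated domain. The domain is handed to
# certbot as a single argv element, never interpolated into a command string.
request_cert() {
    certbot certonly --webroot -w "${WEBROOT:-/webroot}" -d "$1" \
        --non-interactive --agree-tos \
        --email "${LETSENCRYPT_EMAIL:?set LETSENCRYPT_EMAIL}"
}

# Read one request per line from stdin; malformed lines are logged and skipped so
# a bad request cannot stop the loop, and a certbot failure is logged for retry.
serve_cert_requests() {
    while IFS= read -r line; do
        if domain=$(parse_cert_request "$line"); then
            echo "creating cert for $domain" >&2
            request_cert "$domain" || echo "certbot failed for $domain" >&2
        else
            echo "rejected request: $line" >&2
        fi
    done
}

# Typical wiring (assumes traditional netcat flags). Bind the listener only on the
# internal overlay network, never on a public interface, since it is unauthenticated:
#   while true; do nc -l -p 8080 | serve_cert_requests; done
```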
Hello,
I'm new to this project and will try it today. But I would really love this feature. Currently I'm adding proxy routes with curl calls using the public dockerflow API. Would be great to have the same feature.
Thanks a lot.