Add support for certificates from Let's Encrypt. #13
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This adds a new configuration option named `acme` and a new sub-command `montagu renew-certificate`. Using these will fetch a certificate from Let's Encrypt (or another ACME provider), inject it into the proxy container and finally reload nginx. The host machine needs to be configured to run the `renew-certificate` on a regular basis, using, for example, crontab or systemd timers. The ACME protocol is handled by running certbot as its own short-lived container. Alternatives could have been a long-running container running a cron-like daemon, installing certbot inside the nginx container and using `docker exec` to run it, installing and running certbot directly on the host, using a Python implementation of the ACME protocol directly inside the montagu tool process. The certbot container shares a volume with nginx to host the acme-challenge files on port 80. To allow nginx to start and serve these files before we have any certificate at all, the proxy generates a self-signed certificate on startup if none exist yet. This certificate would be replaced on the first renewal. See vimc/montagu-proxy#87 for the proxy side of this, mapping the `/.well-known/acme-challenge` path to a directory on the file system. While we support alternative ACME servers, in production we will probably stick to the default which uses Let's Encrypt. The configuration option makes it easier to trial the process using servers that aren't exposed publically, using a miniature ACME server such as [pebble][pebble] In the future the ACME configuration block may be extended to support DNS challenges instead, allowing us to use this even on internal-only services. If and when this happens, we won't even need nginx to host acme-challenges and may be able to remove the need for the transient self-signed certificates. Once we get more experience with this, we may also want to move some of this functionality into constellation, allowing it to be re-used in other projects. [pebble]: https://github.com/letsencrypt/pebble
plietar
commented
Dec 6, 2024
| DOCKER_MODE_SYMLINK = 0x8000000 | ||
|
|
||
|
|
||
| def read_file(container, path, *, follow_links=False): |
There was a problem hiding this comment.
This is similar to https://github.com/reside-ic/constellation/blob/master/constellation/docker_util.py#L184, but supports symbol links. I'll probably upstream that functionality at some point.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #13 +/- ##
==========================================
- Coverage 99.36% 96.87% -2.50%
==========================================
Files 4 5 +1
Lines 316 384 +68
Branches 36 51 +15
==========================================
+ Hits 314 372 +58
- Misses 0 5 +5
- Partials 2 7 +5 ☔ View full report in Codecov by Sentry. |
richfitz
approved these changes
Dec 13, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds a new configuration option named
acmeand a new sub-commandmontagu renew-certificate. Using these will fetch a certificate from Let's Encrypt (or another ACME provider), inject it into the proxy container and finally reload nginx. The host machine needs to be configured to run therenew-certificateon a regular basis, using, for example, crontab or systemd timers.The ACME protocol is handled by running certbot as its own short-lived container. Alternatives could have been a long-running container running a cron-like daemon, installing certbot inside the nginx container and using
docker execto run it, installing and running certbot directly on the host, using a Python implementation of the ACME protocol directly inside the montagu tool process.The certbot container shares a volume with nginx to host the acme-challenge files on port 80. To allow nginx to start and serve these files before we have any certificate at all, the proxy generates a self-signed certificate on startup if none exist yet. This certificate would be replaced on the first renewal.
See vimc/montagu-proxy#87 for the proxy side of this, mapping the
/.well-known/acme-challengepath to a directory on the file system.While we support alternative ACME servers, in production we will probably stick to the default which uses Let's Encrypt. The configuration option makes it easier to trial the process using servers that aren't exposed publically, using a miniature ACME server such as pebble
In the future the ACME configuration block may be extended to support DNS challenges instead, allowing us to use this even on internal-only services. If and when this happens, we won't even need nginx to host acme-challenges and may be able to remove the need for the transient self-signed certificates.
Once we get more experience with this, we may also want to move some of this functionality into constellation, allowing it to be re-used in other projects.