YannickB / odoo-hosting


[IMP]letsencrypt with nginx #191

Open pasgou opened 7 years ago

pasgou commented 7 years ago

What about using https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion to include letsencrypt as a CA with clouder dns template and clouder proxy?

I don't know how to do that but it seems to make sense.

YannickB commented 7 years ago

Hello,

We already have a working process with LetsEncrypt inside clouder proxy. Since this tool is based on another docker image I don't really see the added value :/. Is there any point I missed?

pasgou commented 7 years ago

I found this project interesting as it permits having images on the server (physically) with letsencrypt and nginx for all the other apps needing SSL or TLS. Instead of having one gear per app, we have one gear per node.

lasley commented 7 years ago

@YannickB - do we have an existing strategy for the LetsEncrypt renewals?

@pasgou - For internal CA, we are working on #180

YannickB commented 7 years ago

@lasley Yes, you have a cron which renews it 15 days before the end of the certificate. Still a little buggy though.

lasley commented 7 years ago

@YannickB - I assume this is at the proxy level yeah? I think that would in effect accomplish the same thing that this does, even in terms of architecture placement.

@pasgou Maybe we're missing something?

YannickB commented 7 years ago

@lasley yep, in proxy container

pasgou commented 7 years ago

@lasley I think that some things don't have to be reinvented. Working with the project I mentioned should immediately give us a non-buggy utility: a letsencrypt client with monthly automatic renewal. No need to have a private CA, or only for PKI in a mail or document signature context.

pasgou commented 7 years ago

See description : https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion/

lasley commented 7 years ago

@pasgou - From what I understand, LetsEncrypt will not allow the issuance of certificates for private hosts. This means we cannot secure our internal communication using it, and thus the internal CA is still required for many TLS/SSL purposes - such as Logstash.

Seems like this would help from a renewal perspective for the ones that are using LetsEncrypt though. I still need to study our current implementation more to understand the ramifications. I'm still learning the edges of core such as proxy.
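An added example, written for this thread and not Clouder's own code, covering the two points raised above: the renewal cron YannickB describes (renew 15 days before the certificate's end) and lasley's observation that Let's Encrypt only issues domain-validated certificates, so private or internal host names still need the internal CA. It assumes the proxy exposes each host's certificate expiry via `openssl x509 -noout -enddate`; the host list, expiry dates, the 15-day threshold and the list of non-public suffixes are assumptions constructed for illustration.

```python
"""Pre-flight check for a Let's Encrypt renewal cron (illustrative, not Clouder code).

Assumptions: certificate expiry is read from `openssl x509 -noout -enddate`,
the renewal threshold is 15 days, and the suffix list below is a reasonable
(not exhaustive) set of names a public DV CA will not validate.
"""
import ipaddress
import re
import subprocess
from datetime import datetime, timedelta, timezone

RENEW_BEFORE = timedelta(days=15)  # assumed threshold, per the thread

# Special-use / reserved suffixes (RFC 6761, plus ICANN-reserved .internal)
# that are never publicly resolvable, so domain validation cannot succeed.
NON_PUBLIC_SUFFIXES = (".local", ".localhost", ".internal", ".test",
                       ".example", ".invalid", ".home.arpa")

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}")


def is_public_dns_name(host: str) -> bool:
    """True if `host` looks like a name a public DV CA could validate."""
    host = host.strip().rstrip(".").lower()
    if host.startswith("*."):          # wildcard: validate the base domain
        host = host[2:]
    if not host or host == "localhost":
        return False
    try:
        ipaddress.ip_address(host)     # bare IP address, not a domain name
        return False
    except ValueError:
        pass
    if "." not in host:                # single-label names are not public
        return False
    if host.endswith(NON_PUBLIC_SUFFIXES):
        return False
    return _HOSTNAME_RE.fullmatch(host) is not None


def parse_openssl_enddate(line: str) -> datetime:
    """Parse 'notAfter=Mon DD HH:MM:SS YYYY GMT' as printed by openssl."""
    m = re.fullmatch(r"notAfter=(.+) GMT", line.strip())
    if not m:
        raise ValueError(f"unexpected enddate line: {line!r}")
    stamp = " ".join(m.group(1).split())   # openssl pads 1-digit days: 'Aug  5'
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def openssl_enddate(pem_path: str) -> datetime:
    """Read the expiry of a PEM certificate on disk (not used by the sample run)."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", pem_path],
                         capture_output=True, text=True, check=True).stdout
    return parse_openssl_enddate(out)


def needs_renewal(not_after: datetime, now: datetime,
                  threshold: timedelta = RENEW_BEFORE) -> bool:
    """Renew when the remaining lifetime is at or below the threshold."""
    return not_after - now <= threshold


def plan_renewals(enddates: dict, now: datetime) -> dict:
    """Map each host to 'not-public' (internal CA), 'renew' or 'ok'."""
    plan = {}
    for host, line in enddates.items():
        if not is_public_dns_name(host):
            plan[host] = "not-public"
        elif needs_renewal(parse_openssl_enddate(line), now):
            plan[host] = "renew"
        else:
            plan[host] = "ok"
    return plan


# Constructed sample input: host -> openssl enddate line (not real certificates).
SAMPLE_ENDDATES = {
    "www.example.com": "notAfter=Jun 20 12:00:00 2024 GMT",   # 10 days left
    "mail.example.com": "notAfter=Aug  5 09:30:00 2024 GMT",  # 56 days left
    "logstash.internal": "notAfter=Dec 31 23:59:59 2024 GMT", # internal host
    "10.0.0.5": "notAfter=Dec 31 23:59:59 2024 GMT",          # bare IP
}
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)  # fixed "now" for the sample

if __name__ == "__main__":
    for host, action in plan_renewals(SAMPLE_ENDDATES, NOW).items():
        print(f"{host:20} {action}")
```

Run from cron with a real `now` and `openssl_enddate()` on each host's PEM; hosts reported as `not-public` are the ones that must stay on the internal CA (#180), while `renew` is where the ACME client should be invoked.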

pasgou commented 7 years ago

Letsencrypt is a CA for the web server, mail server, or everything needing SSL/TLS communication. I don't know if it could be used for ssh communication, but why not, if servers have a domain name?

Major use is https.

pasgou commented 7 years ago

In the FAQ on https://letsencrypt.org/docs/faq/ : """ Does Let’s Encrypt issue certificates for anything other than SSL/TLS for websites?

Let’s Encrypt certificates are standard Domain Validation certificates, so you can use them for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more.

Email encryption and code signing require a different type of certificate that Let’s Encrypt does not issue. """