... `example.com`. You may follow the steps outlined in this blog post to create and configure a load balancer for the Oracle Application Express (APEX) instance running on an Oracle Autonomous Database.

... `/tmp/` directory on the Compute instance.

IMPORTANT
As stated in the LICENSE file, the code in this repository is provided as-is and without warranty or support. You are expected to have basic Linux and OCI proficiency to perform these tasks, to adapt the instructions to your environment, and to be able to troubleshoot any issues that come up.
Create a policy, e.g. `LoadBalancerManagementPolicy`, to allow the dynamic group to create certificates and update the load balancer's listeners in the specified compartment. The simplest statement to get started with is this:

```
allow dynamic-group WebServers to use load-balancers in compartment MyCompartment
```

Note that this statement covers every load balancer in `MyCompartment`, not only the one whose OCID you will later put in the env file, so keep the dynamic group's matching rule as tightly scoped as you can.
NOTE
I will update this document with the minimal required policy statements at a later time.
The script assumes that you have a public load balancer created. In addition, you must:

- ... `HTTP` protocol and listens on port `80`.
- ... `TCP` protocol and then specify the SSH port (usually `22`). Make sure that the security lists are updated to allow communication between the load balancer's and the Compute instance's subnets.
- ... `8000`. For simplicity, allow the OCI console to create the security list rules automatically.
- ... `/.well-known`

Together, these settings let the Let's Encrypt HTTP validation requests for `/.well-known/`, which arrive at the load balancer on port `80`, reach the Compute instance on port `8000`, the same port that is later passed to `cert-manager.sh` with `-p`.
Set the following environment variables, adjusting the values to your tenancy and region:

```bash
APP_HOME=/opt/docker/oci-le-cert-manager
TENANCY_OCID=ocid1.tenancy.oc1.....
REGION=us-ashburn-1
```

... `APP_HOME` directory. You should have the following:
```text
/opt/docker/oci-le-cert-manager
├── Dockerfile
├── LICENSE
├── README.md
├── app
│   ├── cert-manager
│   ├── deploy-cert-to-lb
│   └── requirements.txt
├── build.sh
├── cert-manager.sh
├── domain.env.sample
└── logs
```
```bash
cd $APP_HOME
```

Create the `.oci` directory for storing the required OCI configuration file:

```bash
mkdir -p $APP_HOME/.oci
```

Create the configuration file (`.oci/config`) with the required information:

```bash
cat << EOF > $APP_HOME/.oci/config
[DEFAULT]
tenancy=$TENANCY_OCID
region=$REGION
EOF
```

Ensure that the `.oci` directory and its contents have the correct permissions, i.e. that they are accessible only by the owner:

```bash
chmod -R go-rwx $APP_HOME/.oci
```

Build the Docker image:

```bash
./build.sh
```
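The configuration steps above as one script, added here as an example and not part of oci-le-cert-manager: it writes the same two-line `[DEFAULT]` config under a restrictive umask, repeats the `chmod -R go-rwx` step for anything that already existed under `.oci`, and then checks that nothing under `.oci` is group- or world-accessible. The OCID and region format checks, the function names and the sample values in the usage comment are this example's own assumptions. The final check, that the config carries no `user`, `fingerprint` or `key_file` entry, assumes, from the dynamic group policy above, that the instance authenticates as an instance principal rather than with an API key.

```bash
# Added example (not part of oci-le-cert-manager): create the OCI config file
# the way the installation steps do, then verify its permissions.
# Assumptions: POSIX shell utilities; APP_HOME, TENANCY_OCID and REGION are the
# variables from the installation steps; instance principal authentication, so
# the config must not contain API-key settings.

# write_oci_config APP_HOME TENANCY_OCID REGION
write_oci_config() {
  local home="$1" tenancy="$2" region="$3"
  # a tenancy OCID has realm oc<n> and an empty region segment (two dots)
  printf '%s' "$tenancy" | grep -Eq '^ocid1\.tenancy\.oc[0-9]+\.\.[a-z0-9]+$' \
    || { echo "TENANCY_OCID does not look like a tenancy OCID" >&2; return 1; }
  # region identifiers look like us-ashburn-1
  printf '%s' "$region" | grep -Eq '^[a-z]+-[a-z]+-[0-9]+$' \
    || { echo "REGION does not look like an OCI region identifier" >&2; return 1; }
  # umask 077 in a subshell: the directory is created 700 and the file 600,
  # so there is no window in which the file is group- or world-readable
  ( umask 077
    mkdir -p "$home/.oci"
    printf '[DEFAULT]\ntenancy=%s\nregion=%s\n' "$tenancy" "$region" > "$home/.oci/config"
  )
  # same step as the installation instructions, for pre-existing contents of .oci
  chmod -R go-rwx "$home/.oci"
}

# check_oci_perms APP_HOME: returns 0 only if nothing under .oci is readable,
# writable or executable by group or other, and the config holds no API key
check_oci_perms() {
  local home="$1" leak
  [ -d "$home/.oci" ] || { echo "$home/.oci is missing" >&2; return 1; }
  # any single group/other permission bit set on any entry is a finding
  leak=$(find "$home/.oci" \( -perm -040 -o -perm -020 -o -perm -010 \
                              -o -perm -004 -o -perm -002 -o -perm -001 \))
  [ -z "$leak" ] || { printf 'group/other-accessible: %s\n' $leak >&2; return 1; }
  if grep -Eq '^(user|fingerprint|key_file)=' "$home/.oci/config"; then
    echo "config holds API-key settings; instance principal auth needs only tenancy and region" >&2
    return 1
  fi
  return 0
}

# usage, with the variables from the installation steps (values are placeholders):
# APP_HOME=/opt/docker/oci-le-cert-manager TENANCY_OCID=ocid1.tenancy.oc1..aaaa REGION=us-ashburn-1
# write_oci_config "$APP_HOME" "$TENANCY_OCID" "$REGION" && check_oci_perms "$APP_HOME"
```

Run `check_oci_perms` again whenever the directory is touched by hand; a config copied in with `cp` from a home directory commonly arrives mode 644.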
Create a file, e.g. `example-com.env`. This file must be created in the directory defined by `APP_HOME` and should have the following variables defined:

```ini
DOMAIN=example.com,www.example.com
EMAIL=johndoe@example.com
DEPLOY_TARGET=LB
LB_OCID=ocid1.loadbalancer.oc1...
LISTENER_NAME=listener_https
DRY_RUN=Y
```
IMPORTANT

- If you don't already have a listener set up for HTTPS, then exclude the `LISTENER_NAME` variable for now. Once the certificate has been deployed to the load balancer specified by the OCID, you may use that certificate to create the required listener supporting SSL communications.
- You may add more than one domain to the certificate. Assign them as a comma-delimited list to the `DOMAIN` variable.
- If `LISTENER_NAME` is defined, then the new certificate will be assigned to the listener as well.
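A pre-flight check for the env file, added here as an example and not part of oci-le-cert-manager: it reads the `KEY=VALUE` lines without sourcing the file, so a value such as `$(...)` is rejected rather than executed, and it applies the rules stated above (comma-delimited `DOMAIN`, optional `LISTENER_NAME`). The value formats it enforces, the function names and the sample OCID in the test are this example's own assumptions, not rules taken from the tool.

```bash
# Added example (not part of oci-le-cert-manager): pre-flight validation of a
# cert-manager env file such as example-com.env. It parses KEY=VALUE lines
# instead of sourcing the file, so a value like "$(...)" is rejected, not run.
# Assumptions: POSIX shell utilities; the value formats below are this
# example's own checks.

# get_var FILE KEY: print the value of KEY (last definition wins), or nothing
get_var() {
  awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# validate_env_file FILE: 0 if the file is usable, non-zero if any check fails
validate_env_file() {
  local f="$1" rc=0 d
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }

  # 1. every non-blank, non-comment line must be KEY=VALUE whose value uses only
  #    hostname, e-mail and OCID characters; quotes, $, backticks and ; are
  #    refused, so the file can never smuggle a command into a later "source"
  if grep -Ev '^[[:space:]]*(#|$)' "$f" | grep -Evq '^[A-Z_][A-Z0-9_]*=[A-Za-z0-9@._,-]*$'; then
    echo "$f: a line is not a plain KEY=VALUE with safe characters" >&2
    rc=1
  fi

  local domain email target lb listener dry
  domain=$(get_var "$f" DOMAIN)
  email=$(get_var "$f" EMAIL)
  target=$(get_var "$f" DEPLOY_TARGET)
  lb=$(get_var "$f" LB_OCID)
  listener=$(get_var "$f" LISTENER_NAME)
  dry=$(get_var "$f" DRY_RUN)

  # 2. DOMAIN: one or more comma-delimited hostnames; no wildcards, because the
  #    HTTP validation served behind /.well-known cannot issue wildcard certs
  [ -n "$domain" ] || { echo "DOMAIN is required" >&2; rc=1; }
  for d in $(printf '%s' "$domain" | tr ',' ' '); do
    printf '%s' "$d" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$' \
      || { echo "DOMAIN entry '$d' is not a valid hostname" >&2; rc=1; }
  done

  # 3. EMAIL: the account contact registered with Let's Encrypt
  printf '%s' "$email" | grep -Eq '^[^@[:space:]]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$' \
    || { echo "EMAIL '$email' is not a valid address" >&2; rc=1; }

  # 4. deployment target and the load balancer OCID; a load balancer is a
  #    regional resource, so the OCID is ocid1.loadbalancer.<realm>.<region>.<id>
  [ "$target" = "LB" ] || { echo "DEPLOY_TARGET must be LB (got '$target')" >&2; rc=1; }
  printf '%s' "$lb" | grep -Eq '^ocid1\.loadbalancer\.oc[0-9]+\.[a-z0-9-]*\.[a-z0-9]+$' \
    || { echo "LB_OCID '$lb' is not a load balancer OCID" >&2; rc=1; }

  # 5. LISTENER_NAME is optional; without it the certificate is only uploaded
  [ -n "$listener" ] || echo "note: LISTENER_NAME unset, no listener will be updated" >&2

  # 6. DRY_RUN: Y or N when present
  case "$dry" in
    Y|N|"") ;;
    *) echo "DRY_RUN must be Y or N (got '$dry')" >&2; rc=1 ;;
  esac
  return $rc
}

# usage: validate_env_file "$APP_HOME/example-com.env" && \
#   "$APP_HOME/cert-manager.sh" -a generate -f example-com.env -p 8000
```

The character allow-list in step 1 is deliberately narrow; if you need a value outside it, extend the class rather than dropping the check.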
Generate the certificate, passing with `-p` the port on the Compute instance that the load balancer routes `/.well-known` requests to:

```bash
$APP_HOME/cert-manager.sh -a generate -f example-com.env -p 8000
```
Schedule renewals with a cron entry. The line below is in `/etc/cron.d` format (it includes the `opc` user field) and runs the renewal daily at 02:00, appending output to the `logs` directory. Note that `>>` captures only standard output; add `2>&1` if you want error messages in the same log.

```cron
0 2 * * * opc /opt/docker/oci-le-cert-manager/cert-manager.sh -a renew -f example-com.env -p 8000 >> /opt/docker/oci-le-cert-manager/logs/le-example-com.log
```