Open carlosbaraza opened 8 years ago
An issue I discovered is that if it fails to generate a certificate and the parameter `--restart=always` is given to the run command, then it will request certificates infinitely, all of which will fail, and finally Let's Encrypt will ban the domain for subsequent requests.
Error after the domain is banned:

```
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly --agree-tos -c /generated-tls/config.ini
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: example.com
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to example@example.com.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
```
We should implement a mechanism to know that the certificate request failed, in order to stop the container from making further requests. This could also be useful to give feedback to the user in the CLI when they deploy.
Hi @arunoda,

I integrated Let's Encrypt for the generation of free TLS certificates within this image. Maybe you had a better idea about how to do this.

This feature is linked to a PR that I will submit now to meteor-up, making use of it. I tested that it is backwards compatible with some of my projects. However, it may have some bugs or need some small tweaks.

Automatic renewal of certificates
We should invest a bit more time integrating the `webroot` plugin of Let's Encrypt.

My idea was to create a volume for `bundle.crt` and `private.key` to persist the generated certificates. Then, if the certificate exists and generation is on, it should try to generate a new certificate if the current certificate is about to expire and overwrite the `bundle.crt` and `private.key` files.

I have set up the location in `nginx.conf` for `webroot` (not tested) and some logic in `start.sh` to start the generation with webroot if the certificates are present. The reason for doing this is that nginx would not boot up if the certificates are not present, therefore I thought that if the certificates are not present, we should generate them with the `standalone` plugin before booting nginx.

Suggestions
If you have any suggestions to improve it, I am open to discuss it.
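The following start script is an added example, not the project's own `start.sh` and not code posted by anyone in this thread. It puts together the two ideas discussed above: the failure mechanism from the issue (record a failed Let's Encrypt attempt on the volume and refuse to call the API again until a cool-down has passed, so a container under `--restart=always` cannot hit the rate limit), and the plugin selection from the PR description (`standalone` for the first issuance before nginx is up, `webroot` for renewals when a certificate is already present and close to expiry). Everything beyond what the thread states is an assumption: the volume path `/generated-tls` and the `config.ini` there (taken from the log above), the marker file name `letsencrypt.failed`, the `LE_CMD` and `LE_LIVE` variables that let the client be stubbed, the 1-hour cool-down and 30-day renewal window.

```shell
#!/bin/sh
# Added example, not the project's own start.sh. Obtains or renews the TLS
# certificate before starting nginx, and throttles retries after a failure so
# a container restarted by Docker (--restart=always) does not hammer Let's Encrypt.
#
# Assumed names (not from the original thread): CERT_DIR is the volume holding
# bundle.crt / private.key and config.ini; LE_CMD is the client binary
# (overridable so it can be stubbed); LE_LIVE is where the client leaves
# fullchain.pem / privkey.pem.
CERT_DIR="${CERT_DIR:-/generated-tls}"
DOMAIN="${DOMAIN:-example.com}"
WEBROOT="${WEBROOT:-/var/www/letsencrypt}"
LE_CMD="${LE_CMD:-letsencrypt}"
LE_CONFIG="${LE_CONFIG:-$CERT_DIR/config.ini}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live/$DOMAIN}"
FAIL_MARKER="$CERT_DIR/letsencrypt.failed"
RETRY_AFTER="${RETRY_AFTER:-3600}"       # seconds to wait after a failed attempt
RENEW_WINDOW="${RENEW_WINDOW:-2592000}"  # renew when < 30 days of validity remain

# 0 when both files on the volume exist and are non-empty.
certs_present() {
    [ -s "$CERT_DIR/bundle.crt" ] && [ -s "$CERT_DIR/private.key" ]
}

# standalone: first issuance, before nginx runs (the client binds port 80 itself).
# webroot:    renewal while nginx serves /.well-known/acme-challenge/ from WEBROOT.
choose_plugin() {
    if certs_present; then echo webroot; else echo standalone; fi
}

# 0 when there is no usable certificate or it expires within RENEW_WINDOW.
cert_needs_renewal() {
    certs_present || return 0
    ! openssl x509 -checkend "$RENEW_WINDOW" -noout -in "$CERT_DIR/bundle.crt" >/dev/null
}

# 0 when the last attempt failed less than RETRY_AFTER seconds ago (marker holds epoch time).
retry_blocked() {
    [ -f "$FAIL_MARKER" ] || return 1
    last=$(cat "$FAIL_MARKER")
    [ $(( $(date +%s) - last )) -lt "$RETRY_AFTER" ]
}

record_failure() { date +%s > "$FAIL_MARKER"; }
clear_failure()  { rm -f "$FAIL_MARKER"; }

# One client run with the chosen plugin; on success copy the result onto the volume.
request_cert() {
    case "$(choose_plugin)" in
        webroot)    $LE_CMD certonly --agree-tos -c "$LE_CONFIG" \
                        --webroot -w "$WEBROOT" -d "$DOMAIN" ;;
        standalone) $LE_CMD certonly --agree-tos -c "$LE_CONFIG" \
                        --standalone -d "$DOMAIN" ;;
    esac
    [ $? -eq 0 ] || return 1
    cp "$LE_LIVE/fullchain.pem" "$CERT_DIR/bundle.crt" &&
    cp "$LE_LIVE/privkey.pem"  "$CERT_DIR/private.key"
}

# 0 with a valid certificate on the volume; 1 after a failed request (now
# recorded); 2 when a recent failure means the API must not be called at all.
ensure_cert() {
    cert_needs_renewal || return 0
    if retry_blocked; then
        echo "start.sh: Let's Encrypt failed less than ${RETRY_AFTER}s ago, not retrying" >&2
        return 2
    fi
    if request_cert; then clear_failure; return 0; fi
    record_failure
    echo "start.sh: certificate request failed; see /var/log/letsencrypt" >&2
    return 1
}

main() {
    ensure_cert
    rc=$?
    # Exit non-zero (instead of looping) so the deploy tool can report the
    # failure; sleep first so --restart=always does not respawn us in a tight loop.
    if [ "$rc" -ne 0 ]; then sleep 60; exit "$rc"; fi
    exec nginx -g 'daemon off;'
}

# The image runs `sh start.sh run`; with no argument only the functions are
# defined, which is what a test harness needs.
if [ "${1:-}" = run ]; then main; fi
```

For the `webroot` branch to work, the `nginx.conf` server block must serve `/.well-known/acme-challenge/` from the directory given as `WEBROOT` over plain HTTP; the `standalone` branch instead needs port 80 free, which is why it can only run before nginx is started. The cool-down marker lives on the persistent volume on purpose: a marker inside the container filesystem would be lost on every restart and give no protection.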