meteorhacks / mup-frontend-server

Frontend Server for Meteor Up

Integrate Let's Encrypt for TLS certificate generation #10

Open carlosbaraza opened 8 years ago

carlosbaraza commented 8 years ago

Hi @arunoda,

I integrated Let's Encrypt for the generation of free TLS certificates within this image. Maybe you had a better idea about how to do this.

This feature is linked to a PR that I will submit now to meteor-up x, making use of it. I tested that it is backwards compatible with some of my projects. However, it may have some bugs or need small tweaks.

Automatic renewal of certificates

We should invest a bit more time integrating the webroot plugin of Let's Encrypt.

My idea was to create a volume for bundle.crt and private.key to persist the generated certificates. Then, if the certificate exists and the generation is on, it should try to generate a new certificate if the current certificate is about to expire and overwrite the bundle.crt and private.key files.

I have set up the location in nginx.conf for webroot (not tested) and some logic in the start.sh to start the generation with webroot if the certificates are present.

The reason for doing this is that nginx would not boot up if the certificates are not present, therefore I thought that if the certificates are not present, we should generate them with the standalone plugin before booting nginx.

Suggestions

If you have any suggestions to improve it, I am open to discuss it.

carlosbaraza commented 8 years ago

An issue I discovered is that if it fails to generate a certificate and the param --restart=always is given to the run command, then it will infinitely request certificates that will fail, and finally Let's Encrypt will ban the domain for next requests.

Error after the domain is banned:

Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly --agree-tos -c /generated-tls/config.ini
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: example.com
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to example@example.com.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.

We should implement a mechanism to know that the certificate request failed, in order to stop the container for further requests. This could be useful also to give feedback to the user in the CLI when they deploy.
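
Added example, not part of the PR or of either comment above: one way a start.sh-style entrypoint could avoid the restart loop described here, by requesting a certificate only when it is missing or near expiry and by recording a failed attempt on the persisted volume so that restarts under --restart=always do not ask again. The function names, the marker file, the 30-day and 24-hour thresholds and the placement of bundle.crt under /generated-tls are assumptions.

```shell
#!/bin/sh
# Added example (assumed names and paths, not the project's own start.sh).
STATE_DIR="${STATE_DIR:-/generated-tls}"          # volume that survives restarts (assumed)
CERT="${CERT:-$STATE_DIR/bundle.crt}"
FAIL_MARK="${FAIL_MARK:-$STATE_DIR/.last_failure}" # hypothetical marker file
RENEW_BEFORE="${RENEW_BEFORE:-2592000}"           # renew when < 30 days remain
COOLDOWN="${COOLDOWN:-86400}"                     # wait 24h after a failed request

# Returns 0 when a request is needed: certificate missing, unreadable or expiring soon.
cert_needs_request() {
  [ -s "$CERT" ] || return 0
  # -checkend exits 0 only if the certificate is still valid RENEW_BEFORE seconds from now
  if openssl x509 -checkend "$RENEW_BEFORE" -noout -in "$CERT" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Returns 0 when the last recorded failure is more recent than COOLDOWN seconds.
in_cooldown() {
  [ -f "$FAIL_MARK" ] || return 1
  last=$(cat "$FAIL_MARK" 2>/dev/null)
  case "$last" in ''|*[!0-9]*) return 1 ;; esac   # ignore a corrupt marker
  now=$(date +%s)
  [ $((now - last)) -lt "$COOLDOWN" ]
}

# Usage: guarded_request <command that requests the certificate> [args...]
# e.g.   guarded_request letsencrypt certonly --agree-tos -c /generated-tls/config.ini
# Returns 0 = nothing to do or success, 1 = request failed, 2 = skipped (cooling down).
guarded_request() {
  cert_needs_request || return 0
  if in_cooldown; then
    echo "certificate request skipped: previous attempt failed, cooling down" >&2
    return 2
  fi
  if "$@"; then
    rm -f "$FAIL_MARK"
    return 0
  fi
  date +%s > "$FAIL_MARK"                          # persist the failure across restarts
  echo "certificate request failed; not retrying for ${COOLDOWN}s" >&2
  return 1
}
```

The distinct return codes let the caller decide whether to exit, and give a deploy CLI something to report back to the user.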