n1b0r / docker-flow-proxy-letsencrypt


Configuration of DFP when using secrets #8

Closed patrickleet closed 7 years ago

patrickleet commented 7 years ago

Hey just tried out secret mode, and ended up reverting to using volumes. It seems like the current configuration in the README is missing something. When the proxy reloads, the certs are lost. Wouldn't a secrets key be required in the DFP config to tell it where to mount the cert secret?

patrickleet commented 7 years ago

Just to clarify, the certs are lost by DFP; they still exist when running docker secret ls.

n1b0r commented 7 years ago

Could you provide the stack file?

n1b0r commented 7 years ago

The secret feature is quite experimental, while it's correctly working on my production server.

When DFPLE receives a /reconfigure request, it tries to generate or renew certs. In secret mode, a new secret is created for new certs. Then we check if DFP has these secrets loaded; if not, we attach each secret to it. If secrets have been updated, the DFP service will also restart and generate its new configuration based on the secrets.

What did you try? Once the DFP service is created and has secrets attached, they should not be removed.

patrickleet commented 7 years ago

How is DFP aware of the secrets? I thought you would need to configure that.

n1b0r commented 7 years ago

DFPLE updates the DFP secrets using docker-py with an ugly POST request against the docker socket (a docker-py workaround written at that time).

Once the update is done, DFP is automatically restarted by the docker engine (as docker service update --secret-add would do).
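The two comments above describe one procedure: after a /reconfigure, DFPLE checks whether the DFP service already carries each cert secret, attaches the missing ones, and the engine restarts DFP. The block below is an added example written for this thread, not DFPLE's or DFP's own code. It models that step as pure functions over the JSON the Docker Engine API returns for GET /services/{id}, and builds the raw update request such a POST against the docker socket amounts to. The service name, secret names and secret IDs are constructed; the naming rule "a renewed cert is a new secret with the same name but a different ID" is an assumption, not something the thread states.

```python
"""Idempotent 'attach cert secrets to the proxy service' step, offline.

Added example for the issue thread; not DFPLE's own implementation.
Operates on the Engine API service object (GET /services/{id}) and
produces the POST /services/{id}/update call that would change it.
"""
import copy
import json

# Constructed sample of an inspected proxy service, trimmed to the fields used.
# Version.Index is the optimistic-locking counter the Engine requires on update.
DFP_SERVICE = {
    "ID": "p9k2xq",
    "Version": {"Index": 41},
    "Spec": {
        "Name": "proxy_proxy",  # stack "proxy", service "proxy", all lowercase
        "TaskTemplate": {
            "ContainerSpec": {
                "Image": "vfarcic/docker-flow-proxy:latest",
                "Secrets": [
                    {"SecretID": "sec-old-111", "SecretName": "cert-example.com",
                     "File": {"Name": "cert-example.com", "UID": "0", "GID": "0", "Mode": 0o444}},
                ],
            }
        },
    },
}


def find_service(services, wanted_name):
    """Return the service whose Spec.Name equals wanted_name exactly, else None.

    The comparison is exact and case-sensitive, so "PROXY_proxy" does not
    match "proxy_proxy".
    """
    for svc in services:
        if svc["Spec"]["Name"] == wanted_name:
            return svc
    return None


def secret_reference(secret_id, secret_name):
    """SecretReference as the Engine expects it in ContainerSpec.Secrets.

    The task sees the secret as /run/secrets/<File.Name>, read-only (0444).
    """
    return {
        "SecretID": secret_id,
        "SecretName": secret_name,
        "File": {"Name": secret_name, "UID": "0", "GID": "0", "Mode": 0o444},
    }


def merge_secrets(service, wanted):
    """wanted: {secret_name: secret_id} for every cert secret DFP must carry.

    Returns (changed, new_spec). Secrets already attached under the wanted ID
    are left alone; a name attached under a different ID is replaced (assumed
    renewal); names not attached at all are appended. The input is not mutated.
    """
    spec = copy.deepcopy(service["Spec"])
    container = spec["TaskTemplate"]["ContainerSpec"]
    current = container.get("Secrets") or []
    merged, seen, changed = [], set(), False
    for ref in current:  # keep existing order; swap in renewed IDs
        name = ref["SecretName"]
        seen.add(name)
        if name in wanted and wanted[name] != ref["SecretID"]:
            merged.append(secret_reference(wanted[name], name))
            changed = True
        else:
            merged.append(ref)
    for name, sid in wanted.items():  # append secrets DFP does not have yet
        if name not in seen:
            merged.append(secret_reference(sid, name))
            changed = True
    container["Secrets"] = merged
    return changed, spec


def build_update_request(service, new_spec):
    """Path and body of the raw Engine call: POST /services/{id}/update?version=N.

    The body is the complete new Spec; the version must equal the inspected
    Version.Index or the Engine rejects the update, so re-inspect on conflict.
    """
    path = "/services/{}/update?version={}".format(service["ID"], service["Version"]["Index"])
    return path, new_spec


def attach_cert_secrets(services, proxy_service_name, wanted):
    """Whole step: locate DFP, merge, and return the update request or None.

    Raises LookupError when no service matches exactly, which is what a wrong
    DF_PROXY_SERVICE_NAME (e.g. wrong case) looks like from the caller's side.
    """
    svc = find_service(services, proxy_service_name)
    if svc is None:
        raise LookupError("no service named {!r}".format(proxy_service_name))
    changed, spec = merge_secrets(svc, wanted)
    if not changed:
        return None  # nothing to POST, and so no DFP restart
    return build_update_request(svc, spec)


if __name__ == "__main__":
    req = attach_cert_secrets([DFP_SERVICE], "proxy_proxy",
                              {"cert-example.com": "sec-old-111",
                               "cert-api.example.com": "sec-new-222"})
    print(req[0])
    print(json.dumps(req[1]["TaskTemplate"]["ContainerSpec"]["Secrets"], indent=2))
```

Sending the request is deliberately left out so the block runs without a docker socket; in current versions of the docker SDK for Python the same change is expressed as `service.update(secrets=[docker.types.SecretReference(...)])`, which performs the inspect-then-update with the version for you. Whichever path is used, the update triggers the rolling restart of DFP that the thread mentions, so it should be sent only when `merge_secrets` reports a change.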

n1b0r commented 7 years ago

Did you get any chance to get it working?

hopkins-tk commented 7 years ago

Not sure if it is the case for you, but I was struggling with getting it to work as well. In the end the root cause for me was using an upper-case stack name PROXY and not setting DF_PROXY_SERVICE_NAME correctly.

If you are using stack deploy, you need to use a lowercase stack name and set DF_PROXY_SERVICE_NAME including the stack name and with matching case (an exact match is performed).

patrickleet commented 7 years ago

I had it working, but when I added a new service with a different subdomain, the SSL certs were lost.

I then switched to using volumes instead because that worked for me.

n1b0r commented 7 years ago

Did you set the le-certs:/etc/letsencrypt volume on the dfple service? You have to set it in case you recreate the dfple service.