sagemathinc / cocalc-docker

DEPRECATED (was -- Docker setup for running CoCalc as downloadable software on your own computer)
https://cocalc.com

Trouble using certbot to get a letsencrypt certificate #129

Closed ohcfe closed 1 year ago

ohcfe commented 2 years ago

After installing the docker image as described in README.md I decided to install a proper certificate so that my users won't have their browsers yelling at them every time they try to sign-in.

I opened up an interactive terminal to the image:

sudo docker exec -it cocalc bash

I installed the letsencrypt package:

apt install letsencrypt

and finally I tried to use certbot to get a certificate:

root@a4da9db0f545:~# certbot certonly --standalone --agree-tos --preferred-challenges http -d my.Domain
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): my@email.address

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my.Domain
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Certbot needs to be able to talk to letsencrypt.org on port 80 as well as port 443... so I am unable to get proper certs... What is the proper way to get non self-signed certificates for my docker image?

Thanks.

belonesox commented 2 years ago

I think you should use an nginx reverse proxy to get the letsencrypt cert, without even touching the docker container.

belonesox commented 2 years ago

Like this. Run a trivial nginx site like this

server {
    listen       80;
    server_name  calc.onyour.domain; 

    root   /var/data/cocalc-test-root;
    location / {
        autoindex on;
    }
}

and run certbot certonly, answering with your domain and /var/data/cocalc-test-root to certbot's questions.

Then, after getting the certs, replace this config with something like

map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
}

server {
    listen 443 ssl;

    server_name  calc.onyour.domain; 
    ssl_certificate         /etc/letsencrypt/live/calc.onyour.domain/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/calc.onyour.domain/privkey.pem;

    location / {
        # push traffic through the proxy to the port you mapped above, in this case 9090, on the localhost:
        proxy_pass https://localhost:9443;

        # this enables proxying for websockets, which cocalc uses extensively:
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
    }
}

(Of course, when you then run docker, map 9443 to 443 on the container.)
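One gap in the two-step config above is that the final version drops the port 80 server block, so a later `certbot renew` with the webroot method has nowhere to answer the http-01 challenge. The following is an added example (not belonesox's config, not the cocalc-docker project's own): a single nginx server file for `calc.onyour.domain` that keeps serving ACME challenges on port 80 after the switch to TLS, redirects everything else to HTTPS, and proxies to the container on the host-mapped loopback port 9443. The webroot path and the port number are taken from the comment above; the remaining directives and header choices are assumptions for illustration.

```nginx
# Added example, not the cocalc-docker project's configuration.
# Assumed: certbot was run with --webroot -w /var/data/cocalc-test-root,
# and the container's 443 is published on the host as 127.0.0.1:9443.

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80: answer Let's Encrypt http-01 challenges from the webroot,
# send every other request to HTTPS. Keeping this block is what lets
# `certbot renew` keep working after the site has moved to TLS.
server {
    listen 80;
    server_name calc.onyour.domain;

    location ^~ /.well-known/acme-challenge/ {
        root /var/data/cocalc-test-root;
        default_type "text/plain";
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: terminate TLS with the Let's Encrypt certificate and
# forward to the CoCalc container.
server {
    listen 443 ssl;
    server_name calc.onyour.domain;

    ssl_certificate     /etc/letsencrypt/live/calc.onyour.domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/calc.onyour.domain/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # The container still speaks HTTPS with its own self-signed
        # certificate. nginx does not verify upstream certificates by
        # default (proxy_ssl_verify off), which is only acceptable
        # because this hop stays on the loopback interface.
        proxy_pass https://127.0.0.1:9443;

        # WebSocket support, which CoCalc relies on heavily.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Long-lived terminal and notebook sessions: do not cut idle
        # websocket connections after nginx's default 60 seconds.
        proxy_read_timeout 3600s;
    }
}
```

Usage, with the same assumptions: obtain the certificate once with `certbot certonly --webroot -w /var/data/cocalc-test-root -d calc.onyour.domain` (the directory must exist and be readable by the nginx worker user), then `nginx -t && nginx -s reload`. Confirm renewal works through the port 80 block with `certbot renew --dry-run`, and add `--deploy-hook "nginx -s reload"` to the renewal so a renewed certificate is actually loaded. On the Docker side, publish the container port on loopback only, for example `-p 127.0.0.1:9443:443`, so the self-signed endpoint is reachable by nginx but not from the network.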

williamstein commented 1 year ago

Seems solved.