Open KattMingMing opened 5 years ago
I realized that there's a way to avoid shutting down the nginx service when going through the certbot steps. After Step 4:
Once created, copy the certificates into the Sourcegraph directory
cp /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem /root/.sourcegraph/config
Certbot will be running on port 80 (as designed); users can run a slightly modified docker run command to avoid shutting down the nginx service (omit --publish 80:7080):
1. docker run -d --publish 443:7443 --publish 2633:2633 --restart unless-stopped --volume /root/.sourcegraph/config:/etc/sourcegraph --volume /root/.sourcegraph/data:/var/opt/sourcegraph sourcegraph/server:3.1.1
I'm not 100% sure if that's the best way to do this. Users would still need to perform a restart of the sourcegraph/server docker container after renewing certificates.
It looks like the default expiration is 3 months so if there's a better way to handle this we should document that as well. cc/ @keegancsmith any feedback on the above issue and this possible improvement would be appreciated.
I've added how to create a self-signed cert that can be validated by browsers - https://docs.sourcegraph.com/admin/ssl_https_self_signed_cert_nginx
Next up is Let's Encrypt docs
I went through the Nginx and Let's Encrypt documentation and ran into several issues. Below is documentation on the steps I followed to configure Nginx with a self-signed cert and using certbot.
Deploying on GCP and accessing your instance
sudo su;
cd /root/.sourcegraph
Create admin account
Navigate to the External IP address of the VM. You may need to wait a few minutes for it to be accessible.
Update DNS Records
There can be a delay when updating DNS records, so I did this step earlier than expected.
Setting up SSL / TLS
There are a few ways to configure SSL / TLS.
Option A: Self signed certificate
Generate the certificate
Inside the VM run the following commands:
sudo su;
cd /root/.sourcegraph/config
If you don't already have a TLS certificate and key, you can generate them with the following command. Note: Replace sourcegraph.example.com with your domain.
Update nginx.conf
Update the nginx.conf that is in the same directory. Replace sourcegraph.example.com with your domain. The three lines in the nginx.conf need to be updated with your domain:
Restart container
Since we do not have access to the command line of the NGINX container directly, we cannot use the nginx command to control NGINX. Fortunately, Docker provides the kill command for sending signals to the container.
docker ps | grep sourcegraph | awk '{print $1}'
docker rm -f <container ID>
docker run -d --publish 80:7080 --publish 443:7443 --publish 2633:2633 --restart unless-stopped --volume /root/.sourcegraph/config:/etc/sourcegraph --volume /root/.sourcegraph/data:/var/opt/sourcegraph sourcegraph/server:3.1.1
Your instance should now be accessible with a self signed certificate.
Option B: Let's Encrypt
Let’s Encrypt automatically provisions TLS certificates so that your server is accessible via HTTPS.
To do this, I followed the Using Let’s Encrypt with nginx on Ubuntu 16.04 instructions.
Let's Encrypt needs to access port 80 which is currently in use by Sourcegraph, so it was necessary to stop the container. Inside the VM run the following commands:
docker ps | grep sourcegraph | awk '{print $1}'
docker rm -f <container ID>
Next, I needed to install certbot.
sudo su;
certonly
sudo certbot --nginx certonly
cp /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem /root/.sourcegraph/config
service nginx stop
Update nginx.conf with certbot
The three lines in the nginx.conf need to be updated with your domain. By default fullchain.pem and privkey.pem are the names generated by certbot.
docker run -d --publish 80:7080 --publish 443:7443 --publish 2633:2633 --restart unless-stopped --volume /root/.sourcegraph/config:/etc/sourcegraph --volume /root/.sourcegraph/data:/var/opt/sourcegraph sourcegraph/server:3.1.1
Now your instance should be accessible via HTTPS with your signed certificate generated by certbot.
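The first comment notes that after a Let's Encrypt renewal the sourcegraph/server container still has to be restarted by hand, and the steps above copy fullchain.pem and privkey.pem into /root/.sourcegraph/config manually. The script below is an added example written for this thread, not Sourcegraph's own code or documentation: a certbot deploy hook that does the copy and the container restart automatically on every renewal. It assumes the container was started with --name sourcegraph (the docker run commands in this thread do not set a name), that the hook lives at the hypothetical path /root/.sourcegraph/deploy-hook.sh, and the SG_CONFIG_DIR, SG_CONTAINER and DOCKER variable names are constructed for the example. certbot really does export RENEWED_LINEAGE (the /etc/letsencrypt/live/<domain> directory) to deploy hooks.

```shell
#!/bin/sh
# Added example (not Sourcegraph's own code): a certbot deploy hook that copies the
# renewed certificate into the directory mounted at /etc/sourcegraph and restarts
# the container, so a renewal no longer needs a manual restart.
set -eu

# Defaults follow the paths used in this thread; all are overridable via environment.
SG_CONFIG_DIR="${SG_CONFIG_DIR:-/root/.sourcegraph/config}"
SG_CONTAINER="${SG_CONTAINER:-sourcegraph}"   # assumed: container started with --name sourcegraph
DOCKER="${DOCKER:-docker}"                    # overridable so the functions can be exercised without Docker

# install_certs LINEAGE_DIR DEST_DIR
# Copies fullchain.pem and privkey.pem from a certbot lineage directory
# (e.g. /etc/letsencrypt/live/sourcegraph.example.com) into DEST_DIR.
# Files are written under temporary names and renamed into place so nginx never
# reads a half-written file, and the private key is left readable only by root.
install_certs() {
  lineage="$1"
  dest="$2"
  for f in fullchain.pem privkey.pem; do
    if [ ! -f "$lineage/$f" ]; then
      echo "install_certs: missing $lineage/$f" >&2
      return 1
    fi
  done
  cp "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
  cp "$lineage/privkey.pem" "$dest/privkey.pem.tmp"
  chmod 644 "$dest/fullchain.pem.tmp"
  chmod 600 "$dest/privkey.pem.tmp"
  mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
  mv "$dest/privkey.pem.tmp" "$dest/privkey.pem"
}

# restart_container NAME
# The nginx inside sourcegraph/server only re-reads the certificate files when the
# container restarts; `docker restart` keeps the original --publish and --volume flags.
restart_container() {
  "$DOCKER" restart "$1" >/dev/null
}

# certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<domain> path) to deploy
# hooks, so the script only acts when certbot invokes it, e.g.:
#   certbot renew --deploy-hook /root/.sourcegraph/deploy-hook.sh
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  install_certs "$RENEWED_LINEAGE" "$SG_CONFIG_DIR"
  restart_container "$SG_CONTAINER"
fi
```

For this to work the docker run command in the steps above needs a --name sourcegraph flag added, and the hook should be registered once with certbot renew --deploy-hook so it runs on every future renewal (the default certbot timer or cron job then handles the three-month expiry mentioned in the first comment). The temp-file-and-rename step matters because the container's nginx reads the files straight off the mounted volume.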