yuvipanda / jupyterhub-nginx-chp

configurable-http-proxy for use with JupyterHub written in nginx + lua
BSD 3-Clause "New" or "Revised" License

Integrate let's encrypt into this #2

Open yuvipanda opened 8 years ago

yuvipanda commented 8 years ago

To auto provision SSL certs, based off https://github.com/smashwilson/lets-nginx.

Should help with https://github.com/jupyter/jupyterhub/pull/417

yuvipanda commented 8 years ago

https://github.com/GUI/lua-resty-auto-ssl :D

rgbkrk commented 8 years ago

/cc @smashwilson @carolynvs

yuvipanda commented 8 years ago

I've a fairly decent idea on how to do this, but won't be able to get to it until second half of October. If someone else wants to take a shot at it I'll be happy to help too. It shouldn't be too hard!

carolynvs commented 8 years ago

I did something very similar for whale in a box, which is running nginx + jupyterhub. Maybe this can help get you jump started?

https://github.com/carolynvs/whaleinabox/tree/master/letsencrypt

The letsencrypt container waits until nginx is up, so that nginx can handle the ACME challenge, then it generates a certificate. The container has a cron job to reissue the certificate as needed.

yuvipanda commented 8 years ago

omg whale in a box sounds awesome and something I've always wanted <3

I want nchp to work regardless of external recurring things (like a cron), so I'm more inclined to integrate the lua based solution directly. That's 'in-process', and works super seamlessly wherever you are (containers, bare metal, etc).

On Mon, Sep 19, 2016 at 11:16 AM, Carolyn Van Slyck <notifications@github.com> wrote:

I did something very similar for whale in a box http://whaleinabox.com, which is running nginx + jupyterhub. Maybe this can help get you jump started?

https://github.com/carolynvs/whaleinabox/tree/master/letsencrypt

The letsencrypt container waits until nginx is up, so that it can handle the ACME challenge. Then it runs a cron job to reissue the certificate as needed.


Yuvi Panda T http://yuvi.in/blog

carolynvs commented 8 years ago

I'm not familiar with the lua way and would be interested in seeing that when you have it working. 😄

The trick to getting renewal to work is that since jupyterhub is running on port 80, you need to tell the let's encrypt client that you want to have nginx handle the challenge request, instead of having the letsencrypt client attempting to listen on port 80.

So when we reissue the cert these flags are used:

--authenticator webroot \
--webroot-path /etc/letsencrypt/webrootauth/ \

That tells the lets encrypt client to put some magical files on the filesystem for nginx to serve. And our nginx config needs to handle the lets encrypt challenge, and return the magical files:

location /.well-known/acme-challenge {
        alias /etc/letsencrypt/webrootauth/.well-known/acme-challenge;
        location ~ /.well-known/acme-challenge/(.*) {
            add_header Content-Type application/jose+json;
        }
}

The rest of the kit just handles wiring up the various containers and volumes. If you give the kit a try and have suggestions or feedback, I'd love to hear it!
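
The webroot flow described in the comment above, as an added example that is not part of this thread, of whaleinabox or of jupyterhub-nginx-chp: certbot's `--authenticator webroot` drops a file named after the challenge token under `<webroot>/.well-known/acme-challenge/`, and nginx's `alias` block must hand that file back verbatim over plain HTTP. The script below stands a tiny local HTTP server in for nginx (it serves only the challenge prefix, mapped onto the webroot, the way the `alias` does), writes a constructed token the way the certbot webroot authenticator would, and then runs the same GET the ACME server performs, so you can see a correct setup next to the two usual failures (file not served, wrong content) before asking the CA for a certificate. The webroot path, port, token and key authorization are constructed for the demo, not values from the thread.

```python
"""Local simulation of the certbot webroot challenge flow (added example).

Stand-in for: certbot --authenticator webroot --webroot-path <webroot>
plus an nginx `location /.well-known/acme-challenge { alias <webroot>/...; }`.
Everything here is constructed: temp webroot, ephemeral port, fake token.
"""
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


class ChallengeHandler(http.server.SimpleHTTPRequestHandler):
    """Mimics the nginx alias block: only the challenge prefix is served, and it
    maps onto <webroot>/.well-known/acme-challenge/<token>. Anything outside
    that prefix is a 404, so the rest of the webroot is never exposed."""

    def translate_path(self, path):
        path = path.split("?", 1)[0]  # drop any query string
        if not path.startswith(CHALLENGE_PREFIX):
            return os.path.join(self.directory, "__not_served__")
        # basename() strips any "../" so a client cannot walk out of the alias dir
        token = os.path.basename(path[len(CHALLENGE_PREFIX):])
        return os.path.join(self.directory, ".well-known", "acme-challenge", token)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def write_challenge(webroot, token, key_authorization):
    """What the certbot webroot authenticator does on the filesystem: create
    <webroot>/.well-known/acme-challenge/<token> containing the key authorization."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    with open(os.path.join(challenge_dir, token), "w") as fh:
        fh.write(key_authorization)


def serve(webroot):
    """Start the nginx stand-in on an ephemeral loopback port; returns the server."""
    handler = partial(ChallengeHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def validate(base_url, token, expected):
    """The check the CA performs for http-01, which you can also run yourself
    before requesting issuance: GET the token URL and compare the body."""
    try:
        with urllib.request.urlopen(base_url + CHALLENGE_PREFIX + token, timeout=5) as resp:
            body = resp.read().decode()
    except urllib.error.HTTPError as err:
        return (False, f"HTTP {err.code}")
    if body.strip() != expected:
        return (False, "body mismatch")
    return (True, "ok")


def status_of(url):
    """HTTP status for an arbitrary URL on the stand-in (used to show that paths
    outside the challenge prefix are not served)."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Run the three scenarios and return their outcomes keyed by name."""
    webroot = tempfile.mkdtemp(prefix="webrootauth-")
    srv = serve(webroot)
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    token = "constructed-token-abc123"            # constructed, not a real ACME token
    key_auth = token + ".constructed-thumbprint"  # constructed key authorization
    results = {}
    results["missing"] = validate(base, token, key_auth)       # nothing written yet
    write_challenge(webroot, token, key_auth)                  # "certbot" runs
    results["served"] = validate(base, token, key_auth)        # nginx hands it back
    results["wrong_content"] = validate(base, token, "other")  # stale/garbled file
    results["outside_prefix"] = status_of(base + "/.well-known/other")
    srv.shutdown()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The "missing" case is what you see when the alias points at a directory certbot is not actually writing into (for example a mismatch between `--webroot-path` and the `alias` target), and "wrong_content" is what a stale file or a reverse proxy rewriting the body looks like to the CA. Note that the stand-in ignores `Content-Type`; the real validator does too, which is why the `application/jose+json` header in the config above is harmless.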

yuvipanda commented 8 years ago

https://github.com/GUI/lua-resty-auto-ssl is the lua way. It intercepts first request to the configured domain over SSL, and basically 'holds' it while performing a lets encrypt challenge / response thing and caches the cert on disk. It also handles renewals easily, since it is running inside nginx and can do a lot of things automatically :D

I will try out the box soon and provide feedback as well!

On Mon, Sep 19, 2016 at 12:20 PM, Carolyn Van Slyck <notifications@github.com> wrote:

I'm not familiar with the lua way and would be interested in seeing that when you have it working. 😄

The trick to getting renewal to work is that since jupyterhub is running on port 80, you need to tell the let's encrypt client that you want to have nginx handle the challenge request, instead of having the letsencrypt client attempting to listen on port 80.

So when we reissue the cert https://github.com/carolynvs/whaleinabox/blob/master/letsencrypt/reissue.sh these flags are used:

--authenticator webroot \
--webroot-path /etc/letsencrypt/webrootauth/ \

That tells the lets encrypt client to put some magical files on the filesystem for nginx to serve. And our nginx config https://github.com/carolynvs/whaleinabox/blob/master/nginx/default.conf needs to handle the lets encrypt challenge, and return the magical files:

location /.well-known/acme-challenge {
        alias /etc/letsencrypt/webrootauth/.well-known/acme-challenge;
        location ~ /.well-known/acme-challenge/(.*) {
            add_header Content-Type application/jose+json;
        }
}

The rest of the kit just handles wiring up the various containers. If you give the kit a try and have suggestions or feedback, I'd love to hear it!
