Https via Letsencrypt #58

Open
belfhi opened this issue Mar 20, 2024 · 3 comments · May be fixed by #139
belfhi commented Mar 20, 2024

Traefik allows for automatic issuance of TLS certificates from letsencrypt via a few configuration options.
Https should not be optional even in a test setup.

@belfhi belfhi changed the title Https via Letsencrypyt Https via Letsencrypt Mar 20, 2024
@consolethinks
Contributor

This cannot be done with "localhost" addresses (backend.localhost, rabbitmq.localhost, localhost... etc.) because they do not end in valid public TLD suffixes (e.g. .com, .org, .ch), which is a rule established by Letsencrypt.

If we really need TLS on localhost services, we could set up a private certificate authority (CA) and use our own signing keys, while also making sure that the user's browser or OS has the CA added to its database. But this would be very complicated to set up.

For reference, here's the error generated by Letsencrypt:

```
time="2024-04-15T14:48:24Z" level=error msg="Unable to obtain ACME certificate for domains \"backend.localhost\": unable to generate a certificate for the domains [backend.localhost]: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for \"backend.localhost\": Domain name does not end with a valid public suffix (TLD)" rule="Host(`backend.localhost`)" routerName=backend@docker providerName=mainresolver.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
```
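A pre-flight check for the `rejectedIdentifier` error in the comment above, as an added example (not code from this project or from Traefik): it reads Docker labels, finds routers that request a certificate resolver, and reports hostnames a public ACME CA will refuse before any order is sent. The label set is constructed, the function names are hypothetical, and the reserved-TLD set is a small subset of special-use names, not the full public suffix list.

```python
import re

# Special-use TLDs (RFC 2606, RFC 6761, RFC 6762). Assumption: a subset only;
# a name that passes this check can still be rejected by the CA.
RESERVED_TLDS = {"localhost", "local", "test", "example", "invalid"}

HOST_CALL = re.compile(r"\bHost\(([^)]*)\)")      # Host(...) but not HostRegexp(...)
QUOTED = re.compile(r"[`\"]([^`\"]+)[`\"]")       # names in backticks or quotes
CERTRESOLVER_KEY = re.compile(r"traefik\.http\.routers\.([^.]+)\.tls\.certresolver")


def hosts_in_rule(rule):
    """Extract hostnames from every Host(...) matcher in a Traefik router rule."""
    return [name.lower().rstrip(".")
            for args in HOST_CALL.findall(rule)
            for name in QUOTED.findall(args)]


def acme_blocker(name):
    """Return the reason a public ACME CA would refuse `name`, or None."""
    labels = name.split(".")
    if labels[-1] in RESERVED_TLDS:
        return f".{labels[-1]} is a reserved special-use TLD"
    if len(labels) < 2:
        return "single-label name has no public suffix"
    return None


def preflight(labels):
    """Map router name -> [(host, reason)] for routers that set a certresolver."""
    findings = {}
    for key in labels:
        m = CERTRESOLVER_KEY.fullmatch(key)
        if not m:
            continue  # router does not ask for an ACME certificate
        router = m.group(1)
        rule = labels.get(f"traefik.http.routers.{router}.rule", "")
        bad = [(h, why) for h in hosts_in_rule(rule) if (why := acme_blocker(h))]
        if bad:
            findings[router] = bad
    return findings


# Constructed sample labels; backend.example.org stands in for a public name you control.
SAMPLE_LABELS = {
    "traefik.http.routers.backend.rule": "Host(`backend.localhost`)",
    "traefik.http.routers.backend.tls.certresolver": "mainresolver",
    "traefik.http.routers.api.rule": "Host(`backend.example.org`) && PathPrefix(`/v1`)",
    "traefik.http.routers.api.tls.certresolver": "mainresolver",
    "traefik.http.routers.mq.rule": "Host(`rabbitmq.localhost`) || Host(`localhost`)",
    "traefik.http.routers.mq.tls.certresolver": "mainresolver",
}
```

Routers flagged here need either a publicly resolvable name or the private CA route discussed in the comment above.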

@minottic
Contributor

Yes, this won't work with localhost as letsencrypt will be unable to do the callback from its CA to the service. We can brainstorm on this offline, but what I had in mind was mostly a "documentation" improvement, basically what is partially covered here.

@consolethinks
Contributor

Ohh, okay, I have only seen the description of this issue so I wasn't sure if it was really a good idea, but that might make more sense.

Projects
Status: In Progress