[Feature Request] Lets Encrypt SSL #26
Comments
I use Let's Encrypt for just about everything these days. I don't think you want that in your app container though. You want that at the proxy or load balancer level. My favorite these days is this one... https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion (which works with |
Do you happen to run it with docker-compose, with automatic certificate generation? Edit: I found one in examples: |
I don't usually use docker-compose for that because the Let's Encrypt container requires a somewhat longer than normal startup time and the app container would start before the LE container is ready. So...

```sh
# start Nginx proxy
docker run -d -p 80:80 -p 443:443 \
  --name nginx-proxy \
  --restart always \
  -v /opt/certs:/etc/nginx/certs:ro \
  -v /etc/nginx/vhost.d \
  -v /usr/share/nginx/html \
  -v /var/run/docker.sock:/tmp/docker.sock:ro \
  jwilder/nginx-proxy:latest

# start Let's Encrypt helper
docker run -d \
  --restart always \
  -v /opt/certs:/etc/nginx/certs:rw \
  --volumes-from nginx-proxy \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  jrcs/letsencrypt-nginx-proxy-companion:latest
```

Then make sure to hop into the logs for the LE container and watch for it to be done setting up. Once it's ready, you can start your app container with the two required env vars.

```sh
# VIRTUAL_PORT 3000 is the default port for meteor-launchpad
docker run -d \
  -e VIRTUAL_HOST="example.com" \
  -e VIRTUAL_PORT="3000" \
  -e LETSENCRYPT_EMAIL="me@example.com" \
  -e LETSENCRYPT_HOST="example.com" \
  -e ROOT_URL="https://example.com" \
  -e MONGO_URL="mongodb://..." \
  me/myapp:latest
```

You can then hop back into the logs for the LE container and you should see it generate the certs. Assuming your domain name is already pointed at your server, it should work within a few seconds. Renewals will then happen automatically. You could obviously put all of that into a docker-compose.yml file, but you'd have to make sure that things come up in the right order and that the app container doesn't start before the LE container is ready. Note that in my example above, your certs will be persisted to |
But if you really wanted to use docker-compose...

```yaml
nginx-proxy:
  image: jwilder/nginx-proxy:latest
  ports:
    - 80:80
    - 443:443
  restart: always
  volumes:
    - /opt/certs:/etc/nginx/certs:ro
    - /etc/nginx/vhost.d
    - /var/run/docker.sock:/tmp/docker.sock:ro
    - /usr/share/nginx/html
lets-encrypt:
  image: jrcs/letsencrypt-nginx-proxy-companion:latest
  restart: always
  volumes:
    - /opt/certs:/etc/nginx/certs
    - /var/run/docker.sock:/var/run/docker.sock:ro
  volumes_from:
    - nginx-proxy
app:
  image: me/myapp:latest
  restart: always
  environment:
    - VIRTUAL_HOST=example.com
    - VIRTUAL_PORT=3000
    - LETSENCRYPT_EMAIL=me@example.com
    - LETSENCRYPT_HOST=example.com
    - ROOT_URL=https://example.com
    - MONGO_URL=mongodb://...
```

Then just start them one at a time.

```sh
# start nginx
docker-compose up -d nginx-proxy
# start LE helper
docker-compose up -d lets-encrypt
# watch logs and wait to be ready...
docker-compose logs -f lets-encrypt
# start app
docker-compose up -d app
```
|
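The "watch the LE logs, then start the app" step above can be scripted. The script below is an added example, not code from this thread or from the nginx-proxy/companion projects; it assumes the companion writes `<host>.crt` and `<host>.key` into the shared certs directory (`/opt/certs` above), and the directory, host and timeout are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from the nginx-proxy/companion
# projects. Gate the app container on the Let's Encrypt companion having
# written the cert pair nginx-proxy expects for the host. Assumption: the
# companion writes <host>.crt and <host>.key into the shared certs directory
# (/opt/certs in the thread); directory, host and timeout are placeholders.

# wait_for_certs DIR HOST TIMEOUT -> 0 once both files exist and are
# non-empty, 1 if TIMEOUT seconds pass without them (polls once per second).
wait_for_certs() {
  dir=$1; host=$2; timeout=${3:-300}
  waited=0
  while [ "$waited" -lt "$timeout" ]; do
    if [ -s "$dir/$host.crt" ] && [ -s "$dir/$host.key" ]; then
      return 0
    fi
    sleep 1
    waited=$((waited + 1))
  done
  return 1
}

# cert_is_valid_for CERT HOST -> 0 if the cert has not expired and its
# subject/SAN matches HOST; 1 otherwise. Needs openssl on the host.
cert_is_valid_for() {
  cert=$1; host=$2
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null \
    | grep -q "does match"
}

# start_app DIR HOST: only bring up the app service once a usable cert for
# HOST is on disk. Assumes the compose file from the thread is in the cwd.
start_app() {
  dir=$1; host=$2
  if ! wait_for_certs "$dir" "$host" 300; then
    echo "timed out waiting for $dir/$host.crt and $dir/$host.key" >&2
    return 1
  fi
  if ! cert_is_valid_for "$dir/$host.crt" "$host"; then
    echo "$dir/$host.crt is expired or was not issued for $host" >&2
    return 1
  fi
  docker-compose up -d app
}

# usage (after nginx-proxy and lets-encrypt are up): start_app /opt/certs example.com
```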
Is there a way to make meteor-launchpad host on port 80 rather than 3000? |
But if you're running nginx proxy in front of it, that's irrelevant anyway. You run nginx on 80 and set the backend port that nginx should talk to with |
I am trying to make it work with |
You can't have two containers exposing the same port on the same server. |
I know, that's not the problem. If I try the sample app (https://github.com/docker/dockercloud-hello-world) it works fine. If I try my meteor web app, and expose I'd like to use |
I don't know. Sounds like a config issue or your app possibly isn't responding to requests. It's not anything to do with this image though. I and many others use it every day to do the same exact thing you're trying to do. Either way, you shouldn't need to expose port 80 on the app container to make haproxy work. Just point haproxy at 3000. Or use any of the stuff I wrote out above. It works as-is. You can literally copy/paste it and add your own app container details. |
I'm sure it is not So far, it looks like haproxy won't listen on public 80 port, so I'd perhaps need to do something like:
Which is why I asked if I tried setting haproxy I have literally no clue of what I'm doing, sorry if I'm bugging you with too many questions. |
Ok, I've given up on haproxy, and decided to try

```
503 Service Temporarily Unavailable
nginx/1.11.3
```

My docker config:

```yaml
lets-encrypt:
  image: 'jrcs/letsencrypt-nginx-proxy-companion:latest'
  restart: always
  tags:
    - steemsports
  volumes:
    - '/opt/certs:/etc/nginx/certs'
    - '/var/run/docker.sock:/var/run/docker.sock:ro'
  volumes_from:
    - nginx-proxy
nginx-proxy:
  image: 'jwilder/nginx-proxy:latest'
  ports:
    - '80:80'
    - '443:443'
  restart: always
  tags:
    - steemsports
  volumes:
    - '/opt/certs:/etc/nginx/certs:ro'
    - /etc/nginx/vhost.d
    - '/var/run/docker.sock:/tmp/docker.sock:ro'
    - /usr/share/nginx/html
web:
  autoredeploy: true
  environment:
    - LETSENCRYPT_EMAIL=hidden
    - LETSENCRYPT_HOST=preview.steemsports.com
    - 'MONGO_URL=hidden'
    - 'ROOT_URL=https://preview.steemsports.com/'
    - VIRTUAL_HOST=preview.steemsports.com
    - VIRTUAL_PORT=3000
  image: 'furion/steemsports-web:latest'
  restart: always
  tags:
    - steemsports
```

I've started LE output:
|
Sounds like a problem with your app - which I don't have access to. |
Isn't that always how it is? :) Glad to hear it's working. |
Just for kicks, I got it to work on haproxy as well (on port 3000). The trick is to set
|
I have run into this same issue. I'm curious why a misconfiguration in cloudflare would cause the container to not think the directories are mounted. I use cloudflare but only for dns. I don't route any ssl/traffic through them. I can log into the container and navigate to the directories that it says aren't mounted. Any insight on this? |
Are there any plans to add Let's Encrypt SSL support as an option to deployment?
I think this would be a killer feature.
If not, do you happen to know any good ways to set up nginx or another reverse proxy in combination with meteor-launchpad?