
Consider generating letsencrypt certificates instead of self-signed certificates? #78

Closed
cboettig opened this issue Dec 9, 2015 · 11 comments


@cboettig cboettig commented Dec 9, 2015

See:

(apologies if this issue should go to one of the upstream Jupyter repos rather than here in docker-stacks, not sure at what level in the stack this part is being handled).

Member

@parente parente commented Dec 10, 2015

I think this idea is better suited to a recipe of how to run letsencrypt (in a container or not) to generate a key+cert that can then be mounted by the notebook container. Mixing it into the minimal-notebook container image feels like a violation of separation of concerns.

What do others think?


@ellisonbg ellisonbg commented Dec 10, 2015

I am using letsencrypt now, but it does require a fqdn/dns setup. I can imagine many usages of the docker images where that won't be the case.

On Wed, Dec 9, 2015 at 6:10 PM, Peter Parente notifications@github.com wrote:

> I think this idea is better suited to a recipe https://github.com/jupyter/docker-stacks/wiki/Docker-Recipes of how to run letsencrypt (in a container or not) to generate a key+cert that can then be mounted by the notebook container. Mixing it into the minimal-notebook container image feels like a violation of separation of concerns.
>
> What do others think?



Brian E. Granger
Associate Professor of Physics and Data Science
Cal Poly State University, San Luis Obispo
@ellisonbg on Twitter and GitHub
bgranger@calpoly.edu and ellisonbg@gmail.com

Member

@parente parente commented Dec 11, 2015

Definitely only works for FQDN. Still, I think we can doc how to do it and make it a bit easier to configure. I'm looking at adding some simple automation into PR #80.

Author

@cboettig cboettig commented Dec 11, 2015

Hmm, was just introduced to https://caddyserver.com as an alternative to nginx. Does https via letsencrypt right out of the box with no config. Pretty slick.

Member

@parente parente commented Dec 11, 2015

PR #80 now has an example recipe for doing the LE certificate request and configuring the Jupyter tornado server to use the key and full-chain cert.

  • Pro: only one container: the docker-stack.
  • Con: not nearly as slick or secure as other solutions (RC4 anyone?)

I was pleasantly surprised that it was entirely doable without any changes to the current docker-stacks images.

Member

@parente parente commented Dec 29, 2015

The examples/make-deploy folder now has a makefile showing the full workflow for:

  • requesting a first cert for a fqdn from lets encrypt
  • writing the cert and key to a docker volume
  • mounting that volume where the certificate and key can be used by jupyter notebook
  • renewing the certificate using cron

The README walks through the commands if someone wants to use the Makefile directly. If not, the letsencrypt.makefile serves as documentation of the commands that need to be run.

Of course, there's more than one way to skin this cat. We can add more into that examples folder or the wiki over time.

Member

@parente parente commented Jan 12, 2016

I added a pointer to the make-deploy in the recipes wiki: https://github.com/jupyter/docker-stacks/wiki/Docker-Recipes#lets-encrypt-a-notebook-server

@cboettig If you do wind up using caddyserver successfully, please do doc it on the wiki. I think we can close this issue, however, since switching to Let's Encrypt in place of self-signed certs by default is pretty much off the table since they require a FQDN and quite a few additional params. Agreed?

Author

@cboettig cboettig commented Jan 12, 2016

@parente agreed. Closing this.

For the record, I did fix my nginx config, so that's working nicely using my LE credentials.

No luck on my caddy config unfortunately. Gets very close, everything seems to work, says kernel is connected, but then Notebook cell just hangs forever without evaluating anything or throwing an error to the log. Very weird.

@cboettig cboettig closed this Jan 12, 2016

@sirgogo sirgogo commented Jun 27, 2016

Did you ever figure this out? I'm running jupyter with no-ssl behind a router, but using caddy to forward requests.

The page loads fine, but no terminal ever shows up, and cells don't execute (I think it cannot connect to the python kernel). Any advice?

Member

@minrk minrk commented Jun 27, 2016

@sirgogo that generally means that websocket connections aren't working. You will need to make sure the proxy config is properly relaying websocket connections.
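
The websocket relaying described in the comment above, sketched as an nginx reverse proxy that terminates TLS with a Let's Encrypt certificate in front of a plain-HTTP notebook server. This is an added example, not configuration posted by anyone in this thread; the host name `notebook.example.org`, the upstream `127.0.0.1:8888` and the certificate paths are assumed placeholders.

```nginx
# Added example. Assumptions (not from the thread): host name, upstream
# address and certificate paths below are placeholders.

# Send "Connection: upgrade" upstream only when the client asked to upgrade;
# ordinary HTTP requests get "Connection: close".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name notebook.example.org;

    # Full-chain certificate and private key, mounted or copied from
    # wherever the Let's Encrypt client wrote them.
    ssl_certificate     /etc/letsencrypt/live/notebook.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/notebook.example.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8888;

        # Websocket upgrades need HTTP/1.1 to the upstream; nginx speaks
        # HTTP/1.0 to upstreams by default.
        proxy_http_version 1.1;

        # Upgrade and Connection are hop-by-hop headers and are not
        # forwarded unless set explicitly. Without these two lines the
        # page loads but kernel and terminal channels never connect.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Keep the original Host so the notebook server's websocket
        # origin check sees the name the browser used.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Kernel channels are long-lived and can sit idle; the default
        # 60s read timeout would drop them.
        proxy_read_timeout 86400;
    }
}
```

Running `nginx -t` after editing validates the syntax before a reload.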

Author

@cboettig cboettig commented Jun 27, 2016

@sirgogo I never got it working. @minrk I did play with the websockets configuration for Caddy; e.g. like so: https://gist.github.com/cboettig/18e1becaa8974139adff

rochaporto pushed a commit to rochaporto/docker-stacks that referenced this issue Jan 23, 2019
check state field in oauth callback