ocis_wopi with embedded certificates - certificates get recreated on each compose up #9224

Closed
mmattel opened this issue May 21, 2024 · 6 comments

Comments

@mmattel
Contributor

mmattel commented May 21, 2024

When the ocis_wopi deployment example is started with docker compose up, self signed certificates are created if no internet is available.

But when getting the example down and restarting it with up, the certificates are recreated.
This makes any formerly accepted certificates for *.owncloud.test useless and you must manually re-accept all certificates of the test-domain in the browser. This is bad for the easy entry docs.

Could the example be adapted in a way that if self signed certificates have been created, they do not get recreated on each startup?

@wkloucek do you have an idea?
@tbsbdr @micbar

@mmattel
Contributor Author

mmattel commented May 21, 2024

After a discussion with @dragonchaser, the current behaviour is maybe intended (to be discussed) and as an alternative, we could add manually created self signed certificates.

Q: With the current example, are LE certificates reused from the traefik volume defined or re-downloaded from LE post startup?

@wkloucek
Contributor

Without manual intervention there are no LetsEncrypt certificates at all. example@example.org is not an email you could get certificates for. (Please check the logs, those should state this)

I'm not sure if it is possible to stop Traefik from generating self signed certificates over and over again. Please note that this is only happening for self signed certificates, not when LetsEncrypt is involved.

@mmattel
Contributor Author

mmattel commented May 21, 2024

@mmattel
Contributor Author

mmattel commented May 22, 2024

With a lot of searching, I have found a potential solution.

The way to go is to define own self signed certificates, where you need to tell traefik which certificates to use. As reference to derive from, we can take docker compose with traefik and certs.

Any additional configuration needed for self signed certs could be made in an extra compose file that gets defined in .env via COMPOSE_FILE like we do with monitoring. That would not interfere with the current example and is easy to be documented. Also see Merge Compose files.
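
One way to do what the comment above proposes, as an added example that is not from this thread or the oCIS repository: generate the self-signed certificate for *.owncloud.test once, reuse it on later runs, and write the Traefik file-provider configuration that points at it. The script name `make-certs.sh`, the `./certs` directory and the `/certs` mount path are assumptions.

```sh
#!/bin/sh
# Added example, not part of the oCIS repository. Creates a self-signed
# wildcard certificate once and keeps it across "docker compose down/up".
set -eu

# ensure_cert DIR DOMAIN
# Generates DIR/DOMAIN.crt and DIR/DOMAIN.key only when they are missing or
# the certificate expires within a day; otherwise leaves them untouched.
ensure_cert() (
  crt="$1/$2.crt"; key="$1/$2.key"
  mkdir -p "$1"
  if [ -s "$crt" ] && [ -s "$key" ] &&
     openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null 2>&1; then
    exit 0   # still valid: reuse it, so the browser trust decision survives
  fi
  umask 077  # the private key must not be group or world readable
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$key" -out "$crt" -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2,DNS:*.$2" 2>/dev/null
  chmod 644 "$crt"
)

# cert_fingerprint FILE
# Prints the SHA-256 fingerprint, to compare with what the browser shows.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# write_traefik_tls_config DIR DOMAIN MOUNT
# Writes DIR/tls.yml, a Traefik file-provider (dynamic) configuration that
# references the certificate as seen inside the container under MOUNT.
write_traefik_tls_config() {
  cat > "$1/tls.yml" <<EOF
tls:
  certificates:
    - certFile: $3/$2.crt
      keyFile: $3/$2.key
EOF
}

# Usage: ./make-certs.sh ./certs owncloud.test
# Assumed wiring in the extra compose file: mount ./certs at /certs in the
# Traefik service and add --providers.file.filename=/certs/tls.yml.
if [ "$#" -ge 2 ]; then
  ensure_cert "$1" "$2"
  write_traefik_tls_config "$1" "$2" /certs
  cert_fingerprint "$1/$2.crt"
fi
```

Because the files live on the host and are only regenerated when missing or about to expire, the fingerprint stays the same across restarts and the certificate has to be accepted in the browser only once.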

@dragonchaser
Member

@mmattel Yes they can be stored but not as you might expect it. If you run multi-node traefik installations, you can use a persistent volume to share these certs between the nodes. But if you restart/upgrade the traefik-deployment it will still regenerate the certs. This is expected/intended behaviour with traefik and lets encrypt. For any other use-case you can configure traefik with your own bought certs or your own toolchain. But this is not a use-case for the example deployment and IMHO not relevant.

@dragonchaser
Member

Out of scope, Letsencrypt is the farthest we will document for the entry-level documentation.
