Is there a way of sharing Traefik-generated SSL with containers? #13

Closed
opened 2020-09-13 16:50:10 +00:00 by 3wordchant · 3 comments
Owner

CoTURN (for `matrix-synapse`) and SimpleSAML (for `mediawiki`) both want access to SSL certificates and keys - I could set up a separate LetsEncrypt container in both and do some elaborate routing dance to generate them, but I'm wondering if there's a way to make the Traefik-generated ones available to the containers? Tried some web searchin' but no dice so far.
Author
Owner

Turns out SimpleSAML just needs self-signed certs generated using `openssl` (and now [included, possibly incorrectly, in the `simplesaml` custom entrypoint script](https://git.autonomic.zone/compose-stacks/mediawiki/src/branch/simplesaml/entrypoint.simplesaml.sh.tmpl#L29)).

For CoTURN, I managed to get some initial certificates for testing by installing `certbot` on the host, stopping Docker, running `certbot certonly -d turn...`, then restarting Docker. It looks like setting up a separate container to run `acme-sh` shouldn't be too annoying though: https://github.com/b-venter/Matrix-Docker-install#9-adding-a-standalone-acme-for-non-http-certificates
3wordchant added the `question` label 2020-09-24 23:14:23 +00:00
Author
Owner

https://github.com/ldez/traefik-certs-dumper

```yaml
  certdumper:
    image: ldez/traefik-certs-dumper:v2.5.4
    command: "file --watch --domain-subdir=true --version v2"
    volumes:
      - /opt/docker.swarm/traefik/acme.json:/acme.json:ro
      - certs:/dump
    deploy:
      replicas: 1
```

.. and then I guess we can mount the `certs` volume into other services and give them access. Sweet!

Example from Mailcow: https://mailcow.github.io/mailcow-dockerized-docs/firststeps-rp/
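An added example (not from this thread and not traefik-certs-dumper's own code) of what the dump step above does: parse Traefik's v2 `acme.json`, base64-decode each certificate and key, and write them into a per-domain subdirectory with the private key created at mode 0600, so a service that mounts the `certs` volume gets PEM files rather than the whole `acme.json` (which also holds the ACME account key). The sample JSON is constructed with placeholder PEM text; the field names follow Traefik's v2 `acme.json` layout, and the output file names are this example's choice.

```python
import base64
import json
import os
import tempfile
from pathlib import Path

# Constructed sample in Traefik v2 acme.json layout; PEM bodies are placeholders, not real key material.
def _b64(pem: bytes) -> str:
    return base64.b64encode(pem).decode()

SAMPLE_ACME_JSON = json.dumps({
    "letsencrypt": {
        "Certificates": [{
            "domain": {"main": "turn.example.invalid", "sans": ["matrix.example.invalid"]},
            "certificate": _b64(b"-----BEGIN CERTIFICATE-----\nDUMMY\n-----END CERTIFICATE-----\n"),
            "key": _b64(b"-----BEGIN RSA PRIVATE KEY-----\nDUMMY\n-----END RSA PRIVATE KEY-----\n"),
        }],
    }
})

def dump_certs(acme_json_text: str, dump_dir: Path) -> list:
    """Write each cert's PEM pair under <dump_dir>/<main domain>/; return the domains written."""
    written = []
    for store in json.loads(acme_json_text).values():      # one entry per certificate resolver
        for cert in store.get("Certificates") or []:
            main = cert["domain"]["main"]
            # Refuse names that could escape dump_dir when used as a path component.
            if not main or "/" in main or main.startswith("."):
                raise ValueError(f"refusing suspicious domain name {main!r}")
            target = dump_dir / main.replace("*", "_")      # wildcard certs get a safe dir name
            target.mkdir(parents=True, exist_ok=True)
            (target / "certificate.crt").write_bytes(base64.b64decode(cert["certificate"]))
            key_path = target / "privatekey.key"
            # Create the key file with 0600 from the start: no window where it is group/world readable.
            fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, "wb") as f:
                f.write(base64.b64decode(cert["key"]))
            os.chmod(key_path, 0o600)   # O_CREAT mode is ignored if the file already existed
            written.append(main)
    return written

def demo() -> dict:
    """Run dump_certs on the constructed sample in a temp dir and report the result."""
    with tempfile.TemporaryDirectory() as tmp:
        domains = dump_certs(SAMPLE_ACME_JSON, Path(tmp))
        key_path = Path(tmp) / "turn.example.invalid" / "privatekey.key"
        return {"domains": domains,
                "key_mode": oct(key_path.stat().st_mode & 0o777),
                "key_is_pem": key_path.read_bytes().startswith(b"-----BEGIN")}
```

Mounting the resulting directory read-only into CoTURN (or any other service) gives it only the certificate and key it needs, which is the point of dumping rather than mounting `acme.json` itself.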
Author
Owner
https://git.autonomic.zone/coop-cloud/mailu/src/branch/main/compose.yml#L155-L177
Reference: coop-cloud/organising#13