New certbot setup #23
Reference: kosmos/chef#23
No description provided.
I have also switched back to the nginx cookbook. We were still using the deprecated chef_nginx fork; the official cookbook is nginx again.
Let's merge this one, then I can add the Let's Encrypt setup to the ejabberd PR. I have already executed this on andromeda, and created the initial cert for the kosmos.org cert manually with it. On the automated renewal (done by the systemd timer set up by the package) the cert will be concatenated and the permissions set, and the ejabberd service will be reloaded using the `ejabberdctl reload_config` command after a successful deploy (`/etc/letsencrypt/renewal-hooks/deploy/ejabberd` on andromeda, coming up in the ejabberd PR once this is merged).

For an example of a nginx vhost, see `site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb`.

Refs #1
I found a few issues with this:
Resolved:
Open:
changed title from "New certbot setup" to "WIP: New certbot setup"

Thanks for the review, I'm going to create a resource to remove the duplication and take care of the questions about ports too
Re: opening up port 5444 for IPFS, it's what Kredits is using to connect to ipfs-cluster
Kredits is not supposed to connect to ipfs-cluster. It is supposed to only connect to ipfs via the nginx proxy site, and only via the methods/URLs exposed in that.
Yes, that's exactly what this is, through the nginx vhost that exposes only selected URLs to port 5444. It's connecting to ipfs-cluster instead of ipfs so the pins are done on the cluster
Ah, I see. That makes sense then. But it's not clear from the code really, as proven by my confusion.
17f1b2a20a is very cool! So much cleaner now. 👏 What's the WIP task that's left?
changed title from "WIP: New certbot setup" to "New certbot setup"

I think this is good to go, I forgot to remove the WIP tag
Did you run this against one or more servers already? Code lgtm.
I successfully ran it against andromeda, but it only had one vhost. dev is where all the vhosts are right now; once I run it there I think we can merge this.
changed title from "New certbot setup" to "WIP: New certbot setup"

If it's not safe to merge right now, then it's still WIP. I added the tag back to the title.
changed title from "WIP: New certbot setup" to "New certbot setup"

I ran it successfully on dev. I edited `/etc/letsencrypt/renewal/wiki.kosmos.org.conf`, `/etc/letsencrypt/renewal/sockethub.kosmos.org.conf`, and `/etc/letsencrypt/renewal/kosmos.social.conf` manually to change the root directory to the new one (now standardized to `/var/www/#{domain.ltd}`).

I also had to install certbot without using the PPA on 15.04 (5fa0fa6).

Good. Please don't forget to add kredits labels before merging pull requests.