-
Notifications
You must be signed in to change notification settings - Fork 825
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for default certificates signed by Let's Encrypt #1062
Comments
This is creating huge issues with things like Bugcrowd's VDP program. They scan services and when a container is down, the error is served with the self-signed certificate. DEFAULT_HOST does not currently work because the certificate would correspond to DEFAULT_HOST and not to VIRTUAL_HOST (or LETSENCRYPT_HOST). I tried to do something like this but it doesn't solve the issue: nginx-proxy docker compose version: '3'
services:
nginx-proxy:
image: nginxproxy/nginx-proxy
container_name: nginx-proxy
ports:
- "80:80"
- "443:443"
volumes:
- conf:/etc/nginx/conf.d
- vhost:/etc/nginx/vhost.d
- html:/usr/share/nginx/html
- certs:/etc/nginx/certs:ro
- /var/run/docker.sock:/tmp/docker.sock:ro
restart: always
environment:
DEFAULT_HOST: mydomain.com
networks:
- webproxy
acme-companion:
image: nginxproxy/acme-companion
container_name: nginx-proxy-acme
environment:
- DEFAULT_EMAIL=xxxx
volumes_from:
- nginx-proxy
restart: always
volumes:
- certs:/etc/nginx/certs:rw
- acme:/etc/acme.sh
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- webproxy
volumes:
conf:
vhost:
html:
certs:
acme:
networks:
webproxy:
name: webproxy
external: true default host docker compose version: "3.8"
services:
forbidden:
image: nginx:alpine
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf:ro
networks:
- webproxy
environment:
VIRTUAL_HOST: mydomain.com
VIRTUAL_PORT: 80
LETSENCRYPT_HOST: mydomain.com,app1.mydomain.com,app2.mydomain.com
LETSENCRYPT_SINGLE_DOMAIN_CERTS: true
LETSENCRYPT_EMAIL: xxxxx
networks:
webproxy:
name: webproxy
external: true nginx.conf events {
worker_connections 1024;
}
http {
server {
listen 80;
server_name app1.mydomain.com;
root /usr/share/nginx/html;
index index.html;
location / {
return 403 "Forbidden";
}
}
} The idea was that if app1 stack is down, then the request fall backs to DEFAULT_HOST (mydomain.com) and is served with a certificate that would work with app1.mydomain.com. Any ideas? |
@pini-gh I'd like you advice on this. I feel like the creation of a default certificate by acme-companion might have been a mistake caused by my misunderstanding of the ACME RFC at the time, ie thinking that ACME HTTP challenge validation can in some case be attempted over HTTPS first, which is not true. With this in mind I'm not certain that the creation of a default self signed certificate for nginx-proxy is really desirable, as it appears to me to do little more than favor certificate errors by default. Aside from the "should we automatically create a self signed default certificate" question, I think this issue should be easier and/or make more sense to fix on nginx-proxy's end, with something like a |
About the OP's question I think the @vialcollet's approach is correct. It should work after removing @buchdag I agree on the first part of your post. But I fail to see how a new variable |
The idea was to provide user a way to designate to nginx-proxy a "real" certificate created and handled by acme-companion to use as a default certificate, because it seemed easier to do something like this on nginx-proxy's template (very basic and incomplete example just so you can get the idea) :
This should implement the feature asked by @Exagone313 |
Indeed. Thanks for the details. EDIT Wouldn't it make sense to use the |
Agreed, I consider this to be an "easy" fix to those default cert issues more than a long term, scalable solution.
That's what crossed my mind too, I'll look into it. |
Hello,
Currently, acme-companion generates a self-signed certificate in
/etc/nginx/certs/default.crt
(CN=letsencrypt-nginx-proxy-companion
). This certificate is used when a certificate is missing, e.g. when a container is down.It should be possible to use a default certificate that is valid and signed by Let's Encrypt, once it is created by acme-companion.
A possible implementation is to follow standalone certificate creation steps to handle the
default
identifier in a special manner so that symbolic links are created to pointdefault.crt
(anddefault.key
) to the appropriate standalone certificate.Relates to #1061
The text was updated successfully, but these errors were encountered: