-
Notifications
You must be signed in to change notification settings - Fork 822
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: standalone certs with LETSENCRYPT_HOST #1128
base: main
Are you sure you want to change the base?
Conversation
This commit enables the creation of standalone certificates using the environment variable `LETSENCRYPT_HOST` without using `VIRTUAL_HOST`.
This comment was marked as outdated.
This comment was marked as outdated.
The intent is to create standalone certificates with
Without this change we have to use the file |
@pini-gh while I do get the idea and the easier / more user friendly approach, I'm not at ease with the shift in project scope that change would introduce by removing the clear separation between the original scope of the project (obtaining ACME SSL certificate for containers proxied by nginx-proxy) and a secondary feature added by request (obtaining SSL certificate not tied to specific containers or containers proxied by nginx-proxy, ie standalone certificate). |
I fail to see it as a shift because the feature exists already with For a web app you often need to glue a few containers together into a docker-compose file. Some of them with no HTTP may need certificates as well (SMTP, IMAP, LDAP, ...). When looking at the related docker-compose file it's weird that one container can have its certificate with |
If we set aside the project scope discussion which is kinda debatable, I'm not opposed to this in theory as it make sense and would be a nice usability improvement. What concern me with the concrete implementation is the fact that now every certificate we request trigger this function: function add_standalone_configuration {
local domain="${1:?}"
if grep -q "server_name ${domain};" /etc/nginx/conf.d/*.conf; then
# If the domain is already present in nginx's conf, use the location configuration.
if parse_true "${ACME_HTTP_CHALLENGE_LOCATION:=false}"; then
add_location_configuration "$domain"
fi
else
# Else use the standalone configuration.
cat > "/etc/nginx/conf.d/standalone-cert-$domain.conf" << EOF
server {
server_name $domain;
listen 80;
access_log /var/log/nginx/access.log vhost;
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files \$uri =404;
break;
}
}
EOF
fi
} Doesn't that mean that everyone who runs acme-companion without sharing the grep: /etc/nginx/conf.d/*.conf: No such file or directory
bash: /etc/nginx/conf.d/standalone-cert-test.domain.tld.conf: No such file or directory Additionally when I originally wrote this code I was okay with "if we grep the domain in the rendered nginx conf generate a I think it might be possible to identify which |
Your concerns about the implementation are valid. The current status of this PR is POC and it needs some work. |
That's a yes then, let me know if you need help to refine this. |
This commit enables the creation of standalone certificates using the environment variable
LETSENCRYPT_HOST
without usingVIRTUAL_HOST
.@buchdag would you be open to such an idea?