-
-
Notifications
You must be signed in to change notification settings - Fork 502
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DietPi-LetsEncrypt | Support multiple domains #1622
Comments
@LexiconCode
As we use the entered domain as well for webserver configuration, we would need to introduce an additional field for domain with wildcard (used for certbot -d ...) and the concrete subdomain, that shell be used for the webserver. |
Wouldn't it be lighter to use acme.sh instead of certbot? Acme.sh supports wildcard certificates generation. |
@pedrom34 But definitely worth trying and maybe it works even better than certbot? The problem with certbot so far is, that we use it in different versions, APT packages for Stretch and above and github master on Jessie, as there is no APT package available. But cert renewal and some other stuff is again not done without APT package. This also leads to some regular work... |
@MichaIng |
it's well known that debian prefer stability over new features and therefor everything is outdated. let's encrypt and certbot have inplemented wildcard support via ACME2v in the version 0.22.0 Debian now ship 0.28.0 && 0.31.0 So I think this issue is outdated for certbot. |
@FredericGuilbault Furthermore of course Certbot needs to verify that the domains indeed belongs to you, which is with the default authentication methods simply done by Certbot placing a file into your webserver dir and LetsEncrypt servers trying to access those files via the domains you added. |
I degraded this request to add multiple domains only, not wildcard domains. The letter means DNS authentication method, which means additional modules and custom methods/steps to follow. That can be better done manually, even from an external system, since 90% needs to be done manually anyway. I switched my private server and dietpi.com over to acme.sh already and dietpi-letsencrypt will have the cert generation and webserver implementation clearly separated so that any client can be used manually as well and our script will implement any given/chosen cert or allow to create one via known clients (acme.sh and certbot for now). Multiple domains is a quite simple request. The clients take a comma-separated list and simply check all the same way. Thanks to @Ruben-VV an initial support for Lighttpd is there: #3728 |
It's unfortunate to see this getting pushed out. I run a personal server w/ Nginx + Nextcloud + Gitea + PiHole (and some static sites), and this appears to be the final hurdle to switch the whole thing over to a repurposed 2009 Mac Mini which is now running DietPi. With all that and Samba + BTRFS support out of the box, DietPi really comes as close to a dream home-setup as I've ever gotten ... P.S. FWIW - I can help test multi-domain certs, if that's of any use. P.P.S. Another option would be to support the Caddy webserver, which fully automates HTTPS & LetsEncrypt use. |
You'll get most flexibility by using DNS authentication. Depending on the DNS provider you might find a Certbot DNS plugin that will basically guide you through the required steps: https://certbot.eff.org/docs/using.html#dns-plugins
then follow the related guide above (differs with each DNS provider). But the above is a bid difficult to put inside a script due to those differences, multi domains (without wildcard) is much easier for that, so yeah I'll likely find time with next release and let you know when it's ready for testing. Caddy is indeed an interesting web server. The problem with web servers is, that it basically requires to add support to all web applications as well, so installing the web server is easy to do and to implement but add configurations for 10 - 20 applications is the hard part. Probably it can be done in waves across multiple DietPi versions 🙂. |
Thx, my DNS provider is not in the certbot list alas (united-domains). I've been using Caddy for a few years (v2 since a few months), only switched to nginx because it was the next best option in DietPi. I probably know nothing about most of the 10-20 affected apps in DietPi, but would be delighted to help out on at least the apps I mentioned. Not sure how to start on this kind of work though - shall I just start browsing and hacking on some of the |
Here's a (the file can be split up in pieces by using the import directive) P.S. You probably also need to set the |
Don't know if this is related here but when I ran dietpi-letsencrypt it only recognized the |
You know that Caddy does HTTPS and LetsEncrypt by default, and on its own, right? IOW, it does not use/need certbot. |
Ah indeed, I forgot about that even that I read it not too long ago 😄. I have ideas to implement HTTPS automatically for all webservers, by allowing users to enter (via |
Well, I don't want to hijack this valid issue and turn it into a "let's caddy" discussion, but after several years of use, here's how I tend to do things: all my domains are set up in Caddy, which then handles the static sites for me. For all other sites, I use Caddy as reverse proxy, and set up the servers as plain HTTP on port other than 80 (since Caddy already occupies 80, and has to, to be able to automate Let's Encrypt). Given that adding a new domain/server to the Caddy config file is just a few lines, I really don't have a use for any other setup anymore - anything that wants to serve, can serve, as long as it can be configured as HTTP on some non-80 local port. Even within DietPi, I think this approach could have merit for other services that are activated. I've cut back massively on the number of domains I manage, all I can say is that the above has made HTTPS and Let's Encrypt a no-brainer. Even for quick temporary test (sub-) domains. If DietPi were to gain support for this approach, I'd switch to it as my front-end. FWIW. YMMV. |
sounds like an alternative to Nginx Proxy Manager https://nginxproxymanager.com/ |
Interesting, thanks for the pointer - but it's not quite the same in terms of deployment: "Install Docker and Docker-Compose". Caddy is a single executable. |
it's true that it require more supporting software like Docker and Docker-Compose. While Docker is already available, Docker-Compose will follow shortly on DietPi. It might be easier for some folks to use a GUI instead going down on command line. But that's again a different discussion about personal preferences 😜 |
Isn't that Docker container just a wrapper/frontend around a simple Nginx proxy? I mean every webserver can do simple proxy tasks, Nginx by nature with less effort and less resources than Apache2, as it is build from ground up as a proxy, Lighttpd might do well similarly. But at least performance/memory/simplicity-wise it only makes sense when running multiple websites/webservers on multiple machines, or if a web application that runs via internal webserver on a different port, needs to be available via 80/443 for convenience or to pass the firewall. So my current opinion is to not use proxies on a regular basis to enable HTTPS via our scripts, but use a dedicated ACME client and make the issued cert/key available for each application. That also assures encryption and server authentication on every connection level and it allows us full control over e.g. key type (RSA/ECC), size OCSP and such. Caddy would then be a special case where, when installed and bound to port 80, But the more I read about Caddy (currently doing) to more I like to test it with certain web applications. Curious about relevant features like access control, headers, redirects, rewrites and such things, also how it performs when serving dynamic content via PHP-FPM. |
Nope it's more. It's a stack out of 2 container. One running Nginx + web application while the other is a database container. As well it's doing more than SSL handling (host management, certificate handling, access control, redirects, TCP/UDP traffic stream handling, 404 host definition) and it is multi-user capable. Probably oversized for simple certificate handling. 🤣 |
I tested https://nginxproxymanager.com/ on a VM and it is great, but it doesnt run on my Rpi 2. It gives a bad gateway error. There are several issues open about that |
you need to use a different database than the one stated on install instructions. Docker is downloading incorrect architecture. I'm using Portainer to deploy following stack
|
Tried that too but didn't work. Will give it a try again. |
did you use Portainer? It is good to get some inside into the container. I had the experience that the database was the issue, usually resulting into the application container to fail. Will do a test on my RPi1 @MichaIng are you ok we continue on this topic or should we move into a new issue?? |
Being the person responsible for I suspect that there are numerous trade-offs to deal with all this in DietPi. |
What exactly does it store in the database 🤔. So when installing this to run lets say Nextcloud, you end up running two MariaDB servers. That is why I don't like containers for embedded devices/SBCs 😄.
Indeed, also all the features are basic webserver features, of course which needs config file adjustments, ah aside of issuing TLS certificates of course. Yeah, the problem with such is always, either it runs, and can be easily configured the way you need it, then it makes things easier (aside of the resource overhead), or it does not, and then you need to understand the depth of it, not only the container, but probably the underlying software as well (MariaDB, Nginx, the ACME client), how they are invoked, deal with bugs of the container additionally with those of the underlying software, which are probably fixed upstream already. On the other hand, with Debian packages it's sometimes similar, if they ship with a too specific setup away from upstream. And then we come and put another layer on top (
I'm fine with some ideas/discussion here as the actual step that closes this feature request stands already: Allow to define multiple domains, comma-separated, with the main domain first (that shall be applied as server name), and pass that to Certbot. Implementing/switching to acme.sh, standalone issuing, Caddy implementation, a new script for applying HTTPS directly to other web applications (not running port port 80/443), is a different topic. |
not necessarily. I successfully tested MariaDB installed directly on DietPi host. Now I have application container running on Docker only, while using MariaDB outside the container/Docker.
there you go
|
I didn't use portainer but I used version 3, maybe that was the issue. Don't have to my rpi right now cause they shutdown it down at work. will check it on Monday How do you install |
Yes, I used This will pull pre-compiled modules from piwheels.org and you don't need to compile it on your RPi1 But looks like NPM apps container is not starting correctly on |
neither does it on my RPi2 |
you can have a look to your container log. Just go to the directory you stored the compose file
|
I used your Thank you very much !! PS: If you have any insides on how to run it on the |
PR up, to allow this for all webserver + OCSP stapling switch + standalone certificate without a webserver installed: #4220 |
Let's Encrypt now supports wildcard certificates this would be the preferred way to integrate into the diet pi platform and simplify Web servers.
The text was updated successfully, but these errors were encountered: