-
Notifications
You must be signed in to change notification settings - Fork 824
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Switch to acme.sh #510
Comments
It's the former: contact address(es) are properties of the ACME account resource. There's no way specified in the protocol draft to set a contact address for a specific order, authorization, or issuance. Any updates to the contact information would be handled as an account update. Hope that helps! |
In the current
|
@cpu yes that was helpful, thanks ! 😃 |
@cpu if you have 5~10 minutes to spare, would you happen to have an advice on the 4th point above ? |
@buchdag I agree its probably not worth the trouble of migrating existing account keys. It might be more important one day when acme-caa is enabled in production and users could have |
That is what I wanted to talk about previously. Generally I agree with all design decisions, but I will investigate closer at a latter time.
If I remember my digging correctly, |
I'm brand new to this project, but I'd be interested in helping out, if you're still looking for help. |
Hi @buchdag, I've tried the 'acme.sh' branch of your fork with some succes after rebasing it on v1.12.1 plus these changes :
Any chance to have your branch rebased as well so anyone working on it could submit pull requests? Thanks, _g. |
@pini-gh Also it has a publish docker image: |
@Neilpang |
I now have a working configuration with DNS mode enabled. It needs polishing and corner cases testing, but it does work for basic usage. |
@pini-gh I have testing your fork in dns_ali mode. My nginx-proxy compainon's configuration is:
It is working with my nginx-proxy with VIRTUAL_UPSTREAM support. And I add https://github.com/ccpaging/docker-letsencrypt-nginx-proxy-companion Can I make a pull request to your fork? |
I've had a look at your commit. As I understand it it brings two changes:
I'm not fond of the former as it brings nothing new to the end user. For the latter no need to add yet another script. I would consider a patch using a Docker build arg to override the default tree-ish to checkout. |
Yes. Accessing github.com may be slower and unstable sometime or somewhere. This companion should have Dockfile.alpine just like nginx-proxy. It is not urgent. |
@pini-gh sorry for the lack of answer, been busy on other stuff for a while. A rebased @ccpaging going back to fetching Installing
The companion is already based on Alpine. |
The rebased @pini-gh your design decisions seems pretty sensible to me and I'd like to merge them to the branch but the DNS stuff will have to wait just a little. Would it be ok to you if I committed those changes to the branch with you as the author ? |
@buchdag please do, and let me know when it's done so I could rebase my work on your branch. |
@buchdag I've just setup branch acme.sh-pini on top of your current acme.sh branch. This should ease cherry-picking from there. |
Many thanks ! If possible, could you rework fca180c a bit so that I could directly cherry pick it ?
if [[ ${DEBUG:-} == true ]]; then
DEBUG=1 && export DEBUG
fi
Let me know if this is possible for you, and if not: do you mind if I co-author the commit to change this ? |
Done. Please tell me in case I missed something. |
Hmmm the I don't really get why this test specifically and the function that fetch the relevant companion logs in case of CI failures fails for this test too, yay. |
Great! Looking forward to rebase on v2.0.0 :) |
#719 has been merged, |
I tried digging into code and the related issues, but it was not clear to me: Is this implementation (v2.0.1) capable of |
No, it isn't yet. But this is planned, as I undertand it. Meanwhile you may want to try my fork which has |
It does work indeed! Minor intervention on my ansible roles. Thank you for the pointer, and for the great work! |
Thank you for the feedback! |
I still get too many certificates error even after I added I use exactly the same command as in the README: docker run --detach \
--name nginx-proxy-letsencrypt \
--volumes-from nginx-proxy \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
--volume /etc/acme.sh \
--env "[email protected]" \
jrcs/letsencrypt-nginx-proxy-companion I also tried mount I also tried to use |
Once the limit is reached you have to wait a few days. In the meantime use |
Yes, I already waited a week and this problem does not disappear. I see in the logs that all certificates reissue each time when I reload the docker project. I also see different certificates in the browser. Finally, I just see those |
As I said, set |
@CaliforniaMountainSnake Use a named volume instead:
|
@buchdag, thank you, with named volumes the certificates are persisted! |
As indicated there, a v2.0 version of
letsencrypt-nginx-proxy-companion
usingacme.sh
instead ofsimp_le
is being worked on. I'm opening this issue so we can discuss the potential non backward compatible changes introduced by this ACME client swap and how we should handle them.For now the branch I'm working on is only available on my fork of the project : https://github.com/buchdag/docker-letsencrypt-nginx-proxy-companion/tree/acme.sh
First, here are the issues I encountered.
General use
simp_le
is stateless,acme.sh
is not. It works with a configuration directory and will generate configuration files no matter what. This mean that either a new docker volume will be needed to store those configurations, or that we'll have to put them somewhere into the already existing/etc/nginx/certs
.Certificates
acme.sh
generate the certificates in its own certificate directory (defaulting to the config directory) with different, non configurable naming conventions thansimp_le
, then optionally copy them to the directory and file name of your choice. It uses its own certificate directory to keep track of what certificate have been generated and if they are still valid or not. If we want to migrate existing certs to acme.sh, we'll have to put them in its cert folder with the same naming convention and re-create the "status file" it uses to keep track of each cert status. But the bigger issue here is that we didn't even have a way to say for sure if a cert inside/etc/nginx/certs
was handled by the companion until very recently, so making such a migration automatic might not even be possible. And we don't even have a way for the container to know its own version yet.acme.sh
makes no distinction between certificates issued from different ACME endpoints. If you ask for a cert from the production endpoint, then for a cert covering the same base domain from the staging endpoint, the first cert will be overwritten. The same goes with V1 <> V2 endpoints.ACME accounts
acme.sh
andsimp_le
store the ACME account keys in a different way :simp_le
encode the public and the private key in JWK format on a single file and store just those two infos whileacme.sh
encode the private key in PEM format, the public key in JWK format inside a JSON file and additionally store the account id, contact address, creation IP, creation date and account status inside the JSON.acme.sh
is using a per-config directory email address which has to be configured prior to certificate issuance whilesimp_le
can take a different address at each invocation. BTW @cpu if you read this, I'm unsure about the way this is handled on the ACME side, are the contact address(es) only stored at the account level and written over if modified, or do you store a potentially different set of contact address(es) for each generated certificate ?Minor issues
DEBUG
environment variable is used by acme.sh too but it expect a numeric value, so we can't usetrue
anymore.acme.sh
prints it in PEM format on std output. It might be a matter of personal taste but I find it to be rather unclean and not fit for a non interactive process.acme.sh
keep the same private key when renewing a certificate whilesimp_le
has the inverse behaviour.I'll detail the way I'm currently handling each of these issues later today or in the few next days.
The text was updated successfully, but these errors were encountered: