OneFeed is now served over HTTPS. Its certificate is issued by Let’s Encrypt, “a free, automated, and open Certificate Authority”. Using Let’s Encrypt’s ACME (Automatic Certificate Management Environment) protocol and an ACME client, requesting and renewing the site certificate is fully automated.
The ACME protocol defines several challenges that a client can use to prove that the host running it controls the domain, and it also defines how certificates are requested, renewed, and revoked. Because the interaction between the ACME server (the CA) and the client (your site) is precisely specified, the whole process can be automated. Certbot is the recommended ACME client.
To set up HTTPS on this site, I used this great post as a reference. The basic steps are:
- use a certbot docker image to get a certificate from Let’s Encrypt for the first time.
- update the web server configuration to use the certificate.
- set up a cron job to auto-renew the certificate.
Use Docker Images to Get Certificate
Certbot is in active development. Using the certbot docker image (the latest tag by default) means we never have to keep certbot itself up to date ourselves. A separate nginx docker image provides a minimal web server to answer the ACME HTTP challenge, so the production web server’s configuration stays untouched while the first certificate is requested. (And since OneFeed already runs in docker containers, using docker/docker-compose is an easy decision.) The containers used in this step are discarded as soon as the certificate has been fetched for the first time. Note that the HTTP challenge only succeeds if the ACME server can reach port 80 of the domain being validated, so that port has to be free for the temporary nginx container while it runs.
Update Configuration of the Production Web Server
There are plenty of guides for enabling HTTPS on any web server; for OneFeed the server is nginx. The two files the server configuration has to reference are the ones certbot writes under /etc/letsencrypt/live/<domain>/: fullchain.pem (the certificate plus the intermediate chain) and privkey.pem (the private key). For renewals with the webroot method the production server must also serve /.well-known/acme-challenge/ from the directory mounted as the certbot webroot (/data/letsencrypt in the cron job below), because that is where certbot writes the challenge files and where Let’s Encrypt will fetch them.
Set Up a Cron Job to Renew and Reload/Restart Web Server
The reference post uses docker kill --signal=HUP production-nginx-container to send SIGHUP to the nginx process in the container, which makes nginx reload its configuration and certificates without dropping connections. OneFeed, however, does not run a plain nginx container but passenger-docker, so it uses docker-compose restart to pick up the renewed certificate instead. Two caveats: docker-compose restart with no service name restarts every container in the compose file, so this is a short outage of the whole stack, and certbot renew only replaces the certificate when it is close to expiry (Let’s Encrypt recommends running renew twice a day at a random minute so a transient failure is retried well before expiry), so on most days the restart is unnecessary.
# crontab has no backslash line continuation; keep the entry on one line or call a script.
# no -it: cron provides no TTY, and docker run -t fails without one.
0 23 * * * docker run --rm --name certbot-renew \
-v /CERTBOT_VOLUME/etc/letsencrypt:/etc/letsencrypt \
-v /CERTBOT_VOLUME/var/lib/letsencrypt:/var/lib/letsencrypt \
-v /CERTBOT_VOLUME/data/letsencrypt:/data/letsencrypt \
-v /CERTBOT_VOLUME/var/log/letsencrypt:/var/log/letsencrypt \
certbot/certbot renew --webroot -w /data/letsencrypt --quiet \
&& cd YOUR_DOCKER_COMPOSE_WORKING_DIR \
&& docker-compose restart
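As an added example (not code from the original post, the reference post, or OneFeed), here is a host-side shell script that wraps the same renew command so that docker-compose restart only runs when fullchain.pem actually changed, instead of every day. It keeps the volume layout and the YOUR_DOCKER_COMPOSE_WORKING_DIR placeholder from above, and assumes a DOMAIN variable naming the certificate directory under live/ (example.com is a stand-in). The fingerprint/cert_changed helpers are what the restart decision rests on; the docker commands are the ones from the page.

```shell
#!/bin/sh
# renew-cert.sh: added example, not part of OneFeed.
# Runs the page's "certbot renew" container, then restarts the compose stack
# only if the live fullchain.pem was replaced. Assumed values are marked.
set -eu

CERTBOT_VOLUME="${CERTBOT_VOLUME:-/CERTBOT_VOLUME}"            # host path used on the page
COMPOSE_DIR="${COMPOSE_DIR:-YOUR_DOCKER_COMPOSE_WORKING_DIR}"  # placeholder from the page
DOMAIN="${DOMAIN:-example.com}"                                 # assumed: name of the live/ directory
LIVE_CHAIN="$CERTBOT_VOLUME/etc/letsencrypt/live/$DOMAIN/fullchain.pem"

# Print a fingerprint of a file: its sha256 hex digest, or "missing" if it is absent.
fingerprint() {
  if [ -f "$1" ]; then
    if command -v sha256sum >/dev/null 2>&1; then
      sha256sum "$1" | cut -d' ' -f1
    else
      shasum -a 256 "$1" | cut -d' ' -f1
    fi
  else
    echo missing
  fi
}

# Succeed (exit 0) when the file at $1 no longer matches the fingerprint in $2.
cert_changed() {
  [ "$(fingerprint "$1")" != "$2" ]
}

# The page's renew command, without -it (cron has no TTY).
run_renew() {
  docker run --rm --name certbot-renew \
    -v "$CERTBOT_VOLUME/etc/letsencrypt:/etc/letsencrypt" \
    -v "$CERTBOT_VOLUME/var/lib/letsencrypt:/var/lib/letsencrypt" \
    -v "$CERTBOT_VOLUME/data/letsencrypt:/data/letsencrypt" \
    -v "$CERTBOT_VOLUME/var/log/letsencrypt:/var/log/letsencrypt" \
    certbot/certbot renew --webroot -w /data/letsencrypt --quiet
}

# Renew, then restart the stack only if a new certificate was written.
renew_and_reload() {
  before=$(fingerprint "$LIVE_CHAIN")
  run_renew
  if cert_changed "$LIVE_CHAIN" "$before"; then
    echo "certificate changed, restarting docker-compose stack"
    (cd "$COMPOSE_DIR" && docker-compose restart)
  else
    echo "certificate unchanged, nothing to do"
  fi
}

# Suggested crontab entry (one line; twice a day at an odd minute):
#   17 */12 * * * /usr/local/bin/renew-cert.sh --run >> /var/log/renew-cert.log 2>&1
if [ "${1:-}" = "--run" ]; then
  renew_and_reload
fi
```

Comparing a digest of fullchain.pem before and after the run is the host-side equivalent of certbot’s --deploy-hook, which only fires inside the container when a certificate was actually issued and therefore cannot reach docker-compose on the host without extra plumbing.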