How to use greenlock-express with docker? (without renewing on each container start?) #58
I've been wasting the past 20 hours non-stop trying to figure out how to set up SSL with auto-renew. I'm only writing because I noticed (from the many issues) you really care about making an easy-to-use API (contrary to the letsencrypt and certbot maintainers).
So here #13 (comment) you said that
But how will you fix the issue that it will get a new certificate every time a docker container starts?
I'd imagine the best way to manage docker + node would be like this:
So here you say to use env vars... but that doesn't really solve the problem of how to save the certs to a database? Again:
npx greenlock ... commands in your setup script
Using this, it will renew on every image start.

Thank you, but don't write them off just yet. There's a lot of nuance to the security handshakes and so the ACME APIs are complicated because they're complicated, but they're also kind of genius.

I think that we need newer, modern versions of tools like curl that have jose and jwt built in - and that programming language stacks need to up their game.

Possible Solutions

That would be the absolute simplest way to go about this.

https://git.rootprojects.org/root/greenlock-store-sequelize.js
https://git.rootprojects.org/root/greenlock-store-test.js

Note that you absolutely could create a single table and use it as a key/value store, and then fill out the various functions by tagging the keys and certs appropriately with a type column.
Also note that although the docs show usage examples for Greenlock v2.7+, the tests should be valid for Greenlock v3/v4.
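The "single table used as a key/value store with a type column" idea from the reply above, written out as an added example. This is not Greenlock's code and not one of the linked store modules: the method names (accounts.checkKeypair/setKeypair, certificates.checkKeypair/setKeypair/check/set) and the option fields they read (account.id, subject, keypair, pems) are assumed to match the interface that greenlock-store-test exercises, and the "table" is an in-memory Map standing in for a real database table so the example runs offline.

```javascript
"use strict";

// Added example (not greenlock's own code). One table, three row types:
//   account-keypair  -> the ACME account key, tagged by account id
//   cert-keypair     -> the private key for a domain, tagged by subject
//   cert             -> the issued PEMs (privkey, cert, chain, expiresAt...)
// A `type` column keeps the namespaces apart even though everything shares
// one table. The Map below is a constructed stand-in for a DB table with
// columns (key PRIMARY KEY, type, value); swap the three table* helpers for
// SQL (INSERT ... ON CONFLICT / SELECT) to persist across container restarts.
const table = new Map();

function tableUpsert(type, key, value) {
  table.set(key, { type, value: JSON.stringify(value) });
}

function tableSelect(type, key) {
  const row = table.get(key);
  // A row stored under a different type is treated as missing, so an
  // account key can never be handed back as a certificate and vice versa.
  if (!row || row.type !== type) return null;
  return JSON.parse(row.value);
}

// Key layout "<type>:<id>" (assumed here, not prescribed by greenlock).
function accountKey(opts) {
  const id = (opts.account && opts.account.id) || opts.email || "default";
  return "account-keypair:" + id;
}
function certKeypairKey(opts) { return "cert-keypair:" + opts.subject; }
function certKey(opts) { return "cert:" + opts.subject; }

// Store factory; the store interface expects promises, so every method
// wraps the synchronous table access in Promise.resolve.
function create(/* storeOptions such as { storeDatabaseUrl } */) {
  const store = { accounts: {}, certificates: {} };

  // ACME account (registration) keypair: check resolves to null when absent.
  store.accounts.checkKeypair = function (opts) {
    return Promise.resolve(tableSelect("account-keypair", accountKey(opts)));
  };
  store.accounts.setKeypair = function (opts) {
    tableUpsert("account-keypair", accountKey(opts), opts.keypair);
    return Promise.resolve(null);
  };

  // Domain private key, kept separate from the account key.
  store.certificates.checkKeypair = function (opts) {
    return Promise.resolve(tableSelect("cert-keypair", certKeypairKey(opts)));
  };
  store.certificates.setKeypair = function (opts) {
    tableUpsert("cert-keypair", certKeypairKey(opts), opts.keypair);
    return Promise.resolve(null);
  };

  // Issued certificate PEMs. Because a fresh container reads these back from
  // the table, it reuses the existing cert instead of ordering a new one.
  store.certificates.check = function (opts) {
    return Promise.resolve(tableSelect("cert", certKey(opts)));
  };
  store.certificates.set = function (opts) {
    tableUpsert("cert", certKey(opts), opts.pems);
    return Promise.resolve(null);
  };

  return store;
}

// Export as a store module when loaded under CommonJS.
if (typeof module !== "undefined" && module.exports) {
  module.exports = { create, tableUpsert, tableSelect };
}
```

Only the three table helpers touch storage, so moving them onto the real database (one table with key, type and value columns) is the whole persistence job; the type check in tableSelect is what prevents a key written under one namespace from being read back under another.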
Wow! thanks for the quick response!
They are saying it is the easiest way to set up, but I think they didn't do a count on the amount of questions made to set up, and don't consider people like me that don't even post a question - because many questions are not even answered.
IMO it is complicated if you don't use a managed solution, and in that case they push you to their paid alternatives... where, guess what... I managed to get a cert in minutes! Of course, no auto-renew. The interesting fact is that 3-month certs are free, but 12-month are paid. And on their website they say that 3-month certs are better (more secure). If that were true, the pricing should be reversed, I'd say.
I'm sure many people would be happy with manual renewal every 1-3 years. For low-security apps, it's not worth it to do it every 3 months. I gave up some projects because SSL renewal is too painful.
I could use 1), but I'm using ECS with EC2. I only use 1 machine, but I might have more later. How would it work if I set up a mounted volume and I have 2 machines? Will each get their own SSL certs and keep renewing?
I'd rather use a database for this. I'm planning to drop sequelize because the future doesn't look bright and the last versions are broken.
Maybe option 3 is the best, but I can consider option 2 for the short term.
For option 2 I can see

store: require('greenlock-store-sequelize').create({ storeDatabaseUrl: dbUrl })

which looks good and easy to implement actually. But it is using Greenlock and not Greenlock-express. Not sure how to pass the store, just set it as the manager key?

Option 3: do you have some example e2e with Greenlock-express? https://git.rootprojects.org/root/greenlock-store-test.js seems to be a repo to test my manager/store. Ah.. so I need to implement that API and pass it to the store for the config? But not sure why there are so many configs https://git.rootprojects.org/root/greenlock-store-test.js#user-content-overview - I'd expect you to give me a JSON and I give you back a JSON.

Usually I take about 3 weeks to respond :-/ but I've been trying to get better. :)
I happened to be checking my email right as you posted this I think.
Because there's a many-to-many relationship between
If you just modify the quick start to use the store implementation that you want, with the options that you want, that should do the trick:
I think this would be the way to do that for the sequelize store:
So I'd run

# exec form: every argv element is its own array entry, there is no shell to split the string
CMD ["npx", "greenlock", "defaults", "--store", "greenlock-store-sequelize", "--store-store-database-url", "postgres://postgres@postgres:5432/postgres"]

or similar on the docker image when it starts.

How do I get the certs back to Node.js? I assume it will save them somewhere on the filesystem?
I normally prefer to have it as a script in Node.js, as things are simpler. I will investigate, but it is not that easy to see how to use it in JavaScript and then pass the cert details as a string to my express instance.
You don't. That's the purpose of the store - so that it would save them in the database or on the mounted volume.
You wouldn't do that either. You export your express instance to Greenlock Express, which will run it (or any other standard node http function) after https has been handled.