5c8d317b4013105407d8b802c0ab1df1a7e4e132
haproxy-letsencrypt-docker.md
| ... | ... | @@ -1,4 +1,19 @@ |
| 1 | 1 | <!-- TITLE: Haproxy with Lets Encrypt in Docker --> |
| 2 | 2 | <!-- SUBTITLE: Catch 22 --> |
| 3 | 3 | |
| 4 | -# This should be easy |
| ... | ... | \ No newline at end of file |
| 0 | +# What are we doing here? |
| 1 | +Let's set up [HAProxy](https://www.haproxy.org/) with some lovely free certs from [Let's Encrypt](https://letsencrypt.org/) via [certbot](https://certbot.eff.org/) for a couple of domains. |
| 2 | +Everything running in [docker](https://www.docker.com), and all tied together with [docker-compose](https://docs.docker.com/compose/). |
| 3 | +We'll use docker [user-defined networks](https://docs.docker.com/v17.09/engine/userguide/networking/#user-defined-networks), because that's the Right Thing To Do. |
| 4 | + |
| 5 | +# This should be easy. Right? |
| 6 | +Docker: easy. |
| 7 | +HAProxy: easy. |
| 8 | +Let's Encrypt: easy. |
| 9 | +Docker and HAProxy and Let's Encrypt: minor pain in the arse. |
| 10 | + |
| 11 | +There's a few things that make this a bit of a hassle: |
| 12 | +1. We want haproxy to be running on port 80/443, but those are the ports certbot needs to do validation<br/>We'll have to do this in two stages. |
| 13 | +2. haproxy with the default config won't start up if it can't resolve the container IPs for the backends.<rb/>Since certbot is just a command to be run in a container, it probably won't be running when haproxy starts up. |
| 14 | +3. certbot needs to be run once in one way to request the certs, and then every couple of days/weeks in another way to check and renew certs.<br/>We'll need to different incantations for certbot. |
| 15 | +4. When the certs are renewed, we'll need to tell haproxy to pick them up<br/>Some docker-in-dockr magic is required. |
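Review bot: the numbered list at the end of the hunk (new lines 12-15) overstates problem 1, leaves problems 2 and 4 without the fix it promises, and carries three typos. Problem 1 says certbot needs ports 80/443, but that only holds for certbot's standalone plugin; with the webroot plugin haproxy can keep both ports and forward `/.well-known/acme-challenge/` to the certbot container, so the two-stage dance is only needed for the very first issuance, before haproxy has a cert to serve, and the text should say so. Problem 2 should name the knob it alludes to: `default-server init-addr last,libc,none` in the backend (or `init-addr none` on the server line) lets haproxy start even when the certbot container name does not resolve yet. Problem 4 should note that haproxy expects the certificate chain and private key concatenated into a single PEM file, so the renew hook has to rebuild that file before it reloads haproxy; that is the real reason the "docker-in-docker magic" is needed. Typos: `<rb/>` in problem 2 should be `<br/>` like the other items, "We'll need to different incantations" should read "We'll need two different incantations", and "docker-in-dockr" should be "docker-in-docker".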