haproxy-letsencrypt-docker.md
@@ -14,6 +14,38 @@ Docker and HAProxy and Let's Encrypt: minor pain in the arse.
14 14
15 15
There's a few things that make this a bit of a hassle:
16 16
1. We want haproxy to be running on port 80/443, but those are the ports certbot needs to do validation<br/>We'll have to do this in two stages.
17
-2. haproxy with the default config won't start up if it can't resolve the container IPs for the backends.<br/>Since certbot is just a command to be run in a container, it probably won't be running when haproxy starts up.
17
+2. haproxy with the default config won't start up if it can't resolve the container IPs for the backends.<br/>Since certbot is just a command to be run in a container, it probably won't be running when haproxy starts up.<br/>Some extra config is needed in haproxy.
18 18
3. certbot needs to be run once in one way to request the certs, and then every couple of days/weeks in another way to check and renew certs.<br/>We'll need to different incantations for certbot.
19
-4. When the certs are renewed, we'll need to tell haproxy to pick them up<br/>Some docker-in-dockr magic is required.
19
+4. When the certs are renewed, we'll need to tell haproxy to pick them up<br/>Some docker-in-docker magic is required.
20
+5. certbot doesn't know how to make haproxy-complicit cert pem files<br/>We'll need to do a little scripting.
21
+
22
+# Stage 1 - get some certs
23
+Since this is a greenfield setup, we can let certbot take care of the initial cert setup itself. HAProxy should be down for this.
24
+The Dockerfile for the letsencrypt image looks like:
25
+
26
+```dockerfile
27
+FROM ubuntu:latest
28
+
29
+ENV DEBIAN_FRONTEND=noninteractive
30
+RUN apt-get update && \
31
+ apt-get install -y software-properties-common && \
32
+ add-apt-repository ppa:certbot/certbot && \
33
+ apt-get update && \
34
+ apt-get install -y certbot docker.io
35
+COPY deploy-hook /deploy-hook
36
+RUN chmod +x /deploy-hook
37
+```
38
+
39
+Note we're installing the docker.io package, and copying in a script. We'll need them later on.
40
+The deploy-hook script looks like:
41
+
42
+```sh
43
+#!/usr/bin/env bash
44
+
45
+cat /etc/letsencrypt/live/wiki.davidstark.name/fullchain.pem \
46
+ /etc/letsencrypt/live/wiki.davidstark.name/privkey.pem \
47
+ > /etc/letsencrypt/haproxy.pem \
48
+ && docker kill -s HUP haproxy
49
+```
50
+
51
+
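Review bot: In the deploy-hook script, `cat ... > /etc/letsencrypt/haproxy.pem` creates the combined file with whatever the current umask allows, so a file that contains the private key can end up more readable than the `privkey.pem` certbot wrote; put `umask 077` at the top of the script (or `chmod 600 /etc/letsencrypt/haproxy.pem` before the `docker kill`), and consider writing to a temporary file and `mv`-ing it into place so haproxy is never HUP'd against a half-written pem. The hostname `wiki.davidstark.name` is hardcoded twice; certbot exports `RENEWED_LINEAGE` to deploy hooks, which would make the script reusable for more than one domain. The text should also say what the `docker.io` package implies: for `docker kill` to reach the haproxy container, the certbot container needs the host's Docker socket, and a container with the Docker socket has root-equivalent control of the host, so that image should do nothing but certbot. `FROM ubuntu:latest` is unpinned, so the build can change under you. Minor doc nits in the numbered list: "haproxy-complicit" should be "haproxy-compliant", and "We'll need to different incantations" is missing "two".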