Changes in ff9a74d: Updated haproxy-letsencrypt-docker.md

				haproxy-letsencrypt-docker.md
			
          @@ -19,8 +19,11 @@ There's a few things that make this a bit of a hassle:

           4. When the certs are renewed, we'll need to tell haproxy to pick them up<br/>Some docker-in-docker magic is required.

           5. certbot doesn't know how to make haproxy-complicit cert pem files<br/>We'll need to do a little scripting.

          +# Stage 0 - network setup

          +This all assumes that your soon-to-be certificated domains' A records are all pointing at the docker host (or port-forwarding router, or whatever), and you can reach the docker host on port 80 and 443 from the Interwebs.

          +

           # Stage 1 - get some certs

          -Since this is a greenfield setup, we can let certbot take care of the initial cert setup itself. HAProxy should be down for this.

          +Since this is a greenfield setup, we can let certbot take care of the initial cert request on its own - HAProxy should be down for this.

           The Dockerfile for the letsencrypt image looks like:

           ```dockerfile

          @@ -48,4 +51,37 @@ cat /etc/letsencrypt/live/wiki.davidstark.name/fullchain.pem \

             && docker kill -s HUP haproxy

           ```

          +That's wrapped up in a docker-compose file. We'll call it docker-compose-stage1.yml.

          +

          +```yaml

          +version: '3'

          +  letsencrypt:

          +    build: ./letsencrypt

          +    image: letsencrypt

          +    container_name: letsencrypt

          +    restart: no

          +    volumes:

          +      - letsencrypt_etc:/etc/letsencrypt

          +    command: bash -c 'certbot certonly \

          +                       --standalone \

          +                       --preferred-challenges http-01 \

          +                       --http-01-port 8000 \

          +                       --agree-tos \

          +                       --non-interactive \

          +                       -m your.email@fastmail.com \

          +                       -d "domain1.example.com" \

          +                       -d "domain2.example.com"; \

          +                       cat /etc/letsencrypt/live/domain1.example.com/fullchain.pem \

          +                           /etc/letsencrypt/live/domain1.example.com/privkey.pem \

          +                           > /etc/letsencrypt/haproxy.pem'

          +    ports:

          +      - 80:8000

          +    

          +volumes:

          +  letsencrypt_etc:

          +```

          +In the above we're requesting certs for domain1 and domain2 under example.com. Replace the email to if you're playing along at home.

          +certbot listens on port 8000, which docker is mapping to port 80. We don't need port 443 mapped, because this is an initial request, so Let's Encrypt should be fine with port 80.

          +Also of note, we're attaching a Volume to /etc/letsencrypt - that's where the certs end up, and that's how we'll make them available to haproxy.

          +The command also concatenates the cert chain and private key into a format that haproxy understands, and dumps it out into the mounted volume.

...	...	@@ -19,8 +19,11 @@ There's a few things that make this a bit of a hassle:
19	19	4. When the certs are renewed, we'll need to tell haproxy to pick them up<br/>Some docker-in-docker magic is required.
20	20	5. certbot doesn't know how to make haproxy-complicit cert pem files<br/>We'll need to do a little scripting.
21	21
	22	+# Stage 0 - network setup
	23	+This all assumes that your soon-to-be certificated domains' A records are all pointing at the docker host (or port-forwarding router, or whatever), and you can reach the docker host on port 80 and 443 from the Interwebs.
	24	+
22	25	# Stage 1 - get some certs
23		-Since this is a greenfield setup, we can let certbot take care of the initial cert setup itself. HAProxy should be down for this.
	26	+Since this is a greenfield setup, we can let certbot take care of the initial cert request on its own - HAProxy should be down for this.
24	27	The Dockerfile for the letsencrypt image looks like:
25	28
26	29	```dockerfile
...	...	@@ -48,4 +51,37 @@ cat /etc/letsencrypt/live/wiki.davidstark.name/fullchain.pem \
48	51	&& docker kill -s HUP haproxy
49	52	```
50	53
	54	+That's wrapped up in a docker-compose file. We'll call it docker-compose-stage1.yml.
	55	+
	56	+```yaml
	57	+version: '3'
	58	+ letsencrypt:
	59	+ build: ./letsencrypt
	60	+ image: letsencrypt
	61	+ container_name: letsencrypt
	62	+ restart: no
	63	+ volumes:
	64	+ - letsencrypt_etc:/etc/letsencrypt
	65	+ command: bash -c 'certbot certonly \
	66	+ --standalone \
	67	+ --preferred-challenges http-01 \
	68	+ --http-01-port 8000 \
	69	+ --agree-tos \
	70	+ --non-interactive \
	71	+ -m your.email@fastmail.com \
	72	+ -d "domain1.example.com" \
	73	+ -d "domain2.example.com"; \
	74	+ cat /etc/letsencrypt/live/domain1.example.com/fullchain.pem \
	75	+ /etc/letsencrypt/live/domain1.example.com/privkey.pem \
	76	+ > /etc/letsencrypt/haproxy.pem'
	77	+ ports:
	78	+ - 80:8000
	79	+
	80	+volumes:
	81	+ letsencrypt_etc:
	82	+```
51	83
	84	+In the above we're requesting certs for domain1 and domain2 under example.com. Replace the email to if you're playing along at home.
	85	+certbot listens on port 8000, which docker is mapping to port 80. We don't need port 443 mapped, because this is an initial request, so Let's Encrypt should be fine with port 80.
	86	+Also of note, we're attaching a Volume to /etc/letsencrypt - that's where the certs end up, and that's how we'll make them available to haproxy.
	87	+The command also concatenates the cert chain and private key into a format that haproxy understands, and dumps it out into the mounted volume.