This repository has been archived by the owner on Jan 24, 2018. It is now read-only.

[IMP]letsencrypt with nginx #191

Open
pasgou opened this issue Dec 31, 2016 · 11 comments


pasgou commented Dec 31, 2016

What about using https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion to include letsencrypt as a CA with clouder dns template and clouder proxy?

I don't know how to do that but it seems to make sense.

Owner

YannickB commented Jan 2, 2017

Hello,

We already have a working process with LetsEncrypt inside clouder proxy. Since this tool is based on another docker image, I don't really see the added value :/. Is there any point I missed?

Author

pasgou commented Jan 2, 2017

I found this project interesting as it permits to have images on the server (physically) with letsencrypt and nginx for all the other apps needing SSL or TLS. Instead of having one gear per app, we have one gear per node.

Contributor

lasley commented Jan 2, 2017

@YannickB - do we have an existing strategy for the LetsEncrypt renewals?

@pasgou - For internal CA, we are working on #180

Owner

YannickB commented Jan 2, 2017

@lasley Yes, you have a cron which renews it 15 days before the end of the certificate. Still a little buggy though.

Contributor

lasley commented Jan 2, 2017

@YannickB - I assume this is at the proxy level yeah? I think that would in effect accomplish the same thing that this does, even in terms of architecture placement.

@pasgou Maybe we're missing something?

Owner

YannickB commented Jan 2, 2017

@lasley yep, in proxy container

Author

pasgou commented Jan 2, 2017

@lasley I think that some things don't have to be reinvented.
Working with the project I mentioned should permit to have immediately a non-buggy utility to have a letsencrypt client with monthly automatic renewal. No need to have a private CA, or only for PKI in a mail or doc signature context.

Author

pasgou commented Jan 2, 2017

Contributor

lasley commented Jan 2, 2017

@pasgou - From what I understand, LetsEncrypt will not allow the issuance of certificates for private hosts. This means we cannot secure our internal communication using it, and thus the internal CA is still required for many TLS/SSL purposes - such as Logstash.

Seems like this would help from a renewal perspective for the ones that are using LetsEncrypt though. I still need to study our current implementation more to understand the ramifications - I'm still learning the edges of core such as proxy.

Author

pasgou commented Jan 2, 2017

Letsencrypt is a CA for the web server, mail server, or everything needing SSL/TLS communication. I don't know if it could be used for ssh communication, but why not IFCB servers have domain name?

Major use is https.

Author

pasgou commented Jan 2, 2017

In the FAQ on https://letsencrypt.org/docs/faq/ :
"""
Does Let’s Encrypt issue certificates for anything other than SSL/TLS for websites?

Let’s Encrypt certificates are standard Domain Validation certificates, so you can use them for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more.

Email encryption and code signing require a different type of certificate that Let’s Encrypt does not issue.
"""
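
The split the thread arrives at (Let's Encrypt for names a public CA can validate, an internal CA for private hosts such as Logstash), sketched as an added example that is not part of the issue or of Clouder's code. The host names, the `ca_for` and `plan` helpers and the suffix list are assumptions made for illustration; the check is syntactic only and does not test whether a name actually resolves publicly.

```python
import ipaddress

# Suffixes reserved for special or private use; they are not delegated in
# the public DNS, so a public CA cannot validate control of such a name.
NON_PUBLIC_SUFFIXES = ("local", "localhost", "internal", "test",
                       "example", "invalid", "home.arpa")


def ca_for(host):
    """Return 'public-dv' when a public Domain Validation CA could plausibly
    issue for this name, otherwise 'internal-ca'. Syntactic check only."""
    name = host.strip().rstrip(".").lower()
    if not name:
        raise ValueError("empty host name")
    try:
        ipaddress.ip_address(name.strip("[]"))
        return "internal-ca"  # IP literal, not a domain name (assumed policy)
    except ValueError:
        pass
    if "." not in name:
        return "internal-ca"  # single-label name, e.g. a container alias
    if any(name == s or name.endswith("." + s) for s in NON_PUBLIC_SUFFIXES):
        return "internal-ca"
    return "public-dv"


def plan(hosts):
    """Group an inventory of service host names by the CA that should serve them."""
    groups = {"public-dv": [], "internal-ca": []}
    for host in hosts:
        groups[ca_for(host)].append(host)
    return groups


# Constructed inventory for illustration; none of these names come from the thread.
SAMPLE_HOSTS = ["shop.example.org", "mail.example.org", "logstash",
                "10.0.3.7", "db.node1.local", "elk.corp.internal"]

if __name__ == "__main__":
    for ca, names in plan(SAMPLE_HOSTS).items():
        print(ca, names)
```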
