Add Aspire.Hosting.Certbot integration for Certbot container support #13248
Conversation
…port Co-authored-by: davidfowl <[email protected]>
Co-authored-by: davidfowl <[email protected]>
cc @danegsta
@copilot - Let's expose the Certificate and Private Key as properties on CertbotResource
Co-authored-by: davidfowl <[email protected]>
Added
🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 13248
Or
iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 13248"
Wonder whether we should make this
Yeah, it'd be nice to have something that'll work with any ACME compatible certificate source.
```csharp
/// </code>
/// </example>
/// </remarks>
public static IResourceBuilder<T> WithCertbotCertificates<T>(
```
I think we're going to have situations where users have multiple certificates (potentially even multiple Certbot certificates) for a resource for different purposes. There might be a server auth (HTTPS) certificate from Let's Encrypt, but also one or more client auth certificates from something like a Vault server on their network.
It's one of the reasons I named the new HTTPS APIs WithServerAuthenticationCertificate to differentiate from future client certificate usage. I think we'll need a similar model for publish time where it's not enough to just have a certificate, we need to consider what it's used for as well.
I'd love to see this integrate with those new APIs so we could do something like:
```csharp
var certbot = builder.AddCertbot("mydomaincert", "mydomain", "email")
    .RunAsDevelopmentCertificate();

builder.AddYarp("gateway")
    .WithServerAuthenticationCertificate(certbot);
```
and have everything work at both run and publish.
In the future we'd be able to have builder.AddKeyVaultCertificate("mycert") with the same conventions.
Does Let's Encrypt support issuing more than just server certificates?
Ah, I see, we should rename the method.
Not after February 2026 they don't; but Certbot can be used to retrieve certificates from other providers that support the same protocol.
This would be a great way to provision client certificates from a Vault server on a private network, for example.
ZeroSSL etc.
Let's not over-engineer the Certbot integration. We need concrete implementations to flesh out the abstractions. There's no harm in modeling the concrete container initially, before understanding the abstraction. See also Keycloak and OAuth.
@copilot let's make this Aspire.Hosting.Certbot
Agree, but I think the right package name is Aspire.Hosting.Certbot because it's not actually from Let's Encrypt. But we can make Let's Encrypt the default since that is what everyone normally thinks about.
…ertbotCertificates to WithServerCertificates Co-authored-by: davidfowl <[email protected]>
I don't think we need to solve all the design problems right away, but we will effectively have to duplicate publish and run time certificate config until we do. I fully expect we'll end up needing something like:

```csharp
public interface ICertificateResource
{
    ReferenceExpression PemFormatCertificate { get; }
    ReferenceExpression PemFormatKey { get; }
    ReferenceExpression PfxFormatCertificate { get; }
}
```

We'd also need properties to indicate whether a certificate provider can provide the Pfx or Pem format assets (I assume some will only support PFX and others only PEM). But that would be a pattern that we could easily unify with the existing experimental certificate APIs (once we worked out all the other pesky design decisions we'd have to make).
mitchdenny
left a comment
I think we should get this in.
Description

Adds Aspire.Hosting.Certbot hosting integration for ACME-based certificate management via a Certbot container.

New package: Aspire.Hosting.Certbot

- CertbotResource - Container resource for SSL/TLS certificate provisioning using the ACME protocol
- AddCertbot() - Extension method to add Certbot with domain/email parameters
- WithServerCertificates<T>() - Mount certificates volume in other containers
- CertificatePath - Property exposing the path to the SSL/TLS certificate (fullchain.pem)
- PrivateKeyPath - Property exposing the path to the private key (privkey.pem)
- /etc/letsencrypt with permission fixes for non-root containers

Usage:
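The ICertificateResource shape proposed in the review thread and the package surface listed in the description both leave the wiring to the reader. The following is an added example written for this review, not code from the PR or from Aspire itself, showing one way a CertbotResource could satisfy that interface while mounting the certificate volume read-only into a consuming container. Assumptions in this example: the SupportsPem/SupportsPfx flags added to the interface, the TLS_CERT_FILE and TLS_KEY_FILE environment variable names, the certbot/certbot image and certonly arguments, and the behaviour of the methods beyond the names AddCertbot and WithServerCertificates that the PR uses. The Aspire calls themselves (ContainerResource, ReferenceExpression.Create, AddResource, WithImage, WithVolume, WithArgs, WithHttpEndpoint, WithEnvironment, WaitForCompletion) are existing public hosting APIs.

```csharp
// Added sketch for this review; not the PR's implementation. Names other than the
// public Aspire APIs and the PR's AddCertbot/WithServerCertificates are assumptions.
using Aspire.Hosting;
using Aspire.Hosting.ApplicationModel;

// Provider-neutral view of a certificate resource, as proposed in the thread,
// plus two capability flags (assumed) so consumers can fail fast on a format mismatch.
public interface ICertificateResource : IResource
{
    bool SupportsPem { get; }
    bool SupportsPfx { get; }
    ReferenceExpression PemFormatCertificate { get; }
    ReferenceExpression PemFormatKey { get; }
    ReferenceExpression PfxFormatCertificate { get; }
}

public sealed class CertbotResource(string name, string domain)
    : ContainerResource(name), ICertificateResource
{
    // Certbot keeps stable symlinks under live/<domain>/ that follow each renewal.
    public string CertificatePath { get; } = $"/etc/letsencrypt/live/{domain}/fullchain.pem";
    public string PrivateKeyPath { get; } = $"/etc/letsencrypt/live/{domain}/privkey.pem";

    public bool SupportsPem => true;
    public bool SupportsPfx => false; // Certbot writes PEM only; do not advertise PFX.

    public ReferenceExpression PemFormatCertificate => ReferenceExpression.Create($"{CertificatePath}");
    public ReferenceExpression PemFormatKey => ReferenceExpression.Create($"{PrivateKeyPath}");

    // Surface the gap as an error instead of handing a consumer an empty path.
    public ReferenceExpression PfxFormatCertificate =>
        throw new NotSupportedException($"'{Name}' provides PEM only; no PFX asset is available.");
}

public static class CertbotExampleExtensions
{
    public static IResourceBuilder<CertbotResource> AddCertbot(
        this IDistributedApplicationBuilder builder, string name, string domain, string email)
    {
        var resource = new CertbotResource(name, domain);
        return builder.AddResource(resource)
            .WithImage("certbot/certbot")
            // Named volume so issued certificates and renewal state survive restarts.
            .WithVolume($"{name}-letsencrypt", "/etc/letsencrypt")
            // HTTP-01 validation requires port 80 to be reachable by the ACME server.
            .WithHttpEndpoint(port: 80, targetPort: 80)
            .WithArgs("certonly", "--standalone", "--non-interactive", "--agree-tos",
                      "-m", email, "-d", domain);
    }

    // Mount the Certbot volume read-only into a consumer and point it at the PEM files.
    public static IResourceBuilder<T> WithServerCertificates<T>(
        this IResourceBuilder<T> builder, IResourceBuilder<CertbotResource> certbot)
        where T : ContainerResource
    {
        var cert = certbot.Resource;
        if (!cert.SupportsPem)
        {
            throw new InvalidOperationException($"'{cert.Name}' cannot supply PEM files.");
        }

        return builder
            // Read-only: the consumer terminates TLS but must not be able to alter or
            // re-issue key material. privkey.pem is visible to anything with this mount.
            .WithVolume($"{cert.Name}-letsencrypt", "/etc/letsencrypt", isReadOnly: true)
            .WithEnvironment("TLS_CERT_FILE", cert.PemFormatCertificate)
            .WithEnvironment("TLS_KEY_FILE", cert.PemFormatKey)
            // Do not start serving until Certbot has exited successfully with a certificate.
            .WaitForCompletion(certbot);
    }
}
```

Two points the description only implies: mounting /etc/letsencrypt into another container exposes privkey.pem to that container, so the mount should be read-only and limited to the resource that actually terminates TLS; and a provider that cannot produce a format should say so at build time rather than yield an empty ReferenceExpression, which is what the SupportsPem/SupportsPfx flags and the throwing PfxFormatCertificate getter model here.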