SSL certs from LetsEncrypt (from another nginx container)?

I have a domain wildcard cert that is generated from another docker container running over on my NAS (https://blog.linuxserver.io/2020/08/21/introducing-swag/). The LetsEncrypt cert/key files are .pem. Can I safely replace …/brewblox/traefik/brewblox[.crt | .key] with the externally-generated LE cert?

Thinking I’d also have to schedule a script to copy the cert over to the brewblox rpi when it’s updated and restart traefik…

Is this practical?

Yes, you can provide your own key files. You probably need to convert your .pem file. Traefik (v2) cert config is defined in brewblox/traefik/traefik-cert.yaml (docs).

You can safely update after overwriting key/cert/config files: they are only overwritten during brewblox-ctl setup / makecert, not during update.

@Bob_Steers Did not need to convert the certs, just rename them.

[admin@nas ~] scp /share/docker/mediasvcs/swag/config/etc/letsencrypt/live/mydomain.com/cert.pem \
                  root@rpi2.mydomain.com:/home/pi/brewblox/traefik/brewblox.crt

[admin@nas ~] scp /share/docker/mediasvcs/swag/config/etc/letsencrypt/live/mydomain.com/privkey.pem \
                  root@rpi2.mydomain.com:/home/pi/brewblox/traefik/brewblox.key

[admin@nas ~] ssh root@rpi2.mydomain.com chmod 600 /home/pi/brewblox/traefik/brewblox.*

Is there a way to configure traefik to redirect all traffic to https and do so in a way that is persistent?

Extend the traefik service in docker-compose.yml. Copy the command section from the service in docker-compose.shared.yml, and add

--entrypoints.web.http.redirections.entrypoint.to=websecure

It returns an HTTP 301 response, so your browser will be pretty persistent about it.

We disabled automatic redirects a while back because iOS couldn’t handle self-signed certs for websockets.

cool. thanks. will give it a go tomorrow.
Have a LetsEncrypt cert deployed. Will test to confirm the UX on iOS.

@Bob_Steers

If I understand correctly, just copy the traefik: service header and the command: section with the additional parameter? Not the whole traefik: service block, correct?

e.g.
docker-compose.yml

services:
  spark-one:
    command: --name=spark-one
    image: brewblox/brewblox-devcon-spark:${BREWBLOX_RELEASE}
    privileged: true
    restart: unless-stopped
  tilt:
    image: j616s/brewblox-tilt:latest
    network_mode: host
    privileged: true
    restart: unless-stopped
    volumes:
    - ./tilt:/share
  traefik:
    command: >-
      --api.dashboard=true
      --providers.docker=true
      --providers.docker.constraints="LabelRegex(`com.docker.compose.project`, `${COMPOSE_PROJECT_NAME}`)"
      --providers.docker.defaultrule="PathPrefix(`/{{ index .Labels \"com.docker.compose.service\" }}`)"
      --providers.file.directory=/config
      --entrypoints.web.address=:${BREWBLOX_PORT_HTTP}
      --entrypoints.websecure.address=:${BREWBLOX_PORT_HTTPS}
      --entrypoints.websecure.http.tls=true
      --entrypoints.web.http.redirections.entrypoint.to=websecure
version: '3.7'

Correct. Config from the two compose files is merged.

Seems to be working just fine on iOS 14.4 with the http2https redirection in-place and a LetsEncrypt SSL certificate deployed. No UI functional issues found with any graphs or editors (fermentation setup only).

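Putting the two halves of the thread together as one script: the first post sketches a scheduled job that copies the SWAG-issued cert to the Pi and restarts traefik, and the later posts add the http-to-https redirect. The POSIX shell script below is an added example, not code from this thread or from the Brewblox or SWAG projects. It reuses the paths and host names from the thread, and assumes a hypothetical STATE_DIR for change stamps, openssl and curl on the NAS, and that `docker-compose restart traefik` run in the brewblox directory is an acceptable way to reload the cert. It copies fullchain.pem rather than cert.pem so that clients which have not cached the Let's Encrypt intermediate can still build the chain, refuses to deploy a key that does not belong to the cert, only restarts traefik when something actually changed, and finishes by confirming the redirect returns a 301 to an https URL.

```shell
#!/bin/sh
# Added example (not from the thread or the Brewblox project).
# Sync a Let's Encrypt cert/key from the SWAG container's "live" directory to
# the Brewblox host, restart traefik only when the material changed, then
# verify the http -> https redirect. All locations below are assumptions
# taken from the thread or invented for this example; adjust to your setup.
set -eu

SRC_DIR="${SRC_DIR:-/share/docker/mediasvcs/swag/config/etc/letsencrypt/live/mydomain.com}"
DST_HOST="${DST_HOST:-root@rpi2.mydomain.com}"
DST_DIR="${DST_DIR:-/home/pi/brewblox/traefik}"
BREWBLOX_URL_HTTP="${BREWBLOX_URL_HTTP:-http://rpi2.mydomain.com}"
STATE_DIR="${STATE_DIR:-${HOME}/.brewblox-cert-sync}"   # hypothetical stamp directory

# file_stamp FILE: cheap change-detection stamp (CRC and size); keeping a stamp
# instead of a copy avoids leaving extra copies of the private key around.
file_stamp() { cksum < "$1" | cut -d' ' -f1-2; }

# cert_changed FILE STAMPFILE: 0 when FILE differs from the recorded stamp
# (or no stamp exists yet), 1 when it is unchanged.
cert_changed() {
    [ -f "$2" ] || return 0
    [ "$(file_stamp "$1")" != "$(cat "$2")" ]
}

record_stamp() { file_stamp "$1" > "$2"; }

# key_matches_cert KEY CERT: the public key derived from the private key must
# equal the one embedded in the certificate (works for RSA and ECDSA keys).
key_matches_cert() {
    key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 1
    cert_pub="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# redirect_ok STATUS LOCATION: what a correct redirect from the traefik
# entrypoint option in the thread looks like: permanent status, https target.
redirect_ok() {
    case "$1" in 301|308) ;; *) return 1 ;; esac
    case "$2" in https://*) return 0 ;; *) return 1 ;; esac
}

# check_redirect URL: query the plain-HTTP entrypoint (no -L, so curl reports
# the redirect instead of following it) and validate the response.
check_redirect() {
    out="$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "$1")" || return 1
    redirect_ok "${out%% *}" "${out#* }"
}

sync_and_restart() {
    mkdir -p "$STATE_DIR"
    if ! cert_changed "$SRC_DIR/fullchain.pem" "$STATE_DIR/fullchain.stamp" \
       && ! cert_changed "$SRC_DIR/privkey.pem" "$STATE_DIR/privkey.stamp"; then
        echo "certificate unchanged, nothing to do"
        return 0
    fi
    key_matches_cert "$SRC_DIR/privkey.pem" "$SRC_DIR/fullchain.pem" \
        || { echo "privkey.pem does not match fullchain.pem, aborting" >&2; return 1; }
    # fullchain.pem (leaf + intermediate) is what traefik should serve.
    scp -q "$SRC_DIR/fullchain.pem" "$DST_HOST:$DST_DIR/brewblox.crt"
    scp -q "$SRC_DIR/privkey.pem"   "$DST_HOST:$DST_DIR/brewblox.key"
    ssh "$DST_HOST" "chmod 600 '$DST_DIR/brewblox.crt' '$DST_DIR/brewblox.key' \
        && cd '$(dirname "$DST_DIR")' && docker-compose restart traefik"
    record_stamp "$SRC_DIR/fullchain.pem" "$STATE_DIR/fullchain.stamp"
    record_stamp "$SRC_DIR/privkey.pem"   "$STATE_DIR/privkey.stamp"
    check_redirect "$BREWBLOX_URL_HTTP" \
        || echo "warning: http -> https redirect not observed on $BREWBLOX_URL_HTTP" >&2
}

# Only act when invoked as "script.sh run" (e.g. from cron after SWAG's renewal
# window); sourcing the file merely defines the functions.
if [ "${1:-}" = "run" ]; then
    sync_and_restart
fi
```

Run it from cron on the NAS shortly after SWAG's renewal time; because the stamps are compared first, the traefik restart (and the brief outage it causes) only happens when a renewed cert or key is really present.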