Rework certificate handling. #532
Open
In Zulip Server 4.9-0, we started unconditionally installing certbot, leading to /etc/letsencrypt always existing in the container, and breaking the symlinking of it into /data/, and certbot certificates in general.

Rework how certificates are obtained and stored. Certificates are now stored in subdirectories of /data/certs/, so that auto-generated certificates (either from certbot, or self-signed) cannot ever overwrite manual certificates. Only the data parts of /etc/letsencrypt are stored in the data volume; the general configuration aspects and hooks are left for Puppet to configure.

We swap certbot-deploy-hook for overwriting the /etc/letsencrypt/renewal-hooks/deploy/050-nginx.sh hook, leaving the other hooks (for symlinking, and restarting the email server) untouched. The core Zulip Server behaviour of symlinking the certbot certificates into /etc/ssl/ is left untouched; we deal with persistence and backup by dint of storing the /etc/letsencrypt in the data volume.

Fixes #381.
Fixes #489.
Requires zulip/zulip#36803.
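An added example (not code from this PR or the docker-zulip project) that models the invariant described above: certificates live in per-source subdirectories, manual ones always win, and the auto-generation path can never write into the manual directory. The subdirectory names (manual, certbot, self-signed), the pem file names, and the base directory parameter are assumptions made for illustration.

```shell
#!/bin/sh
# Illustrative model of the "auto-generated certs never overwrite manual
# certs" rule. Subdirectory and file names are assumptions, not the project's.
set -eu

# Print the subdirectory whose certificate should be served, in priority
# order: manual first, then certbot, then self-signed. Fails if none exist.
choose_cert_dir() {
    base="$1"
    for sub in manual certbot self-signed; do
        if [ -f "$base/$sub/fullchain.pem" ] && [ -f "$base/$sub/privkey.pem" ]; then
            echo "$base/$sub"
            return 0
        fi
    done
    return 1
}

# Write an auto-generated certificate (placeholder contents here) into its
# own subdirectory. Any attempt to target the manual directory is refused.
install_generated_cert() {
    base="$1"; kind="$2"
    case "$kind" in
        certbot|self-signed) ;;
        *) echo "refusing to write auto-generated cert into $kind" >&2; return 1 ;;
    esac
    mkdir -p "$base/$kind"
    printf 'PLACEHOLDER %s CERT\n' "$kind" > "$base/$kind/fullchain.pem"
    printf 'PLACEHOLDER %s KEY\n' "$kind" > "$base/$kind/privkey.pem"
}

# Demo on a constructed temp tree standing in for /data/certs/.
demo() {
    d=$(mktemp -d)
    install_generated_cert "$d" self-signed
    echo "with only self-signed: $(choose_cert_dir "$d")"
    install_generated_cert "$d" certbot
    echo "after certbot issued:  $(choose_cert_dir "$d")"
    mkdir -p "$d/manual"
    echo MANUAL > "$d/manual/fullchain.pem"; echo MANUAL > "$d/manual/privkey.pem"
    install_generated_cert "$d" certbot   # renewal re-run; manual is untouched
    echo "with manual present:   $(choose_cert_dir "$d")"
    rm -rf "$d"
}
```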