
Comments (15)

wallopthecat commented on May 30, 2024 (6)

Example of how someone else did it: https://github.com/swimlane/elk-tls-docker

from elastdocker.

amitkurud commented on May 30, 2024 (2)

Do you need help with this?

lawndoc commented on May 30, 2024 (1)

I'm back with an idea, and would like some input from repo maintainers on if they think this is a good solution.

I have tested a docker-compose setup that uses the official certbot container to auto-generate certs. Certbot shares a volume with nginx, and nginx uses the files put in that volume by certbot for TLS. Below is an example configuration:

services:
  certbot:
    container_name: certbot
    image: certbot/certbot
    volumes:
      - ./volumes/certbot/conf/:/etc/letsencrypt/
      - ./volumes/certbot/www/:/var/www/certbot/
    restart: unless-stopped
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
  nginx:
    container_name: nginx
    build:
      context: ./nginx
      args:
        DOMAIN: ${DOMAIN}
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./volumes/certbot/conf/:/etc/letsencrypt/
      - ./volumes/certbot/www/:/var/www/certbot/
    environment:
      EMAIL: ${EMAIL}
    restart: unless-stopped
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"

What do you all think about this solution? Is this the right direction to start in?

sherifabdlnaby commented on May 30, 2024

I haven't been having enough time to add it to Elastdocker myself, any help would be appreciated of course ❤️

amitkurud commented on May 30, 2024

OK, did you have something in mind on how it should be done?

amitkurud commented on May 30, 2024

I was thinking of using certbot and creating make setup-letsencrypt, then compiling in directory to create certs. Or do you have some other idea?

helgetan commented on May 30, 2024

Would like to push this topic :) Any plans here?

lawndoc commented on May 30, 2024

Another year, another person interested in this feature :) I'm swamped through Monday but if I get some free time next week I might look into elk-tls-docker's implementation as @wallopthecat mentioned and see if I can finally make a PR for this.

lawndoc commented on May 30, 2024

No longer Monday, but I did not forget about this. It's on my to-do list.

lawndoc commented on May 30, 2024

I'm back with some ideas. I've seen some services use a certbot container and mount the volume from that to an nginx container. In this case we could just mount it to the kibana container and configure kibana to use the certs from that volume. Here's an example.

Do you think we should add an nginx frontend? If so, should we make a separate compose file for "production" deployments? I'd like some feedback from the repo maintainer (@sherifabdlnaby) before moving forward with this.

ThrownLemon commented on May 30, 2024

+1, also looking for a solution for this.

lawndoc commented on May 30, 2024

Documentation will also need to be updated because there would be some prerequisite work that would need to be done (setting up DNS and port forwarding so letsencrypt can reach the service).

lawndoc commented on May 30, 2024

It's really up to @sherifabdlnaby if he wants to add to the scope of this project. Anyone is able to deploy the above docker-compose file and add their own nginx configurations to create a reverse proxy to kibana. It's just a matter of whether we want this project to handle that when needed, or just provide instructions on how people can do that themselves.

sbusch commented on May 30, 2024

The problem with LE (e.g. with certbot as proposed by @lawndoc) is that LE normally needs public access to the webserver, which is not possible, especially for private test setups.

OTOH, so far we have had good experience with mkcert, which needs to be run on the host. It creates a CA which is added to the system's and browsers' trust stores automatically, and then creates certificates which we mount into the containers.

automate-this commented on May 30, 2024

There is quite an easy way to get letsencrypt certificates into elastdocker, although this method is not containerized itself.
This also uses the same certificate for all services.

Install certbot and get your certificate with the "certonly" command.
This saves the cert into /etc/letsencrypt/live/elastic.mydomain.com/

Create cronjob for auto-renewal:
SLEEPTIME=$(awk 'BEGIN{srand(); print int(rand()*(3600+1))}'); echo "0 0,12 * * * root sleep $SLEEPTIME && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

Create a post-hook script that copies the cert, CA, and key into your elastdocker setup, and run it ONCE manually.
(Anyone fluent in bash is welcome to pimp this one up :) )

#!/bin/sh
# /etc/letsencrypt/renewal-hooks/post/certbot-post-hook.sh
# Copy the renewed Let's Encrypt chain and private key into the per-service
# secrets directories that elastdocker mounts into its containers.
cat /etc/letsencrypt/live/elastic.mydomain.com/fullchain.pem > /mnt/data/elastdocker/secrets/certs/elasticsearch/elasticsearch.crt
cat /etc/letsencrypt/live/elastic.mydomain.com/fullchain.pem > /mnt/data/elastdocker/secrets/certs/kibana/kibana.crt
cat /etc/letsencrypt/live/elastic.mydomain.com/fullchain.pem > /mnt/data/elastdocker/secrets/certs/apm-server/apm-server.crt
cat /etc/letsencrypt/live/elastic.mydomain.com/privkey.pem > /mnt/data/elastdocker/secrets/certs/elasticsearch/elasticsearch.key
cat /etc/letsencrypt/live/elastic.mydomain.com/privkey.pem > /mnt/data/elastdocker/secrets/certs/kibana/kibana.key
cat /etc/letsencrypt/live/elastic.mydomain.com/privkey.pem > /mnt/data/elastdocker/secrets/certs/apm-server/apm-server.key

Modify permissions for hook script:
chmod 750 /etc/letsencrypt/renewal-hooks/post/certbot-post-hook.sh

Get Letsencrypt root cert:
wget https://letsencrypt.org/certs/isrgrootx1.pem
and copy it into your setup once
cat ./isrgrootx1.pem > /mnt/data/elastdocker/secrets/certs/ca/ca.crt

Set the correct hostname in the .env file
ELASTICSEARCH_HOST=elastic.mydomain.com

That's it.
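A hardened variant of the hook in the comment above, added here as an example and not part of the thread or of elastdocker. It is written as a certbot deploy hook (placed in /etc/letsencrypt/renewal-hooks/deploy/) rather than a post hook, so certbot only invokes it after a renewal actually succeeded and hands it the lineage directory in RENEWED_LINEAGE; it refuses to touch the existing files if the renewed material is missing or empty, and replaces each file atomically so a service re-reading its certificate never sees a truncated one. The secrets path and service names are taken from the comment; the file modes are an assumption to adjust to the uid/gid the containers run as.

```shell
#!/bin/sh
# Added example (not from the thread). Layout assumed from the comment above:
#   $RENEWED_LINEAGE/{fullchain.pem,privkey.pem}   written by certbot
#   $CERTS/<service>/<service>.{crt,key}           mounted by elastdocker
set -eu

# install_atomic SRC DST MODE: write into a temp file in DST's directory, set the
# mode, then mv over DST. Readers see either the old file or the complete new one.
install_atomic() {
  src=$1; dst=$2; mode=$3
  tmp=$(mktemp "$(dirname "$dst")/.tmp.XXXXXX")
  cat "$src" > "$tmp"
  chmod "$mode" "$tmp"
  mv -f "$tmp" "$dst"
}

# deploy_le_cert LIVE CERTS SERVICE...: returns 1 and copies nothing if the renewed
# chain or key is absent or empty, so a broken renewal cannot wipe working certs.
# After copying, each target is compared byte-for-byte with its source.
deploy_le_cert() {
  live=$1; certs=$2; shift 2
  for f in fullchain.pem privkey.pem; do
    [ -s "$live/$f" ] || { echo "missing or empty $live/$f" >&2; return 1; }
  done
  for svc in "$@"; do
    [ -d "$certs/$svc" ] || { echo "no target dir $certs/$svc" >&2; return 1; }
    install_atomic "$live/fullchain.pem" "$certs/$svc/$svc.crt" 644
    install_atomic "$live/privkey.pem"   "$certs/$svc/$svc.key" 640   # assumed mode
    cmp -s "$live/fullchain.pem" "$certs/$svc/$svc.crt" || return 1
    cmp -s "$live/privkey.pem"   "$certs/$svc/$svc.key" || return 1
  done
}

# certbot sets RENEWED_LINEAGE only when running deploy hooks; when the script is
# sourced or run by hand without it, nothing is deployed.
if [ "${RENEWED_LINEAGE:-}" ]; then
  deploy_le_cert "$RENEWED_LINEAGE" /mnt/data/elastdocker/secrets/certs \
    elasticsearch kibana apm-server
fi
```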
