Web dumper v2.3.7
1/26/2024

Earlier this year I decided to self-host a PostgreSQL database that had previously been running as a Heroku add-on. I wanted to support secure connections to the database, so that also meant configuring it to work with SSL. And finally, I wanted to run everything in Docker containers. I definitely can't claim to be an expert on any of this, but I did get it working, so I thought I'd share what I put together in case it might be helpful to someone else.

I decided to use Docker Compose to manage the multiple containers I would need. This decision was based mostly on my having used Docker Compose to manage the containers needed for automated test suites on work projects. But there shouldn't be anything about what I'm doing here that couldn't be done with something like Rancher.

In order to support secure connections to the database, I wanted to use a real certificate (as opposed to a self-signed one), but I wasn't particularly interested in paying for one. Fortunately Let's Encrypt is a perfectly viable option for getting free certificates these days. In researching how to use Let's Encrypt to get certificates, I came across the Traefik Proxy and its built-in support for automatically managing Let's Encrypt certificates. Here are the certificate-resolver flags and volume mounts from the Traefik section of my docker-compose.yml:

    command:
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      # - "--certificatesresolvers.le.acme.caserver="
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/home/patrick/traefik/mounted/letsencrypt:/letsencrypt"

Let's Encrypt has a staging server you can use; the commented-out caserver flag is where its directory URL goes. Some documentation suggests starting with the staging server and only commenting it out once things are working, because the production CA rate-limits repeated issuance attempts and a broken setup can burn through that limit quickly. Two things to keep in mind about the mounts: acme.json holds the private keys for every certificate Traefik issues, so it should stay mode 600 and owned by root on the host, and mounting the Docker socket with :ro does not restrict what Traefik can do through the Docker API, so the Traefik container is effectively root-equivalent on the host.

The labels section sets up the Traefik dashboard so I can access it from inside my home network. You'll have to configure your internal DNS or hosts file to point that name at the server for this to work. I'm using a traefik Docker Compose network to put multiple containers on the same network as the Traefik proxy.

For a Let's Encrypt certificate, you need to host a website at the domain name for which you want the certificate generated. In my case, I want the certificate for PostgreSQL, not a website. However, for this to work, I need to host something so Traefik and Let's Encrypt can do their thing. The Docker image I'm using for that (crccheck/hello-world) is just a tiny image that runs a web server hosting a "Hello World" page. The labels in that service's section are the important part: they name the domain I want the certificate for and tell Traefik to use the Let's Encrypt resolver to generate a secure certificate for it. Because the resolver uses the TLS challenge (TLS-ALPN-01), Let's Encrypt must be able to reach port 443 on that domain from the internet; the hello-world page itself only needs to be reachable by Traefik.

With the setup so far, I'll have Traefik automatically generating, and renewing, a secure certificate for my domain name. But I need to do something so that my PostgreSQL instance will have access to that certificate. That's where traefik-certs-dumper comes in. It automatically exports the certificates from the acme.json file in which Traefik stores them. Here's its section of the docker-compose.yml:

    entrypoint: >
      sh -c '
      while ! [ -e /data/acme.json ]
      || ! [ `jq ".[] | .Certificates | length" /data/acme.json` != 0 ]; do
      sleep 1
      ; done
      && traefik-certs-dumper file --version v2 --watch --domain-subdir=true
      --source /data/acme.json --dest /data/certs --post-hook "sh /post-hook.sh"'
    volumes:
      - "/home/patrick/traefik/mounted/letsencrypt:/data"
      - "/home/patrick/traefik-certs-dumper/mounted/post-hook.sh:/post-hook.sh"

This was taken pretty straight from the example docker-compose.yml in the traefik-certs-dumper repository: the loop waits until acme.json exists and contains at least one certificate (it needs jq in the container) before starting the dumper in watch mode. The only difference is that I tacked on a --post-hook to invoke a shell script that copies the extracted certificates to a directory the PostgreSQL server has access to (and fixes permissions as well). The paths the hook works with are the paths inside the traefik-certs-dumper container; with --domain-subdir=true the dumper writes each domain's certificate.crt and privatekey.key under /data/certs/<domain>/. My script compares the dumped files with the copies PostgreSQL uses (cmp -s) and only replaces them when they have changed.

Finally, the PostgreSQL section of the docker-compose.yml mounts those copies into the container and tells the server to use them:

    command: postgres -c ssl=on -c ssl_cert_file=/var/lib/postgresql/server.crt -c ssl_key_file=/var/lib/postgresql/server.key
    volumes:
      - "/home/patrick/side-project-db/mounted/postgres-data:/var/lib/postgresql/data"
      - "/home/patrick/side-project-db/mounted/certs/certificate.crt:/var/lib/postgresql/server.crt:ro"
      - "/home/patrick/side-project-db/mounted/certs/privatekey.key:/var/lib/postgresql/server.key:ro"

The permission fix in the hook is not optional: PostgreSQL refuses to start when server.key is readable by group or others, unless the file is owned by root with mode 0640, so the copy has to be 0600 and owned by the uid the postgres user has inside the container (check with docker exec on the database container and id postgres). Two other caveats with this layout: the private key now exists in three places on the host (acme.json, the dumper's output directory and the PostgreSQL certs directory), all of which need the same restrictive permissions; and because the certificate and key are bind-mounted as individual files, the hook must overwrite them in place rather than rename a new file over them, otherwise the container keeps seeing the old inode. After a renewal, PostgreSQL re-reads ssl_cert_file and ssl_key_file on a reload (pg_ctl reload or SELECT pg_reload_conf()), so a restart is not needed.
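Below is a post-hook script that does what the copy-and-fix-permissions step described above needs. It is an added example, not the post's original post-hook.sh; it assumes the dumper's --domain-subdir layout (/data/certs/<domain>/certificate.crt and privatekey.key), a hypothetical domain db.example.com, that the directory PostgreSQL bind-mounts its certificate files from is mounted into the dumper container at /pg-certs, and that the postgres user inside the database container is uid/gid 999 (the Debian-based official image; set PG_UID/PG_GID otherwise). The function names and environment variables are mine.

```shell
#!/bin/sh
# post-hook.sh: run by traefik-certs-dumper via --post-hook "sh /post-hook.sh".
# Added example, not the original author's script. Assumed (not from the post):
# the dump layout, the /pg-certs mount, the placeholder domain and uid 999.
DOMAIN="${DOMAIN:-db.example.com}"            # hypothetical placeholder
DUMP_DIR="${DUMP_DIR:-/data/certs/$DOMAIN}"   # dumper output with --domain-subdir
PG_CERT_DIR="${PG_CERT_DIR:-/pg-certs}"       # what PostgreSQL bind-mounts from
PG_UID="${PG_UID:-999}"
PG_GID="${PG_GID:-999}"

# Copy src over dst only when the content differs (the same cmp -s check the post
# mentions). Prints "updated" or "unchanged"; returns 1 only if src is missing.
# The copy is written in place with cat > dst, never mv: the database container
# bind-mounts the individual files, and a rename would create a new inode that
# the existing mount never sees.
install_if_changed() {
    src="$1"; dst="$2"; mode="$3"
    if [ ! -r "$src" ]; then
        echo "post-hook: cannot read $src" >&2
        return 1
    fi
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        echo unchanged
        return 0
    fi
    umask 077                              # new files start life as 0600
    if [ -f "$dst" ]; then chmod "$mode" "$dst"; fi   # tighten before writing a key
    cat "$src" > "$dst"
    chmod "$mode" "$dst"
    # PostgreSQL wants the key 0600 and owned by its own user (or 0640, root-owned).
    # Only root can chown, so this is a no-op when the hook runs unprivileged.
    if [ "$(id -u)" = 0 ]; then chown "$PG_UID:$PG_GID" "$dst"; fi
    echo updated
    return 0
}

# Sync certificate (world-readable is fine) and key (0600). Prints "updated" if
# either file changed, "unchanged" otherwise; returns 1 if a source is missing.
sync_certs() {
    dump_dir="$1"; pg_dir="$2"
    mkdir -p "$pg_dir"
    crt=$(install_if_changed "$dump_dir/certificate.crt" "$pg_dir/server.crt" 0644) || return 1
    key=$(install_if_changed "$dump_dir/privatekey.key" "$pg_dir/server.key" 0600) || return 1
    if [ "$crt" = updated ] || [ "$key" = updated ]; then
        echo updated
    else
        echo unchanged
    fi
}

# The dumper may fire the hook before this domain has a certificate; do nothing then.
if [ -d "$DUMP_DIR" ]; then
    sync_certs "$DUMP_DIR" "$PG_CERT_DIR"
else
    echo "post-hook: $DUMP_DIR not present yet, nothing to do" >&2
fi
```

The hook prints updated when a file actually changed, which is the moment PostgreSQL needs a reload to pick up the renewed certificate (it re-reads ssl_cert_file and ssl_key_file on SIGHUP, so docker kill -s HUP on the database container or pg_ctl reload inside it is enough); the dumper container cannot signal the database container itself, so that step has to be wired up outside the hook. Running the hook as root is what makes the chown effective; otherwise the files in the shared directory must already be owned by the postgres uid.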