Adding section to generate SSL certificats with Traefik

[guillaumebriday]

Heavily inspired from basecamp/kamal#112

I think it could be nice to have proper example of how to use built in traefik mechanism to generate SSL certificats. 👍

Also, here is a blog post about how to use from scratch: https://guillaumebriday.fr/how-to-deploy-rails-with-kamal-and-ssl-certificate-on-vps

[nickhammond]

I'm almost wondering if we do the wildcard version since that keeps on getting asked about on Discord. The wildcard version would also support your primary TLD as well as any subdomain under it. I know it'll complicate it a bit more but you can always remove the *. from your configuration.

[guillaumebriday]

Great idea @nickhammond

Can you share an example of the configuration you have in mind here maybe so I could adapt the PR?

Thanks

[guillaumebriday]

@dhh what do you think about this one? 👍

[ReDev1L]

Any way to run command on kamal hosts automatically?

[gammons]

throught

[Sija]

through

[morgoth]

This helped me setup HTTPS. Let's merge it.

[nickhammond]

Here's the relevant bits for wildcard certs on top of what you already have. I don't think this can be simplified down to just generate the wildcard cert only but I haven't messed with this in a while.

This host match could also change to a regex.

    labels:
      traefik.http.routers.hey-web.rule: Host(`*.example.com`) || Host(`example.com`)

traefik:
  args:
    entrypoints.websecure.http.tls.domains[0].main: "example.com"
    entrypoints.websecure.http.tls.domains[0].sans: "*.example.com"

Writing this out now though I think we just stick with the simpler example since there's a lot more to explain when you add this additional stuff. Also, I'm thinking that Thruster is going to make a lot of this irrelevant.

[kimrgrey]

I doubt it is going to work for multiple servers. Kamal starts traefik on every host, so if setup has more than 1 machine problems will start occurring. In order to acquire and renew certificate traefik has to be exposed to ACME provider for HTTP / DNS / TLS challenge. But with multiple servers there there is no way to ensure that the correct instance of Traefik will receive the challenge request and subsequent responses.

[kimrgrey]

Official documentation for Traefik highlights this problem with regards to CRD in K8s but it is general issue with multiple Traefik instances running under load balancer: https://doc.traefik.io/traefik/providers/kubernetes-crd/#letsencrypt-support-with-the-custom-resource-definition-provider

[djmb]

@guillaumebriday - could you add a warning about this only working for single servers?

[djmb]

I think this should be "Let's Encrypt" rather than "Letsencrypt"

[santiagorodriguez96]

I think it would be nice to clarify that the file should be created before deploying otherwise we would be mounting a volume on a file that does not exist, which creates a directory and will prevent all of this from working – plus, it's hard to understand why.

I was thinking on something like this:

Finally, _before_ deploying, create the `acme.json` file and give it correct permissions on each hosts:
```bash
$ mkdir -p /letsencrypt && touch /letsencrypt/acme.json && chmod 600 /letsencrypt/acme.json

[jensljungblad]

If you do

volume:
  - "letsencrypt:/letsencrypt"

instead, you do not have to create the file beforehand. Is there a downside to that approach?

[santiagorodriguez96]

Hmm no, I cannot think of any downside 🤔

[paulsturgess]

I can confirm using:

volume:
  - "letsencrypt:/letsencrypt"

in config/deploy.yml worked for me without needing to manually create the directory and file with permissions.

[santiagorodriguez96]

These lines will ensure that all http traffic is redirected to https. It feels to me that if we are going to include them as part of this section, we should clearly indicate that this will be the case. What do you think?

[jensljungblad]

If using Rails and config.force_ssl = true, should I still be adding these lines?

[santiagorodriguez96]

Seems to work for me with just force_ssl true!