"Postprocess" certificates #333

Closed
jmarceli opened this issue Feb 17, 2018 · 5 comments · Fixed by #898
Labels: kind/feature-request (Issue requesting a new feature)

@jmarceli

Hi, thanks for the great container.
While it works perfectly in most use cases, I have one problem with it. MongoDB requires a certificate file which is basically a merge of the key and cert files from Let's Encrypt (https://serverfault.com/questions/805971/how-to-correctly-configure-mongodb-to-use-letsencrypt-ssl-on-ubuntu/878457). Is there any chance to support autogeneration of such a file?

I don't know if there are any more use cases for postprocessing certificates after renewal, but maybe there is a chance to support that just using container configuration?

@buchdag (Member) commented Feb 17, 2018

Hi!

Adding that kind of cert post processing is definitely possible (in the sense that it can technically be done) but it's also out of scope in my opinion: as the name of the project implies, it aims solely to provide auto LE cert generation for nginx-proxy.

I'm well aware that the ease in auto managing certificates with this container has people wishing for its scope to be extended (see #315 and #275 for instance) but for now I don't see how to get down this road without those scope extensions ending up as jury-rigged features on a very purpose-specific project.

Don't hesitate to give me your thoughts on this.

Back to the feature you asked for, the best I can do right now is try to help you add it on a forked version if you'd like.

buchdag added the kind/feature-request label Feb 17, 2018

@jmarceli (Author) commented Feb 20, 2018

Hi,
Thanks for your response. I've decided that the best approach to this problem would be writing a separate container which will handle certificate file manipulations in response to Docker API events (like an nginx container restart). What do you think about such an approach?

Could you please point me in the right direction if I want to listen to selected Docker API events and execute some bash command as a response?

Currently I have a script:

while read l; do echo "OK"; done < <(curl -GET -s --unix-socket /var/run/docker.sock http:/events --data-urlencode 'filters={"container":["nginx-mongo"],"event":["restart"]}') 

Which theoretically should print OK each time the nginx-mongo container restarts (I'll use labels like you do in a final version). Unfortunately this code doesn't work as expected.

What is even more strange, without events filtering everything works OK:

while read l; do echo "OK"; done < <(curl -GET -s --unix-socket /var/run/docker.sock http:/events)

and a version without echoing things also works:

curl -GET -s --unix-socket /var/run/docker.sock http:/events --data-urlencode 'filters={"container":["nginx-mongo"],"event":["restart"]}'

Any help would be appreciated.

@buchdag (Member) commented Feb 21, 2018

I think you should rather go for something simpler and modify the letsencrypt-nginx-proxy-companion to add an env var like MONGODB_POSTPROCESS which, when set to true, will trigger the post processing for this specific certificate during the letsencrypt service loop. You already have docker-gen running inside this container and watching the events on the docker socket, so don't waste time and resources doing another watcher.

@jmarceli (Author)

What do you think about an LE_POSTPROCESS env variable where you may add any bash command for file postprocessing? It would be a much more generic solution where MongoDB will be just one of the possible use cases.

@buchdag (Member) commented Mar 19, 2018

Interpreting bash commands from an environment variable does not really sound like a good idea to me 😨
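
The design the two maintainer comments above point toward (a boolean flag such as MONGODB_POSTPROCESS selecting a fixed step, instead of a command string read from the environment), sketched as an added example that is not code from this thread or from the project. The function names, argument order and file paths are assumptions; the key and certificate paths are passed in by the caller.

```shell
#!/bin/sh
# Added example: a fixed, opt-in post-processing step. Nothing from the
# environment is ever executed; the flag only selects a built-in function.
# All function names and paths here are assumptions, not the project's own.

# Build MongoDB's combined PEM: private key followed by the certificate.
# Usage: postprocess_mongodb_pem <key.pem> <cert.pem> <out.pem>
postprocess_mongodb_pem() {
    key=$1 cert=$2 out=$3
    [ -r "$key" ] && [ -r "$cert" ] || return 1
    # Refuse non-PEM input so a failed renewal cannot replace a good file.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || return 2
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || return 2
    # The output holds key material: write it to a 0600 temp file in the
    # same directory, then rename so readers never see a partial file.
    tmp=$(umask 077 && mktemp "${out}.XXXXXX") || return 3
    if cat "$key" "$cert" > "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 3
}

# Dispatch on the flag value only. Anything other than true/false is an
# error; the value is compared as a string and never passed to eval or sh -c.
# Usage: run_postprocess <key.pem> <cert.pem> <out.pem>
run_postprocess() {
    case "${MONGODB_POSTPROCESS:-false}" in
        true)  postprocess_mongodb_pem "$@" ;;
        false) return 0 ;;
        *)     echo "MONGODB_POSTPROCESS must be true or false" >&2
               return 64 ;;
    esac
}
```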
