This is after a docker container was built to run the app on this server.
Ah, just quickly looked at those Psono docs and they gloss over how you obtain a cert. They just say:

    We assume that you want to use: https://psono.example.com to host Psono
    - you have a valid certificate in /etc/ssl/ with fullchain.pem and privkey.pem
Which indeed is a chicken-egg problem for ACME certs because you can't start their provided nginx config without that valid cert already existing. At least using nginx for the ACME Challenge.
I think they assume you get a cert from a domain or hosting company through "traditional" methods rather than using ACME like Let's Encrypt. Or, they just don't understand ACME very well and just expect you to sort it out (probably this).
There are ways forward here with Let's Encrypt like using certbot --standalone to get your "bootstrap" cert and then switching that to something like certbot certonly --nginx rather than just the --nginx. I'm not sure this will integrate well with their product since I don't have time to study it in depth right now.
Adding docker into the mix adds complexity as well.
That's all I can offer for now. Maybe I will check it out more later.
You've answered my core questions, and I thank you all for the help. I need to get better at a lot of these things, and Psono certainly writes their docs as if everyone using it is in a corp environment, so me trying to downscale it for my family deployment is adding complexity, but I also don't understand many of these things well enough (YET!) to figure it all out as I go.
So, I'll be reading up more on docker, nginx and certbot, and I will try the workaround to get past the chicken/egg situation the installation instructions put me in.
This most definitely comes from a previous system where these PEM files were manually put into that directory.
I believe most if not all Ubuntu systems provide a "snakeoil" certificate and key (which aren't publicly trusted, but would work with ACME) in /etc/ssl/private/ to bootstrap your HTTPS site.
I just wanted to update since you all gave such great responses. I managed to back up a bit: I tore out the nginx config and did a rudimentary one to get the server listening on 80 and 443 with a bootstrap cert, primarily following this article: How To Create a Self-Signed SSL Certificate for Nginx in Ubuntu | DigitalOcean
That allowed me to run the full nginx certbot to get my proper permanent cert and then I updated the nginx config to add back all the app-prescribed redirects, etc.
Big thank you to everyone
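The bootstrap sequence suggested earlier in the thread and carried out in the post above (throwaway self-signed cert, a minimal nginx config on 80 and 443, then certbot for the real cert), as an added example script that is not from the thread or from Psono; the hostname, the cert directory, the ACME webroot and the config path are all assumed placeholders.

```shell
#!/bin/sh
# Bootstrap a self-signed certificate so nginx can start before the ACME cert exists.
# Assumed layout: a cert directory holding the throwaway pair, and a webroot directory
# that nginx serves for /.well-known/acme-challenge/ (both are hypothetical paths).
set -eu

make_bootstrap_cert() {
    # $1 = hostname, $2 = output directory (assumed values; adjust for your host)
    host="$1"; dir="$2"
    mkdir -p "$dir"
    # 1-day validity makes it obvious in monitoring if the real cert never replaced it
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 \
        -subj "/CN=$host" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" 2>/dev/null
    chmod 600 "$dir/privkey.pem"
    echo "$dir/fullchain.pem"
}

write_bootstrap_nginx() {
    # $1 = hostname, $2 = cert dir, $3 = ACME webroot, $4 = nginx config path to write
    cat > "$4" <<EOF
server {
    listen 80;
    server_name $1;
    # Only the ACME challenge is served over plain HTTP; everything else is redirected.
    location /.well-known/acme-challenge/ { root $3; }
    location / { return 301 https://\$host\$request_uri; }
}
server {
    listen 443 ssl;
    server_name $1;
    ssl_certificate     $2/fullchain.pem;
    ssl_certificate_key $2/privkey.pem;
    # Placeholder until the app's own config is restored after certbot succeeds.
    location / { return 503; }
}
EOF
    echo "$4"
}

is_self_signed() {
    # Returns 0 when issuer equals subject, i.e. the cert on disk is still the bootstrap one.
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}
```

After nginx reloads with this config, `certbot --nginx -d <your hostname>` can complete the challenge and swap in the real cert; `is_self_signed` on the resulting fullchain.pem tells you whether the swap actually happened.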