9 months ago
I am unable to run a Docker service with Nginx and Certbot. When Certbot attempts to validate the ACME challenge, the service returns a 404 error.
```dockerfile
# Stage 1: Build the Certbot image
FROM certbot/certbot:latest AS certbot
# Run Certbot to get the SSL certificates
RUN certbot certonly --standalone --preferred-challenges http --agree-tos --no-eff-email --email myemail@mydomain.io -d my.sub.domain.com

# Stage 2: Build the Nginx image
FROM nginx:latest
# Copy the SSL certificates from the Certbot image (certbot stores them under live/<domain>/)
COPY --from=certbot /etc/letsencrypt/live/my.sub.domain.com/fullchain.pem /etc/ssl/certs/fullchain.pem
COPY --from=certbot /etc/letsencrypt/live/my.sub.domain.com/privkey.pem /etc/ssl/private/privkey.pem
# Copy your Nginx configuration file
COPY nginx/nginx.conf /etc/nginx/nginx.conf
# Expose ports 80 and 443
EXPOSE 80 443
# Start Nginx
CMD ["nginx", "-g", "daemon off;"]
```
I've also tried to set the Nginx config before the Certbot command, enabling location /.well-known/acme-challenge/ for http.
I want to create a reverse proxy to handle my API versions, serving each version from a different machine and GitHub branch.
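For context on the 404: a `RUN certbot --standalone` step executes inside the build container, which is not published on port 80 of any public host, so the ACME validator's request for `http://my.sub.domain.com/.well-known/acme-challenge/<token>` reaches whatever is already serving that name and gets a 404 there. The added example below (not the poster's code, and not anything Railway ships) shows the runtime alternative: nginx serves only the challenge directory over plain HTTP, and certbot runs in `--webroot` mode against the same directory once nginx is up. The `DOMAIN`, `WEBROOT`, `CONF_OUT`, `EMAIL` and `RUN_ACME` variables and the function names are assumptions for this script; `certbot certonly --webroot -w ... -d ...` and the `/etc/letsencrypt/live/<domain>/` output path are certbot's real interface.

```shell
#!/bin/sh
# Added example: serve the HTTP-01 challenge from a webroot at runtime
# instead of running certbot during `docker build`. Variable and function
# names are assumptions for this script, not Railway's or certbot's.
set -eu

DOMAIN="${DOMAIN:-my.sub.domain.com}"             # domain from the post; override via env
WEBROOT="${WEBROOT:-/var/www/certbot}"            # assumed challenge directory
CONF_OUT="${CONF_OUT:-/etc/nginx/conf.d/acme.conf}"  # assumed nginx include path

# Emit an nginx server block for port 80. Only /.well-known/acme-challenge/
# is answered over plain HTTP; everything else is redirected to HTTPS.
# `root` (not `alias`) is used so the URI path is appended to WEBROOT,
# which is exactly where certbot --webroot writes the token file.
render_acme_site() {
  cat <<EOF
server {
    listen 80;
    server_name ${DOMAIN};

    location ^~ /.well-known/acme-challenge/ {
        root ${WEBROOT};
        default_type "text/plain";
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
}

# Mirror nginx's root + URI resolution: returns 0 when a token file that
# certbot would drop into the webroot is actually present on disk.
check_token_path() {
  token="$1"
  [ -f "${WEBROOT}/.well-known/acme-challenge/${token}" ]
}

# Real certbot flags: certbot writes the token under WEBROOT, nginx serves it,
# and on success the certificate lands in /etc/letsencrypt/live/${DOMAIN}/.
issue_cert() {
  certbot certonly --webroot -w "${WEBROOT}" -d "${DOMAIN}" \
    --agree-tos --no-eff-email --non-interactive \
    --email "${EMAIL:?set EMAIL to the account address}"
}

main() {
  mkdir -p "${WEBROOT}/.well-known/acme-challenge"
  render_acme_site > "${CONF_OUT}"
  nginx -s reload          # nginx must already be running and reachable on :80
  issue_cert
}

# Run the full flow only when explicitly requested, so the functions can be
# sourced and checked without nginx or certbot present.
if [ "${RUN_ACME:-0}" = 1 ]; then
  main
fi
```

Run it with `RUN_ACME=1 EMAIL=you@example.com DOMAIN=my.sub.domain.com sh acme-webroot.sh` from a container entrypoint after nginx has started; the resulting `live/<domain>/fullchain.pem` and `privkey.pem` are what the 443 server block should reference, and a renewal cron or `certbot renew` job keeps them current, which a build-time `RUN` step can never do.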
11 Replies
brody
You would never want to run certbot, Railway handles all of that for you.
2 months ago
Since we cannot have TLS termination on the TCP proxy, there is still a use-case to run certbot. For example if you want TLS on non-http in an automated fashion without resorting to DNS challenges.
2 months ago
I'm not sure if you could issue named certificates for the TCP Proxy, but can't hurt to try, though whatever you do, don't use NGINX, make it easier on yourself and use Caddy.
kruegernet wrote:
> Since we cannot have TLS termination on the TCP proxy, there is still a use-case to run certbot. For example if you want TLS on non-http in an automated fashion without resorting to DNS challenges.
2 months ago
What would be really nice would be if the certs could be exposed via Railway env vars, and then I could re-use the ones you generate for HTTPS on the same service but for a non-HTTP TCP service. Without a proper way to have TLS on TCP I'm not sure I'll be able to use Railway as a customer, which I would like to.
2 months ago
Not too sure how HTTP certs for the HTTP domain helps with the TCP Proxy, you might have a slight misconception on how that works.
Either way, you can always self-sign certificates, we do this for Postgres.
https://github.com/railwayapp-templates/postgres-ssl/blob/main/init-ssl.sh
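For the self-signed route mentioned above, the added script below (not Railway's `init-ssl.sh`, not taken from the linked repository) mints a certificate for a non-HTTP TCP service and checks the pair before a service is pointed at it: the hostname goes into a SAN (clients no longer accept CN alone), the key is written with mode 600, and the key and certificate are compared by public key. `CERT_DIR`, `SERVICE_HOST`, `DAYS`, `RUN_SELF_SIGNED` and the function names are assumptions for this example; the `openssl` flags used (`req -x509 -addext`, `x509 -pubkey`, `pkey -pubout`) exist in OpenSSL 1.1.1 and later.

```shell
#!/bin/sh
# Added example: self-signed certificate for a TCP service (e.g. a database
# behind a TCP proxy), with a key/cert match check. Names are assumptions.
set -eu

CERT_DIR="${CERT_DIR:-/var/lib/tls}"          # assumed output directory
SERVICE_HOST="${SERVICE_HOST:-db.internal}"   # constructed hostname clients will verify
DAYS="${DAYS:-365}"                           # short validity; rotate rather than extend

# Generate an RSA key and a self-signed cert with the host in a SAN and a
# serverAuth EKU, then lock down the private key's permissions.
make_self_signed() {
  dir="$1"; host="$2"; days="$3"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -days "$days" \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" \
    -addext "extendedKeyUsage=serverAuth" \
    -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
  chmod 600 "$dir/server.key"   # private key: owner only
  chmod 644 "$dir/server.crt"   # certificate is public
}

# Returns 0 when the private key and certificate carry the same public key,
# which catches a stale cert copied next to a regenerated key.
verify_pair() {
  dir="$1"
  crt_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/server.key" -pubout)
  [ "$crt_pub" = "$key_pub" ]
}

# Print the SAN line (e.g. "DNS:db.internal") so the name clients must
# connect with can be confirmed before distributing the cert.
cert_san() {
  openssl x509 -in "$1/server.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

if [ "${RUN_SELF_SIGNED:-0}" = 1 ]; then
  make_self_signed "$CERT_DIR" "$SERVICE_HOST" "$DAYS"
  verify_pair "$CERT_DIR" && echo "ok: $(cert_san "$CERT_DIR")"
fi
```

Because nothing signs this certificate, each client has to trust `server.crt` explicitly (for example `sslrootcert=server.crt` with `sslmode=verify-full` for Postgres) rather than fall back to verifying nothing; distributing the certificate file, never the key, is what makes the TCP connection authenticated as well as encrypted.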
brody wrote:
> Not too sure how HTTP certs for the HTTP domain helps with the TCP Proxy, you might have a slight misconception on how that works. Either way, you can always self-sign certificates, we do this for Postgres. https://github.com/railwayapp-templates/postgres-ssl/blob/main/init-ssl.sh
2 months ago
Misconception is right: thought they could be reused since both X.509. Not thrilled on self-signed, will look at CAs
kruegernet wrote:
> Misconception is right: thought they could be reused since both X.509. Not thrilled on self-signed, will look at CAs
2 months ago
Actually are you sure you cannot use the cert from letsencrypt with http extensions as TLS certs for any TCP service?
kruegernet wrote:
> Actually are you sure you cannot use the cert from letsencrypt with http extensions as TLS certs for any TCP service?
2 months ago
I'm like 99% sure this works, pretty sure I've done it before.
2 months ago
The certs are for the *up.railway.app wildcard, I can't see that working too well, and either way, we do not provide them, and have no plans to provide them as readable files.
brody wrote:
> The certs are for the *up.railway.app wildcard, I can't see that working too well, and either way, we do not provide them, and have no plans to provide them as readable files.
2 months ago
This is for a custom domain.
2 months ago
I'm sorry, we have no plans to provide access to the generated certificate.
Status changed to Closed brody • 2 months ago