I’ve never used mattermost… happy to show you all the charm code… it’s currently published to the charmhub under the beta channel…
Below is an example AWS-ready bundle yaml
if you don’t use spaces, simply drop those bindings… In prod we put the mahrio-webapp behind the private space and NGINX wires towards it via juju relation
If you need more just let me know… I imagine I would need your GitLab name but happy to get you access… I tried using the official certbot and nginx and sadly it was all just not very clear to me how to use it… my hope was one day to get off this one-off of mine and wire in the “official” operator… but that is a low low priority in the scheme of things for me…
It’s OK, I have a few items open as it seems… the postgresql database backup/restore process with @mthaddon is more of a concern since I have no good way of taking backups with it atm.
The certbot thing is something I think I can manage…
In fact I chatted with the author of the GitHub repo that backs this back at the beginning of winter… my issue was I couldn’t sort it out and needed to launch “something” … and so just rolled certbot myself… indeed it appears it could offer a nice way forward if I can sort out the plugins it has/uses…
and by no means am I knocking the author… I was in a huge rush that month
edit: I recall one reason I didn’t feel too comfortable with this way was… I was leaving AWS credentials with the charm and controller… just for the certbot to run once… and opted instead to run a process at the beginning of a new domain launch … something which happens not very often right now… We only use READ-ONLY deploy keys in all our charms … with the exception of course of the controller cloud credential… and we want to keep it that way for as long as possible.
@emcp I think Martin Hilton isn’t working for Canonical any longer and perhaps isn’t maintaining it.
I use DNS acme challenges so I can’t use this charm atm. I’m not sure exactly how I would implement that yet, but it would for sure be useful, this kind of charm.
Perhaps we could collaborate on getting this charm updated if you are up for it?
I think we’re definitely doing the same thing… and I am happy to share knowledge so the best operator charm can arise from whatever work we’ve got… my hope with the Juju Charm community is things like this happening… freedom to experiment on charms myself… while also keeping an eye on who else is working on the same exact modules/components… so that our efforts can be combined… I notice though with some of those older charms, as you mentioned, people move on and then the charm code is locked in a launchpad or github
with the plugins and subordinate charms I think I still have something to learn how those work and when to use them
As I’ve inherited most things from Martin Hilton, let me know if there’s anything related to certbot I can help with…
I can just confirm that we’re using the certbot charm regularly in combination with AWS’ Route53 and it works a treat. Running the action obtains certs/keys/chain and is quite painless.
It seems we can try to get something small going together @emcp you and myself.
Would it be possible to have a short meeting some day soon so we can discuss it?
I’m using certbot with dns challenge:
certbot certonly --manual --preferred-challenges dns -d "mysite.example.com" --agree-tos --email foo@example.com
At which point I get a token (**********) which I need to add to my DNS at a TXT record
_acme-challenge.mysite.example.com ********
I’m not sure how to implement such a solution yet, but perhaps with your help I can figure it out and totally would love to collaborate with you also on how we could discover how to actually improve the community aspects of charming.
I have tested the certbot charm together with the haproxy charm and it seems to work quite well. However, I can’t figure out how to use domain-alias with it. Do you know if it is supported somehow?
For nginx it works quite well… we have multiple domains that we instantiate in NGINX… and certbot just auto-speaks to NGINX… prompting you one time which of those domains you want to use TLS for… maybe we can jump on a session later so I can see what HAProxy does differently. The certbot-mahrio charm doesn’t track anything about the certs… it just installs certbot and then you have to intervene manually one time… but once that’s done it auto renews / edits NGINX automatically…
@alesstimec It’s not about holding multiple certificates, I think… Let me explain.
We use Route53 and have set up an alias for the dns challenge. Currently we use acme.sh (https://github.com/acmesh-official/acme.sh). Using the docker container it would typically be like:
So with certbot, the domain for the certificate would be domain.com but for the challenge we want to use acme.domain.dev.
It seems like the charm does only support specifying --domains. And when I think about it, it might be that certbot itself does not support this. If that is the case it would of course be difficult to make the charm support it.
Note that I’m quite new to working with certificates.
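One way to get the acme.sh `--challenge-alias` behaviour out of plain certbot is a `--manual-auth-hook` that writes the validation TXT record into the alias zone; the CA follows the CNAME from `_acme-challenge.domain.com`, so certbot itself never needs to know about the alias. This is an added example, not the certbot charm's code or anything from the thread; it assumes the CNAME `_acme-challenge.domain.com -> _acme-challenge.acme.domain.dev` already exists, and the script name, `ALIAS_DOMAIN` and `ALIAS_ZONE_ID` are names chosen here.

```shell
#!/bin/sh
# Added example (not the charm's code). Used under certbot as:
#   certbot certonly --manual --preferred-challenges dns -d domain.com \
#     --manual-auth-hook ./alias-auth.sh
# Assumes: CNAME _acme-challenge.domain.com -> _acme-challenge.acme.domain.dev
# exists, and ALIAS_ZONE_ID is the Route53 hosted zone id of domain.dev.
# ALIAS_DOMAIN / ALIAS_ZONE_ID / alias-auth.sh are this example's own names.
set -eu

ALIAS_DOMAIN="${ALIAS_DOMAIN:-acme.domain.dev}"

# The TXT record is written in the alias zone, not in the certificate's zone;
# the credentials the hook runs with therefore only need write access there.
challenge_record_name() {
    # $1 = alias domain
    printf '_acme-challenge.%s' "$1"
}

# Route53 change batch for the validation token. UPSERT keeps re-runs
# (renewals) idempotent; a short TTL keeps stale tokens from lingering.
route53_change_batch() {
    # $1 = record name, $2 = validation token handed over by certbot
    printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"TXT","TTL":60,"ResourceRecords":[{"Value":"\\"%s\\""}]}}]}' "$1" "$2"
}

# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION when it runs the hook.
# Outside certbot (no CERTBOT_VALIDATION) the script only defines the functions.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    name="$(challenge_record_name "$ALIAS_DOMAIN")"
    batch="$(route53_change_batch "$name" "$CERTBOT_VALIDATION")"
    aws route53 change-resource-record-sets \
        --hosted-zone-id "$ALIAS_ZONE_ID" --change-batch "$batch"
    sleep 30   # let the record propagate before certbot asks the CA to validate
fi
```

A matching `--manual-cleanup-hook` would issue the same batch with `"Action":"DELETE"` so tokens do not accumulate in the alias zone.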