undefined | Better HN

0 pointsmxuribe1y ago0 comments

I have not automated much of my setup...but for the nginx and certbot portion, i think there is an option you can choose to have certbot NOT alter your nginx config (basically, leave it as-is)...and because the change that certbot applies (if i recall correctly) is really only insert the location(s) of the cert files under like /etc...i think you can apply the cert location initially in your nginx config, have certbot do its thing, then have it not change your config, and proceed. If nginx complains about having the cert locations present in congif file and the certs technically don't exist yet (since certbot has not done its thing at this stage)...then there's always the not-sopisticated method of starting with your nginx config without those cert locations, then have certbot alter your config, then have one of your automated steps re-replace the config with one that has all your needs plus has the expected certbot cert location parths inserted....like i said, not sophisticated, but it would work. I'm sure there are severral other ways to do this beyond what i noted. ;-)

0 comments

bluehatbrit1y ago

As you say, nginx does complain about the cert files not existing, so that's pretty close to what I do. I just start with the non-ssl version, let certbot do it's thing, and then copy the result after it's deployed (if I remember). It's mildly annoying, but it takes about 2 minutes in total so it's been like that for 2 years now.

I'm sure there's something smarter I can do, like reading back the result afterwards or someting and altering my local file. But honestly, once nginx is configured for an application, I almost never touch the config again anyway.

I suspect I'm more likely to move everything over to cloudflare tunnels and ditch dealing with ssl locally altogether at this point.

mxuribeOP1y ago

Ah ok, gotcha. Yeah I'm the same that when my nginx config is done, I rarely touch it again. Also I have been playing with Caddy just to avoid the hassle of the cert management...to see if it can handle traffic like nginx can. So far my tests are showing Caddy as a pretty good replacement. (I should note that my scaling needs are quite low since, you know, I'm not a startup nor am I a massively large web service :-) )

j / k navigate · click thread line to collapse

0 comments

bluehatbrit1y ago

I suspect I'm more likely to move everything over to cloudflare tunnels and ditch dealing with ssl locally altogether at this point.

mxuribeOP1y ago

j / k navigate · click thread line to collapse