feat: add optional letsencrypt tls

This commit is contained in:
bisco
2026-06-24 11:06:33 +02:00
parent 1e3685bab8
commit 719cdce9c1
19 changed files with 561 additions and 62 deletions
+28 -2
View File
@@ -38,7 +38,33 @@
4. Inspect `docker compose logs --tail=200 proxy backend frontend`.
5. Verify local DNS or `/etc/hosts` maps `azionelab.org` to the proxy address.
## Let's Encrypt does not issue a certificate
1. Confirm `LETSENCRYPT_ENABLED=1` and that `docker compose ps -a certbot proxy` shows
both containers running and the proxy healthy.
2. Check that the domain's public A/AAAA records point to this host. Remove an AAAA
record if IPv6 does not actually reach it.
3. Verify inbound TCP port 80 reaches NGINX; HTTP-01 cannot use only port 443.
4. Request `http://azionelab.org/.well-known/acme-challenge/missing`: a 404 from NGINX
confirms the challenge route is reachable, while a timeout or another server does
not.
5. Inspect `docker compose logs --tail=200 certbot proxy` for ACME validation or rate
limit errors. Do not repeatedly retry the production CA; use staging while fixing
connectivity.
## HTTPS is not activated after issuance
1. Run `docker compose run --rm --no-deps --entrypoint certbot certbot certificates`.
2. Confirm `LETSENCRYPT_DOMAIN` exactly matches the certificate name used by both
services.
3. Wait for `TLS_RELOAD_INTERVAL_SECONDS`, then inspect proxy logs for `nginx -t` or
reload errors.
4. Run `docker compose exec proxy nginx -t` and check HTTPS locally with an explicit
DNS override.
## Rollback
Revert the application commit and rebuild containers. Preserve database/media volumes.
Before reversing migrations or deleting volumes, make and validate coordinated backups.
Disable Certbot with `LETSENCRYPT_ENABLED=0` if TLS is moving to a load balancer, then
recreate the affected services. Revert the application commit and rebuild containers
for a full rollback. Preserve database, media, and certificate volumes. Before
reversing migrations or deleting volumes, make and validate coordinated backups.