website/docs: add small let's encrypt docs
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent 87e99625e6
commit 457e17fec3
@ -52,6 +52,9 @@ def certificate_discovery(self: MonitoredTask):
continue
if path.is_dir():
continue
# For certbot setups, we want to ignore archive.
if "archive" in file:
continue
# Support certbot's directory structure
if path.name in ["fullchain.pem", "privkey.pem"]:
cert_name = path.parent.name
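Review bot: `if "archive" in file:` is a substring test on the whole path string, so it skips not only certbot's `archive/` directory but any file whose path contains that word anywhere (a directory named `archived-certs`, a file named `old-archive.pem`), and it does so silently. Since `path` is already a `Path` object here (`path.is_dir()`, `path.name`, `path.parent` are used), testing the directory component keeps the intent the comment states and avoids the false matches: `if "archive" in path.parts: continue`. A debug-level log line naming each skipped file would also let an operator whose certificate never appears see why, and the `fullchain.pem`/`privkey.pem` branch deserves a comment that both files deliberately map to the same `cert_name` (the parent folder) so they are paired as one certificate.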
@ -40,6 +40,7 @@ You can also bind mount single files into the folder, as long as they fall under
- If the file is called `fullchain.pem` or `privkey.pem` (the output naming of certbot), they will get the name of the parent folder.
- Files can be in any arbitrary file structure, and can have extension.
- If the path contains `archive`, the files will be ignored (to better support certbot setups).
```
certs/
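Review bot: the bullet `Files can be in any arbitrary file structure, and can have extension.` is missing a word and should read `can have any extension` (or state which extensions discovery accepts). The `archive` bullet should also make clear that the match is on the path as a whole, not only on certbot's `archive/` directory, so users do not place their own certificates under a folder containing that word and wonder why they are never picked up.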
@ -55,3 +56,52 @@ certs/
```
Files are checked every 5 minutes, and will trigger an Outpost refresh if the files differ.
## Web certificates
Starting with authentik 2021.12.4, you can configure the certificate authentik uses for its core webserver. For most deployments this will not be relevant and reverse proxies are used, but this can be used to create a very compact and self-contained authentik install.
#### Let's Encrypt
To use let's encrypt certificates with this setup, using certbot, you can use this compose file:
```yaml
version: '3.6'
services:
certbot:
image: certbot/dns-route53:v1.22.0
volumes:
- ../authentik/certs/:/etc/letsencrypt
- ./letsencrypt:/var/lib/letsencrypt
# Variables depending on DNS Plugin
environment:
AWS_ACCESS_KEY_ID: ...
command:
- certonly
- --non-interactive
- --agree-tos
- -m your.email@company
- -d authentik.company
# Again, match with your provider
- --dns-route53
```
This compose file expects a folder structure like this:
```
certbot/
├── docker-compose.yaml
└── letsencrypt/
authentik/
├── certs
├── custom-templates
├── docker-compose.yml
└── media
```
After you've created the certbot stack, and let it run, you should see a new Certificate appear in authentik. (If the certificate does not appear, restart the worker container. This is caused by incompatible permissions set by certbot).
Navigate to *System -> Tenants*, edit any tenant and select the certificate of your choice.
Keep in mind this certbot container will only run once, but there are a variety of ways to schedule regular renewals.
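Review bot: the parenthetical `If the certificate does not appear, restart the worker container. This is caused by incompatible permissions set by certbot` gives a workaround without stating the problem; say which files and which ownership or mode trigger it, and whether the restart actually corrects the permissions or only re-runs discovery, otherwise readers will restart the worker after every renewal. Three smaller points: the `environment:` block shows only `AWS_ACCESS_KEY_ID: ...`, and a sentence that the credential should be limited to updating the DNS zone used for validation would be worth adding; the heading `#### Let's Encrypt` skips a level under `## Web certificates` (use `###`); and the closing sentence about the container running only once should point readers at how renewal is expected to be scheduled, since an expired certificate on the core webserver is exactly the failure this section should help avoid.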
@ -67,6 +67,22 @@ AUTHENTIK_AUTHENTIK__GEOIP=/geoip/GeoLite2-City.mmdb
The GeoIP database will automatically be updated every 8 hours.
## Running on Port 80/443
By default, authentik listens on port 9000 for HTTP and 9443 for HTTPS. To change this, you can use a [docker-compose override file](https://docs.docker.com/compose/extends/#adding-and-overriding-configuration).
Create a file called `docker-compose.override.yml` with the following contents:
```yaml
version: '3.2'
services:
server:
ports:
- "0.0.0.0:80:9000"
- "0.0.0.0:443:9443"
```
## Startup
Afterwards, run these commands to finish
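Review bot: `- "0.0.0.0:80:9000"` publishes the plain-HTTP listener on every interface, and the text should say whether authentik redirects port 80 to 443 or tell readers who want TLS only to drop that line; a section titled `Running on Port 80/443` invites the assumption that both ports are protected. Also, `version: '3.2'` here differs from the `'3.6'` used in the certbot compose example added in the same commit; pick one. The final line `Afterwards, run these commands to finish` ends the hunk mid-thought, so confirm the commands still follow in the unchanged context below.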