Add LetsEncrypt support to PMM Server

Description

During the pmmdemo.percona.com update we need to perform a lot of manual steps to install Let's Encrypt certificates inside the container.
I propose creating a Docker variable LETSENCRYPT_DOMAIN for our usual container, which will automate SSL certificate setup.

It is simple; only a few commands need to be run.

Add the following lines to /etc/nginx/conf.d/pmm.conf:

# .well-known
location /.well-known {
    alias /usr/share/pmm-server/.well-known;
    auth_basic off;
}

Run commands:

# certbot certonly --agree-tos --register-unsafely-without-email --webroot -w /usr/share/pmm-server -d ${LETSENCRYPT_DOMAIN}
# ln -f -s /etc/letsencrypt/live/${LETSENCRYPT_DOMAIN}/fullchain.pem /srv/nginx/certificate.crt
# ln -f -s /etc/letsencrypt/live/${LETSENCRYPT_DOMAIN}/privkey.pem /srv/nginx/certificate.key
# printf '#!/bin/bash\n\n/bin/certbot renew\nnginx -s reload\n' > /etc/cron.daily/certbot
# chmod 755 /etc/cron.daily/certbot

Benefit:
All our users with a publicly accessible PMM will be able to get absolutely valid TLS/SSL certificates automatically for free.

How to test

None

How to document

None
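
An added example, not PMM Server's own code and not part of the ticket: LETSENCRYPT_DOMAIN would be interpolated into the certbot arguments and the /etc/letsencrypt/live/ paths, so this script checks that it is a plain hostname before any step is built and prints the steps as a dry run. The names valid_domain and letsencrypt_plan and the sample values are assumptions; the two nginx restarts follow David Bennett's notes in the comments on this ticket.

```shell
#!/bin/sh
# Added example, not PMM Server code. valid_domain and letsencrypt_plan are hypothetical names.
LC_ALL=C; export LC_ALL   # byte-wise character ranges in the patterns below

# Succeed only for a plain multi-label DNS hostname. Anything containing '/',
# whitespace or shell metacharacters, or starting with '-', is rejected, so the
# value cannot alter the certbot options or escape /etc/letsencrypt/live/.
valid_domain() {
    d=$1
    [ -n "$d" ] && [ "${#d}" -le 253 ] || return 1
    case $d in
        *[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    esac
    case $d in *.*) ;; *) return 1 ;; esac      # require at least two labels
    old_ifs=$IFS; IFS=.
    for label in $d; do                         # each label is at most 63 bytes
        [ "${#label}" -le 63 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# Dry run: print the ticket's steps in order for a validated domain.
# The nginx restarts are placed where the comment on this ticket says they are needed.
letsencrypt_plan() {
    valid_domain "$1" || { echo "refusing LETSENCRYPT_DOMAIN: not a plain hostname" >&2; return 1; }
    live=/etc/letsencrypt/live/$1
    cat <<EOF
systemctl restart nginx
certbot certonly --agree-tos --register-unsafely-without-email --webroot -w /usr/share/pmm-server -d $1
ln -f -s $live/fullchain.pem /srv/nginx/certificate.crt
ln -f -s $live/privkey.pem /srv/nginx/certificate.key
systemctl restart nginx
EOF
}

# Constructed sample values for illustration.
for sample in 'pmm.example.com' '../../etc' '-d.example.com' 'pmm example.com'; do
    if valid_domain "$sample"; then echo "accept: $sample"; else echo "reject: $sample"; fi
done
letsencrypt_plan 'pmm.example.com'
```

Wildcard names are rejected on purpose, since the webroot method used in the ticket cannot validate them.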

Activity

Alexey Palazhchenko December 25, 2019 at 5:59 AM

David Bennett December 6, 2018 at 12:05 AM

I was able to get this to work. Tested on 1.17.0 server. A couple of notes:

  • nginx needs to be restarted after modifying pmm.conf with systemctl restart nginx and before the certbot certonly call

  • nginx needs to be restarted again after certificates and key are linked.

I am not 100% sure, but I think this may be needed for pmm-admin to work properly with a Let's Encrypt certificate:

ln -f -s /etc/letsencrypt/live/${LETSENCRYPT_DOMAIN}/fullchain.pem /srv/nginx/ca-certs.pem

Manjot Singh October 31, 2017 at 8:33 PM

I think this would be useful.

Mykola Marzhan October 11, 2017 at 8:32 AM

,
what do you think?

Details

Needs QA

Yes

Needs Doc

Yes

Created October 11, 2017 at 8:31 AM
Updated March 27, 2024 at 2:58 PM