website/docs: add small let's encrypt docs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-23 00:59:06 +01:00 · 2021-12-23 00:59:06 +01:00 · 457e17fec3
parent 87e99625e6
commit 457e17fec3
3 changed files with 69 additions and 0 deletions
--- a/authentik/crypto/tasks.py
+++ b/authentik/crypto/tasks.py
@ -52,6 +52,9 @@ def certificate_discovery(self: MonitoredTask):
            continue
        if path.is_dir():
            continue
+        # For certbot setups, we want to ignore archive.
+        if "archive" in file:
+            continue
        # Support certbot's directory structure
        if path.name in ["fullchain.pem", "privkey.pem"]:
            cert_name = path.parent.name
--- a/website/docs/core/certificates.md
+++ b/website/docs/core/certificates.md
@ -40,6 +40,7 @@ You can also bind mount single files into the folder, as long as they fall under

 - If the file is called `fullchain.pem` or `privkey.pem` (the output naming of certbot), they will get the name of the parent folder.
 - Files can be in any arbitrary file structure, and can have extension.
+- If the path contains `archive`, the files will be ignored (to better support certbot setups).

 ```
 certs/
@ -55,3 +56,52 @@ certs/
 ```

 Files are checked every 5 minutes, and will trigger an Outpost refresh if the files differ.
+
+## Web certificates
+
+Starting with authentik 2021.12.4, you can configure the certificate authentik uses for its core webserver. For most deployments this will not be relevant and reverse proxies are used, but this can be used to create a very compact and self-contained authentik install.
+
+#### Let's Encrypt
+
+To use let's encrypt certificates with this setup, using certbot, you can use this compose file:
+
+```yaml
+version: '3.6'
+
+services:
+  certbot:
+    image: certbot/dns-route53:v1.22.0
+    volumes:
+      - ../authentik/certs/:/etc/letsencrypt
+      - ./letsencrypt:/var/lib/letsencrypt
+    # Variables depending on DNS Plugin
+    environment:
+      AWS_ACCESS_KEY_ID: ...
+    command:
+      - certonly
+      - --non-interactive
+      - --agree-tos
+      - -m your.email@company
+      - -d authentik.company
+      # Again, match with your provider
+      - --dns-route53
+```
+
+This compose file expects a folder structure like this:
+
+```
+certbot/
+├── docker-compose.yaml
+└── letsencrypt/
+authentik/
+├── certs
+├── custom-templates
+├── docker-compose.yml
+└── media
+```
+
+After you've created the certbot stack, and let it run, you should see a new Certificate appear in authentik. (If the certificate does not appear, restart the worker container. This is caused by incompatible permissions set by certbot).
+
+Navigate to *System -> Tenants*, edit any tenant and select the certificate of your choice.
+
+Keep in mind this certbot container will only run once, but there are a variety of ways to schedule regular renewals.
--- a/website/docs/installation/docker-compose.md
+++ b/website/docs/installation/docker-compose.md
@ -67,6 +67,22 @@ AUTHENTIK_AUTHENTIK__GEOIP=/geoip/GeoLite2-City.mmdb

 The GeoIP database will automatically be updated every 8 hours.

+## Running on Port 80/443
+
+By default, authentik listens on port 9000 for HTTP and 9443 for HTTPS. To change this, you can use a [docker-compose override file](https://docs.docker.com/compose/extends/#adding-and-overriding-configuration).
+
+Create a file called `docker-compose.override.yml` with the following contents:
+
+```yaml
+version: '3.2'
+
+services:
+  server:
+    ports:
+      - "0.0.0.0:80:9000"
+      - "0.0.0.0:443:9443"
+```
+
 ## Startup

 Afterwards, run these commands to finish