website/docs: add small let's encrypt docs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-12-23 00:59:06 +01:00
parent 87e99625e6
commit 457e17fec3
3 changed files with 69 additions and 0 deletions

View File

@ -52,6 +52,9 @@ def certificate_discovery(self: MonitoredTask):
continue continue
if path.is_dir(): if path.is_dir():
continue continue
# For certbot setups, we want to ignore archive.
if "archive" in file:
continue
# Support certbot's directory structure # Support certbot's directory structure
if path.name in ["fullchain.pem", "privkey.pem"]: if path.name in ["fullchain.pem", "privkey.pem"]:
cert_name = path.parent.name cert_name = path.parent.name

View File

@ -40,6 +40,7 @@ You can also bind mount single files into the folder, as long as they fall under
- If the file is called `fullchain.pem` or `privkey.pem` (the output naming of certbot), they will get the name of the parent folder. - If the file is called `fullchain.pem` or `privkey.pem` (the output naming of certbot), they will get the name of the parent folder.
- Files can be in any arbitrary file structure, and can have extension. - Files can be in any arbitrary file structure, and can have extension.
- If the path contains `archive`, the files will be ignored (to better support certbot setups).
``` ```
certs/ certs/
@ -55,3 +56,52 @@ certs/
``` ```
Files are checked every 5 minutes, and will trigger an Outpost refresh if the files differ. Files are checked every 5 minutes, and will trigger an Outpost refresh if the files differ.
## Web certificates
Starting with authentik 2021.12.4, you can configure the certificate authentik uses for its core webserver. For most deployments this will not be relevant and reverse proxies are used, but this can be used to create a very compact and self-contained authentik install.
#### Let's Encrypt
To use let's encrypt certificates with this setup, using certbot, you can use this compose file:
```yaml
version: '3.6'
services:
certbot:
image: certbot/dns-route53:v1.22.0
volumes:
- ../authentik/certs/:/etc/letsencrypt
- ./letsencrypt:/var/lib/letsencrypt
# Variables depending on DNS Plugin
environment:
AWS_ACCESS_KEY_ID: ...
command:
- certonly
- --non-interactive
- --agree-tos
- -m your.email@company
- -d authentik.company
# Again, match with your provider
- --dns-route53
```
This compose file expects a folder structure like this:
```
certbot/
├── docker-compose.yaml
└── letsencrypt/
authentik/
├── certs
├── custom-templates
├── docker-compose.yml
└── media
```
After you've created the certbot stack, and let it run, you should see a new Certificate appear in authentik. (If the certificate does not appear, restart the worker container. This is caused by incompatible permissions set by certbot).
Navigate to *System -> Tenants*, edit any tenant and select the certificate of your choice.
Keep in mind this certbot container will only run once, but there are a variety of ways to schedule regular renewals.

View File

@ -67,6 +67,22 @@ AUTHENTIK_AUTHENTIK__GEOIP=/geoip/GeoLite2-City.mmdb
The GeoIP database will automatically be updated every 8 hours. The GeoIP database will automatically be updated every 8 hours.
## Running on Port 80/443
By default, authentik listens on port 9000 for HTTP and 9443 for HTTPS. To change this, you can use a [docker-compose override file](https://docs.docker.com/compose/extends/#adding-and-overriding-configuration).
Create a file called `docker-compose.override.yml` with the following contents:
```yaml
version: '3.2'
services:
server:
ports:
- "0.0.0.0:80:9000"
- "0.0.0.0:443:9443"
```
## Startup ## Startup
Afterwards, run these commands to finish Afterwards, run these commands to finish