diff --git a/posts/internalca/index.md b/posts/internalca/index.md index 533208e..4e18710 100644 --- a/posts/internalca/index.md +++ b/posts/internalca/index.md 
@@ -78,22 +78,21 @@ You can try to request a certificate from your ACME server with: ```sh step ca certificate --provisioner acme ``` -Please note that this last command might not work if you already have a service listening on port 80 as it launches a web server. +Please note that this last command might not work if you already have a service listening on port 80 as it launches an HTTP server. ## Actual usage -Remember that your ACME server must be able to find your servers to give them certificates; you might be good by just requesting certs with IPs but, in case you want to distribute named certificates (don't know if that's how they're called, but you get me), don't forget to add a DNS entry to your local resolver for each server that needs named certs. +Remember that your ACME server must be able to find your servers to give them certificates; you might be good by just requesting certs with IPs but, in case you want to distribute "named certificates" (probably not the right way to call them, but you get me), don't forget to add a DNS entry to your local DNS server for each (v)host that needs a "named cert". ### Traefik -I have been proxying my services with [Traefik](https://traefik.io/) for almost a year now and I don't regret switching to it one bit; it is easier to expose my conteneurised service, easier to get new certificates, easier to use in general. -I might have had a hard time setting up all the TLS params at the begging but it was all worth it in the end. -I won't do a tutorial on how to setup a Traefik reverse proxy, but I'll just show you how to use it like you'd normally use the Letsencrypt resolver. 
-To add your ACME server as an SSL certs resolver, add these commands to your Traefik container (you don't have to delete the other resolver to do so, just in case you were thinking about it): +I have been proxying my services with [Traefik](https://traefik.io/) for a while now and I don't regret switching to it one bit; it is easier to expose my *containerised* service, easier to get new certificates, easier to use in general. *I might have had a hard time setting up all the TLS params at the beginning but it was all worth it in the end though.* +I won't do a tutorial on how to setup a Traefik reverse proxy, but I'll show you how to use it like you'd normally use the Let's Encrypt resolver. +To add your ACME server as a certificates resolver, add these commands to your Traefik container (you can add multiple resolvers; I personally have Let's Encrypt AND my internal CA setup): ```yaml # Lets call the resolver myca # The HTTP entrypoint is called http -# Your caServer's addresse in myca.lan +# Your caServer's address in myca.lan - "--certificatesresolvers.myca.acme.httpchallenge=true" - "--certificatesresolvers.myca.acme.httpchallenge.entrypoint=http" - "--certificatesresolvers.myca.acme.caServer=https://myca.lan/acme/acme/directory"
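Review bot: the new `caServer=https://myca.lan/acme/acme/directory` line points Traefik's ACME client at an HTTPS directory served by the internal CA itself, but nothing in the rewritten Traefik paragraph says how Traefik is made to trust that CA's root certificate; without it the client will refuse the directory's TLS certificate and the resolver never issues anything, so the text should state how the root is provided to the container (for a lego-based client such as Traefik's, the `LEGO_CA_CERTIFICATES` environment variable is the usual way; adjust if you do it differently). In the same hunk, the comment `# Your caServer's addresse in myca.lan` was only half-fixed: `address in myca.lan` should read `address is myca.lan`, and `# Lets call the resolver myca` wants `Let's`. Minor wording in the added prose: "setup" is the noun, so "how to setup a Traefik reverse proxy" and "my internal CA setup" should be "set up"; and "I might have had a hard time ... but it was all worth it in the end though" doubles the contrast ("but" and "though"), drop one.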