Alternatives to Nginx/Certbot

[josecelano]

I've been working on a PR for docker support.

When it comes to deploying the containerized application, one of the hardest things is generating and renewing the HTTPS certificate by using Let's Encrypt.

You usually need to mount a volume into the Nginx and Certbot containers. You need to add a lot of extra configurations. There is a lot of information about how to do it, and I started working on a docker-compose configuration for the tracker here.

The problem is I think you need a lot of boilerplate, and it would be nice if we could just run the application, and the application can handle the certificates in a more innovative autonomous way.

On the other hand, I've found a lot of problems trying to deploy a multi-container app to some cloud services. For example:

• Azure Container Instances for docker-compose have a low resource limit. It did not work for me with four containers (Nginx/certbot/tracker/MySQL). It did work even with two containers (Nginx/tracker).
• Digital Ocean App Platfom only allows you to use single container.

I see at least two alternatives:

Other web servers or docker images

• Caddy web server has a built-in automatic HTTPS.
• Some docker images integrate Nginx and Certbot. For example, this one.

I discarded those options because most people are familiar with Ngxin/Certbot configuration.

Use the tracker

The application already allows you to use your certificates.

[[http_trackers]]
enabled = false
bind_address = "0.0.0.0:7070"
ssl_enabled = false
ssl_cert_path = ""
ssl_key_path = ""

[http_api]
enabled = true
bind_address = "0.0.0.0:8080"
ssl_enabled = false
ssl_cert_path = ""
ssl_key_path = ""

The problem is you have to renew them manually and restart the app.

If the app could generate and renew the certificates, that would make the infrastructure dependencies and deployment much more effortless. I have seen some projects that handle certificates.

There are also some options:

• We can write the code to create and renew certificates. It's just an extra setup and maybe a thread/worker to renew it.
• We could try to find a web framework plugin/crate

Plugin for web frameworks

• https://github.com/ctm/actix-web-lets-encrypt
• https://crates.io/crates/lets-encrypt-warp

The lets-encrypt-warp crate allows you to extend the warp web framework with endpoints to generate and renew Let's Encrypt certificates. I think that is awesome @droundy! I like the idea of running cargo run with some env vars without worrying about providing certificates. It would be nice to create a new virtual machine on any cloud provider or your host and just run the following:

git clone git@github.com:torrust/torrust-tracker.git
LETS_ENCRIPT_EMAIL=email cargo run

By default, we could generate a localhost certificate if you are using a loopback address (without reverse proxy) and a live certificate in any other case.

What do you think @da2ce7 @WarmBeer?

Rust clients

These are only alternatives to certbot, which I think do not add any extra benefit.

• https://github.com/onur/acme-client