The following instructions show how to do a manual LetsEncrypt handshake for Caddy, including for internal IPs.
It helps work around challenges getting a TLS certificate in some enterprise environment. This is common due to internal security team processes, and further complicated by firewall policies preventing outbound communications needed for LetsEncrypt's automatic TLS certificate generation protocol's handshake.
The instructions can be used in two ways:
- Graphistry staff can assist with TLS setup, including a temporary Graphistry-owned DNS entry such as
https://<my-org>.graphistry.com. - The same instructions can be used with DNS entries you control
Skip if Graphistry staff is handling for you
On your home machine or any other with internet access and Python, such as a container:
sudo pip install certbotsudo pip install cryptography --upgradesudo certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d '<domain>'
Domain is an entry like 'my-org.graphistry.com' -- not https:// needed
Skip if Graphistry staff is handling for you
-
Add the TXT challenge (key+value) to the DNS records for your domain
-
Save the keys emitted on the machine from Step 1 when LE successfully verifies the TXT record
In your Graphistry server:
-
Copy
privkey.pem,fullchain.pemto${GRAPHISTRY_HOME}/data/caddy/config/ -
Edit
${GRAPHISTRY_HOME}/data/config/Caddyfile:
my-org.graphistry.com {
tls /config/fullchain.pem /config/privkey.pem
respond /caddy/health/ 200 {
body "{\"success\": true}"
close
}
reverse_proxy nginx:80
}
From ${GRAPHISTRY_HOME}, run:
docker-compose up -d --force-recreate --no-deps caddy- Watch logs with
docker-compose logs -f -t --tail=1 caddy
- follow steps 1-4 above
docker-compose stop caddy& remove caddy generate files in data/caddy/{data,config}/*docker-compose up -d --force-recreate --no-deps caddy