This repository has been archived by the owner on Mar 9, 2023. It is now read-only.
Rukaya edited this page Feb 19, 2020 · 3 revisions

SSL

We use Let's Encrypt for SSL certificates, as it easily allows us to automate certificate renewals.

Renewing certificates

Automatic certificate renewal for data.gbif.no and archive.gbif.no is done using dehydrated.

Everything should just happen automatically (on the 1st of every month), but if something goes wrong, simply run /opt/bin/renew to renew the certificates. This script will also concatenate privkey.pem and cert.pem so lighttpd can use the certificates.
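A sketch of the concatenation step described above, as an added example: it is not the actual /opt/bin/renew script, which this page does not show. The function name, the per-domain directory argument and the output path are assumptions.

```shell
#!/bin/sh
# Added example, not the project's /opt/bin/renew.
# Assumed layout: one directory per domain holding privkey.pem and cert.pem.

# build_lighttpd_pem CERT_DIR OUT_FILE   (hypothetical helper name)
# Concatenate private key + certificate into the single file lighttpd reads.
build_lighttpd_pem() {
    dir=$1
    out=$2
    key="$dir/privkey.pem"
    crt="$dir/cert.pem"

    # Refuse to build from missing or empty inputs, so a failed renewal
    # never replaces a working certificate file with a broken one.
    [ -s "$key" ] && [ -s "$crt" ] || {
        echo "missing or empty key/cert in $dir" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || {
        echo "$key: no private key block" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$crt" || {
        echo "$crt: no certificate block" >&2; return 1; }

    # The combined file contains the private key: mktemp creates it
    # readable by the owner only (0600), and that mode survives the rename.
    tmp=$(umask 077 && mktemp "$out.XXXXXX") || return 1

    # Write next to the target, then rename: lighttpd never sees a
    # half-written file, and the old file stays in place on any error.
    if cat "$key" "$crt" > "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

lighttpd only reads the certificate file at startup, so the web server still has to be restarted after the combined file is replaced.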

For the docker websites (e.g. https://resolver.gbif.no; we are slowly migrating all the others to docker), certificate renewal is handled automatically by the docker letsencrypt companion proxy, https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion. It runs from the same docker-compose.yml file as the jwilder nginx reverse proxy.

Periodic maintenance might involve pulling the images (which should have the :latest tag) with docker-compose pull, and then running docker-compose stop and docker-compose up -d.
