Tutor SSL config

I’ve installed Tutor and am having issues getting HTTPS/SSL working; I’m unable to find the directory that stores the certificates or the config files that specify the path to the SSL certs.

The documentation for Caddy seems to provide little to no relevant information as far as I can tell/find; the paths they mention either don’t exist or don’t conform to how Tutor/Caddy implements certbot.

Note that I am currently unable to use the DNS-based checking in my setup environment and instead must use the CloudFlare API plugin for Certbot to authenticate and validate my domain, which works if I use
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.passwd -d *.domain.tld
(/etc/letsencrypt/cloudflare.passwd is a file I generated containing my API key)

Where/how do I add the path to my already generated certificates, OR can we change how the Tutor installation handles certbot to allow the CloudFlare API to be used for domain validation? (Note that this method also supports wildcard certs, so it may prove to be a useful option in the scripts if we can tweak this.)

You might also want to post on the Tutor discussion board for anything Tutor related.

Hello @joel.edwards,

Please share this question on the Tutor Discussion Board, so it is easier to find for others having the same problem.

For your question, I have just done this process this week. You can find an outline below.

  1. Create your own Cloudflare Docker image following this guide: https://caddy.community/t/how-to-guide-caddy-v2-cloudflare-dns-01-via-docker/8007
     You can also use the image shared in the guide if you are just testing.
  2. Adjust Tutor to use your custom Caddy image:
     tutor config save --set "DOCKER_IMAGE_CADDY=docker.io/USERNAME/REPO:TAG"
  3. You need to adjust the Tutor Caddyfile to use the DNS challenge.
     3.1. If you are using Maple, you can create a plugin that uses the patch caddyfile-global to insert the TLS configuration mentioned in the guide. I have not done this, but you should be able to figure it out from the Caddyfile documentation.
     3.2. If you are using older versions, you will have to run tutor local quickstart, then manually change the Caddyfile. Mine looks like this for your reference. You can find the Caddyfile at this location: echo "$(tutor config printroot)/env/apps/caddy"
DOMAIN {
    tls EMAIL { 
        dns cloudflare API_TOKEN
    }
    reverse_proxy nginx:80 {
        header_up X-Forwarded-Port 443
    }
}

Thanks for all the info you’ve shared. Unfortunately I seemed to have trouble getting it to work, but that’s likely due to my lack of experience in the Docker space.

Through some (lots of) exploring, I did find a working method, and in my opinion it is an extremely simple method, but I do welcome any comments or suggestions 🙂

Files to edit:
.local/share/tutor/env/local/docker-compose.prod.yml

Add the path to your certificates stored on the local machine and mount it to a location of your choice in the container’s volumes:
- /etc/letsencrypt/archive/:/tmp/

    volumes:
      - ../apps/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - ../../data/caddy:/data
      - /etc/letsencrypt/archive/:/tmp/

Next file
.local/share/tutor/env/apps/caddy/Caddyfile

For each site (cms/lms), add the path to your certs as they appear in the container:
tls /tmp/domain.tld/fullchain1.pem /tmp/domain.tld/privkey1.pem

lms.domain.tld ...
...
...
...
    import proxy "lms:8000"
    tls /tmp/domain.tld/fullchain1.pem /tmp/domain.tld/privkey1.pem
...

cms.domain.tld ...
...
...
...
    import proxy "cms:8000"
    tls /tmp/domain.tld/fullchain1.pem /tmp/domain.tld/privkey1.pem

Restart everything and you should then be getting full SSL through the Let’s Encrypt certbot running on the main host OS.

Hopefully this does help someone else down the road 😃 or someone can tell me what an idiot I am and give me a better method… hehehe
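As an added example (not code from this thread or from Tutor), a small stdlib-only Python check for the method above: it reads the two edited files, maps each `tls` cert/key path inside the container back to the host through the compose bind mounts, and flags files that are missing or that point at certbot's numbered `archive/` copies, which are left behind when certbot renews and re-points the `live/` symlinks. The file contents are constructed inline to mirror the post, and `parse_mounts`, `to_host_path` and `audit` are names chosen here.

```python
import re
from pathlib import Path
# Constructed sample input mirroring the two files edited in the post (not from a real deployment).
COMPOSE_SNIPPET = """\
  caddy:
    volumes:
      - ../apps/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - /etc/letsencrypt/archive/:/tmp/
"""
CADDYFILE_SNIPPET = """\
lms.domain.tld {
    import proxy "lms:8000"
    tls /tmp/domain.tld/fullchain1.pem /tmp/domain.tld/privkey1.pem
}
cms.domain.tld {
    import proxy "cms:8000"
    tls /tmp/domain.tld/fullchain1.pem /tmp/domain.tld/privkey1.pem
}
"""
VOLUME_RE = re.compile(r"^\s*-\s*([^:\s]+):([^:\s]+)(?::(ro|rw))?\s*$", re.M)
TLS_RE = re.compile(r"^\s*tls\s+(/\S+)\s+(/\S+)\s*$", re.M)  # only the "tls <cert_file> <key_file>" form
# certbot's live/ holds relative symlinks into archive/, so mounting /etc/letsencrypt as a whole keeps them valid.
ARCHIVE_RE = re.compile(r"/archive/[^/]+/(fullchain|privkey|cert|chain)\d+\.pem$")

def parse_mounts(compose_text):
    """Bind mounts with an absolute host side, as (host_path, container_path) pairs."""
    return [(h, c) for h, c, _ in VOLUME_RE.findall(compose_text) if h.startswith("/")]

def to_host_path(container_path, mounts):
    """Translate a container path to its host path via the longest matching mount, or None."""
    best = None
    for host, cont in mounts:
        cont = cont.rstrip("/") + "/"
        if container_path.startswith(cont) and (best is None or len(cont) > len(best[1])):
            best = (host, cont)
    return None if best is None else best[0].rstrip("/") + "/" + container_path[len(best[1]):]

def audit(caddyfile_text, compose_text, exists=Path.exists):
    """One finding per problem with a cert/key path referenced by a tls directive."""
    mounts, findings = parse_mounts(compose_text), []
    for cert, key in TLS_RE.findall(caddyfile_text):
        for role, cpath in (("cert", cert), ("key", key)):
            hpath = to_host_path(cpath, mounts)
            if hpath is None:
                findings.append(f"{role} {cpath}: not under any host bind mount, Caddy cannot read it")
            elif not exists(Path(hpath)):
                findings.append(f"{role} {cpath}: host file {hpath} does not exist")
            if hpath and ARCHIVE_RE.search(hpath):
                findings.append(f"{role} {cpath}: numbered archive/ copy, goes stale after certbot renews and re-points live/")
    return findings
```

Pointing the `tls` directive at `live/<name>/fullchain.pem` and `live/<name>/privkey.pem` (with `/etc/letsencrypt` mounted whole) avoids the stale-copy finding, because those symlinks follow each renewal.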