Enabling SSL with DigitalOcean DNS Let's Encrypt? No Nginx

Hi.

I got a DigitalOcean SSL certificate generated by Let's Encrypt via DNS going. The DigitalOcean console has a fingerprint with a SHA1 code (no idea what that is). I am using Cowboy 2 and not Nginx.

I have no idea how to configure phoenix to use DNS level ssl.

My Phoenix app is running on port 4000 and I have the server port forwarding all incoming port 80 requests to 4000.

Do I need to do a port forward for 443 requests to 4000 too?

Also, what should my prod config look like?

Do I switch url: [host: "example.com", port: 80] to url: [host: "example.com", port: 443]?

Should the port for the https key be 443 even though the app is running on 4000? https: [port: 443 ...

Also, I'm not sure what to supply for keyfile and certfile.

use Mix.Config

config :hello_phoenix, HelloPhoenix.Endpoint,
  http: [port: 4000],
  url: [host: "example.com", port: 80],
  cache_static_manifest: "priv/static/manifest.json",
  https: [port: 443,
          otp_app: :hello_phoenix,
          keyfile: System.get_env("SOME_APP_SSL_KEY_PATH"),
          certfile: System.get_env("SOME_APP_SSL_CERT_PATH"),
          ]

Thank you for your time

:wave:

You'd probably set Cowboy to listen on two ports, one for HTTP traffic and one for HTTPS.

So something like this would probably work:

config :hello_phoenix, HelloPhoenix.Endpoint,
  http: [port: 4000], # what cowboy binds to to listen for plain traffic
  url: [scheme: "https", host: "example.com", port: 443], # <- used only for generated urls
  cache_static_manifest: "priv/static/manifest.json",
  https: [port: 4001, # what cowboy binds to to listen for encrypted traffic
          otp_app: :hello_phoenix,
          keyfile: System.get_env("SOME_APP_SSL_KEY_PATH"),
          certfile: System.get_env("SOME_APP_SSL_CERT_PATH"),
          cacertfile: System.get_env("SOME_APP_SSL_CACERT_PATH"),
          ]

I have no idea how to configure phoenix to use DNS level ssl.

Not sure what you mean by "DNS level" (Let's Encrypt's DNS validation?), but all certs generated by Let's Encrypt are the same, no matter what approach was used. So you just point Cowboy to the key, cert, and cacert (to which it should have read rights) and it should work.

3 Likes
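A pre-start check for the three files that reply points Cowboy at, added here as an example and not code from the thread or from Phoenix: it confirms that each file is readable by the user running the check, that the private key actually belongs to the certificate, and that the certificate verifies against the cacertfile. Because it needs the files to run offline, it builds a throwaway CA, a leaf for example.com and an unrelated self-signed pair with the openssl CLI (constructed sample material standing in for the Let's Encrypt files); the env var names mentioned in the comments are the ones from the config above.

```shell
#!/bin/sh
# Added example, not from the thread or the Phoenix project: verify the files
# that the `https:` keyfile/certfile/cacertfile options will point at, before
# starting the release. Requires the openssl CLI.

# check_tls_material KEYFILE CERTFILE CACERTFILE
# Returns 0 when every file is readable, the private key matches the
# certificate, and the certificate verifies against CACERTFILE; otherwise
# prints the failing check to stderr and returns 1.
check_tls_material() {
  key="$1"; cert="$2"; ca="$3"
  for f in "$key" "$cert" "$ca"; do
    # Cowboy runs as the app user; a root-only 0600 key is the classic failure.
    [ -r "$f" ] || { echo "not readable: $f" >&2; return 1; }
  done
  # Compare the SubjectPublicKeyInfo rather than RSA moduli so EC keys work too.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "cannot parse private key: $key" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "cannot parse certificate: $cert" >&2; return 1; }
  [ "$key_pub" = "$cert_pub" ] ||
    { echo "private key does not match certificate" >&2; return 1; }
  # The chain Cowboy will send must validate against the CA file it is given.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "certificate does not chain to $ca" >&2; return 1; }
  return 0
}

# make_sample_material DIR
# Constructed sample: a throwaway CA, a leaf for example.com signed by it,
# and an unrelated self-signed cert/key pair, standing in for real files.
make_sample_material() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.com" \
    -keyout "$dir/example.key" -out "$dir/example.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/example.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/example.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
    -keyout "$dir/other.key" -out "$dir/other.pem" >/dev/null 2>&1
}

# Stand-alone run: `sh check_tls.sh demo` exercises the good and bad cases.
# In deployment, call check_tls_material with the paths the config reads from
# SOME_APP_SSL_KEY_PATH, SOME_APP_SSL_CERT_PATH and SOME_APP_SSL_CACERT_PATH.
demo() {
  dir=$(mktemp -d)
  make_sample_material "$dir"
  check_tls_material "$dir/example.key" "$dir/example.pem" "$dir/ca.pem" &&
    echo "OK: matching key, cert and CA"
  check_tls_material "$dir/other.key" "$dir/example.pem" "$dir/ca.pem" ||
    echo "rejected as expected: wrong key"
  check_tls_material "$dir/example.key" "$dir/example.pem" "$dir/other.pem" ||
    echo "rejected as expected: wrong CA"
  rm -rf "$dir"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the check as the same OS user the release starts under, not as root: root can read everything, so the readability test only means something under the app's own uid. For a real Let's Encrypt install, keyfile is privkey.pem, certfile is fullchain.pem (leaf plus intermediate) and cacertfile is chain.pem; the verify step then confirms the intermediate you deploy is the one that actually issued the leaf.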

Just use Traefik to handle Let's Encrypt.

It will RP all the requests for you and also take care of LE renewals as necessary.

Then all you need to do on the Elixir side is configure URL generation appropriately to generate HTTPS URLs.

4 Likes

You're talking about this app? https://traefik.io/

Thanks.

1 Like

Exactly.

When I'm back home I'll check my config and share the relevant parts of it.

2 Likes

I figured out my problem.

I had to shut down the web server (Cowboy 2/Phoenix app) and remove the firewall rule forwarding port 80 to 4000.

With this I can self-generate my SSL cert with certbot using this tutorial.

I'll keep traefik.io in mind for the future. For now I'd like to keep my stack as small as possible, since I'm a one-man team and kind of want to get my web app going with as little DevOps as possible.

I also learned a bit more about the prod.exs config file and a pretty neat-looking web proxy, Traefik.

Thank you guys so much.

5 Likes