I’m updating a small deployment set up for a friend and have hit a snag. I’m not sure how to integrate Let’s Encrypt via
certbot with a distillery based deployment.
I already have a distillery
1.5 based deployment set up on Ubuntu
16.04 based server handling http with
nginx. I’m in the process of updating this to use distillery
2 and phoenix
1.4. I figured why not take advantage of cowboy
2‘s http2 support and simplify the set up by getting rid of `nginx’ ala steps found in https://blog.progressplum.app/ssl-migration-from-nginx-to-cowboy-2-in-phoenix-1-4/.
I’ve been basing the set up off of https://medium.com/@a4word/phoenix-app-secured-with-let-s-encrypt-469ac0995775. However, this assumes a non-distillery based phoenix server (i.e. no releases) and uses
Plug.Static to serve
My question is how would this work with distillery?
I’m seeing some Elixir packages for handling acme stuff via the app itself, but nothing is jumping out at me as working with phoenix
1.4 well or in combination with distillery.
I’ve written site_encrypt for this purpose. It’s been used for the past 6 months or so on my blog site. The blog itself is an Elixir powered system which uses Phoenix 1.3, and runs as an OTP release built with distillery 1.x. The project source can be found here. The Elixir project is in the
site folder, so you can consult that as a template. There’s also a small demo project included in the library repo.
I haven’t tried using
site_encrypt with Phoenix 1.4, but in theory it should work. If there are some problems, please open up an issue on GitHub.
I’m the author of the first article you linked to.
The examples I give are for Distillery, albeit Distillery 2.0. I give an example Mix.Config file that you can use for production. You’ll have to change the values themselves to values like
"$MY_ENV_VAR" and allow values to be replaced at run-time with
I’ll update the post to include how you’d do SSL renewal.
Thanks for the update and the original instructions. Beverage of your choice is my shout if you ever in Wellington, New Zealand.
If you don’t want to deal with serving Acme challenges through Phoenix, you can use standalone mode: https://certbot.eff.org/docs/using.html#standalone
This will generate certificates in
/etc/letsencrypt/live/domain_name/ You can then update your config file to point to the certificates
config :app_name, App.Endpoint,
Caveat: You will need to stop your webserver when you generate/renew certificates in standalone mode (once every 3 months)
I find it easier just to use DNS authentication, doesn’t matter what web server you use then, just point them to the live certs is all. ^.^
Don’t need to stop the webserver at all, just make sure the webserver is pulling the live certs and you are good.