I have been listening to Groove Salad since high school. I was happy to run into the team at DEF CON and express my gratitude. Also, if you love the station, don't forget to donate/support[1] them.
Whoa, that's awesome. I'm familiar with that forum thread (haha) but I didn't realize there'd been a response on it from an AWS employee just in the last couple of weeks.
I use Let's Encrypt DNS validation. This does not require you to run anything on your server. You just need to have a way to distribute certs to your servers.
Can you explain this? I'm trying to bake Let's Encrypt certificates into my Docker images and I am trying to figure out a way around the race condition (nginx needs a certificate to run <-> certificate needs nginx to run).
How about storing the letsencrypt certificates in a data-container/locally on the host and mapping those files to the nginx container when you start it?
For the very first time, you can use Let's Encrypt's manual verification process, but then have the Let's Encrypt client set up to renew certs automatically (possibly even from a separate container) using the same data file mappings.
Cannot run a Docker inside a Docker. The problem is not running a webserver, the problem is the race condition which needs to be solved when Docker starts up.
As a totally-naive-to-your-problem-particulars and totally-hacky suggestion, why not start nginx with a starter cert, then mv the new cert into position and reload nginx?
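The starter-cert swap described in the comment above, written out as an added example (not code from anyone in this thread); the cert directory, domain and reload command are assumed placeholders set via environment variables:

```shell
#!/bin/sh
# Added example: entrypoint that breaks the nginx <-> certificate deadlock by
# starting nginx on a short-lived self-signed placeholder, then swapping the
# real Let's Encrypt files in atomically and reloading.
set -eu

CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live/example.test}"   # assumed path
DOMAIN="${DOMAIN:-example.test}"                              # placeholder
RELOAD_CMD="${RELOAD_CMD:-nginx -s reload}"

# Create a throwaway self-signed cert only when no cert exists yet, so nginx
# can start on first boot; a later run must never clobber a real cert.
ensure_starter_cert() {
  dir="$1"; domain="$2"
  if [ -s "$dir/fullchain.pem" ] && [ -s "$dir/privkey.pem" ]; then
    return 0                      # something is already in place, keep it
  fi
  mkdir -p "$dir"
  # One-day lifetime: a forgotten placeholder fails loudly instead of lingering.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$domain" \
    -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
  chmod 600 "$dir/privkey.pem"
  : > "$dir/.starter"             # marker: this is only a placeholder
}

is_starter_cert() { [ -f "$1/.starter" ]; }

# Replace the cert in place: copy to temp files, then mv so nginx never reads
# a half-written PEM, then run the reload command (the renewal deploy hook).
install_cert() {
  dir="$1"; new_chain="$2"; new_key="$3"; reload="$4"
  cp "$new_chain" "$dir/fullchain.pem.tmp"
  cp "$new_key" "$dir/privkey.pem.tmp"
  chmod 600 "$dir/privkey.pem.tmp"
  mv "$dir/fullchain.pem.tmp" "$dir/fullchain.pem"
  mv "$dir/privkey.pem.tmp" "$dir/privkey.pem"
  rm -f "$dir/.starter"
  sh -c "$reload"
}

main() {
  ensure_starter_cert "$CERT_DIR" "$DOMAIN"
  nginx                           # serves on the placeholder until replaced
  # A renewal job (e.g. certbot in another container sharing this volume)
  # calls install_cert with the new files and "$RELOAD_CMD" as the hook.
}

case "${1:-}" in run) main ;; esac
```

Invoke as `entrypoint.sh run` from the container; sourcing it without `run` only defines the functions, which is what a renewal container would do.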
Have an instance with plain-text HTTP running only the Let's Encrypt challenge. Make an explicit rule for it on your load balancer, and deploy it first.
1. https://somafm.com/support/