Fabrefact

a blog by Sara Farquharson

Virtual Party Space Devlog #21: Let's Encrypt

Today I learned how to get an SSL certificate with Let’s Encrypt, and discovered a lot about health checks.

Log

LETS ENCRYPT GO

  • reason why docker-jitsi-meet uses standalone mode may be that if container is directly exposed to internet, standalone server might be live fast enough for LE call to succeed.
  • in Fargate, container doesn’t last long enough to pass health check and become valid recipient for HTTP request forwarded from load balancer
  • need a way to get a live server that responds to HTTP requests
    • stood up EC2 instance, installed acme.sh & nginx, and attached it as a target for load balancer SUCCESS!
      • scp keys back to my computer, hack is to store them in config directory baked into docker image (since only need them for 30 days)
      • modified server init script to install acme.sh keys to nginx on start, and not try to get keys.
  • keys don’t work!
    • created keys with --staging enabled to allow more retries
    • tried to recreate without staging, but got “keys are fine, didn’t recreate” from real server
      • guess have to use --force once you’re sure your code works
  • for long-term fix, probably need a dedicated cert-renewal server?
    • how does load balancer know to direct traffic to port 80 on a different type of server?
      • docker compose ECS group only lets you have one service with same port open, unsure how to manage
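As an added example (not part of the devlog and not one of docker-jitsi-meet's own scripts), this is the shape of a container init script that installs pre-issued acme.sh keys into nginx at start and refuses to serve a Let's Encrypt staging certificate, which is the "keys don't work" failure above: browsers do not trust the staging CA, and the staging issuers are identifiable because their names contain "(STAGING)". The domain, the acme.sh home directory, the nginx paths and the script's file name are assumptions; acme.sh's `--install-cert` subcommand and its flags are real, and it does not contact Let's Encrypt, so it is safe to run on every start.

```shell
#!/bin/sh
# Added example: install baked-in acme.sh keys into nginx on container start,
# but never deploy a Let's Encrypt staging certificate. Paths/domain are assumptions.
set -eu

DOMAIN="${DOMAIN:-party.example.invalid}"          # assumption: provided via container env
ACME_HOME="${ACME_HOME:-/config/acme.sh}"          # assumption: where the keys were baked in
NGINX_CERT_DIR="${NGINX_CERT_DIR:-/etc/nginx/ssl}" # assumption: where nginx.conf points

# Returns 0 when the PEM certificate at $1 was issued by the Let's Encrypt staging CA.
# Assumption: staging issuer names carry "(STAGING)", which is what we key on.
is_staging_cert() {
    openssl x509 -in "$1" -noout -issuer 2>/dev/null | grep -q 'STAGING'
}

# Returns 0 when the certificate at $1 will still be valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Copies the already-issued key and chain into nginx's directory and records the
# reload command for later renewals. No ACME request is made here.
install_cert() {
    mkdir -p "$NGINX_CERT_DIR"
    "$ACME_HOME/acme.sh" --home "$ACME_HOME" --install-cert -d "$DOMAIN" \
        --key-file       "$NGINX_CERT_DIR/$DOMAIN.key" \
        --fullchain-file "$NGINX_CERT_DIR/$DOMAIN.fullchain.pem" \
        --reloadcmd      "nginx -s reload"
}

main() {
    install_cert
    cert="$NGINX_CERT_DIR/$DOMAIN.fullchain.pem"
    if is_staging_cert "$cert"; then
        echo "refusing to serve a staging certificate for $DOMAIN; re-issue without --staging (use --force)" >&2
        exit 1
    fi
    # Keys baked into an image silently age; warn a week before they expire.
    if ! cert_valid_for "$cert" $((7 * 24 * 3600)); then
        echo "warning: certificate for $DOMAIN expires within 7 days" >&2
    fi
}

# Run main only when executed under the assumed script name, not when sourced.
case "${0##*/}" in
    install-cert.sh) main ;;
esac
```

The staging check is the part worth keeping even if the rest of the deployment changes: acme.sh will happily tell you the staging keys "are fine" and skip re-issuing, so the only reliable guard is to inspect the issuer of what is actually about to be served.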

Testing with 2 people

  • conference seems to die every 5 minutes, is JVB rebooting?
    • turns out yes, health checks for ports (10000/4443) are “failing” so Fargate kills the container
    • can I update health check?
      • not really, can’t change timeout or interval (and probably wouldn’t help, because UDP port isn’t going to respond to health check)
    • JVB has health check endpoint!
    • docker-compose has healthcheck option, maybe this is what lets you make a custom health check?
    • apparently you can’t update the health check for a TargetGroup
      • deleting the target group broke updates for the Cloudformation Stack
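An added example of the docker-compose healthcheck option mentioned above (not taken from docker-jitsi-meet's own compose files): it probes JVB's own HTTP health endpoint instead of the media ports, since a UDP media port cannot answer a TCP health probe and will always look "failing" to one. The image tag, curl being present in the image, and the REST API being enabled on port 8080 are assumptions; `/about/health` is JVB's documented REST health endpoint. This is the container-level health check; a load balancer target group's health check is a separate setting.

```yaml
# Added example: container-level health check for the jvb service.
# Image tag, curl availability and the REST API port are assumptions.
services:
  jvb:
    image: jitsi/jvb:stable
    ports:
      - "10000:10000/udp"      # media port: UDP, so it cannot answer a TCP probe
    healthcheck:
      # JVB's REST health endpoint returns 200 only when the bridge is healthy
      test: ["CMD", "curl", "-fsS", "http://localhost:8080/about/health"]
      interval: 30s
      timeout: 10s
      retries: 5
      start_period: 90s        # give JVB time to boot before failures count
```

The `start_period` is what addresses the "container doesn't last long enough" problem: failures during that window do not count toward `retries`, so a slow-starting bridge is not killed before it is ready.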

About this series

Back in mid-December I started an ambitious project to create a custom platform for a virtual birthday party in February. I kept notes on my progress, both for personal reference and to turn into a series of blog posts. It quickly became apparent that I did not have time to both do the project and blog about the project. I have retroactively decided to post my raw notes as a dev log.