diff --git a/authentik/crypto/tasks.py b/authentik/crypto/tasks.py
index d0e4e9bc3..20b9e1ad1 100644
--- a/authentik/crypto/tasks.py
+++ b/authentik/crypto/tasks.py
@@ -52,6 +52,9 @@ def certificate_discovery(self: MonitoredTask):
 continue
 if path.is_dir():
 continue
+ # For certbot setups, we want to ignore archive.
+ if "archive" in file:
+ continue
 # Support certbot's directory structure
 if path.name in ["fullchain.pem", "privkey.pem"]:
 cert_name = path.parent.name
diff --git a/website/docs/core/certificates.md b/website/docs/core/certificates.md
index 056946f46..c7f3ed64d 100644
--- a/website/docs/core/certificates.md
+++ b/website/docs/core/certificates.md
@@ -40,6 +40,7 @@ You can also bind mount single files into the folder, as long as they fall under
 - If the file is called `fullchain.pem` or `privkey.pem` (the output naming of certbot), they will get the name of the parent folder.
 - Files can be in any arbitrary file structure, and can have extension.
+- If the path contains `archive`, the files will be ignored (to better support certbot setups).
 ```
 certs/
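Review bot: The new `if "archive" in file:` is a substring test over the whole path string, so it silently skips any certificate whose path merely contains that word anywhere (for example a hypothetical discovery directory named `archived-certs/` or a certificate folder named after a host such as `archive.example.com`), not only certbot's `archive/` directory. Since `path` is already built for the same entry, a path-component test is more precise and still matches certbot's layout: `if "archive" in path.parts:`. `file` is bound before the hunk, so I am inferring from `path.is_dir()` and `path.name` that it is the string path `path` wraps; worth confirming in the loop header. A skipped file leaves no trace, so a debug-level log of the skipped path would make a missing certificate diagnosable; certificate_discovery's body begins before and continues after this hunk.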
@@ -55,3 +56,52 @@ certs/
 ```
 Files are checked every 5 minutes, and will trigger an Outpost refresh if the files differ.
+
+## Web certificates
+
+Starting with authentik 2021.12.4, you can configure the certificate authentik uses for its core webserver. For most deployments this will not be relevant and reverse proxies are used, but this can be used to create a very compact and self-contained authentik install.
+
+#### Let's Encrypt
+
+To use let's encrypt certificates with this setup, using certbot, you can use this compose file:
+
+```yaml
+version: '3.6'
+
+services:
+ certbot:
+ image: certbot/dns-route53:v1.22.0
+ volumes:
+ - ../authentik/certs/:/etc/letsencrypt
+ - ./letsencrypt:/var/lib/letsencrypt
+ # Variables depending on DNS Plugin
+ environment:
+ AWS_ACCESS_KEY_ID: ...
+ command:
+ - certonly
+ - --non-interactive
+ - --agree-tos
+ - -m your.email@company
+ - -d authentik.company
+ # Again, match with your provider
+ - --dns-route53
+```
+
+This compose file expects a folder structure like this:
+
+```
+certbot/
+├── docker-compose.yaml
+└── letsencrypt/
+authentik/
+├── certs
+├── custom-templates
+├── docker-compose.yml
+└── media
+```
+
+After you've created the certbot stack, and let it run, you should see a new Certificate appear in authentik. (If the certificate does not appear, restart the worker container. This is caused by incompatible permissions set by certbot).
+
+Navigate to *System -> Tenants*, edit any tenant and select the certificate of your choice.
+
+Keep in mind this certbot container will only run once, but there are a variety of ways to schedule regular renewals.
diff --git a/website/docs/installation/docker-compose.md b/website/docs/installation/docker-compose.md
index 3a98062e7..85d96d30e 100644
--- a/website/docs/installation/docker-compose.md
+++ b/website/docs/installation/docker-compose.md
@@ -67,6 +67,22 @@ AUTHENTIK_AUTHENTIK__GEOIP=/geoip/GeoLite2-City.mmdb
 The GeoIP database will automatically be updated every 8 hours.
+## Running on Port 80/443
+
+By default, authentik listens on port 9000 for HTTP and 9443 for HTTPS. To change this, you can use a [docker-compose override file](https://docs.docker.com/compose/extends/#adding-and-overriding-configuration).
+
+Create a file called `docker-compose.override.yml` with the following contents:
+
+```yaml
+version: '3.2'
+
+services:
+ server:
+ ports:
+ - "0.0.0.0:80:9000"
+ - "0.0.0.0:443:9443"
+```
+
 ## Startup
 Afterwards, run these commands to finish