Configuring SSL certificate for JupyterHub #1285

Closed
zxcGrace opened this issue May 16, 2019 · 8 comments

@zxcGrace

zxcGrace commented May 16, 2019

I am deploying my JupyterHub on Google Cloud Kubernetes, and I want to assign an SSL certificate to it using Let’s Encrypt.
I used Certbot and ran the following commands:

```
sudo apt-get install certbot python-certbot-apache -t stretch-backports
sudo certbot --apache
```

Then, I got this error:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): www.jupyterhubtest.tk
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.jupyterhubtest.tk
Enabled Apache rewrite module
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
```

I am not sure if it is the right approach to set an SSL certificate for JupyterHub. Should I use Certbot for it?

@consideRatio
Member

@zxcGrace hi! Is it correct that you are also using this repository's Helm chart to deploy the JupyterHub on Kubernetes? Then you can configure this very easily to be done for you!

Check out this section of the guide that comes with the JupyterHub Helm chart regarding this: http://z2jh.jupyter.org/en/latest/security.html#https

@zxcGrace
Author

zxcGrace commented May 16, 2019

I followed this guide to install the JupyterHub: http://z2jh.jupyter.org/en/latest/setup-jupyterhub.html, so I think I used the Helm chart to deploy the JupyterHub on Kubernetes.

I already obtained a domain and created an A record for that domain, but just don't know how to set up HTTPS. I read the link you sent to me, but it only showed how to set up automatic/manual HTTPS. However, I don't have my own HTTPS. I am not sure how that page would help. Am I missing anything? Should I use Certbot (from Let's Encrypt) to set up HTTPS? I am not sure what the right approach is. Is there a clear instruction that I can follow? Thank you!

@consideRatio
Member

Ah, then you are indeed using this repository's Helm chart.

> I don't have my own HTTPS.

If you don't have your own certificates prepared etc., that is fine; that is the most common situation, I'd say. Then you can use the automatic option and everything will be taken care of for you; it is also the easiest one.

@akaszynski

akaszynski commented Dec 9, 2019

The latest Helm 3 upgrade seems to have broken something. Certificates are no longer being issued automatically (or at all). I'm using the following in my config.yaml with v0.8.2:

```yaml
proxy:
  secretToken: "redacted"
  https:
    hosts:
      - redacted.com
    letsencrypt:
      contactEmail: [email protected]
```

Any idea what needs to happen to get this working?

@akaszynski

akaszynski commented Dec 9, 2019

I think I found the problem:

```
kubectl logs pod/autohttps-7985844949-2lrbz -c kube-lego
time="2019-12-09T18:20:34Z" level=error msg="worker: error processing item, requeuing after rate limit: 403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details." context=kubelego
```

Seems that ACMEv1 is disabled...
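
A triage sketch for the log line quoted above, added here as an example and not part of the original comment or of the chart's code: it parses logfmt lines like the kube-lego output, keeps error-level entries and extracts the ACME problem type. The function names and the two extra sample lines are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample input: the error line is the one quoted in the thread;
# the other two lines are made up to exercise the parser.
SAMPLE_LOG = """\
time="2019-12-09T18:20:30Z" level=info msg="constructed informational line" context=kubelego
time="2019-12-09T18:20:34Z" level=error msg="worker: error processing item, requeuing after rate limit: 403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details." context=kubelego
truncated line with an "unterminated quote
"""

# ACMEv1 servers report problems as urn:acme:error:<type>; ACMEv2 (RFC 8555)
# uses urn:ietf:params:acme:error:<type>. Accept both forms.
ACME_PROBLEM = re.compile(r"(\d{3}) urn:(?:ietf:params:)?acme:error:(\w+): (.*)")


def parse_logfmt(line):
    """Parse one key=value / key="quoted value" line; None if malformed."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # e.g. unbalanced quotes in a truncated line
        return None
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    return fields or None


def acme_problems(log_text):
    """Return one record per error-level line that carries an ACME problem."""
    found = []
    for line in log_text.splitlines():
        fields = parse_logfmt(line)
        if not fields or fields.get("level") != "error":
            continue
        match = ACME_PROBLEM.search(fields.get("msg", ""))
        if match:
            status, kind, detail = match.groups()
            found.append({
                "time": fields.get("time"),
                "status": int(status),
                "type": kind,
                "detail": detail,
                # The server's own message says when the client speaks ACMEv1.
                "acme_v1_client": "ACMEv1" in detail,
            })
    return found


if __name__ == "__main__":
    for problem in acme_problems(SAMPLE_LOG):
        print(problem)
```
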

@consideRatio
Member

It is probably Let's Encrypt that has deprecated things, which now impacts us.

I'd love to solve this, but I'm so low on time, and this may require some tinkering and will be a change that will require manual interventions of many different kinds because of many different setups in the wild.

@akaszynski

Looks like the issue has been noted here: #1448

@consideRatio
Member

@zxcGrace this documentation is what's needed: https://zero-to-jupyterhub.readthedocs.io/en/latest/administrator/security.html#set-up-manual-https, and the automatic setup issue described has now been resolved.
