Just mess it all up
This commit is contained in:
parent
d77ba8c122
commit
10f222b8a9
|
@ -15,4 +15,4 @@ COPY ./scripts/ /scripts
|
||||||
RUN chmod +x /scripts/run_certbot.sh
|
RUN chmod +x /scripts/run_certbot.sh
|
||||||
|
|
||||||
ENTRYPOINT []
|
ENTRYPOINT []
|
||||||
CMD ["/scripts/entrypoint.sh"]
|
CMD ["/bin/bash", "/scripts/entrypoint.sh"]
|
||||||
|
|
1
LICENSE
1
LICENSE
|
@ -1,6 +1,7 @@
|
||||||
MIT License
|
MIT License
|
||||||
|
|
||||||
Copyright (c) 2016 Henri Dwyer
|
Copyright (c) 2016 Henri Dwyer
|
||||||
|
Copyright (c) 2017 Elliot Saba
|
||||||
|
|
||||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||||
of this software and associated documentation files (the "Software"), to deal
|
of this software and associated documentation files (the "Software"), to deal
|
||||||
|
|
2
Makefile
2
Makefile
|
@ -3,5 +3,5 @@ all: build
|
||||||
build: Makefile Dockerfile
|
build: Makefile Dockerfile
|
||||||
docker build --squash -t staticfloat/docker-letsencrypt-cron .
|
docker build --squash -t staticfloat/docker-letsencrypt-cron .
|
||||||
|
|
||||||
push: build
|
push:
|
||||||
docker push staticfloat/docker-letsencrypt-cron
|
docker push staticfloat/docker-letsencrypt-cron
|
||||||
|
|
55
README.md
55
README.md
|
@ -1,64 +1,12 @@
|
||||||
# docker-letsencrypt-cron
|
# docker-letsencrypt-cron
|
||||||
Create and automatically renew website SSL certificates using the letsencrypt free certificate authority, and its client *certbot*.
|
Create and automatically renew website SSL certificates using the letsencrypt free certificate authority, and its client *certbot*.
|
||||||
|
|
||||||
This image will renew your certificates every 2 months, and place the lastest ones in the /certs folder in the container, and in the ./certs folder on the host.
|
|
||||||
|
|
||||||
# Usage
|
|
||||||
|
|
||||||
## Setup
|
|
||||||
|
|
||||||
In docker-compose.yml, change the environment variables:
|
|
||||||
- WEBROOT: set this variable to the webroot path if you want to use the webroot plugin. Leave to use the standalone webserver.
|
|
||||||
- DOMAINS: a space separated list of domains for which you want to generate certificates.
|
|
||||||
- EMAIL: where you will receive updates from letsencrypt.
|
|
||||||
- CONCAT: true or false, whether you want to concatenate the certificate's full chain with the private key (required for e.g. haproxy), or keep the two files separate (required for e.g. nginx or apache).
|
|
||||||
- SEPARATE: true or false, whether you want one certificate per domain or one certificate valid for all domains.
|
|
||||||
|
|
||||||
## Running
|
|
||||||
|
|
||||||
### Using the automated image
|
|
||||||
|
|
||||||
```shell
|
|
||||||
docker run --name certbot -v `pwd`/certs:/certs --restart always -e "DOMAINS=domain1.com domain2.com" -e "EMAIL=webmaster@domain1.com" -e "CONCAT=true" -e "WEBROOT=" henridwyer/docker-letsencrypt-cron
|
|
||||||
```
|
|
||||||
|
|
||||||
### Building the image
|
|
||||||
|
|
||||||
The easiest way to build the image yourself is to use the provided docker-compose file.
|
|
||||||
|
|
||||||
```shell
|
|
||||||
docker-compose up -d
|
|
||||||
```
|
|
||||||
|
|
||||||
The first time you start it up, you may want to run the certificate generation script immediately:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
docker exec certbot ash -c "/scripts/run_certbot.sh"
|
|
||||||
```
|
|
||||||
|
|
||||||
At 3AM, on the 1st of every odd month, a cron job will start the script, renewing your certificates.
|
|
||||||
|
|
||||||
# ACME Validation challenge
|
# ACME Validation challenge
|
||||||
|
|
||||||
To authenticate the certificates, the you need to pass the ACME validation challenge. This requires requests made on port 80 to your.domain.com/.well-known/ to be forwarded to this container.
|
To authenticate the certificates, the you need to pass the ACME validation challenge. This requires requests made on port 80 to your.domain.com/.well-known/ to be forwarded to this container.
|
||||||
|
|
||||||
The recommended way to use this image is to set up your reverse proxy to automatically forward requests for the ACME validation challenges to this container.
|
The recommended way to use this image is to set up your reverse proxy to automatically forward requests for the ACME validation challenges to this container.
|
||||||
|
|
||||||
## Haproxy example
|
|
||||||
|
|
||||||
If you use a haproxy reverse proxy, you can add the following to your configuration file in order to pass the ACME challenge.
|
|
||||||
|
|
||||||
``` haproxy
|
|
||||||
frontend http
|
|
||||||
bind *:80
|
|
||||||
acl letsencrypt_check path_beg /.well-known
|
|
||||||
|
|
||||||
use_backend certbot if letsencrypt_check
|
|
||||||
|
|
||||||
backend certbot
|
|
||||||
server certbot certbot:80 maxconn 32
|
|
||||||
```
|
|
||||||
|
|
||||||
## Nginx example
|
## Nginx example
|
||||||
|
|
||||||
If you use nginx as a reverse proxy, you can add the following to your configuration file in order to pass the ACME challenge.
|
If you use nginx as a reverse proxy, you can add the following to your configuration file in order to pass the ACME challenge.
|
||||||
|
@ -86,6 +34,9 @@ Certbot github: https://github.com/certbot/certbot
|
||||||
|
|
||||||
# Changelog
|
# Changelog
|
||||||
|
|
||||||
|
### 0.4
|
||||||
|
- Rip out a bunch of stuff because `@staticfloat` is a monster, and likes to do things his way
|
||||||
|
|
||||||
### 0.3
|
### 0.3
|
||||||
- Add support for webroot mode.
|
- Add support for webroot mode.
|
||||||
- Run certbot once with all domains.
|
- Run certbot once with all domains.
|
||||||
|
|
|
@ -1,16 +1,13 @@
|
||||||
version: '2'
|
version: '2'
|
||||||
|
|
||||||
services:
|
services:
|
||||||
# Example docker-compose service
|
|
||||||
certbot:
|
certbot:
|
||||||
build: .
|
image: staticfloat/docker-letsencrypt-cron
|
||||||
container_name: certbot
|
container_name: certbot
|
||||||
volumes:
|
volumes:
|
||||||
- ./certs:/certs
|
- buildbot_certbot_letsencrypt:/etc/letsencrypt
|
||||||
restart: always
|
restart: unless-stopped
|
||||||
environment:
|
environment:
|
||||||
- WEBROOT=""
|
- DOMAINS=buildtest.e.ip.saba.us
|
||||||
- DOMAINS=domain1.com domain2.com
|
- EMAIL=staticfloat@gmail.com
|
||||||
- EMAIL=webmaster@domain1.com
|
|
||||||
- CONCAT=false
|
|
||||||
- SEPARATE=true
|
- SEPARATE=true
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
#!/bin/sh
|
#!/bin/bash
|
||||||
/scripts/run_certbot.sh
|
/bin/bash /scripts/run_certbot.sh
|
||||||
crond -f
|
cron -f
|
||||||
|
|
|
@ -6,7 +6,6 @@ get_certificate() {
|
||||||
# To work, the following variables must be set:
|
# To work, the following variables must be set:
|
||||||
# - CERT_DOMAINS : comma separated list of domains
|
# - CERT_DOMAINS : comma separated list of domains
|
||||||
# - EMAIL
|
# - EMAIL
|
||||||
# - CONCAT
|
|
||||||
# - args
|
# - args
|
||||||
|
|
||||||
local d=${CERT_DOMAINS//,*/} # read first domain
|
local d=${CERT_DOMAINS//,*/} # read first domain
|
||||||
|
@ -18,16 +17,7 @@ get_certificate() {
|
||||||
echo "certbot exit code $ec"
|
echo "certbot exit code $ec"
|
||||||
if [ $ec -eq 0 ]
|
if [ $ec -eq 0 ]
|
||||||
then
|
then
|
||||||
if $CONCAT
|
echo "Certificate obtained for $CERT_DOMAINS! Your new certificate - named $d - /etc/letsencrypt"
|
||||||
then
|
|
||||||
# concat the full chain with the private key (e.g. for haproxy)
|
|
||||||
cat /etc/letsencrypt/live/$d/fullchain.pem /etc/letsencrypt/live/$d/privkey.pem > /certs/$d.pem
|
|
||||||
else
|
|
||||||
# keep full chain and private key in separate files (e.g. for nginx and apache)
|
|
||||||
cp /etc/letsencrypt/live/$d/fullchain.pem /certs/$d.pem
|
|
||||||
cp /etc/letsencrypt/live/$d/privkey.pem /certs/$d.key
|
|
||||||
fi
|
|
||||||
echo "Certificate obtained for $CERT_DOMAINS! Your new certificate - named $d - is in /certs"
|
|
||||||
else
|
else
|
||||||
echo "Cerbot failed for $CERT_DOMAINS. Check the logs for details."
|
echo "Cerbot failed for $CERT_DOMAINS. Check the logs for details."
|
||||||
fi
|
fi
|
||||||
|
@ -46,6 +36,7 @@ then
|
||||||
args=$args" --debug"
|
args=$args" --debug"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
set -x
|
||||||
if $SEPARATE
|
if $SEPARATE
|
||||||
then
|
then
|
||||||
for d in $DOMAINS
|
for d in $DOMAINS
|
||||||
|
|
Loading…
Reference in New Issue