diff --git a/Dockerfile b/Dockerfile index 92860f3..f47ab79 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ FROM python:2 -MAINTAINER Henri Dwyer +MAINTAINER Elliot Saba VOLUME /etc/letsencrypt EXPOSE 80 @@ -8,7 +8,7 @@ RUN apt update && apt install -y cron RUN pip install certbot RUN mkdir /scripts -ADD ./crontab /etc/cron.d/certbot +COPY ./crontab /etc/cron.d/certbot RUN crontab /etc/cron.d/certbot COPY ./scripts/ /scripts diff --git a/Makefile b/Makefile index ec259bc..090cfe3 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ all: build build: Makefile Dockerfile - docker build --squash -t staticfloat/docker-letsencrypt-cron . + docker build --squash -t staticfloat/docker-certbot-cron . push: - docker push staticfloat/docker-letsencrypt-cron + docker push staticfloat/docker-certbot-cron diff --git a/README.md b/README.md index 0742a45..8dbb2ef 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ -# docker-letsencrypt-cron -Create and automatically renew website SSL certificates using the letsencrypt free certificate authority, and its client *certbot*. +# docker-certbot-cron +Create and automatically renew website SSL certificates using the letsencrypt free certificate authority, and its client *certbot*. Define the environment variables `DOMAINS` (space-separated list of fully-qualified domain names) and `EMAIL` (your letsencrypt registration email) to automatically run `certbot` to renew/fetch your SSL certificates in the background. Configure `nginx` to pass off the ACME validation challenge, and you'll have zero-downtime, 100% automatic SSL certificates for all your Docker containers! # ACME Validation challenge 
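Review bot: The crontab file is both dropped into `/etc/cron.d/certbot` and then installed again with `crontab /etc/cron.d/certbot` on the next context line; those two mechanisms expect different formats (`/etc/cron.d` entries carry a user column, per-user crontabs do not), so at best one copy is silently ignored and at worst the renewal is scheduled twice — keep one, e.g. drop the `RUN crontab` line and make sure the copied file is root-owned and not group/world-writable (`RUN chmod 0644 /etc/cron.d/certbot`), since Debian's cron refuses `/etc/cron.d` files that others can write to. Whichever is kept, the jobs run as root in an image built `FROM python:2`, which is end-of-life and tagged only to the major version, and `pip install certbot` is unpinned, so every rebuild pulls an arbitrary certbot; pin the base image and `certbot==<version>` so the flags used in `run_certbot.sh` keep matching the installed client. `MAINTAINER` is deprecated in favour of `LABEL org.opencontainers.image.authors=...`, if you want hadolint to stay quiet.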
@@ -12,28 +12,60 @@ The recommended way to use this image is to set up your reverse proxy to automat If you use nginx as a reverse proxy, you can add the following to your configuration file in order to pass the ACME challenge. ``` nginx -upstream certbot_upstream{ - server certbot:80; -} - server { - listen 80; - location '/.well-known/acme-challenge' { - default_type "text/plain"; - proxy_pass http://certbot_upstream; - } + listen 80; + location '/.well-known/acme-challenge' { + default_type "text/plain"; + # Note: this works with docker-compose only if the service name is `certbot`, + # and the `nginx` service `depends_on` the `certbot` service! + proxy_pass http://certbot:80; + } } - ``` +## `docker-compose` example + +To use this container with `docker-compose`, put something like the following into your configuration: +```yml +version '2' +services: +... + certbot: + image: staticfloat/docker-certbot-cron + container_name: certbot + volumes: + - certbot_etc_letsencrypt:/etc/letsencrypt + restart: unless-stopped + environment: + - DOMAINS="foo.bar.com baz.bar.com" + - EMAIL=email@domain.com +... + nginx: + ... + depends_on: + - certbot + volumes: + - certbot_etc_letsencrypt:/etc/letsencrypt:ro +... +volumes: + certbot_etc_letsencrypt: + external: true +``` +I personally like having my certificates stored in an external volume so that if I ever accidentally run `docker-compose down` I don't have to re-issue myself the certificates. + # More information Find out more about letsencrypt: https://letsencrypt.org Certbot github: https://github.com/certbot/certbot +This repository was originally forked from `@henridwyer`, many thanks to him for the good idea. I've basically taken his approach and made it less flexible/simpler for my own use cases, so if you want this repository to do something a particular way, make sure [his repo](https://github.com/henridwyer/docker-letsencrypt-cron) doesn't already do it. 
+ # Changelog +### 0.5 +- Change the name to `docker-certbot-cron`, update documentation, strip out even more stuff I don't care about. + ### 0.4 - Rip out a bunch of stuff because `@staticfloat` is a monster, and likes to do things his way diff --git a/docker-compose.yml b/docker-compose.yml deleted file mode 100644 index 04056c9..0000000 --- a/docker-compose.yml +++ /dev/null @@ -1,13 +0,0 @@ -version: '2' - -services: - certbot: - image: staticfloat/docker-letsencrypt-cron - container_name: certbot - volumes: - - buildbot_certbot_letsencrypt:/etc/letsencrypt - restart: unless-stopped - environment: - - DOMAINS=buildtest.e.ip.saba.us - - EMAIL=staticfloat@gmail.com - - SEPARATE=true diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh index 8de8c90..6b45867 100644 --- a/scripts/entrypoint.sh +++ b/scripts/entrypoint.sh @@ -1,3 +1,3 @@ #!/bin/bash /bin/bash /scripts/run_certbot.sh -cron -f +exec cron -f diff --git a/scripts/run_certbot.sh b/scripts/run_certbot.sh index 96ef8c0..b933427 100755 --- a/scripts/run_certbot.sh +++ b/scripts/run_certbot.sh 
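Review bot: The compose example in the new `docker-compose` section has two copy-paste traps: `version '2'` is missing its colon and is not valid YAML, and in list-form `environment:` entries the text after `=` is passed through literally, so `- DOMAINS="foo.bar.com baz.bar.com"` gives `DOMAINS` a value that begins and ends with a `"` character, which `run_certbot.sh`'s `for d in $DOMAINS` then hands to certbot as `"foo.bar.com` and `baz.bar.com"`. Use `version: '2'` and `- DOMAINS=foo.bar.com baz.bar.com` (or the mapping form `DOMAINS: "foo.bar.com baz.bar.com"`). It would also help to say next to the nginx snippet that certbot's `--standalone` listener only exists while a run is in progress, so `proxy_pass http://certbot:80` will typically answer 502 at other times — expected, but confusing when debugging the challenge.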
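Review bot: `exec cron -f` is the right fix for signal handling, but the initial `/bin/bash /scripts/run_certbot.sh` run may happen before anything can forward the challenge: the README in this same commit makes nginx `depends_on` this container, so on a fresh `docker-compose up` the first standalone http-01 attempt on port 80 runs while nginx is still starting (unless port 80 of this container is published directly), its exit status is discarded, and the container then waits for cron to fire again with no certificate in place. If that is intended, say so above the line, e.g. `# first run is best-effort; cron retries on its schedule`; if not, wrap it in a short wait/retry loop. Note also that the image sets no `USER`, so this script and every cron job it hands off to run as root.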
@@ -1,50 +1,30 @@ echo "Running certbot for domains $DOMAINS" get_certificate() { - # Gets the certificate for the domain(s) CERT_DOMAINS (a comma separated list) - # The certificate will be named after the first domain in the list - # To work, the following variables must be set: - # - CERT_DOMAINS : comma separated list of domains - # - EMAIL - # - args + # Gets the certificate for the domain(s) CERT_DOMAINS (a comma separated list) + # The certificate will be named after the first domain in the list + # To work, the following variables must be set: + # - CERT_DOMAINS : comma separated list of domains + # - EMAIL - local d=${CERT_DOMAINS//,*/} # read first domain - echo "Getting certificate for $CERT_DOMAINS" - certbot certonly --agree-tos --keep -n \ - --text --server https://acme-v01.api.letsencrypt.org/directory \ - --email $EMAIL -d $CERT_DOMAINS $args - ec=$? - echo "certbot exit code $ec" - if [ $ec -eq 0 ] - then - echo "Certificates for $CERT_DOMAINS can be found in /etc/letsencrypt/live/$d" - else - echo "Cerbot failed for $CERT_DOMAINS. Check the logs for details." - fi + local d=${CERT_DOMAINS//,*/} # read first domain + echo "Getting certificate for $CERT_DOMAINS" + certbot certonly --agree-tos --keep -n --text --email $EMAIL --server \ + https://acme-v01.api.letsencrypt.org/directory -d $CERT_DOMAINS \ + --standalone --standalone-supported-challenges http-01 --debug + ec=$? + echo "certbot exit code $ec" + if [ $ec -eq 0 ]; then + echo "Certificates for $CERT_DOMAINS can be found in /etc/letsencrypt/live/$d" + else + echo "Cerbot failed for $CERT_DOMAINS. Check the logs for details." 
+ fi } -args="" -if [ $WEBROOT ] -then - args=" --webroot -w $WEBROOT" -else - args=" --standalone --standalone-supported-challenges http-01" -fi - -if $DEBUG -then - args=$args" --debug" -fi - set -x -if $SEPARATE -then - for d in $DOMAINS - do - CERT_DOMAINS=$d - get_certificate - done -else - CERT_DOMAINS=${DOMAINS// /,} +for d in $DOMAINS +do + CERT_DOMAINS=$d get_certificate -fi +done +
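Review bot: `EMAIL` and `CERT_DOMAINS` are expanded unquoted and never validated, so an unset `EMAIL` turns `--email $EMAIL` into `--email -d`, which certbot's argument parser will most likely reject in a non-interactive `-n` run, and a `DOMAINS` value carrying stray quotes or spaces is split into bogus `-d` arguments; add `: "${EMAIL:?EMAIL must be set}"` and `: "${DOMAINS:?DOMAINS must be set}"` before `set -x`, and quote the expansions as `--email "$EMAIL"` and `-d "$CERT_DOMAINS"`. Two flags that used to be optional are now hard-wired: `--debug` is always passed (the `$DEBUG` gate was removed), and the directory is pinned to `acme-v01`, which Let's Encrypt has since retired — dropping `--server` lets certbot use its current default endpoint. `--standalone-supported-challenges` was later deprecated by certbot in favour of `--preferred-challenges http`, and with the Dockerfile's unpinned `pip install certbot` that flag will eventually make every renewal fail where only cron's output sees it, so either pin certbot or switch to the newer flag. `set -x` also now runs unconditionally, which puts the full certbot command line including the registration e-mail into the container log on every run.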