Version 0.5: Less features makes for better software

This commit is contained in:
Elliot Saba 2017-01-19 17:42:04 -08:00
parent 9fca4ca0c7
commit a5e9215d92
6 changed files with 71 additions and 72 deletions


@ -1,5 +1,5 @@
FROM python:2 FROM python:2
MAINTAINER Henri Dwyer <henri@dwyer.io> MAINTAINER Elliot Saba <staticfloat@gmail.com>
VOLUME /etc/letsencrypt VOLUME /etc/letsencrypt
EXPOSE 80 EXPOSE 80
@ -8,7 +8,7 @@ RUN apt update && apt install -y cron
RUN pip install certbot RUN pip install certbot
RUN mkdir /scripts RUN mkdir /scripts
ADD ./crontab /etc/cron.d/certbot COPY ./crontab /etc/cron.d/certbot
RUN crontab /etc/cron.d/certbot RUN crontab /etc/cron.d/certbot
COPY ./scripts/ /scripts COPY ./scripts/ /scripts
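Review bot: The new `MAINTAINER Elliot Saba <staticfloat@gmail.com>` line uses an instruction Docker has deprecated in favour of labels; `LABEL maintainer="Elliot Saba <staticfloat@gmail.com>"` carries the same information and is queryable through `docker inspect`. The switch from `ADD` to `COPY` for the crontab is the right call, since `ADD` would silently unpack archives or fetch URLs. Separately, `RUN pip install certbot` in the same hunk is unpinned, so every rebuild pulls whatever certbot release is current; pinning it (`pip install certbot==<VERSION>`) makes the image reproducible and keeps an upstream change from altering the ACME client underneath the cron job.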


@ -1,7 +1,7 @@
all: build all: build
build: Makefile Dockerfile build: Makefile Dockerfile
docker build --squash -t staticfloat/docker-letsencrypt-cron . docker build --squash -t staticfloat/docker-certbot-cron .
push: push:
docker push staticfloat/docker-letsencrypt-cron docker push staticfloat/docker-certbot-cron


@ -1,5 +1,5 @@
# docker-letsencrypt-cron # docker-certbot-cron
Create and automatically renew website SSL certificates using the letsencrypt free certificate authority, and its client *certbot*. Create and automatically renew website SSL certificates using the letsencrypt free certificate authority, and its client *certbot*. Define the environment variables `DOMAINS` (space-separated list of fully-qualified domain names) and `EMAIL` (your letsencrypt registration email) to automatically run `certbot` to renew/fetch your SSL certificates in the background. Configure `nginx` to pass off the ACME validation challenge, and you'll have zero-downtime, 100% automatic SSL certificates for all your Docker containers!
# ACME Validation challenge # ACME Validation challenge
@ -12,28 +12,60 @@ The recommended way to use this image is to set up your reverse proxy to automat
If you use nginx as a reverse proxy, you can add the following to your configuration file in order to pass the ACME challenge. If you use nginx as a reverse proxy, you can add the following to your configuration file in order to pass the ACME challenge.
``` nginx ``` nginx
upstream certbot_upstream{
server certbot:80;
}
server { server {
listen 80; listen 80;
location '/.well-known/acme-challenge' { location '/.well-known/acme-challenge' {
default_type "text/plain"; default_type "text/plain";
proxy_pass http://certbot_upstream; # Note: this works with docker-compose only if the service name is `certbot`,
} # and the `nginx` service `depends_on` the `certbot` service!
proxy_pass http://certbot:80;
}
} }
``` ```
## `docker-compose` example
To use this container with `docker-compose`, put something like the following into your configuration:
```yml
version '2'
services:
...
certbot:
image: staticfloat/docker-certbot-cron
container_name: certbot
volumes:
- certbot_etc_letsencrypt:/etc/letsencrypt
restart: unless-stopped
environment:
- DOMAINS="foo.bar.com baz.bar.com"
- EMAIL=email@domain.com
...
nginx:
...
depends_on:
- certbot
volumes:
- certbot_etc_letsencrypt:/etc/letsencrypt:ro
...
volumes:
certbot_etc_letsencrypt:
external: true
```
I personally like having my certificates stored in an external volume so that if I ever accidentally run `docker-compose down` I don't have to re-issue myself the certificates.
# More information # More information
Find out more about letsencrypt: https://letsencrypt.org Find out more about letsencrypt: https://letsencrypt.org
Certbot github: https://github.com/certbot/certbot Certbot github: https://github.com/certbot/certbot
This repository was originally forked from `@henridwyer`, many thanks to him for the good idea. I've basically taken his approach and made it less flexible/simpler for my own use cases, so if you want this repository to do something a particular way, make sure [his repo](https://github.com/henridwyer/docker-letsencrypt-cron) doesn't already do it.
# Changelog # Changelog
### 0.5
- Change the name to `docker-certbot-cron`, update documentation, strip out even more stuff I don't care about.
### 0.4 ### 0.4
- Rip out a bunch of stuff because `@staticfloat` is a monster, and likes to do things his way - Rip out a bunch of stuff because `@staticfloat` is a monster, and likes to do things his way


@ -1,13 +0,0 @@
version: '2'
services:
certbot:
image: staticfloat/docker-letsencrypt-cron
container_name: certbot
volumes:
- buildbot_certbot_letsencrypt:/etc/letsencrypt
restart: unless-stopped
environment:
- DOMAINS=buildtest.e.ip.saba.us
- EMAIL=staticfloat@gmail.com
- SEPARATE=true


@ -1,3 +1,3 @@
#!/bin/bash #!/bin/bash
/bin/bash /scripts/run_certbot.sh /bin/bash /scripts/run_certbot.sh
cron -f exec cron -f


@ -1,50 +1,30 @@
echo "Running certbot for domains $DOMAINS" echo "Running certbot for domains $DOMAINS"
get_certificate() { get_certificate() {
# Gets the certificate for the domain(s) CERT_DOMAINS (a comma separated list) # Gets the certificate for the domain(s) CERT_DOMAINS (a comma separated list)
# The certificate will be named after the first domain in the list # The certificate will be named after the first domain in the list
# To work, the following variables must be set: # To work, the following variables must be set:
# - CERT_DOMAINS : comma separated list of domains # - CERT_DOMAINS : comma separated list of domains
# - EMAIL # - EMAIL
# - args
local d=${CERT_DOMAINS//,*/} # read first domain local d=${CERT_DOMAINS//,*/} # read first domain
echo "Getting certificate for $CERT_DOMAINS" echo "Getting certificate for $CERT_DOMAINS"
certbot certonly --agree-tos --keep -n \ certbot certonly --agree-tos --keep -n --text --email $EMAIL --server \
--text --server https://acme-v01.api.letsencrypt.org/directory \ https://acme-v01.api.letsencrypt.org/directory -d $CERT_DOMAINS \
--email $EMAIL -d $CERT_DOMAINS $args --standalone --standalone-supported-challenges http-01 --debug
ec=$? ec=$?
echo "certbot exit code $ec" echo "certbot exit code $ec"
if [ $ec -eq 0 ] if [ $ec -eq 0 ]; then
then echo "Certificates for $CERT_DOMAINS can be found in /etc/letsencrypt/live/$d"
echo "Certificates for $CERT_DOMAINS can be found in /etc/letsencrypt/live/$d" else
else echo "Cerbot failed for $CERT_DOMAINS. Check the logs for details."
echo "Cerbot failed for $CERT_DOMAINS. Check the logs for details." fi
fi
} }
args=""
if [ $WEBROOT ]
then
args=" --webroot -w $WEBROOT"
else
args=" --standalone --standalone-supported-challenges http-01"
fi
if $DEBUG
then
args=$args" --debug"
fi
set -x set -x
if $SEPARATE for d in $DOMAINS
then do
for d in $DOMAINS CERT_DOMAINS=$d
do
CERT_DOMAINS=$d
get_certificate
done
else
CERT_DOMAINS=${DOMAINS// /,}
get_certificate get_certificate
fi done
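Review bot: Nothing on the new side validates `DOMAINS` or `EMAIL` before they reach certbot, and `--email $EMAIL` is unquoted: with `EMAIL` unset the shell drops the word entirely and certbot reads `--server` as the email argument, while an empty `DOMAINS` makes `for d in $DOMAINS` a silent no-op and the container then just sits in cron with no certificate. Adding `: "${DOMAINS:?DOMAINS must be set}" "${EMAIL:?EMAIL must be set}"` ahead of the `get_certificate` definition and quoting the expansion as `--email "$EMAIL"` would fail fast with a clear message instead. The rewrite also hard-codes `--debug` and leaves `set -x` on for the whole loop, so every certbot invocation, registration email included, is traced into the container log; if that verbosity is intended, a comment saying so would help, otherwise gate it behind an environment variable as the removed `DEBUG` branch did. The header comments inside `get_certificate` still describe `CERT_DOMAINS` as a comma-separated list, but the loop now always assigns a single domain, so the `${CERT_DOMAINS//,*/}` trim and that comment are stale and should be updated together.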