From bb6f7199ccd96c17c63ae6efd7080dafa2eea091 Mon Sep 17 00:00:00 2001 From: Nico Braun Date: Sat, 14 May 2022 15:38:08 +0200 Subject: [PATCH] initial commit --- .dockerignore | 7 + .gitignore | 2 + Dockerfile | 76 ++++++++++ LICENSE.txt | 201 ++++++++++++++++++++++++++ Makefile | 86 +++++++++++ README.md | 193 +++++++++++++++++++++++++ examples/dns-ionos/dns-ionos.ini | 3 + examples/dns-ionos/docker-compose.yml | 16 ++ examples/docker-compose.yml | 12 ++ examples/nginx/config/server.conf | 22 +++ examples/nginx/docker-compose.yml | 28 ++++ scripts/certbot-certonly.sh | 149 +++++++++++++++++++ scripts/certbot-renew.sh | 27 ++++ scripts/configure-crontab.sh | 11 ++ scripts/entrypoint.sh | 19 +++ scripts/install-dns-plugins.sh | 14 ++ 16 files changed, 866 insertions(+) create mode 100644 .dockerignore create mode 100644 .gitignore create mode 100644 Dockerfile create mode 100644 LICENSE.txt create mode 100644 Makefile create mode 100644 README.md create mode 100644 examples/dns-ionos/dns-ionos.ini create mode 100644 examples/dns-ionos/docker-compose.yml create mode 100644 examples/docker-compose.yml create mode 100644 examples/nginx/config/server.conf create mode 100644 examples/nginx/docker-compose.yml create mode 100755 scripts/certbot-certonly.sh create mode 100755 scripts/certbot-renew.sh create mode 100755 scripts/configure-crontab.sh create mode 100755 scripts/entrypoint.sh create mode 100755 scripts/install-dns-plugins.sh diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..385565a --- /dev/null +++ b/.dockerignore @@ -0,0 +1,7 @@ +examples +.docker-password.txt +Makefile +README.md +LICENSE.txt +.git +.vscode \ No newline at end of file diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4865e78 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +.docker-password.txt +.vscode \ No newline at end of file diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..69fdb72 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,76 @@ +FROM alpine:3.15.4 +LABEL maintainer="Nico Braun " + +# account options +ENV EMAIL= + +# manage certificates options +ENV CERT_NAME= +ENV DOMAINS= +ENV PREFERRED_CHALLENGES= +ENV ISSUANCE_TIMEOUT= +ENV MAX_LOG_BACKUPS= +ENV FORCE_RENEWAL= +ENV QUIET= + +# authenticator options +ENV AUTHENTICATOR=standalone + +# standalone authenticator options +ENV HTTP01_ADDRESS= +ENV HTTP01_PORT= + +# webroot authenticator options +ENV WEBROOT_PATH= + +# dns authenticator options +ENV DNS_AUTHENTICATOR_CREDENTIALS= +ENV DNS_PROPAGATION_SECONDS= +ENV DNS_PLUGIN_FLAGS= + +# test and debug options +ENV STAGING= +ENV VERBOSE= +ENV DEBUG= + +# security options +ENV RSA_KEY_SIZE= +ENV KEY_TYPE= +ENV ELLIPTIC_CURVE= + +# path options +ENV CONFIG_DIR= +ENV WORK_DIR= +ENV LOGS_DIR= +ENV SERVER= + +# renew options +ENV PRE_HOOK_CMD= +ENV POST_HOOK_CMD= +ENV DEPLOY_HOOK_CMD= + +# custom options +ENV CERTBOT_CERTONLY_FLAGS= +ENV CERTBOT_RENEW_FLAGS= +ENV DNS_PLUGINS= +ENV RUN_ONCE= +ENV CRON="0 0,12 * * *" + +RUN set -ex; \ + apk add --no-cache \ + bash \ + tini \ + docker-cli \ + py3-pip \ + certbot + +# copy each certbot relevant script including the entrypoint.sh +# and ensure that each of them is executable +COPY scripts/ /scripts +RUN chmod +x -R /scripts + +VOLUME [ "/etc/letsencrypt" ] + +EXPOSE 80 + +ENTRYPOINT [ "/sbin/tini", "--", "/scripts/entrypoint.sh" ] \ No newline at end of file diff --git a/LICENSE.txt b/LICENSE.txt new file mode 100644 index 0000000..f49a4e1 --- /dev/null +++ b/LICENSE.txt @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..ce5294e --- /dev/null +++ b/Makefile @@ -0,0 +1,86 @@ +default: help + +REGISTRY ?= +DOCKER_ID ?= nbraun1 +REPOSITORY ?= certbot +TAG ?= +PASSWORD_FILE ?= .docker-password.txt + +ifdef REGISTRY +image := $(REGISTRY)/$(DOCKER_ID)/$(REPOSITORY) +else +image := $(DOCKER_ID)/$(REPOSITORY) +endif + +image_with_tag := $(image):$(TAG) +image_with_latest_tag := $(image):latest + +.PHONY: help +# https://marmelab.com/blog/2016/02/29/auto-documented-makefile.html +help: ## Print this help + @grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' + +.PHONY: all +all: git-tag git-tag-push docker-clean docker-login docker-build docker-tag docker-push docker-logout ## Run the complete release process + +# git targets + +.PHONY: git-tag +git-tag: check-tag ## Create a Git tag + @echo create git tag + @git tag $(TAG) + +.PHONY: git-tag-push +git-tag-push: check-tag ## Push a Git tag + @echo push git tag + @git push origin $(TAG) + +# docker targets + +.PHONY: docker-clean +docker-clean: check-tag ## Remove each of our built Docker images + @echo remove built images + @docker rmi $(image_with_tag) 2>/dev/null || true + @docker rmi $(image_with_latest_tag) 2>/dev/null || true + +.PHONY: docker-login +docker-login: ## Perform login to Docker registry +ifdef PASSWORD_FILE +ifeq ($(shell test -f $(PASSWORD_FILE) && echo -n yes), yes) + @echo perform login + @cat $(PASSWORD_FILE) | base64 -d | docker login -u $(DOCKER_ID) --password-stdin $(REGISTRY) +else + $(error $(PASSWORD_FILE) not exists) +endif +else + $(error PASSWORD_FILE variable is undefined) +endif + +.PHONY: docker-build +docker-build: check-tag ## Build a new Docker image + @echo build $(image_with_tag) + @docker build -t $(image_with_tag) . + +.PHONY: docker-tag +docker-tag: check-tag ## Tag a Docker image + @echo tag image $(image_with_tag) to $(image_with_latest_tag) + @docker tag $(image_with_tag) $(image_with_latest_tag) + +.PHONY: docker-push +docker-push: check-tag ## Push a Docker image + @echo push $(image_with_tag) and $(image_with_latest_tag) + @docker push $(image_with_tag) + @docker push $(image_with_latest_tag) + +.PHONY: docker-logout +docker-logout: ## Perform logout from Docker registry + @echo perform logout + @docker logout $(REGISTRY) + +# utility targets + +.PHONY: check-tag +check-tag: +ifndef TAG + $(error TAG variable is undefined) +endif \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..9adcbc2 --- /dev/null +++ b/README.md @@ -0,0 +1,193 @@ +[1]: https://certbot.eff.org/ +[2]: https://letsencrypt.org/ +[3]: https://pip.pypa.io/en/stable/ + +![Docker Pulls](https://img.shields.io/docker/pulls/nbraun1/certbot) +![Docker Image Size (tag)](https://img.shields.io/docker/image-size/nbraun1/certbot/latest) + +# Certbot for Docker +Open Source and free to use [certbot][1] for Docker environments to automate the [Let's Encrypt's][2] certificate issuing and renewal. The Docker image is based on [Alpine Linux](https://hub.docker.com/_/alpine) and uses [certbot][1] under the hood. + +## Features +- Obtain certificates from [Let's Encrypt][2] +- Renew obtained certificates with configurable cronjobs +- [Renewal hooks](https://eff-certbot.readthedocs.io/en/stable/using.html#renewing-certificates) (pre, post and deploy hooks are supported out-of-the-box) +- Install [certbot's DNS plugins](https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins) with [pip][3] when starting the Docker container +- Efficient signal handling with [Tini](https://github.com/krallin/tini) +- Highly configurable with [environment variables](#environment-variables) + +# Table of Contents +- [Getting Started](#getting-started) + - [Run with docker run](#run-with-docker-run) + - [Run with docker compose](#run-with-docker-compose) +- [Environment Variables](#environment-variables) + - [Required](#required) + - [Optional](#optional) +- [Volumes](#volumes) +- [Exposed Ports](#exposed-ports) +- [Building from Source](#building-from-source) +- [Reporting Issues](#reporting-issues) +- [License](#license) + +# Getting Started +Ensure that your domain points to an valid IP address before you start. + +## Run with `docker run` +Run [certbot][1] once: +```bash +docker run -it -p 80:80 -v $(pwd)/data/certbot:/etc/letsencrypt \ +-e EMAIL=your@email.com \ +-e DOMAINS=example.com,www.example.com \ +-e RUN_ONCE=1 \ +--name certbot nbraun1/certbot +``` + +Run [certbot][1] with cronjobs: +```bash +docker run -it -p 80:80 -v $(pwd)/data/certbot:/etc/letsencrypt \ +-e EMAIL=your@email.com \ +-e DOMAINS=example.com,www.example.com \ +-e CRON="0 0,12 * * *" \ +--name certbot nbraun1/certbot +``` + +Run [certbot][1] listens to another port for http-01 challenge: +```bash +docker run -it -p 80:81 -v $(pwd)/data/certbot:/etc/letsencrypt \ +-e EMAIL=your@email.com \ +-e DOMAINS=example.com,www.example.com \ +-e RUN_ONCE=1 \ +-e HTTP01_PORT=81 \ +--name certbot nbraun1/certbot +``` +[Certbot][1] listens to port 81 in the Docker container but is mapped as port 80 to the host in order to be reachable for a ACME server. + +## Run with `docker compose` +For an example to run [certbot][1] in Docker Compose consult our [docker-compose.yml](./examples/docker-compose.yml). In order to start the [certbot][1] run `docker compose up` in your command line. More examples can be found in the [examples directory](./examples/). +> Note that we use [Docker Compose V2](https://docs.docker.com/compose/#compose-v2-and-the-new-docker-compose-command) for this example. + +# Environment Variables +This section is partially based on the official [certbot command line options](https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-command-line-options) documentation. Most of the environment variables defaults to an empty string which is in most cases equivalent to a boolean `false`. If you wish to set this environment variable to a boolean `true`, leave its value to `1` or any other non-empty string. There are also some environment variables wish require a string or number but each of them have a well documentation to describe its expectation. + +## Required +`EMAIL` +> One or more email addresses separated by commas used for account registration and important notifications. +--- +`DOMAINS` +> Comma separated list of domains which should be protected by the obtained certificate. The first domain in this list will be always the subject CN (Common Name) and all domains will be the SANs (Subject Alternative Names) in this certificate. In addition to that the first domain is used for the file name of the obtained certificate. In the case of a name collision it will append a number like 0001 to the file name. If you want to use another value for the file name use the `CERT_NAME` environment variable. + +## Optional +`CERT_NAME` +> The name of the obtained certificate used for its file name. This value does not effect the certificate's content itself. +--- +`PREFERRED_CHALLENGES` +> Sorted, comma separated list of preferred [challenges](https://letsencrypt.org/docs/challenge-types/) used for authorization. Each challenge has a version but if you set e.g "http" as `PREFERRED_CHALLENGES`, [certbot][1] will select the latest version automatically. If no value is set for this environment variable, we try to auto-detect this value based on the configured `AUTHENTICATOR` environment variable. The table below shows each `PREFERRED_CHALLENGES` which is used by an `AUTHENTICATOR` by default: + +| AUTHENTICATOR | PREFERRED_CHALLENGES | +|----------------------------------------------------------------------------------|------------------------| +| [webroot](https://eff-certbot.readthedocs.io/en/stable/using.html#webroot) | http-01 | +| [standalone](https://eff-certbot.readthedocs.io/en/stable/using.html#standalone) | http-01 | +| [dns](https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins) | dns-01 | + +--- +`ISSUANCE_TIMEOUT` +> The duration in seconds how long [certbot][1] will wait for the ACME server to issue a certificate. Default is 90 seconds. +--- +`MAX_LOG_BACKUPS` +> The maximum number of backup logs which should be kept by [certbot's][1] built-in log rotation. If set this value to 0, log rotation is disabled and [certbot][1] will always write to the same log file. It might be useful to set this value to 0 if you want to use external log rotation software like [logrotate](https://linux.die.net/man/8/logrotate). +--- +`FORCE_RENEWAL` +> Force [certbot][1] to renew a certificate if exists and regardless of whether it is near expiry. +--- +`QUIET` +> Silence all output except errors. +--- +`AUTHENTICATOR` +> Name of the authenticator plugin. Default is standalone. +--- +`HTTP01_ADDRESS` +> The address the server listens to during http-01 challenge. Applied if `AUTHENTICATOR` is standalone. +--- +`HTTP01_PORT` +> Port used in the http-01 challenge. Applied if `AUTHENTICATOR` is standalone. +--- +`WEBROOT_PATH` +> Path to the top-level directory containing the files served by your webserver. Applied if `AUTHENTICATOR` is webroot and `WEBROOT_PATH` is required in this case. +--- +`DNS_AUTHENTICATOR_CREDENTIALS` +> DNS provider credentials INI file. Applied if `AUTHENTICATOR` is from type dns. +--- +`DNS_PROPAGATION_SECONDS` +> The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. Applied if `AUTHENTICATOR` is from type dns. +--- +`DNS_PLUGIN_FLAGS` +> Additional command line options for the DNS plugin. +--- +`STAGING` +> Use the staging server to obtain or revoke test (invalid) certificates; equivalent to set the environment variable `SERVER` to `https://acme-staging-v02.api.letsencrypt.org/directory`. +--- +`VERBOSE` +> Make [certbot's][1] output verbose. +--- +`DEBUG` +> Show tracebacks in case of errors. +--- +`RSA_KEY_SIZE` +> Size of the RSA key. Default is 2048. +--- +`KEY_TYPE` +> Type of generated private key. Can be either `rsa` or `ecdsa`. +--- +`ELLIPTIC_CURVE` +> The SECG [elliptic curve](https://datatracker.ietf.org/doc/html/rfc8446#section-7.4.2) name to use. Default is secp256r1. +--- +`CONFIG_DIR` +> Configuration directory. Default is /etc/letsencrypt. +--- +`WORK_DIR` +> Working directory. Default is /var/lib/letsencrypt. +--- +`LOGS_DIR` +> Logs directory. Default is /var/log/letsencrypt. +--- +`SERVER` +> ACME Directory Resource URI. Default is `https://acme-v02.api.letsencrypt.org/directory`. +--- +`PRE_HOOK_CMD` +> Command to be run in a shell before obtaining any certificates. Can be used for renewal to temporarily shutdown your webserver that might conflict with the standalone plugin. This will only be called if a certificate is actually to be obtained/renewed. When renewing several certificates that have identical pre-hooks, only the first will be executed. +--- +`POST_HOOK_CMD` +> Command to be run in a shell after attempting to obtain/renew certificates. Can be used to deploy renewed certificates or to restart any servers that were stopped by `PRE_HOOK_CMD`. This is only run if an attempt was made to obtain/renew a certificate. If multiple renewed certificates have identical post-hooks, only one will be run. +--- +`DEPLOY_HOOK_CMD` +> Command to be run in a shell once for each successfully issued certificate. For this command, the shell variable *$RENEWED_LINEAGE* will point to the `CONFIG_DIR` live subdirectory (for example, "/etc/letsencrypt/live/example.com") containing the new certificates and keys; the shell variable *$RENEWED_DOMAINS* will contain a space separated list of renewed certificate domains (for example, "`example.com www.example.com`"). +--- +`CERTBOT_CERTONLY_FLAGS` +> Additional command line options for [certbot's][1] certonly command. +--- +`CERTBOT_RENEW_FLAGS` +> Additional command line options for [certbot's][1] renew command. +--- +`DNS_PLUGINS` +> Comma separated list of DNS plugin names which will be installed with [pip][3]. +--- +`RUN_ONCE` +> If defined, the `CRON` environment variable is ignored and [certbot][1] runs only once. +--- +`CRON` +> [Cron](https://crontab.guru/crontab.5.html) expression for [certbot's][1] automatically renewal. If you have no idea of how to write such an cron expression, use [crontab guru](https://crontab.guru/) to generate one. + +# Volumes +- `/etc/letsencrypt` - stores the obtained certificates. + +# Exposed Ports +- 80 + +# Building from Source +Checkout this repository and run `docker build -t nbraun1/certbot .` in the project's root directory. You can use any arbitrary Docker tag. Use the built tag in your [docker run](#run-with-docker-run) command or in your [docker-compose.yml](#run-with-docker-compose) to apply your modifications. + +# Reporting Issues +If you found a bug or miss a feature, feel free to create an issue in GitHub's integrated [issue tracker](https://github.com/nbraun1/certbot/issues). But before doing so, please check if there is already an issue which describes your bug or feature in a similar fashion. + +# License +This [certbot][1] is Open Source software released under the [Apache 2.0 license](https://www.apache.org/licenses/LICENSE-2.0.html). \ No newline at end of file diff --git a/examples/dns-ionos/dns-ionos.ini b/examples/dns-ionos/dns-ionos.ini new file mode 100644 index 0000000..8a883a3 --- /dev/null +++ b/examples/dns-ionos/dns-ionos.ini @@ -0,0 +1,3 @@ +dns_ionos_prefix = your-public-key +dns_ionos_secret = your-private-key +dns_ionos_endpoint = https://api.hosting.ionos.com \ No newline at end of file diff --git a/examples/dns-ionos/docker-compose.yml b/examples/dns-ionos/docker-compose.yml new file mode 100644 index 0000000..d9f521f --- /dev/null +++ b/examples/dns-ionos/docker-compose.yml @@ -0,0 +1,16 @@ +version: "3.9" +services: + certbot: + image: nbraun1/certbot + environment: + EMAIL: your@email.com + DOMAINS: example.com,www.example.com + AUTHENTICATOR: dns-ionos + DNS_AUTHENTICATOR_CREDENTIALS: /etc/letsencrypt/.secrets/certbot/dns-ionos.ini + DNS_PROPAGATION_SECONDS: 10 + # https://github.com/helgeerbe/certbot-dns-ionos + DNS_PLUGINS: certbot-dns-ionos + RUN_ONCE: 1 + volumes: + - ./data/certbot:/etc/letsencrypt + - ./dns-ionos.ini:/etc/letsencrypt/.secrets/certbot/dns-ionos.ini diff --git a/examples/docker-compose.yml b/examples/docker-compose.yml new file mode 100644 index 0000000..9ed09fe --- /dev/null +++ b/examples/docker-compose.yml @@ -0,0 +1,12 @@ +version: "3.9" +services: + certbot: + image: nbraun1/certbot + environment: + EMAIL: your@email.com + DOMAINS: example.com,www.example.com + RUN_ONCE: 1 + ports: + - 80:80 + volumes: + - ./data/certbot:/etc/letsencrypt diff --git a/examples/nginx/config/server.conf b/examples/nginx/config/server.conf new file mode 100644 index 0000000..cb4362c --- /dev/null +++ b/examples/nginx/config/server.conf @@ -0,0 +1,22 @@ +server { + listen 80; + server_name example.com www.example.com; + + location /.well-known/acme-challenge/ { + root /var/www/letsencrypt; + } + + location / { + return 301 https://$server_name$request_uri; + } +} + +# add this configuration after you obtained certificates +# otherwise nginx cannot start successfully because the ssl files cannot be find +# server { +# listen 443 ssl; +# server_name example.com www.example.com; + +# ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; +# ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; +# } \ No newline at end of file diff --git a/examples/nginx/docker-compose.yml b/examples/nginx/docker-compose.yml new file mode 100644 index 0000000..375de64 --- /dev/null +++ b/examples/nginx/docker-compose.yml @@ -0,0 +1,28 @@ +version: "3.9" +services: + certbot: + image: nbraun1/certbot + container_name: certbot + depends_on: + - nginx + environment: + EMAIL: your@email.com + DOMAINS: example.com,www.example.com + AUTHENTICATOR: webroot + WEBROOT_PATH: /var/www/letsencrypt + POST_HOOK_CMD: docker kill -s HUP $$(docker ps --filter "name=webserver" | awk '{print $$1}') + CRON: "* * * * *" + volumes: + - ./data/certbot/letsencrypt:/etc/letsencrypt + - ./data/certbot/www:/var/www/letsencrypt + - /var/run/docker.sock:/var/run/docker.sock:ro + nginx: + image: nginx + container_name: webserver + ports: + - 80:80 + - 443:443 + volumes: + - ./config:/etc/nginx/conf.d:ro + - ./data/certbot/letsencrypt:/etc/letsencrypt:ro + - ./data/certbot/www:/var/www/letsencrypt:ro diff --git a/scripts/certbot-certonly.sh b/scripts/certbot-certonly.sh new file mode 100755 index 0000000..c83ad1f --- /dev/null +++ b/scripts/certbot-certonly.sh @@ -0,0 +1,149 @@ +#!/bin/bash +set -e + +if [ -z "$EMAIL" ]; then + >&2 echo "EMAIL environment variable is undefined" + exit 1 +fi + +# add account options +certbot_params+=(-m "$EMAIL") + +# add manage certificates options +if [ ! -z "$CERT_NAME" ]; then + certbot_params+=(--cert-name "$CERT_NAME") +fi + +if [ ! -z "$DOMAINS" ]; then + certbot_params+=(-d "$DOMAINS") +fi + +if [ ! -z "$ISSUANCE_TIMEOUT" ]; then + certbot_params+=(--issuance-timeout "$ISSUANCE_TIMEOUT") +fi + +if [ ! -z "$MAX_LOG_BACKUPS" ]; then + certbot_params+=(--max-log-backups "$MAX_LOG_BACKUPS") +fi + +if [ ! -z "$FORCE_RENEWAL" ]; then + certbot_params+=(--force-renewal) + # add renew options + if [ ! -z "$PRE_HOOK_CMD" ]; then + certbot_params+=(--pre-hook "$PRE_HOOK_CMD") + fi + + if [ ! -z "$POST_HOOK_CMD" ]; then + certbot_params+=(--post-hook "$POST_HOOK_CMD") + fi + + if [ ! -z "$DEPLOY_HOOK_CMD" ]; then + certbot_params+=(--deploy-hook "$DEPLOY_HOOK_CMD") + fi +fi + +if [ ! -z "$QUIET" ]; then + certbot_params+=(-q) +fi + +# check if an user defines the PREFERRED_CHALLENGES environment variable, +# if so we should not auto-detect and override this value +if [ ! -z "$PREFERRED_CHALLENGES" ]; then + use_custom_preferred_challenges=1 +fi + +# add authenticator options +# add the --webroot-path option if the authenticator is "webroot" +if [ "$AUTHENTICATOR" == "webroot" ]; then + # fail if the WEBROOT_PATH environment variable is undefined + if [ -z "$WEBROOT_PATH" ]; then + >&2 echo "authenticator is webroot but no WEBROOT_PATH is defined" + exit 1 + fi + certbot_params+=(--webroot --webroot-path "$WEBROOT_PATH") + if [ -z $use_custom_preferred_challenges ]; then + # webroot authenticator works only with the http challenge + PREFERRED_CHALLENGES="http-01" + fi +# add the --standalone option if the authenticator is "standalone" +elif [ "$AUTHENTICATOR" == "standalone" ]; then + certbot_params+=(--standalone) + if [ ! -z "$HTTP01_ADDRESS" ]; then + certbot_params+=(--http-01-address "$HTTP01_ADDRESS") + fi + if [ ! -z "$HTTP01_PORT" ]; then + certbot_params+=(--http-01-port "$HTTP01_PORT") + fi + if [ -z $use_custom_preferred_challenges ]; then + # standalone authenticator works only with the http challenge + PREFERRED_CHALLENGES="http-01" + fi +# add the dns authenticator options +elif [[ "$AUTHENTICATOR" == *dns* ]]; then + certbot_params+=(-a "$AUTHENTICATOR") + if [ ! -z "$DNS_AUTHENTICATOR_CREDENTIALS" ]; then + certbot_params+=(--"$AUTHENTICATOR"-credentials "$DNS_AUTHENTICATOR_CREDENTIALS") + fi + if [ ! -z "$DNS_PROPAGATION_SECONDS" ]; then + certbot_params+=(--"$AUTHENTICATOR"-propagation-seconds "$DNS_PROPAGATION_SECONDS") + fi + if [ ! -z "$DNS_PLUGIN_FLAGS" ]; then + certbot_params+=($DNS_PLUGIN_FLAGS) + fi + if [ -z $use_custom_preferred_challenges ]; then + # dns authenticator works only with the dns challenge + PREFERRED_CHALLENGES="dns-01" + fi +fi + +certbot_params+=(--preferred-challenges "$PREFERRED_CHALLENGES") + +# add test and debug options +if [ ! -z "$STAGING" ]; then + certbot_params+=(--staging) +fi + +if [ ! -z "$VERBOSE" ]; then + certbot_params+=(-v) +fi + +if [ ! -z "$DEBUG" ]; then + certbot_params+=(--debug) +fi + +# add security options +if [ ! -z "$RSA_KEY_SIZE" ]; then + certbot_params+=(--rsa-key-size "$RSA_KEY_SIZE") +fi + +if [ ! -z "$KEY_TYPE" ]; then + certbot_params+=(--key-type "$KEY_TYPE") +fi + +if [ ! -z "$ELLIPTIC_CURVE" ]; then + certbot_params+=(--elliptic-curve "$ELLIPTIC_CURVE") +fi + +# add path options +if [ ! -z "$CONFIG_DIR" ]; then + certbot_params+=(--config-dir "$CONFIG_DIR") +fi + +if [ ! -z "$WORK_DIR" ]; then + certbot_params+=(--work-dir "$WORK_DIR") +fi + +if [ ! -z "$LOGS_DIR" ]; then + certbot_params+=(--logs-dir "$LOGS_DIR") +fi + +if [ ! -z "$SERVER" ]; then + certbot_params+=(--server "$SERVER") +fi + +# add custom options +if [ ! -z "$CERTBOT_CERTONLY_FLAGS" ]; then + certbot_params+=($CERTBOT_CERTONLY_FLAGS) +fi + +certbot certonly -n --keep --agree-tos "${certbot_params[@]}" \ No newline at end of file diff --git a/scripts/certbot-renew.sh b/scripts/certbot-renew.sh new file mode 100755 index 0000000..e3fb70e --- /dev/null +++ b/scripts/certbot-renew.sh @@ -0,0 +1,27 @@ +#!/bin/bash +set -e + +# add manage certificates options +if [ ! -z "$QUIET" ]; then + certbot_params+=(-q) +fi + +# add renew options +if [ ! -z "$PRE_HOOK_CMD" ]; then + certbot_params+=(--pre-hook "$PRE_HOOK_CMD") +fi + +if [ ! -z "$POST_HOOK_CMD" ]; then + certbot_params+=(--post-hook "$POST_HOOK_CMD") +fi + +if [ ! -z "$DEPLOY_HOOK_CMD" ]; then + certbot_params+=(--deploy-hook "$DEPLOY_HOOK_CMD") +fi + +# add custom options +if [ ! -z "$CERTBOT_RENEW_FLAGS" ]; then + certbot_params+=($CERTBOT_RENEW_FLAGS) +fi + +certbot renew "${certbot_params[@]}" &>>/var/log/letsencrypt/renewal.log \ No newline at end of file diff --git a/scripts/configure-crontab.sh b/scripts/configure-crontab.sh new file mode 100755 index 0000000..31fe39f --- /dev/null +++ b/scripts/configure-crontab.sh @@ -0,0 +1,11 @@ +#!/bin/bash +set -e + +cron_script="/scripts/certbot-renew.sh" +crontab -l | grep -q "$CRON $cron_script" && ec=$? || ec=$? +# check if crontab already exists +if [ $ec == 0 ]; then + echo "crontab $CRON $cron_script already exists" +else + echo "$CRON $cron_script" | crontab - +fi \ No newline at end of file diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh new file mode 100755 index 0000000..567f085 --- /dev/null +++ b/scripts/entrypoint.sh @@ -0,0 +1,19 @@ +#!/bin/bash +set -e + +# install each dns plugin which is defined in the DNS_PLUGINS +# environment variable if not already installed +./scripts/install-dns-plugins.sh + +# run certbot's certonly command to issue certificates if not already exists +./scripts/certbot-certonly.sh + +if [ -z "$RUN_ONCE" ]; then + # add crontab which is defined in the CRON + # environment variable if not already exists + ./scripts/configure-crontab.sh + + # execute the cron which we have configured previously + # to ensure that the issued certificates will be renewed + exec crond -f -L /var/log/letsencrypt/cron.log +fi \ No newline at end of file diff --git a/scripts/install-dns-plugins.sh b/scripts/install-dns-plugins.sh new file mode 100755 index 0000000..6ac74fb --- /dev/null +++ b/scripts/install-dns-plugins.sh @@ -0,0 +1,14 @@ +#!/bin/bash +set -e + +IFS="," read -ra dns_plugins <<< "$DNS_PLUGINS" + +for dns_plugin in "${dns_plugins[@]}"; do + pip3 show "$dns_plugin" &>/dev/null && ec=$? || ec=$? + # check if dns plugin already exists + if [ $ec == 0 ]; then + echo "$dns_plugin is already installed" + else + pip3 install "$dns_plugin" >/dev/null + fi +done \ No newline at end of file