

Added certbot certificate generation, fixes #23
philtrep committed Sep 30, 2016
1 parent 45b809c commit 7da50a0
Showing 11 changed files with 81 additions and 7 deletions.
43 changes: 40 additions & 3 deletions README.md
Expand Up @@ -19,6 +19,10 @@ git submodule add https://github.com/Osedea/nodock.git
#### Build and Run the containers
```
cd nodock
# Simple app
docker-compose up -d node mysql nginx
# or
# All containers
docker-compose up -d
```

Expand All @@ -35,17 +39,50 @@ services:
nginx:
build:
args:
web_ssl: "true" # defaults to "false"
self_signed: "true" # defaults to "false"
web_ssl: "true"
```
Add your certificate to `nginx/certs/cacert.pem` and the private key to `nginx/certs/privkey.pem`.

#### Generate and use a self-signed cert

`self_signed: "true"` will generate the necessary files, do note that `self_signed: "true"` as no effect if `web_ssl: "false"`

If you want to use your own: leave `self_signed: "false"`, add the certificate to `nginx/certs/cacert.pem` and the private key to `nginx/certs/privkey.pem`.
```
# docker-compose.override.yml
version: '2'
services:
nginx:
build:
args:
web_ssl: "true"
self_signed: "true"
```

#### Generate and use certbot (Let's Encrypt) to generate the cert

`CN` must be a publicly accessible address and `EMAIL` should be the server admin contact email.

```
version: '2'
services:
nginx:
build:
args:
web_ssl: "true"
certbot:
environment:
CN: "example.com"
EMAIL: "[email protected]"
```
Don't forget to bring up the container if you plan on using certbot (`docker-compose up -d certbot`).

## Running multiple node containers

To add more node containers, simply add the following to your `docker-compose.override.yml` or environment specific docker-compose file.

```
# docker-compose.override.yml
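--- a/certbot/Dockerfile
+++ b/certbot/Dockerfile
@@ -0,0 +1,8 @@
+FROM phusion/baseimage:0.9.19
+
+COPY scripts /root/scripts/
+
+RUN apt-get update
+RUN apt-get install -y letsencrypt
+
+ENTRYPOINT bash -c "bash /root/scripts/run-certbot.sh && sleep infinity"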
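Review bot: The two apt layers at `RUN apt-get update` / `RUN apt-get install -y letsencrypt` should be a single instruction, because a cached `update` layer lets a later rebuild install from a stale package index and the index files are left in the image; use `RUN apt-get update && apt-get install -y --no-install-recommends letsencrypt && rm -rf /var/lib/apt/lists/*`. The ENTRYPOINT runs the issuance script once and then sleeps forever, so a certificate obtained here is never renewed; some renewal loop (a periodic `letsencrypt renew` followed by re-copying the files) is needed before the 90-day expiry. phusion/baseimage is built around `/sbin/my_init` as its entry point, which this ENTRYPOINT bypasses — probably intentional, but worth a comment on the line.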
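--- a/certbot/certs/.gitignore
+++ b/certbot/certs/.gitignore
@@ -0,0 +1 @@
+*.pem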
Empty file added certbot/certs/.gitkeep
Empty file.
Empty file added certbot/letsencrypt/.gitkeep
Empty file.
Empty file.
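--- a/certbot/scripts/run-certbot.sh
+++ b/certbot/scripts/run-certbot.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+letsencrypt certonly --webroot -w /var/www/letsencrypt -d "$CN" --agree-tos --email "$EMAIL" --non-interactive --text
+
+cp /etc/letsencrypt/archive/"$CN"/cert1.pem /var/certs/cert1.pem
+cp /etc/letsencrypt/archive/"$CN"/privkey1.pem /var/certs/privkey1.pem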
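Review bot: The two `cp` lines read `/etc/letsencrypt/archive/$CN/cert1.pem`, which is the leaf certificate only and whose number increments on every renewal (`cert2.pem`, …), so nginx will serve a chain without the intermediate and a later renewal would keep copying the old file; read the stable symlinks instead, `cp -L /etc/letsencrypt/live/"$CN"/fullchain.pem /var/certs/cert1.pem` and `cp -L /etc/letsencrypt/live/"$CN"/privkey.pem /var/certs/privkey1.pem`. The script has no `set -e`, so when issuance fails (nginx not yet serving the challenge directory, or `CN`/`EMAIL` unset) the copies fail with an unrelated error and the container still sleeps forever; add `set -euo pipefail` after the shebang so the failure surfaces as an exit. The copied private key lands in a bind-mounted host directory with whatever mode the umask gives it; a `chmod 600 /var/certs/privkey1.pem` after the copy keeps it from being world-readable on the host.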
11 changes: 11 additions & 0 deletions docker-compose.yml
Expand Up @@ -30,6 +30,7 @@ services:
MYSQL_USER: default_user
MYSQL_PASSWORD: secret
MYSQL_ROOT_PASSWORD: root
tty: true

nginx:
build:
Expand All @@ -49,7 +50,17 @@ services:
- "dockerhost:10.0.75.1"
tty: true

certbot:
build:
context: ./certbot
links:
- nginx
volumes_from:
- volumes

volumes:
image: tianon/true
volumes:
- ./certbot/letsencrypt/:/var/www/letsencrypt
- ./certbot/certs/:/var/certs
- ./data/logs/nginx/:/var/log/nginx
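Review bot: The new `certbot` service declares only `links: - nginx`, which orders container start-up but gives no readiness guarantee, while `run-certbot.sh` makes a single `certonly` attempt as soon as the container starts; a cold `docker-compose up -d` can therefore race nginx and leave certbot sleeping with no certificate, so the script should wait for nginx to answer on port 80 (or retry issuance) before calling `certonly`. Issued private keys are written to `./certbot/certs/` on the host through the `volumes` helper container, so that directory needs restrictive host permissions in addition to the `*.pem` ignore rule. The `tty: true` added to the mysql service in the first hunk is unrelated to the commit's stated purpose and would be clearer as a separate change.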
10 changes: 8 additions & 2 deletions nginx/scripts/web-ssl.sh
Expand Up @@ -13,7 +13,13 @@ else
-subj "/C=FK/ST=Fake/L=Fake/O=Fake/CN=0.0.0.0" \
-keyout /etc/ssl/privkey.pem \
-out /etc/ssl/cacert.pem
chown www-data:www-data /etc/ssl/cacert.pem
chown www-data:www-data /etc/ssl/privkey.pem
chown www-data:www-data /etc/ssl/cert1.pem
chown www-data:www-data /etc/ssl/privkey1.pem
fi
if [ -e /var/certs/cert1.pem ]; then
cp /var/certs/cert1.pem /etc/ssl/cert1.pem
fi
if [ -e /var/certs/privkey1.pem ]; then
cp /var/certs/privkey1.pem /etc/ssl/privkey1.pem
fi
fi
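Review bot: The added `chown www-data:www-data /etc/ssl/cert1.pem` / `privkey1.pem` lines run before the `cp` blocks below create those files, so on a fresh build they fail, and the files actually copied from `/var/certs` keep whatever mode the bind mount gave them; move the ownership change after each `cp` and add `chmod 600 /etc/ssl/privkey1.pem` so the private key is not world-readable inside the image. The self-signed branch still writes to `/etc/ssl/cacert.pem` and `/etc/ssl/privkey.pem` (the unchanged `-keyout`/`-out` lines), while `nginx/sites/node-https.template` now loads `/etc/ssl/cert1.pem` and `/etc/ssl/privkey1.pem`, so `self_signed: "true"` without certbot appears to leave nginx pointing at files that do not exist — either write the self-signed pair to the new names or fall back to the old names in the template. The enclosing `if`/`else` starts before this hunk.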
4 changes: 2 additions & 2 deletions nginx/sites/node-https.template
Expand Up @@ -4,8 +4,8 @@ server {
listen 443 default_server http2;

ssl on;
ssl_certificate /etc/ssl/cacert.pem;
ssl_certificate_key /etc/ssl/privkey.pem;
ssl_certificate /etc/ssl/cert1.pem;
ssl_certificate_key /etc/ssl/privkey1.pem;

location / {
proxy_pass http://node:${WEB_REVERSE_PROXY_PORT};
5 changes: 5 additions & 0 deletions nginx/sites/node.template
Expand Up @@ -6,4 +6,9 @@ server {
location / {
proxy_pass http://node:${WEB_REVERSE_PROXY_PORT};
}

location /.well-known/acme-challenge/ {
root /var/www/letsencrypt/;
log_not_found off;
}
}
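Review bot: The new `location /.well-known/acme-challenge/` block serves from `/var/www/letsencrypt/`, which only works if the nginx container mounts the same `./certbot/letsencrypt/` directory that `run-certbot.sh` writes into; the docker-compose.yml hunk adds that path to the `volumes` helper container, but the nginx service's own mounts are outside the visible hunks, so confirm nginx also has `volumes_from: - volumes`. A comment such as `# HTTP-01 challenge tokens written by the certbot container via the shared volume` above the block would make that dependency explicit. `log_not_found off;` also suppresses the 404s for missing challenge tokens, which are the first thing one needs when issuance fails — consider leaving logging on for this location.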
