From 7da50a0e063200562c9f39be615a5aa4e4c9020b Mon Sep 17 00:00:00 2001 From: philtrep Date: Thu, 29 Sep 2016 23:49:11 -0400 Subject: [PATCH] Added certbot certificate generation, fixes #23 --- README.md | 43 ++++++++++++++++++++++-- certbot/Dockerfile | 8 +++++ certbot/certs/.gitignore | 1 + certbot/certs/.gitkeep | 0 certbot/letsencrypt/.gitkeep | 0 certbot/letsencrypt/.well-known/.gitkeep | 0 certbot/scripts/run-certbot.sh | 6 ++++ docker-compose.yml | 11 ++++++ nginx/scripts/web-ssl.sh | 10 ++++-- nginx/sites/node-https.template | 4 +-- nginx/sites/node.template | 5 +++ 11 files changed, 81 insertions(+), 7 deletions(-) create mode 100644 certbot/Dockerfile create mode 100644 certbot/certs/.gitignore create mode 100644 certbot/certs/.gitkeep create mode 100644 certbot/letsencrypt/.gitkeep create mode 100644 certbot/letsencrypt/.well-known/.gitkeep create mode 100644 certbot/scripts/run-certbot.sh diff --git a/README.md b/README.md index 1c7d9d6..d64f79b 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,10 @@ git submodule add https://github.com/Osedea/nodock.git #### Build and Run the containers ``` cd nodock +# Simple app +docker-compose up -d node mysql nginx +# or +# All containers docker-compose up -d ``` 
@@ -35,17 +39,50 @@ services: nginx: build: args: - web_ssl: "true" # defaults to "false" - self_signed: "true" # defaults to "false" + web_ssl: "true" ``` +Add your certificate to `nginx/certs/cacert.pem` and the private key to `nginx/certs/privkey.pem`. + +#### Generate and use a self-signed cert `self_signed: "true"` will generate the necessary files, do note that `self_signed: "true"` as no effect if `web_ssl: "false"` -If you want to use your own: leave `self_signed: "false"`, add the certificate to `nginx/certs/cacert.pem` and the private key to `nginx/certs/privkey.pem`. +``` +# docker-compose.override.yml + +version: '2' + +services: + nginx: + build: + args: + web_ssl: "true" + self_signed: "true" +``` + +#### Generate and use certbot (Let's Encrypt) to generate the cert +`CN` must be a publicly accessible address and `EMAIL` should be the server admin contact email. + +``` +version: '2' + +services: + nginx: + build: + args: + web_ssl: "true" + certbot: + environment: + CN: "example.com" + EMAIL: "fake@gmail.com" +``` +Don't forget to bring up the container if you plan on using certbot (`docker-compose up -d certbot`). ## Running multiple node containers + To add more node containers, simply add the following to your `docker-compose.override.yml` or environment specific docker-compose file. + ``` # docker-compose.override.yml diff --git a/certbot/Dockerfile b/certbot/Dockerfile new file mode 100644 index 0000000..f6c1611 --- /dev/null +++ b/certbot/Dockerfile @@ -0,0 +1,8 @@ +FROM phusion/baseimage:0.9.19 + +COPY scripts /root/scripts/ + +RUN apt-get update +RUN apt-get install -y letsencrypt + +ENTRYPOINT bash -c "bash /root/scripts/run-certbot.sh && sleep infinity" diff --git a/certbot/certs/.gitignore b/certbot/certs/.gitignore new file mode 100644 index 0000000..cfaad76 --- /dev/null +++ b/certbot/certs/.gitignore @@ -0,0 +1 @@ +*.pem diff --git a/certbot/certs/.gitkeep b/certbot/certs/.gitkeep new file mode 100644 index 0000000..e69de29 
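Review bot: The `ENTRYPOINT` line runs run-certbot.sh once and then `sleep infinity`, so the certificate obtained at first boot is never renewed; Let's Encrypt certificates are valid for 90 days, after which nginx keeps serving an expired one and nothing in this container will notice. A loop in place of the sleep, e.g. `ENTRYPOINT bash -c "while true; do bash /root/scripts/run-certbot.sh; sleep 1d; done"`, together with a script that re-copies the current certificate would cover renewal (as far as I recall certbot leaves an existing certificate alone when it is not yet due, so the daily call is cheap). Separately, `RUN apt-get update` in its own layer is cached independently of the following `RUN apt-get install -y letsencrypt`, so a later rebuild can install from a stale package index; `RUN apt-get update && apt-get install -y letsencrypt && rm -rf /var/lib/apt/lists/*` avoids that and keeps the index out of the image.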
diff --git a/certbot/letsencrypt/.gitkeep b/certbot/letsencrypt/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/certbot/letsencrypt/.well-known/.gitkeep b/certbot/letsencrypt/.well-known/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/certbot/scripts/run-certbot.sh b/certbot/scripts/run-certbot.sh
new file mode 100644
index 0000000..26be75c
--- /dev/null
+++ b/certbot/scripts/run-certbot.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+letsencrypt certonly --webroot -w /var/www/letsencrypt -d "$CN" --agree-tos --email "$EMAIL" --non-interactive --text
+
+cp /etc/letsencrypt/archive/"$CN"/cert1.pem /var/certs/cert1.pem
+cp /etc/letsencrypt/archive/"$CN"/privkey1.pem /var/certs/privkey1.pem
diff --git a/docker-compose.yml b/docker-compose.yml
index a858f69..cb89565 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -30,6 +30,7 @@ services:
 MYSQL_USER: default_user
 MYSQL_PASSWORD: secret
 MYSQL_ROOT_PASSWORD: root
+ tty: true
 nginx:
 build:
@@ -49,7 +50,17 @@ services:
 - "dockerhost:10.0.75.1"
 tty: true
+ certbot:
+ build:
+ context: ./certbot
+ links:
+ - nginx
+ volumes_from:
+ - volumes
+
 volumes:
 image: tianon/true
 volumes:
+ - ./certbot/letsencrypt/:/var/www/letsencrypt
+ - ./certbot/certs/:/var/certs
 - ./data/logs/nginx/:/var/log/nginx
diff --git a/nginx/scripts/web-ssl.sh b/nginx/scripts/web-ssl.sh
index 00d8501..7aed576 100644
--- a/nginx/scripts/web-ssl.sh
+++ b/nginx/scripts/web-ssl.sh
@@ -13,7 +13,13 @@ else
 -subj "/C=FK/ST=Fake/L=Fake/O=Fake/CN=0.0.0.0" \
 -keyout /etc/ssl/privkey.pem \
 -out /etc/ssl/cacert.pem
- chown www-data:www-data /etc/ssl/cacert.pem
- chown www-data:www-data /etc/ssl/privkey.pem
+ chown www-data:www-data /etc/ssl/cert1.pem
+ chown www-data:www-data /etc/ssl/privkey1.pem
+ fi
+ if [ -e /var/certs/cert1.pem ]; then
+ cp /var/certs/cert1.pem /etc/ssl/cert1.pem
+ fi
+ if [ -e /var/certs/privkey1.pem ]; then
+ cp /var/certs/privkey1.pem /etc/ssl/privkey1.pem
+ fi
 fi
 fi
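Review bot: The two `cp` lines copy `archive/"$CN"/cert1.pem` and `privkey1.pem`, which are the files of the first issuance only: each renewal writes `cert2.pem`, `cert3.pem`, … under archive/, so the hard-coded names keep copying the original, eventually expired, certificate and key. Certbot maintains `live/$CN/` symlinks that always point at the newest version, and `cert1.pem` is the leaf certificate alone, whereas nginx's `ssl_certificate` needs leaf plus intermediate (`fullchain.pem`) or clients that do not already hold the Let's Encrypt intermediate fail chain validation. The script also has no `set -e`, so a failed `letsencrypt` call is followed by two failing `cp` calls and the container then sleeps as if it had succeeded; and the private key is copied into a directory that docker-compose bind-mounts from the host, so its mode should be set explicitly rather than inherited from `cp`. The target names are kept below so web-ssl.sh and the nginx templates need no change.
```bash
#!/bin/bash
set -euo pipefail

letsencrypt certonly --webroot -w /var/www/letsencrypt -d "$CN" --agree-tos --email "$EMAIL" --non-interactive --text

# live/ always points at the newest issued version; fullchain carries the intermediate nginx must serve
install -m 0644 "/etc/letsencrypt/live/$CN/fullchain.pem" /var/certs/cert1.pem
install -m 0600 "/etc/letsencrypt/live/$CN/privkey.pem" /var/certs/privkey1.pem
```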
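Review bot: `- ./certbot/certs/:/var/certs` bind-mounts a host directory as the place run-certbot.sh writes the private key, and `volumes_from: - volumes` hands that mount to every service using the shared volumes container, so the key's exposure is the host directory's permissions plus every container that mounts it; the `.gitignore` added in this commit keeps `*.pem` out of git but not out of the `./certbot` build context sent to the daemon (add a `.dockerignore` with `certs/`) or off the host, so either use a named volume or document the permissions expected on `./certbot/certs/`. `links: - nginx` gives certbot a network alias it never uses; what the webroot challenge actually needs is nginx listening when the script runs, which `depends_on: - nginx` expresses more honestly, and since neither waits for the listener the script should retry rather than fail on first boot. I cannot see the nginx service's own `volumes_from` from this hunk; the web-ssl.sh change in this commit assumes it mounts `/var/certs` as well.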
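Review bot: In the self-signed branch the `chown` targets were renamed to `/etc/ssl/cert1.pem` and `/etc/ssl/privkey1.pem`, but the `openssl` invocation just above (context lines) still writes `-keyout /etc/ssl/privkey.pem` and `-out /etc/ssl/cacert.pem`, so with `self_signed: "true"` both chown calls fail on missing files and nginx, which now loads `cert1.pem`/`privkey1.pem`, has no certificate at all. The openssl arguments should follow the rename: `-keyout /etc/ssl/privkey1.pem \` and `-out /etc/ssl/cert1.pem`. The new copy blocks also install the certbot key with whatever mode `cp` gives it and no ownership change, unlike the self-signed branch; add `chmod 600 /etc/ssl/privkey1.pem` after the second `cp`. The enclosing `if`/`else` starts outside the hunk, and the three `fi` lines at its end suggest three levels close here, which is worth checking against the whole script.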
diff --git a/nginx/sites/node-https.template b/nginx/sites/node-https.template
index 0338faa..fe049a1 100644
--- a/nginx/sites/node-https.template
+++ b/nginx/sites/node-https.template
@@ -4,8 +4,8 @@ server {
 listen 443 default_server http2;
 ssl on;
- ssl_certificate /etc/ssl/cacert.pem;
- ssl_certificate_key /etc/ssl/privkey.pem;
+ ssl_certificate /etc/ssl/cert1.pem;
+ ssl_certificate_key /etc/ssl/privkey1.pem;
 location / {
 proxy_pass http://node:${WEB_REVERSE_PROXY_PORT};
diff --git a/nginx/sites/node.template b/nginx/sites/node.template
index 73092f9..a3b2ed5 100644
--- a/nginx/sites/node.template
+++ b/nginx/sites/node.template
@@ -6,4 +6,9 @@ server {
 location / {
 proxy_pass http://node:${WEB_REVERSE_PROXY_PORT};
 }
+
+ location /.well-known/acme-challenge/ {
+ root /var/www/letsencrypt/;
+ log_not_found off;
+ }
 }
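Review bot: `ssl_certificate /etc/ssl/cert1.pem;` is only as good as what lands in that file, and with the certbot path added in this commit that is `archive/$CN/cert1.pem`, the leaf certificate without the Let's Encrypt intermediate, so clients that do not already cache the intermediate will see an incomplete chain. nginx expects the full chain in `ssl_certificate`; whichever script produces `/etc/ssl/cert1.pem` should copy certbot's `fullchain.pem` into it, and a one-line comment here, `# must be the full chain (leaf + intermediate), see run-certbot.sh`, would stop the next person from copying the leaf again. While these directives are being touched, `ssl on;` two lines up is the deprecated spelling; `listen 443 ssl http2 default_server;` with the `ssl on;` line removed is the current form. The server block starts and ends outside the hunk.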