Add instructions on how to run

LICENSE

@@ -1,6 +1,7 @@
 MIT License
 
 Copyright (c) 2016 Henri Dwyer
+Copyright (c) 2017 Elliot Saba
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,90 +1,120 @@
-# docker-letsencrypt-cron
-Create and automatically renew website SSL certificates using the letsencrypt free certificate authority, and its client *certbot*.
+# NOTE: This repository is now in maintenance-only mode
 
-This image will renew your certificates every 2 months, and place the lastest ones in the /certs folder in the container, and in the ./certs folder on the host.
+There is a [spiritual successor maintained by Jonas Alfredsson](https://github.com/JonasAlfredsson/docker-nginx-certbot/) that has some nice new features and is much more actively maintained.
+I highly suggest all users migrate their docker configs to use that docker image, as it is strictly superior to this one while still maintaning the same ease of use.
 
-# Usage
-
-## Setup
+# docker-nginx-certbot
+Create and automatically renew website SSL certificates using the free [letsencrypt](https://letsencrypt.org/) certificate authority, and its client [*certbot*](https://certbot.eff.org/), built on top of the [nginx](https://www.nginx.com/) webserver.
 
-In docker-compose.yml, change the environment variables:
-- WEBROOT: set this variable to the webroot path if you want to use the webroot plugin. Leave to use the standalone webserver.
-- DOMAINS: a space separated list of domains for which you want to generate certificates.
-- EMAIL: where you will receive updates from letsencrypt.
-- CONCAT: true or false, whether you want to concatenate the certificate's full chain with the private key (required for e.g. haproxy), or keep the two files separate (required for e.g. nginx or apache).
-- SEPARATE: true or false, whether you want one certificate per domain or one certificate valid for all domains. 
+This repository was originally forked from `@henridwyer`, many thanks to him for the good idea.  It has since been completely rewritten, and bears almost no resemblance to the original.  This repository is _much_ more opinionated about the structure of your webservers/containers, however it is easier to use as long as all of your webservers follow the given pattern.
 
-## Running
+# Usage
 
-### Using the automated image
+Create a config directory for your custom configs:
 
-```shell
-docker run --name certbot -v `pwd`/certs:/certs --restart always -e "DOMAINS=domain1.com domain2.com" -e "[email protected]" -e "CONCAT=true" -e "WEBROOT=" henridwyer/docker-letsencrypt-cron
+```bash
+$ mkdir conf.d
 ```
 
-### Building the image
-
-The easiest way to build the image yourself is to use the provided docker-compose file.
-
-```shell
-docker-compose up -d
+And a `*.conf` file in that directory (i.e. `nginx.conf`, but NOT just `.conf`):
+```nginx
+server {
+    listen              443 ssl;
+    server_name         server.company.com;
+    ssl_certificate     /etc/letsencrypt/live/server.company.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/server.company.com/privkey.pem;
+
+    location / {
+        ...
+    }
+}
 ```
 
-The first time you start it up, you may want to run the certificate generation script immediately:
-
-```shell
-docker exec certbot ash -c "/scripts/run_certbot.sh"
+Wrap this all up with a `docker-compose.yml` file:
+```yml
+version: '3'
+services:
+    frontend:
+        restart: unless-stopped
+        image: staticfloat/nginx-certbot
+        ports:
+            - 80:80/tcp
+            - 443:443/tcp
+        environment:
+            CERTBOT_EMAIL: [email protected]
+        volumes:
+          - ./conf.d:/etc/nginx/user.conf.d:ro
+          - letsencrypt:/etc/letsencrypt
+volumes:
+    letsencrypt:
 ```
 
-At 3AM, on the 1st of every odd month, a cron job will start the script, renewing your certificates.
-
-# ACME Validation challenge
-
-To authenticate the certificates, the you need to pass the ACME validation challenge. This requires requests made on port 80 to your.domain.com/.well-known/ to be forwarded to this container.
+Launch that docker-compose file, and you're good to go; `certbot` will automatically request an SSL certificate for any `nginx` sites that look for SSL certificates in `/etc/letsencrypt/live`, and will automatically renew them over time.
 
-The recommended way to use this image is to set up your reverse proxy to automatically forward requests for the ACME validation challenges to this container.
+Note: using a `server` block that listens on port 80 may cause issues with renewal. This container will already handle forwarding to port 443, so they are unnecessary.
 
-## Haproxy example
+## Templating
 
-If you use a haproxy reverse proxy, you can add the following to your configuration file in order to pass the ACME challenge.
+You may wish to template your configurations, e.g. passing in a hostname so as to be able to run multiple identical copies of this container; one per website.  The docker container will use [`envsubst`](https://www.gnu.org/software/gettext/manual/html_node/envsubst-Invocation.html) to template all mounted user configs with a user-provided list of environment variables.  Example:
 
-``` haproxy
-frontend http
-  bind *:80
-  acl letsencrypt_check path_beg /.well-known
+```nginx
+# In user.conf.d/nginx_template.conf
+server {
+    listen              443 ssl;
+    server_name         ${FQDN};
+    ssl_certificate     /etc/letsencrypt/live/${FQDN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${FQDN}/privkey.pem;
 
-  use_backend certbot if letsencrypt_check
+    ...
+}
+```
 
-backend certbot
-  server certbot certbot:80 maxconn 32
+```yml
+version: '3'
+services:
+    frontend:
+        restart: unless-stopped
+        image: staticfloat/nginx-certbot
+        ports:
+            - 80:80/tcp
+            - 443:443/tcp
+        environment:
+            CERTBOT_EMAIL: [email protected]
+            # variable names are space-separated
+            ENVSUBST_VARS: FQDN
+            FQDN: server.company.com
+        volumes:
+          - ./conf.d:/etc/nginx/user.conf.d:ro
+          - letsencrypt:/etc/letsencrypt
+volumes:
+    letsencrypt:
 ```
 
-## Nginx example
+# Changelog
 
-If you use nginx as a reverse proxy, you can add the following to your configuration file in order to pass the ACME challenge.
+### 1.2
+- Officially putting this repository into maintenance-only mode.
 
-``` nginx
-upstream certbot_upstream{
-  server certbot:80;
-}
+### 1.1
+- Upgraded to Python 3 installed within the environment, various quality of life improvements around initial setup and renewal.
 
-server {
-  listen              80;
-  location '/.well-known/acme-challenge' {
-    default_type "text/plain";
-    proxy_pass http://certbot_upstream;
-  }
-}
+### 1.0
+- Many improvements thanks to contributors from across the globe.  Together, we have drastically reduced the amount of customization needed; configs can be mounted directly into a prebuilt image, and the configurations can even be templated.
 
-```
+### 0.8
+- Ditch cron, it never liked me anway.  Just use `sleep` and a `while` loop instead.
 
-# More information
+### 0.7
+- Complete rewrite, build this image on top of the `nginx` image, and run `cron`/`certbot` alongside `nginx` so that we can have nginx configs dynamically enabled as we get SSL certificates.
 
-Find out more about letsencrypt: https://letsencrypt.org
+### 0.6
+- Add `nginx_auto_enable.sh` script to `/etc/letsencrypt/` so that users can bring nginx up before SSL certs are actually available.
 
-Certbot github: https://github.com/certbot/certbot
+### 0.5
+- Change the name to `docker-certbot-cron`, update documentation, strip out even more stuff I don't care about.
 
-# Changelog
+### 0.4
+- Rip out a bunch of stuff because `@staticfloat` is a monster, and likes to do things his way
 
 ### 0.3
 - Add support for webroot mode.

example/certbot_extra_domains/README.md

@@ -0,0 +1,2 @@
+1. put your letsencript primary key domain name as the filename.
+2. list extra domain names each line in the file.

example/certbot_extra_domains/example.com

@@ -0,0 +1,3 @@
+www.example.com
+sub1.example.com
+sub2.example.com

example/conf.d/nginx.conf

@@ -0,0 +1,9 @@
+server {
+    listen              443 ssl;
+    server_name         yourhostname.com;
+    ssl_certificate     /etc/letsencrypt/live/yourhostname.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/yourhostname.com/privkey.pem;
+
+    return 200 'Let\'s Encrypt certificate successfully installed!';
+    add_header Content-Type text/plain;
+}

example/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '3'
+
+services:
+  proxy:
+    image: staticfloat/nginx-certbot
+    restart: always
+    environment:
+      CERTBOT_EMAIL: "[email protected]"
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./conf.d:/etc/nginx/user.conf.d:ro
+      - ./certbot_extra_domains:/etc/certbot/extra_domains:ro
+

src/Dockerfile

@@ -0,0 +1,32 @@
+FROM nginx
+LABEL maintainer="Elliot Saba <[email protected]>, Valder Gallo <[email protected]>, Bruno Zell <[email protected]>"
+
+VOLUME /etc/letsencrypt
+EXPOSE 80
+EXPOSE 443
+
+# Do this apt/pip stuff all in one RUN command to avoid creating large
+# intermediate layers on non-squashable docker installs
+RUN apt update && \
+    apt install -y python3 python3-dev libffi6 libffi-dev libssl-dev curl build-essential procps && \
+    curl -L 'https://bootstrap.pypa.io/get-pip.py' | python3 && \
+    pip install -U cffi certbot && \
+    apt remove --purge -y python3-dev build-essential libffi-dev libssl-dev curl && \
+    apt-get autoremove -y && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Copy in scripts for certbot
+COPY ./scripts/ /scripts
+RUN chmod +x /scripts/*.sh
+
+# Add /scripts/startup directory to source more startup scripts
+RUN mkdir -p /scripts/startup
+
+# Copy in default nginx configuration (which just forwards ACME requests to
+# certbot, or redirects to HTTPS, but has no HTTPS configurations by default).
+RUN rm -f /etc/nginx/conf.d/*
+COPY nginx_conf.d/ /etc/nginx/conf.d/
+
+ENTRYPOINT []
+CMD ["/bin/bash", "/scripts/entrypoint.sh"]

src/Makefile

@@ -0,0 +1,22 @@
+
+$(warning $(shell IMAGE_NAME=$(IMAGE_NAME) printenv | grep IMAGE_NAME))
+ifndef IMAGE_NAME
+	#$(warning IMAGE_NAME is not set)
+	IMAGE_NAME=nginx-certbot
+endif
+
+# If we have `--squash` support, then use it!
+ifneq ($(shell docker build --help 2>/dev/null | grep squash),)
+DOCKER_BUILD = docker build --squash
+else
+DOCKER_BUILD = docker build
+endif
+
+all: build
+
+build: Makefile Dockerfile
+	$(DOCKER_BUILD) -t $(IMAGE_NAME) .
+	@echo "Done!  Use docker run $(IMAGE_NAME) to run"
+
+push:
+	docker push $(IMAGE_NAME)

src/nginx_conf.d/certbot.conf

@@ -0,0 +1,16 @@
+server {
+    # Listen on plain old HTTP
+    listen 80 default_server reuseport;
+    listen [::]:80 default_server reuseport;
+
+    # Pass this particular URL off to certbot, to authenticate HTTPS certificates
+    location '/.well-known/acme-challenge' {
+        default_type "text/plain";
+        proxy_pass http://localhost:1337;
+    }
+
+    # Everything else gets shunted over to HTTPS
+    location / {
+        return 301 https://$http_host$request_uri;
+    }
+}