Merge pull request #719 from nginx-proxy/acme.sh

Replace simp_le with acme.sh

Author: buchdag

.gitignore

@@ -2,6 +2,7 @@ certs/
 conf.d/
 data/
 vhost.d/
+.vscode
 
 # tests
 go/

.travis.yml

@@ -28,8 +28,7 @@ before_install:
 install:
   - docker build -t "$IMAGE" .
   - docker inspect "$IMAGE"
-  - docker run --rm "$IMAGE" simp_le --version
-  - docker run --rm "$IMAGE" simp_le -v --test
+  - docker run --rm "$IMAGE" acme.sh --version
   - docker images
 
 before_script:

Dockerfile

@@ -2,51 +2,58 @@ FROM golang:1.15-alpine AS go-builder
 
 ENV DOCKER_GEN_VERSION=0.7.4
 
-# Install build dependencies for docker-gen
-RUN apk add --update \
+# Build docker-gen
+RUN apk add --no-cache --virtual .build-deps \
         curl \
         gcc \
         git \
         make \
-        musl-dev
-
-# Build docker-gen
-RUN go get github.com/jwilder/docker-gen \
+        musl-dev \
+    && go get github.com/jwilder/docker-gen \
     && cd /go/src/github.com/jwilder/docker-gen \
-    && git checkout $DOCKER_GEN_VERSION \
+    && git -c advice.detachedHead=false checkout $DOCKER_GEN_VERSION \
     && make get-deps \
-    && make all
+    && make all \
+    && go clean -cache \
+    && mv docker-gen /usr/local/bin/ \
+    && rm -rf /go/src \
+    && apk del .build-deps
 
-FROM alpine:3.11
+FROM alpine:3.12
 
-LABEL maintainer="Yves Blusseau <90z7oey02@sneakemail.com> (@blusseau)"
+LABEL maintainer="Nicolas Duchon <nicolas.duchon@gmail.com> (@buchdag)"
 
-ENV DEBUG=false \
-    DOCKER_HOST=unix:///var/run/docker.sock
+ARG GIT_DESCRIBE
+ARG ACMESH_VERSION=2.8.7
+
+ENV COMPANION_VERSION=$GIT_DESCRIBE \
+    DOCKER_HOST=unix:///var/run/docker.sock \
+    PATH=$PATH:/app
 
 # Install packages required by the image
-RUN apk add --update \
+RUN apk add --no-cache --virtual .bin-deps \
         bash \
-        ca-certificates \
         coreutils \
         curl \
         jq \
         openssl \
-    && rm /var/cache/apk/*
+        socat
 
 # Install docker-gen from build stage
-COPY --from=go-builder /go/src/github.com/jwilder/docker-gen/docker-gen /usr/local/bin/
+COPY --from=go-builder /usr/local/bin/docker-gen /usr/local/bin/
 
-# Install simp_le
-COPY /install_simp_le.sh /app/install_simp_le.sh
-RUN chmod +rx /app/install_simp_le.sh \
+# Install acme.sh
+COPY /install_acme.sh /app/install_acme.sh
+RUN chmod +rx /app/install_acme.sh \
     && sync \
-    && /app/install_simp_le.sh \
-    && rm -f /app/install_simp_le.sh
+    && /app/install_acme.sh \
+    && rm -f /app/install_acme.sh
 
 COPY /app/ /app/
 
 WORKDIR /app
 
+VOLUME ["/etc/acme.sh", "/etc/nginx/certs"]
+
 ENTRYPOINT [ "/bin/bash", "/app/entrypoint.sh" ]
 CMD [ "/bin/bash", "/app/start.sh" ]

README.md

@@ -1,112 +1,117 @@
-[![Build Status](https://travis-ci.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion.svg?branch=master)](https://travis-ci.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion)
-[![GitHub release](https://img.shields.io/github/release/nginx-proxy/docker-letsencrypt-nginx-proxy-companion.svg)](https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion/releases)
-[![Image info](https://images.microbadger.com/badges/image/jrcs/letsencrypt-nginx-proxy-companion.svg)](https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion "Click to view the image on Docker Hub")
-[![Docker stars](https://img.shields.io/docker/stars/jrcs/letsencrypt-nginx-proxy-companion.svg)](https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion "Click to view the image on Docker Hub")
-[![Docker pulls](https://img.shields.io/docker/pulls/jrcs/letsencrypt-nginx-proxy-companion.svg)](https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion "Click to view the image on Docker Hub")
-
-**letsencrypt-nginx-proxy-companion** is a lightweight companion container for [**nginx-proxy**](https://github.com/jwilder/nginx-proxy).
-
-It handles the automated creation, renewal and use of Let's Encrypt certificates for proxied Docker containers.
-
-Please note that **letsencrypt-nginx-proxy-companion** no longer supports ACME v1 endpoints. The last tagged version that supports ACME v1 is [v1.11](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/releases/tag/v1.11.2)
-
-### Features:
-* Automated creation/renewal of Let's Encrypt (or other ACME CAs) certificates using [**simp_le**](https://github.com/zenhack/simp_le).
-* Let's Encrypt / ACME domain validation through `http-01` challenge only.
-* Automated update and reload of nginx config on certificate creation/renewal.
-* Support creation of [Multi-Domain (SAN) Certificates](https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion/blob/master/docs/Let's-Encrypt-and-ACME.md#multi-domains-certificates).
-* Creation of a Strong Diffie-Hellman Group at startup.
-* Work with all versions of docker.
-
-### Requirements:
-* Your host **must** be publicly reachable on **both** port `80` and `443`.
-* Check your firewall rules and **do not attempt to block port `80`** as that will prevent `http-01` challenges from completing.
-* For the same reason, you can't use nginx-proxy's [`HTTPS_METHOD=nohttp`](https://github.com/jwilder/nginx-proxy#how-ssl-support-works).
-* The (sub)domains you want to issue certificates for must correctly resolve to the host.
-* Your DNS provider must [answer correctly to CAA record requests](https://letsencrypt.org/docs/caa/).
-* If your (sub)domains have AAAA records set, the host must be publicly reachable over IPv6 on port `80` and `443`.
-
-![schema](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/blob/master/schema.png)
-
-## Basic usage (with the nginx-proxy container)
-
-Three writable volumes must be declared on the **nginx-proxy** container so that they can be shared with the **letsencrypt-nginx-proxy-companion** container:
-
-* `/etc/nginx/certs` to store certificates, private keys and ACME account keys (readonly for the **nginx-proxy** container).
-* `/etc/nginx/vhost.d` to change the configuration of vhosts (required so the CA may access `http-01` challenge files).
-* `/usr/share/nginx/html` to write `http-01` challenge files.
-
-Example of use:
-
-### Step 1 - nginx-proxy
-
-Start **nginx-proxy** with the three additional volumes declared:
-
-```shell
-$ docker run --detach \
-    --name nginx-proxy \
-    --publish 80:80 \
-    --publish 443:443 \
-    --volume /etc/nginx/certs \
-    --volume /etc/nginx/vhost.d \
-    --volume /usr/share/nginx/html \
-    --volume /var/run/docker.sock:/tmp/docker.sock:ro \
-    jwilder/nginx-proxy
-```
-
-Binding the host docker socket (`/var/run/docker.sock`) inside the container to `/tmp/docker.sock` is a requirement of **nginx-proxy**.
-
-### Step 2 - letsencrypt-nginx-proxy-companion
-
-Start the **letsencrypt-nginx-proxy-companion** container, getting the volumes from **nginx-proxy** with `--volumes-from`:
-
-```shell
-$ docker run --detach \
-    --name nginx-proxy-letsencrypt \
-    --volumes-from nginx-proxy \
-    --volume /var/run/docker.sock:/var/run/docker.sock:ro \
-    --env "[email protected]" \
-    jrcs/letsencrypt-nginx-proxy-companion
-```
-
-The host docker socket has to be bound inside this container too, this time to `/var/run/docker.sock`.
-
-Albeit **optional**, it is **recommended** to provide a valid default email address through the `DEFAULT_EMAIL` environment variable, so that Let's Encrypt can warn you about expiring certificates and allow you to recover your account.
-
-### Step 3 - proxied container(s)
-
-Once both **nginx-proxy** and **letsencrypt-nginx-proxy-companion** containers are up and running, start any container you want proxied with environment variables `VIRTUAL_HOST` and `LETSENCRYPT_HOST` both set to the domain(s) your proxied container is going to use.
-
-[`VIRTUAL_HOST`](https://github.com/jwilder/nginx-proxy#usage) control proxying by **nginx-proxy** and `LETSENCRYPT_HOST` control certificate creation and SSL enabling by **letsencrypt-nginx-proxy-companion**.
-
-Certificates will only be issued for containers that have both `VIRTUAL_HOST` and `LETSENCRYPT_HOST` variables set to domain(s) that correctly resolve to the host, provided the host is publicly reachable.
-
-```shell
-$ docker run --detach \
-    --name your-proxied-app \
-    --env "VIRTUAL_HOST=subdomain.yourdomain.tld" \
-    --env "LETSENCRYPT_HOST=subdomain.yourdomain.tld" \
-    nginx
-```
-
-The containers being proxied must expose the port to be proxied, either by using the `EXPOSE` directive in their Dockerfile or by using the `--expose` flag to `docker run` or `docker create`.
-
-If the proxied container listen on and expose another port than the default `80`, you can force **nginx-proxy** to use this port with the [`VIRTUAL_PORT`](https://github.com/jwilder/nginx-proxy#multiple-ports) environment variable.
-
-Example using [Grafana](https://hub.docker.com/r/grafana/grafana/) (expose and listen on port 3000):
-
-```shell
-$ docker run --detach \
-    --name grafana \
-    --env "VIRTUAL_HOST=othersubdomain.yourdomain.tld" \
-    --env "VIRTUAL_PORT=3000" \
-    --env "LETSENCRYPT_HOST=othersubdomain.yourdomain.tld" \
-    --env "[email protected]" \
-    grafana/grafana
-```
-
-Repeat [Step 3](#step-3---proxied-containers) for any other container you want to proxy.
-
-## Additional documentation
-
-Please check the [docs section](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/tree/master/docs) or the [project's wiki](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/wiki).
+[![Build Status](https://travis-ci.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion.svg?branch=master)](https://travis-ci.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion)
+[![GitHub release](https://img.shields.io/github/release/nginx-proxy/docker-letsencrypt-nginx-proxy-companion.svg)](https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion/releases)
+[![Image info](https://images.microbadger.com/badges/image/jrcs/letsencrypt-nginx-proxy-companion.svg)](https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion "Click to view the image on Docker Hub")
+[![Docker stars](https://img.shields.io/docker/stars/jrcs/letsencrypt-nginx-proxy-companion.svg)](https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion "Click to view the image on Docker Hub")
+[![Docker pulls](https://img.shields.io/docker/pulls/jrcs/letsencrypt-nginx-proxy-companion.svg)](https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion "Click to view the image on Docker Hub")
+
+**letsencrypt-nginx-proxy-companion** is a lightweight companion container for [**nginx-proxy**](https://github.com/nginx-proxy/nginx-proxy).
+
+It handles the automated creation, renewal and use of Let's Encrypt certificates for proxied Docker containers.
+
+The `v2.0.0` release of this project mark the switch of the ACME client used by the Docker image from [**simp.le**](https://github.com/zenhack/simp_le) to [**acme.sh**](https://github.com/acmesh-official/acme.sh). This switch result in some backward incompatible changes, so please read [this issue](https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion/issues/510) for more details before updating your image. The last tagged version that uses **simp_le** is `v1.13.1`.
+
+### Features:
+* Automated creation/renewal of Let's Encrypt (or other ACME CAs) certificates using [**acme.sh**](https://github.com/acmesh-official/acme.sh).
+* Let's Encrypt / ACME domain validation through `http-01` challenge only.
+* Automated update and reload of nginx config on certificate creation/renewal.
+* Support creation of [Multi-Domain (SAN) Certificates](https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion/blob/master/docs/Let's-Encrypt-and-ACME.md#multi-domains-certificates).
+* Creation of a Strong Diffie-Hellman Group at startup.
+* Work with all versions of docker.
+
+### Requirements:
+* Your host **must** be publicly reachable on **both** port `80` and `443`.
+* Check your firewall rules and **do not attempt to block port `80`** as that will prevent `http-01` challenges from completing.
+* For the same reason, you can't use nginx-proxy's [`HTTPS_METHOD=nohttp`](https://github.com/nginx-proxy/nginx-proxy#how-ssl-support-works).
+* The (sub)domains you want to issue certificates for must correctly resolve to the host.
+* Your DNS provider must [answer correctly to CAA record requests](https://letsencrypt.org/docs/caa/).
+* If your (sub)domains have AAAA records set, the host must be publicly reachable over IPv6 on port `80` and `443`.
+
+![schema](https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion/blob/master/schema.png)
+
+## Basic usage (with the nginx-proxy container)
+
+Three writable volumes must be declared on the **nginx-proxy** container so that they can be shared with the **letsencrypt-nginx-proxy-companion** container:
+
+* `/etc/nginx/certs` to store certificates and private keys (readonly for the **nginx-proxy** container).
+* `/etc/nginx/vhost.d` to change the configuration of vhosts (required so the CA may access `http-01` challenge files).
+* `/usr/share/nginx/html` to write `http-01` challenge files.
+
+Additionally, a fourth volume must be declared on the **letsencrypt-nginx-proxy-companion** container to store `acme.sh` configuration and state: `/etc/acme.sh`.
+
+Please also read the doc about [data persistence](./docs/persistent-data.md).
+
+Example of use:
+
+### Step 1 - nginx-proxy
+
+Start **nginx-proxy** with the three additional volumes declared:
+
+```shell
+$ docker run --detach \
+    --name nginx-proxy \
+    --publish 80:80 \
+    --publish 443:443 \
+    --volume /etc/nginx/certs \
+    --volume /etc/nginx/vhost.d \
+    --volume /usr/share/nginx/html \
+    --volume /var/run/docker.sock:/tmp/docker.sock:ro \
+    jwilder/nginx-proxy
+```
+
+Binding the host docker socket (`/var/run/docker.sock`) inside the container to `/tmp/docker.sock` is a requirement of **nginx-proxy**.
+
+### Step 2 - letsencrypt-nginx-proxy-companion
+
+Start the **letsencrypt-nginx-proxy-companion** container, getting the volumes from **nginx-proxy** with `--volumes-from`:
+
+```shell
+$ docker run --detach \
+    --name nginx-proxy-letsencrypt \
+    --volumes-from nginx-proxy \
+    --volume /var/run/docker.sock:/var/run/docker.sock:ro \
+    --volume /etc/acme.sh \
+    --env "[email protected]" \
+    jrcs/letsencrypt-nginx-proxy-companion
+```
+
+The host docker socket has to be bound inside this container too, this time to `/var/run/docker.sock`.
+
+Albeit **optional**, it is **recommended** to provide a valid default email address through the `DEFAULT_EMAIL` environment variable, so that Let's Encrypt can warn you about expiring certificates and allow you to recover your account.
+
+### Step 3 - proxied container(s)
+
+Once both **nginx-proxy** and **letsencrypt-nginx-proxy-companion** containers are up and running, start any container you want proxied with environment variables `VIRTUAL_HOST` and `LETSENCRYPT_HOST` both set to the domain(s) your proxied container is going to use.
+
+[`VIRTUAL_HOST`](https://github.com/nginx-proxy/nginx-proxy#usage) control proxying by **nginx-proxy** and `LETSENCRYPT_HOST` control certificate creation and SSL enabling by **letsencrypt-nginx-proxy-companion**.
+
+Certificates will only be issued for containers that have both `VIRTUAL_HOST` and `LETSENCRYPT_HOST` variables set to domain(s) that correctly resolve to the host, provided the host is publicly reachable.
+
+```shell
+$ docker run --detach \
+    --name your-proxied-app \
+    --env "VIRTUAL_HOST=subdomain.yourdomain.tld" \
+    --env "LETSENCRYPT_HOST=subdomain.yourdomain.tld" \
+    nginx
+```
+
+The containers being proxied must expose the port to be proxied, either by using the `EXPOSE` directive in their Dockerfile or by using the `--expose` flag to `docker run` or `docker create`.
+
+If the proxied container listen on and expose another port than the default `80`, you can force **nginx-proxy** to use this port with the [`VIRTUAL_PORT`](https://github.com/nginx-proxy/nginx-proxy#multiple-ports) environment variable.
+
+Example using [Grafana](https://hub.docker.com/r/grafana/grafana/) (expose and listen on port 3000):
+
+```shell
+$ docker run --detach \
+    --name grafana \
+    --env "VIRTUAL_HOST=othersubdomain.yourdomain.tld" \
+    --env "VIRTUAL_PORT=3000" \
+    --env "LETSENCRYPT_HOST=othersubdomain.yourdomain.tld" \
+    --env "[email protected]" \
+    grafana/grafana
+```
+
+Repeat [Step 3](#step-3---proxied-containers) for any other container you want to proxy.
+
+## Additional documentation
+
+Please check the [docs section](https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion/tree/master/docs) or the [project's wiki](https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion/wiki).

app/cleanup_test_artifacts

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# This script should not be run outside of a test container
+[[ "$TEST_MODE" == 'true' ]] || exit 1
+
+while [[ $# -gt 0 ]]; do
+    flag="$1"
+
+    case $flag in
+        --default-cert)
+        for filename in default.crt default.key; do
+            filepath="/etc/nginx/certs/$filename"
+            [[ -f "$filepath" ]] && rm -rf "$filepath"
+        done
+        shift
+        ;;
+
+        --location-config)
+        for filepath in '/etc/nginx/vhost.d/le1.wtf' '/etc/nginx/vhost.d/*.example.com' '/etc/nginx/vhost.d/test.*'; do
+            [[ -f "$filepath" ]] && rm -rf "$filepath"
+        done
+        shift
+        ;;
+
+        *) #Unknown option
+        shift
+        ;;
+    esac
+done
+
+for domain in le1.wtf le2.wtf le3.wtf le4.wtf lim.it; do
+    folder="/etc/nginx/certs/$domain"
+    [[ -d "$folder" ]] && rm -rf "$folder"
+    location_file="/etc/nginx/vhost.d/$domain"
+    [[ -f "$location_file" ]] && rm -rf "$location_file" 2> /dev/null
+    for extension in key crt chain.pem dhparam.pem; do
+        symlink="/etc/nginx/certs/${domain}.${extension}"
+        [[ -L "$symlink" ]] && rm -rf "$symlink"
+    done
+done