certbot

Dockerfile

@@ -1,2 +1,21 @@
 FROM sutty/monit:latest
 MAINTAINER "f <f@sutty.nl>"
+
+# Install requisites
+RUN apk add --no-cache certbot jq wget
+
+# Run certbot 
+COPY ./monit.conf /etc/monit.d/certbot.conf
+# Get more output
+RUN echo "set limits { programoutput: 1 MB }" >> /etc/monit.d/limits.conf
+
+# Install certbot's script
+COPY ./certbot.sh /usr/local/bin/certbot
+RUN chmod +x /usr/local/bin/certbot
+
+# Check monit's config
+RUN monit -t
+
+# Access to certificates and challenges
+VOLUME /etc/letsencrypt
+VOLUME /var/lib/letsencrypt

certbot.sh

@@ -0,0 +1,48 @@
+#!/bin/sh
+set -e
+
+case $1 in
+  # Renew certificates, trust in certbot's algorithms
+  renew) /usr/bin/certbot renew --quit --agree-tos ;;
+  bootstrap)
+    test -d "/etc/letsencrypt/live/api.${SUTTY}" && exit 0
+
+    # Get the certificate for the domain, the webserver will need
+    # access to this directory
+    /usr/bin/certbot certonly --email "certbot@${SUTTY}" \
+                              --webroot \
+                              --agree-tos \
+                              --webroot-path /var/lib/letsencrypt \
+                              -d "api.${SUTTY}" ;;
+  # Generate certificates
+  *)
+    # Save headers here
+    headers=/tmp/headers
+    # Gets ETag from previous headers
+    test -f "${headers}" \
+      && etag="$(grep "^  Etag: " "${headers}" | cut -d : -f 2)"
+
+    # Get site list from the API and transform to a list.  Save headers
+    # for next run.  Use ETag to avoid running when nothing changed
+    wget --user="${HTTP_BASIC_USER}" --password="${HTTP_BASIC_PASSWORD}" \
+         --header="If-None-Match:${etag}" -qSO - \
+          "https://api.${SUTTY}/v1/sites.json" \
+          2>"${headers}" \
+      | jq --raw-output .[] \
+      | while read name; do
+          # If the site name doesn't end with a dot, it's a subdomain
+          domain="$(echo "${name}" | sed "s/[^\.]$/&${SUTTY}/")"
+          domain="${domain%.}"
+
+          # Skip already existing domains
+          test -d "/etc/letsencrypt/live/${domain}" && continue
+
+          # Get the certificate for the domain, the webserver will need
+          # access to this directory
+          /usr/bin/certbot certonly --email "certbot@${SUTTY}" \
+                                    --webroot \
+                                    --agree-tos \
+                                    --webroot-path /var/lib/letsencrypt \
+                                    -d "${domain}"
+        done
+esac

monit.conf

@@ -0,0 +1,17 @@
+# Get first certificate!
+check program certbot_bootstrap
+  with path "/usr/local/bin/certbot bootstrap"
+  every 1 cycle
+  if status = 0 then unmonitor
+
+# Renew certificates once a week
+check program certbot_renew
+  with path "/usr/local/bin/certbot renew"
+  every "13 5 * * *"
+  if status != 0 then alert
+
+# Get missing certificates for every cycle.
+check program certbot
+  with path "/usr/local/bin/certbot"
+  every 1 cycle
+  if status != 0 then alert