From d17f14a58990d004e969c2f370548d4dfdefade0 Mon Sep 17 00:00:00 2001
From: f
Date: Tue, 10 Sep 2019 20:17:04 -0300
Subject: [PATCH] certbot

---
 Dockerfile | 19 +++++++++++++++++++
 certbot.sh | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 monit.conf | 17 +++++++++++++++++
 3 files changed, 84 insertions(+)
 create mode 100644 certbot.sh
 create mode 100644 monit.conf

diff --git a/Dockerfile b/Dockerfile
index 59c5898..2cec2a3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,2 +1,21 @@
 FROM sutty/monit:latest
 MAINTAINER "f "
+
+# Install requisites
+RUN apk add --no-cache certbot jq wget
+
+# Run certbot
+COPY ./monit.conf /etc/monit.d/certbot.conf
+# Get more output
+RUN echo "set limits { programoutput: 1 MB }" >> /etc/monit.d/limits.conf
+
+# Install certbot's script
+COPY ./certbot.sh /usr/local/bin/certbot
+RUN chmod +x /usr/local/bin/certbot
+
+# Check monit's config
+RUN monit -t
+
+# Access to certificates and challenges
+VOLUME /etc/letsencrypt
+VOLUME /var/lib/letsencrypt
diff --git a/certbot.sh b/certbot.sh
new file mode 100644
index 0000000..6b03373
--- /dev/null
+++ b/certbot.sh
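Review bot: `RUN apk add --no-cache certbot jq wget` installs unpinned packages, so two builds of this Dockerfile can yield different certbot/jq/wget versions (hadolint DL3018); pin them, e.g. `apk add --no-cache certbot=<version> jq=<version> wget=<version>`, and bump the pins deliberately. Copying the script to `/usr/local/bin/certbot` shadows the packaged `certbot` binary for anything that resolves it through PATH; the script itself calls `/usr/bin/certbot` by absolute path so it works, but a distinct name such as `/usr/local/bin/certbot-monit` (with the matching paths in monit.conf) would avoid the confusion. `COPY ./certbot.sh …` followed by `RUN chmod +x` can be a single `COPY --chmod=755 ./certbot.sh /usr/local/bin/certbot` when building with BuildKit, which avoids a layer that duplicates the file.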
@@ -0,0 +1,48 @@
+#!/bin/sh
+set -e
+
+case $1 in
+ # Renew certificates, trust in certbot's algorithms
+ renew) /usr/bin/certbot renew --quit --agree-tos ;;
+ bootstrap)
+ test -d "/etc/letsencrypt/live/api.${SUTTY}" && exit 0
+
+ # Get the certificate for the domain, the webserver will need
+ # access to this directory
+ /usr/bin/certbot certonly --email "certbot@${SUTTY}" \
+ --webroot \
+ --agree-tos \
+ --webroot-path /var/lib/letsencrypt \
+ -d "api.${SUTTY}" ;;
+ # Generate certificates
+ *)
+ # Save headers here
+ headers=/tmp/headers
+ # Gets ETag from previous headers
+ test -f "${headers}" \
+ && etag="$(grep "^ Etag: " "${headers}" | cut -d : -f 2)"
+
+ # Get site list from the API and transform to a list. Save headers
+ # for next run. Use ETag to avoid running when nothing changed
+ wget --user="${HTTP_BASIC_USER}" --password="${HTTP_BASIC_PASSWORD}" \
+ --header="If-None-Match:${etag}" -qSO - \
+ "https://api.${SUTTY}/v1/sites.json" \
+ 2>"${headers}" \
+ | jq --raw-output .[] \
+ | while read name; do
+ # If the site name doesn't end with a dot, it's a subdomain
+ domain="$(echo "${name}" | sed "s/[^\.]$/&${SUTTY}/")"
+ domain="${domain%.}"
+
+ # Skip already existing domains
+ test -d "/etc/letsencrypt/live/${domain}" && continue
+
+ # Get the certificate for the domain, the webserver will need
+ # access to this directory
+ /usr/bin/certbot certonly --email "certbot@${SUTTY}" \
+ --webroot \
+ --agree-tos \
+ --webroot-path /var/lib/letsencrypt \
+ -d "${domain}"
+ done
+esac
diff --git a/monit.conf b/monit.conf
new file mode 100644
index 0000000..7d1eb88
--- /dev/null
+++ b/monit.conf
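Review bot: `renew) /usr/bin/certbot renew --quit --agree-tos ;;` passes a flag certbot does not have — the quiet flag is `--quiet` (`-q`) — so the scheduled renewal exits non-zero before doing anything and monit's `certbot_renew` check will alert on every run; change it to `renew) /usr/bin/certbot renew --quiet --agree-tos ;;`. In the default branch the wget → jq → while pipeline reports only the loop's status (`/bin/sh` has no pipefail), so a rejected credential or an unreachable API yields an empty site list and exit 0, and monit keeps reporting the program healthy — download into a temporary file and test wget's exit status before handing the body to jq. `--password="${HTTP_BASIC_PASSWORD}"` places the credential on the command line where any process in the container can read it from /proc; a `.netrc` file (or wget's `--use-askpass`) keeps it off argv. Unless `SUTTY` starts with a dot, `sed "s/[^\.]$/&${SUTTY}/"` joins the site name and the base domain with no separator (`blog` becomes `blog` + `${SUTTY}`); `&.${SUTTY}` looks like what was intended, to be confirmed against what the API returns. A domain whose challenge fails is retried on every monit cycle, which will burn through Let's Encrypt's failed-validation rate limit for the account, so consider recording failures and retrying them less often.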
@@ -0,0 +1,17 @@
+# Get first certificate!
+check program certbot_bootstrap
+ with path "/usr/local/bin/certbot bootstrap"
+ every 1 cycle
+ if status = 0 then unmonitor
+
+# Renew certificates once a week
+check program certbot_renew
+ with path "/usr/local/bin/certbot renew"
+ every "13 5 * * *"
+ if status != 0 then alert
+
+# Get missing certificates for every cycle.
+check program certbot
+ with path "/usr/local/bin/certbot"
+ every 1 cycle
+ if status != 0 then alert
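Review bot: `every "13 5 * * *"` under `check program certbot_renew` fires at 05:13 every day, while the comment above it says renewal is weekly; either the comment should read `# Renew certificates daily` or the schedule needs a weekday field, e.g. `every "13 5 * * 0"`. Daily is the safer choice, since a missed weekly run close to expiry leaves little margin, so I would change the comment rather than the schedule. None of the three `check program` entries sets `with timeout`, so a certbot run that stalls on a challenge is bounded only by monit's default program timeout; an explicit `with timeout 120 seconds` on each check makes that bound visible in the config.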