├── Dockerfile ├── README.md ├── LICENSE └── start.sh /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM quay.io/letsencrypt/letsencrypt 2 | MAINTAINER kvaps 3 | 4 | RUN apt-get update && apt-get -y install docker.io 5 | 6 | ADD start.sh /bin/start.sh 7 | 8 | ENTRYPOINT [ "/bin/start.sh" ] 9 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Let’s Encrypt (webroot) in a Docker 2 | ![Letsencrypt Logo](https://letsencrypt.org/images/letsencrypt-logo-horizontal.svg) 3 | 4 | Letsencrypt cert auto getting and renewal script based on [letsencrypt](https://quay.io/repository/letsencrypt/letsencrypt) base image. 5 | 6 | ## Deprecated 7 | 8 | This project has been deprecated and is being stored here for historical reasons. 9 | If you're looking for most viable fork, please check this one: 10 | 11 | * **Repo:** https://github.com/vdhpieter/docker-letsencrypt-webroot 12 | * **DockerHub:** https://hub.docker.com/r/vdhpieter/letsencrypt-webroot/ 13 | 14 | Thanks to everyone who was using it. 15 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2015 kvaps 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | 23 | -------------------------------------------------------------------------------- /start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ -z "$DOMAINS" ] ; then 4 | echo "No domains set, please fill -e 'DOMAINS=example.com www.example.com'" 5 | exit 1 6 | fi 7 | 8 | if [ -z "$EMAIL" ] ; then 9 | echo "No email set, please fill -e 'EMAIL=your@email.tld'" 10 | exit 1 11 | fi 12 | 13 | if [ -z "$WEBROOT_PATH" ] ; then 14 | echo "No webroot path set, please fill -e 'WEBROOT_PATH=/tmp/letsencrypt'" 15 | exit 1 16 | fi 17 | 18 | if [[ -z $STAGING ]]; then 19 | echo "Using the staging environment" 20 | ADDITIONAL="--staging" 21 | fi 22 | 23 | DARRAYS=(${DOMAINS}) 24 | EMAIL_ADDRESS=${EMAIL} 25 | LE_DOMAINS=("${DARRAYS[*]/#/-d }") 26 | 27 | exp_limit="${EXP_LIMIT:-30}" 28 | check_freq="${CHECK_FREQ:-30}" 29 | 30 | le_hook() { 31 | all_links=($(env | grep -oP '^[0-9A-Z_-]+(?=_ENV_LE_RENEW_HOOK)')) 32 | compose_links=($(env | grep -oP '^[0-9A-Z]+_[a-zA-Z0-9_.-]+_[0-9]+(?=_ENV_LE_RENEW_HOOK)')) 33 | 34 | except_links=($( 35 | for link in ${compose_links[@]}; do 36 | compose_project=$(echo $link | cut -f1 -d"_") 37 | compose_name=$(echo $link | cut -f2- -d"_" | sed 's/_[^_]*$//g') 38 | compose_instance=$(echo $link | grep -o '[^_]*$') 39 | echo ${compose_name}_${compose_instance} 40 | echo ${compose_name} 41 | done 42 | )) 43 | 44 | containers=($( 45 | for link in ${all_links[@]}; do 46 | [[ " ${except_links[@]} " =~ " ${link} " ]] || echo $link 47 | done 48 | )) 49 | 50 | for container in ${containers[@]}; do 51 | command=$(eval echo \$${container}_ENV_LE_RENEW_HOOK) 52 | command=$(echo $command | sed "s/@CONTAINER_NAME@/${container,,}/g") 53 | echo "[INFO] Run: $command" 54 | eval $command 55 | done 56 | } 57 | 58 | le_fixpermissions() { 59 | echo "[INFO] Fixing permissions" 60 | chown -R ${CHOWN:-root:root} /etc/letsencrypt 61 | find /etc/letsencrypt -type d -exec chmod 755 {} \; 62 | find /etc/letsencrypt -type f -exec chmod ${CHMOD:-644} {} \; 63 | } 64 | 65 | le_renew() { 66 | certbot certonly --webroot --agree-tos --renew-by-default --text ${ADDITIONAL} --email ${EMAIL_ADDRESS} -w ${WEBROOT_PATH} ${LE_DOMAINS} 67 | le_fixpermissions 68 | le_hook 69 | } 70 | 71 | le_check() { 72 | cert_file="/etc/letsencrypt/live/$DARRAYS/fullchain.pem" 73 | 74 | if [ -f $cert_file ]; then 75 | 76 | exp=$(date -d "`openssl x509 -in $cert_file -text -noout|grep "Not After"|cut -c 25-`" +%s) 77 | datenow=$(date -d "now" +%s) 78 | days_exp=$[ ( $exp - $datenow ) / 86400 ] 79 | 80 | echo "Checking expiration date for $DARRAYS..." 81 | 82 | if [ "$days_exp" -gt "$exp_limit" ] ; then 83 | echo "The certificate is up to date, no need for renewal ($days_exp days left)." 84 | else 85 | echo "The certificate for $DARRAYS is about to expire soon. Starting webroot renewal script..." 86 | le_renew 87 | echo "Renewal process finished for domain $DARRAYS" 88 | fi 89 | 90 | echo "Checking domains for $DARRAYS..." 91 | 92 | domains=($(openssl x509 -in $cert_file -text -noout | grep -oP '(?<=DNS:)[^,]*')) 93 | new_domains=($( 94 | for domain in ${DARRAYS[@]}; do 95 | [[ " ${domains[@]} " =~ " ${domain} " ]] || echo $domain 96 | done 97 | )) 98 | 99 | if [ -z "$new_domains" ] ; then 100 | echo "The certificate have no changes, no need for renewal" 101 | else 102 | echo "The list of domains for $DARRAYS certificate has been changed. Starting webroot renewal script..." 103 | le_renew 104 | echo "Renewal process finished for domain $DARRAYS" 105 | fi 106 | 107 | 108 | else 109 | echo "[INFO] certificate file not found for domain $DARRAYS. Starting webroot initial certificate request script..." 110 | if [[ -z $CHICKENEGG ]]; then 111 | echo "Making a temporary self signed certificate to prevent chicken and egg problems" 112 | openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout "/etc/letsencrypt/live/$DARRAYS/privkey.pem" -out "${cert_file}" -subj "/CN=example.com" -days 1 113 | fi 114 | le_renew 115 | echo "Certificate request process finished for domain $DARRAYS" 116 | fi 117 | 118 | if [ "$1" != "once" ]; then 119 | sleep ${check_freq}d 120 | le_check 121 | fi 122 | } 123 | 124 | le_check $1 125 | --------------------------------------------------------------------------------