From 6b5c016334448117f9117646e758fda8d58df994 Mon Sep 17 00:00:00 2001 From: jreichmann <34141868+jreichmann@users.noreply.github.com> Date: Thu, 30 Nov 2017 21:48:31 +0100 Subject: [PATCH 1/6] Add support for environment variables which control wether to use staging or not and which type of challenge is used --- Dockerfile | 13 ++++++++++--- root/etc/once/setup.sh | 23 +++++++++++++++++++++++ 2 files changed, 33 insertions(+), 3 deletions(-) create mode 100644 root/etc/once/setup.sh diff --git a/Dockerfile b/Dockerfile index 077acd8..8863e6d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,12 @@ FROM jcgruenhage/baseimage-alpine MAINTAINER Jan Christian Grünhage ENV UID=192 \ - GID=192 + GID=192 \ + STAGING=1 \ + CHALLENGE="dns-01" + +# Set STAGING to false(0) by default, set to true(1) to use staging LE-Endpoint +# Set CHALLENGE to "dns-01" (DNS Challenge) by default, set to "http-01" to use the HTTP Challenge RUN apk update \ && apk add --upgrade \ @@ -14,12 +19,14 @@ RUN apk update \ bash \ su-exec \ libxml2-utils \ - && git clone https://github.com/lukas2511/dehydrated /dehydrated + && git clone https://github.com/lukas2511/dehydrated /dehydrated +# Add the files in the 'root' folder to the images filesystem ADD root / - VOLUME /etc/dehydrated VOLUME /var/www/dehydrated VOLUME /certs +# Execute the setup script +RUN bash /etc/once/setup.sh diff --git a/root/etc/once/setup.sh b/root/etc/once/setup.sh new file mode 100644 index 0000000..f17af00 --- /dev/null +++ b/root/etc/once/setup.sh 
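Review bot: `RUN bash /etc/once/setup.sh` in the second Dockerfile hunk is placed after `VOLUME /etc/dehydrated`, and Docker documents that build steps which modify a declared volume path after the VOLUME instruction have their changes discarded, so the `cp` into `/etc/dehydrated/config` that the script performs would not survive in the image. Running the script at build time also means the STAGING/CHALLENGE values baked at `docker build`, not the ones passed at `docker run`, decide the config. Patch 3 of this series moves the step into a runtime service, which addresses both points for the final state; if the RUN had to stay, it would need to move above the VOLUME lines.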
@@ -0,0 +1,23 @@ +#!/bin/bash + +# Copy the example config file to the config location +cp /dehydrated/docs/examples/config /etc/dehydrated/config + +# Use the staging endpoint? +if [ $STAGING -ne 0 ]; then + sed -ie 's/#CA=.*$/CA="https:\/\/acme-staging.api.letsencrypt.org\/directory"/g' /etc/dehydrated/config + sed -ie 's/#CA_TERMS=.*$/CA_TERMS="https:\/\/acme-staging.api.letsencrypt.org\/terms"/g' /etc/dehydrated/config +fi + +# Set the challenge-type +case "$CHALLENGE" in + "http-01") + sed -ie 's/#CHALLENGETYPE=.*$/CHALLENGETYPE="http-01"/g' /etc/dehydrated/config + ;; + "dns-01") + sed -ie 's/#CHALLENGETYPE=.*$/CHALLENGETYPE="dns-01"/g' /etc/dehydrated/config + ;; + *) + echo "WARNING: Unknown Challenge type! Using default from dehydrated" + ;; +esac From 29618dab22faa98d2613651be2a08177c773eb4d Mon Sep 17 00:00:00 2001 From: jreichmann <34141868+jreichmann@users.noreply.github.com> Date: Thu, 30 Nov 2017 22:17:34 +0100 Subject: [PATCH 2/6] Set default ACME endpoint to production --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 8863e6d..2c64c9d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ MAINTAINER Jan Christian Grünhage ENV UID=192 \ GID=192 \ - STAGING=1 \ + STAGING=0 \ CHALLENGE="dns-01" # Set STAGING to false(0) by default, set to true(1) to use staging LE-Endpoint From ee8e15944f6380fb5cba7cb1f833a634faac8dbc Mon Sep 17 00:00:00 2001 
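Review bot: Every `sed -ie …` in this file is parsed by GNU sed as `-i` with backup suffix `e` (not as `-i -e`), so each run leaves a stale `/etc/dehydrated/confige` copy beside the real config; `sed -i -e '…'` (or plain `sed -i`) is what is meant. The same spelling is carried into every sed in `root/etc/s6.d/setup/run` (the patch 3 hunk and the patch 6 hunks of that file). `if [ $STAGING -ne 0 ]` errors out when STAGING is empty or non-numeric because the expansion is unquoted and unvalidated; `if [[ "${STAGING:-0}" -ne 0 ]]; then` keeps the intent and tolerates an unset variable. The script has no `set -e`, so a failed `cp` is followed by `sed` calls on a file that does not exist.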
From: jreichmann <34141868+jreichmann@users.noreply.github.com> Date: Fri, 1 Dec 2017 09:28:36 +0100 Subject: [PATCH 3/6] Refactor config-modification into a service, document the optional environment variables so not setting them will not modify the configuration file, introduce check to see if config file exists before blindly copying one --- Dockerfile | 9 +------ README.md | 10 ++++++++ root/etc/once/setup.sh | 23 ----------------- root/etc/s6.d/setup/run | 55 +++++++++++++++++++++++++++++++++++++++++ 4 files changed, 66 insertions(+), 31 deletions(-) create mode 100644 README.md delete mode 100644 root/etc/once/setup.sh create mode 100755 root/etc/s6.d/setup/run diff --git a/Dockerfile b/Dockerfile index 2c64c9d..858e51e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,12 +2,7 @@ FROM jcgruenhage/baseimage-alpine MAINTAINER Jan Christian Grünhage ENV UID=192 \ - GID=192 \ - STAGING=0 \ - CHALLENGE="dns-01" - -# Set STAGING to false(0) by default, set to true(1) to use staging LE-Endpoint -# Set CHALLENGE to "dns-01" (DNS Challenge) by default, set to "http-01" to use the HTTP Challenge + GID=192 RUN apk update \ && apk add --upgrade \ @@ -28,5 +23,3 @@ VOLUME /etc/dehydrated VOLUME /var/www/dehydrated VOLUME /certs -# Execute the setup script -RUN bash /etc/once/setup.sh diff --git a/README.md b/README.md new file mode 100644 index 0000000..b7efaa8 --- /dev/null +++ b/README.md @@ -0,0 +1,10 @@ +#docker-dehydrated + +This is a docker container that wraps around [dehydrated](https://github.com/lukas2511/dehydrated). + +## Environment variables + +The following environment variables can be set to influence the container's behaviour: + +- $ENDPOINT which ACME-Endpoint you want to use, supported values: "staging", "production" (default). +- $CHALLENGE what type of challenge should be used, supported values: "http-01" (default), "dns-01" diff --git a/root/etc/once/setup.sh b/root/etc/once/setup.sh deleted file mode 100644 index f17af00..0000000 
--- a/root/etc/once/setup.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/bash
-
-# Copy the example config file to the config location
-cp /dehydrated/docs/examples/config /etc/dehydrated/config
-
-# Use the staging endpoint?
-if [ $STAGING -ne 0 ]; then
- sed -ie 's/#CA=.*$/CA="https:\/\/acme-staging.api.letsencrypt.org\/directory"/g' /etc/dehydrated/config
- sed -ie 's/#CA_TERMS=.*$/CA_TERMS="https:\/\/acme-staging.api.letsencrypt.org\/terms"/g' /etc/dehydrated/config
-fi
-
-# Set the challenge-type
-case "$CHALLENGE" in
- "http-01")
- sed -ie 's/#CHALLENGETYPE=.*$/CHALLENGETYPE="http-01"/g' /etc/dehydrated/config
- ;;
- "dns-01")
- sed -ie 's/#CHALLENGETYPE=.*$/CHALLENGETYPE="dns-01"/g' /etc/dehydrated/config
- ;;
- *)
- echo "WARNING: Unknown Challenge type! Using default from dehydrated"
- ;;
-esac
diff --git a/root/etc/s6.d/setup/run b/root/etc/s6.d/setup/run
new file mode 100755
index 0000000..f5c0887
--- /dev/null
+++ b/root/etc/s6.d/setup/run
@@ -0,0 +1,55 @@
+#!/bin/bash
+s6-svc -O /etc/s6.d/dehydrated
+
+# Check if and which configuration file exists
+CONFIGFILE="none"
+for check_config in "/etc/dehydrated" "/usr/local/etc/dehydrated" "${PWD}" "${SCRIPTDIR}"; do
+ if [[ -f "${check_config}/config" ]]; then
+ CONFIGFILE="${check_config}/config"
+ fi
+done
+
+# At this point, no configuration file exists, so copy the example into /etc/dehydrated
+if [[ "$CONFIGFILE" == "none" ]]; then
+ cp /dehydrated/docs/examples/config /etc/dehydrated/config
+ CONFIGFILE="/etc/dehydrated/config"
+fi
+
+# Determine if the staging endpoint should be used
+case "$ENDPOINT" in
+ "staging")
+ # If CA=... is commented, uncomment and set it to staging, if it is set to production, set it to staging
+ sed -ie 's/#CA=.*$/CA="https:\/\/acme-staging.api.letsencrypt.org\/directory/g' $CONFIGFILE
+ sed -ie 's/CA=.+acme-v01\.api\..+$/CA="https:\/\/acme-staging.api.letsencrypt.org\/directory/g' $CONFIGFILE
+ # Same procedure for CA_TERMS=...
+ sed -ie 's/#CA_TERMS=.*$/CA_TERMS="https:\/\/acme-staging.api.letsencrypt.org\/terms"/g' $CONFIGFILE
+ sed -ie 's/CA_TERMS=.+acme-v01\.api\..+$/CA_TERMS="https:\/\/acme-staging.api.letsencrypt.org\/terms"/g' $CONFIGFILE
+ ;;
+ "production")
+ # If CA=... is commented, uncomment and set to production, if it was set to staging, set it to production
+ sed -ie 's/#CA=.*$/CA="https:\/\/acme-v01.api.letsencrypt.org\/directory"/g' $CONFIGFILE
+ sed -ie 's/CA=.+acme-staging\.api\..+$/https:\/\/acme-v01.api.letsencrypt.org\/directory/g' $CONFIGFILE
+ # Same thing for CA_TERMS=...
+ sed -ie 's/#CA_TERMS=.*$/CA_TERMS="https:\/\/acme-v01.api.letsencrypt.org\/terms"/g' $CONFIGFILE + sed -ie 's/CA_TERMS=.+acme-staging\.api\..+$/CA_TERMS="https:\/\/acme-v01.api.letsencrypt.org\/terms"/g' $CONFIGFILE + *) + ;; +esac + +# Determine which type of challenge should be used +case "$CHALLENGE" in + "http-01") + # If we have a "fresh" config, uncomment the challengetype-line and set our value + sed -ie 's/#CHALLENGETYPE=.*$/CHALLENGETYPE="http-01"/g' $CONFIGFILE + # If a challengetype is already set, overwrite it + sed -ie 's/CHALLENGETYPE=.+$/CHALLENGETYPE="http-01"/g' $CONFIGFILE + ;; + "dns-01") + # If we have the default config, uncomment the line and set our challengetype + sed -ie 's/#CHALLENGETYPE=.*$/CHALLENGETYPE="dns-01"/g' $CONFIGFILE + # If a challengetype was already set, overwrite it with the new value + sed -ie 's/CHALLENGETYPE=.+$/CHALLENGETYPE="dns-01"/g' $CONFIGFILE + ;; + *) + ;; +esac From 52883558b59adbba474c4a21b6f80282a969f9c7 Mon Sep 17 00:00:00 2001 From: jreichmann <34141868+jreichmann@users.noreply.github.com> Date: Fri, 1 Dec 2017 11:29:31 +0100 Subject: [PATCH 4/6] Documented container-startup behaviour regarding configuration files, and behaviour with environment variables --- README.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index b7efaa8..971f907 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -#docker-dehydrated +# docker-dehydrated This is a docker container that wraps around [dehydrated](https://github.com/lukas2511/dehydrated). 
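Review bot: The `.+` in the overwrite patterns (`CA=.+acme-v01\.api\..+$`, `CA_TERMS=.+…`, `CHALLENGETYPE=.+$`) is a literal plus sign in sed's default basic regex, so these substitutions never match and a config that already carries the other endpoint or challenge type is left untouched; only the `#CA=`-style uncomment lines ever fire. One `-E` substitution per variable covers both the commented and the already-set state and drops the slash escaping, e.g. `sed -i -E 's|^#?CA=.*$|CA="https://acme-staging.api.letsencrypt.org/directory"|' "$CONFIGFILE"`, with the same `^#?VAR=.*$` form for CA_TERMS and CHALLENGETYPE; `"$CONFIGFILE"` should be quoted in every call since `${PWD}` may contain spaces. The lookup loop has no `break`, so the last existing candidate wins; if dehydrated's own lookup takes the first match, the file rewritten here can differ from the one it later loads, and `${SCRIPTDIR}` is never set in this script, so that iteration only tests `/config`. The patch 6 hunks of this file (`@@ -19,8` and `@@ -28,11`) keep the same patterns.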
@@ -6,5 +6,13 @@ This is a docker container that wraps around [dehydrated](https://github.com/luk The following environment variables can be set to influence the container's behaviour: -- $ENDPOINT which ACME-Endpoint you want to use, supported values: "staging", "production" (default). -- $CHALLENGE what type of challenge should be used, supported values: "http-01" (default), "dns-01" +- `$ENDPOINT` which ACME-Endpoint you want to use, supported values: "staging", "production" (default). +- `$CHALLENGE` what type of challenge should be used, supported values: "http-01" (default), "dns-01" + +If the environment variables were not explicitely set, no modification to the configuration file is made + +## Behaviour on startup + +When the container is started, a script is run which looks for the configuration file in the places supported by dehydrated, +and if no configuration file is found, it will copy the [example configuration file](https://github.com/lukas2511/dehydrated/docs/examples/config) +into `/etc/dehydrated/config`. From 7916402f7875216fdd69dcc95e39514c6e53fadc Mon Sep 17 00:00:00 2001 From: jreichmann <34141868+jreichmann@users.noreply.github.com> Date: Fri, 1 Dec 2017 11:32:55 +0100 Subject: [PATCH 5/6] Set the correct service name in setup-script --- root/etc/s6.d/setup/run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/etc/s6.d/setup/run b/root/etc/s6.d/setup/run index f5c0887..664a80e 100755 --- a/root/etc/s6.d/setup/run +++ b/root/etc/s6.d/setup/run @@ -1,5 +1,5 @@ #!/bin/bash -s6-svc -O /etc/s6.d/dehydrated +s6-svc -O /etc/s6.d/setup # Check if and which configuration file exists CONFIGFILE="none" From 7d1f62af77a19e35254cdd72b5aa72600bb4f4a0 Mon Sep 17 00:00:00 2001 
From: jreichmann <34141868+jreichmann@users.noreply.github.com> Date: Fri, 1 Dec 2017 17:32:19 +0100 Subject: [PATCH 6/6] Added missing quotation marks, configured dehydrated to run once to register initially --- root/etc/periodic/weekly/dehydrated | 3 ++- root/etc/s6.d/dehydrated/run | 8 ++++++++ root/etc/s6.d/setup/run | 11 +++++++---- 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/root/etc/periodic/weekly/dehydrated b/root/etc/periodic/weekly/dehydrated index 1857327..83adba3 100755 --- a/root/etc/periodic/weekly/dehydrated +++ b/root/etc/periodic/weekly/dehydrated @@ -1,3 +1,4 @@ #!/bin/bash chown -R ${UID}:${GID} /etc/dehydrated /certs /var/www/dehydrated -su-exec ${UID}:${GID} /dehydrated/dehydrated -c +# Run dehydrated +su-exec ${UID}:${GID} /dehydrated/dehydrated --cron --keep-going diff --git a/root/etc/s6.d/dehydrated/run b/root/etc/s6.d/dehydrated/run index 3db9186..388cdf0 100755 --- a/root/etc/s6.d/dehydrated/run +++ b/root/etc/s6.d/dehydrated/run @@ -1,3 +1,11 @@ #!/bin/sh s6-svc -O /etc/s6.d/dehydrated + +# Set ownership to dehydrated on the relevant folders +chown -R ${UID}:${GID} /etc/dehydrated /certs /var/www/dehydrated + +# Register to the CA +su-exec ${UID}:${GID} /dehydrated/dehydrated --register --accept-terms + +# Run the weekly script once /etc/periodic/weekly/dehydrated diff --git a/root/etc/s6.d/setup/run b/root/etc/s6.d/setup/run index 664a80e..d9ec739 100755 --- a/root/etc/s6.d/setup/run +++ b/root/etc/s6.d/setup/run @@ -9,7 +9,7 @@ for check_config in "/etc/dehydrated" "/usr/local/etc/dehydrated" "${PWD}" "${SC fi done -# At this point, no configuration file exists, so copy the example into /etc/dehydrated +# At this point, if no configuration file exists, copy the example into /etc/dehydrated if [[ "$CONFIGFILE" == "none" ]]; then cp /dehydrated/docs/examples/config /etc/dehydrated/config CONFIGFILE="/etc/dehydrated/config" 
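Review bot: This weekly script is `#!/bin/bash`, and bash initialises `UID` to the real uid of the process and marks it readonly at startup, so the `ENV UID=192` from the Dockerfile is unlikely to reach `chown -R ${UID}:${GID}` and `su-exec ${UID}:${GID}` here — when s6 runs this as root that would resolve to uid 0, i.e. dehydrated and the recursive chown act as root on the three volumes; please confirm with `bash -c 'echo $UID'` inside the image. `root/etc/s6.d/dehydrated/run`, which runs the same `su-exec ${UID}:${GID}`, is `#!/bin/sh`, so the same expansion can resolve to different ids in the two scripts. A variable name bash does not own (for example `DEHYDRATED_UID`/`DEHYDRATED_GID`, names constructed here) avoids the clash, and the expansions should be quoted in both files.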
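Review bot: `root/etc/s6.d/setup/run` and this `root/etc/s6.d/dehydrated/run` are separate s6 services and nothing in the patch orders them, so `dehydrated --register --accept-terms` can read `/etc/dehydrated/config` before the endpoint and challenge rewrite has run (or before the example config has even been copied), registering the account with whichever CA the unmodified file points to; unless the base image serialises services (not visible here), registration belongs after the setup step, e.g. at the end of `setup/run` or behind an explicit wait. `--accept-terms` accepts the CA's terms on every container start without an operator opt-in; a README sentence, or gating it on an environment variable, would make that consent explicit. Both the registration and the `chown -R` over the volumes run on every start; whether a repeated `--register` is harmless depends on how dehydrated treats an existing account key, which deserves a comment on the `# Register to the CA` line either way.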
@@ -19,8 +19,8 @@ fi case "$ENDPOINT" in "staging") # If CA=... is commented, uncomment and set it to staging, if it is set to production, set it to staging - sed -ie 's/#CA=.*$/CA="https:\/\/acme-staging.api.letsencrypt.org\/directory/g' $CONFIGFILE - sed -ie 's/CA=.+acme-v01\.api\..+$/CA="https:\/\/acme-staging.api.letsencrypt.org\/directory/g' $CONFIGFILE + sed -ie 's/#CA=.*$/CA="https:\/\/acme-staging.api.letsencrypt.org\/directory"/g' $CONFIGFILE + sed -ie 's/CA=.+acme-v01\.api\..+$/CA="https:\/\/acme-staging.api.letsencrypt.org\/directory"/g' $CONFIGFILE # Same procedure for CA_TERMS=... sed -ie 's/#CA_TERMS=.*$/CA_TERMS="https:\/\/acme-staging.api.letsencrypt.org\/terms"/g' $CONFIGFILE sed -ie 's/CA_TERMS=.+acme-v01\.api\..+$/CA_TERMS="https:\/\/acme-staging.api.letsencrypt.org\/terms"/g' $CONFIGFILE @@ -28,11 +28,13 @@ case "$ENDPOINT" in "production") # If CA=... is commented, uncomment and set to production, if it was set to staging, set it to production sed -ie 's/#CA=.*$/CA="https:\/\/acme-v01.api.letsencrypt.org\/directory"/g' $CONFIGFILE - sed -ie 's/CA=.+acme-staging\.api\..+$/https:\/\/acme-v01.api.letsencrypt.org\/directory/g' $CONFIGFILE + sed -ie 's/CA=.+acme-staging\.api\..+$/https:\/\/acme-v01.api.letsencrypt.org\/directory"/g' $CONFIGFILE # Same thing for CA_TERMS=... sed -ie 's/#CA_TERMS=.*$/CA_TERMS="https:\/\/acme-v01.api.letsencrypt.org\/terms"/g' $CONFIGFILE sed -ie 's/CA_TERMS=.+acme-staging\.api\..+$/CA_TERMS="https:\/\/acme-v01.api.letsencrypt.org\/terms"/g' $CONFIGFILE + ;; *) + echo "INFO: No endpoint was specifically set, dehydrated will use its default" ;; esac @@ -51,5 +53,6 @@ case "$CHALLENGE" in sed -ie 's/CHALLENGETYPE=.+$/CHALLENGETYPE="dns-01"/g' $CONFIGFILE ;; *) + echo "INFO: No challenge-type was specified, the default from dehydrated will be used" ;; esac
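Review bot: The production overwrite line in `@@ -28,11` still replaces the whole `CA=…` line with just `https:\/\/acme-v01.api.letsencrypt.org\/directory"` — this commit appends the closing quote but the `CA="` prefix is missing, so once the pattern matches the config loses its `CA=` assignment; the replacement should read `CA="https:\/\/acme-v01.api.letsencrypt.org\/directory"` like the CA_TERMS line below it. Today it never matches, because `.+` is literal in sed's basic regex (a defect dating from the patch 3 hunk that introduced these lines), so the breakage is latent until that is fixed. With an unrecognised `ENDPOINT` (say a capitalised `Staging`) the new `*)` arm prints "No endpoint was specifically set" even though one was set, and the container silently proceeds with whatever CA the config currently holds; `*) [[ -z "$ENDPOINT" ]] || echo "WARNING: unknown ENDPOINT '$ENDPOINT', using dehydrated's default" >&2 ;;` separates the two cases. The `*)` arm of the CHALLENGE case in `@@ -51,5` has the same issue.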