[TOOLS][SSL] Added bin/boostrap_certificates.sh, allowing for easy configuration of SSL certificates with Let's Encrypt

2020-05-05 01:23:55 +00:00
parent 3b5789639b
commit a97c511c7a
14 changed files with 272 additions and 49 deletions
--- a/docker/bootstrap/Dockerfile
+++ b/docker/bootstrap/Dockerfile
@@ -0,0 +1,16 @@
+FROM nginx:alpine
+
+RUN echo "Installing bootstrap utils"
+
+RUN apk add curl certbot openssl > /dev/null
+
+RUN echo '                                  \
+server {                                    \
+    listen [::]:80;                         \
+    listen 80;                              \
+    server_name %hostname%;                 \
+    location /.well-known/acme-challenge/ { \
+        root /var/www/certbot;              \
+    }                                       \
+}                                           \
+' > /etc/nginx/conf.d/challenge.conf
--- a/docker/bootstrap/bootstrap.env
+++ b/docker/bootstrap/bootstrap.env
@@ -0,0 +1,2 @@
+email=example@foo.bar
+domain=domain.foo
--- a/docker/bootstrap/bootstrap.sh
+++ b/docker/bootstrap/bootstrap.sh
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+sed -ri "s/%hostname%/$domain/" /etc/nginx/conf.d/challenge.conf
+
+nginx
+
+rsa_key_size=4096
+certbot_path="/var/www/certbot"
+lets_path="/etc/letsencrypt"
+
+echo "Starting bootstrap"
+
+if [ ! -e "${lets_path}/live//options-ssl-nginx.conf" ] \
+    || [ ! -e "${lets_path}/live/ssl-dhparams.pem" ]; then
+
+    echo "### Downloading recommended TLS parameters ..."
+    mkdir -p "${lets_path}/live"
+
+    curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > \
+         "${lets_path}/options-ssl-nginx.conf"
+    curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > \
+         "${lets_path}/ssl-dhparams.pem"
+
+    echo "### Creating dummy certificate for ${root_domain} ..."
+    openssl req -x509 -nodes -newkey rsa:1024 -days 1\
+            -keyout "${lets_path}/live/privkey.pem" \
+            -out "${lets_path}/live/fullchain.pem" -subj '/CN=localhost'
+
+    nginx -s reload
+
+    rm -Rf "${lets_path}/live/${root_domain}"
+    rm -Rf "${lets_path}/archive/${root_domain}"
+    rm -Rf "${lets_path}/renewal/${root_domain}.conf"
+
+    echo "### Requesting Let's Encrypt certificate for $root_domain ..."
+    # Format domain_args with the cartesian product of `root_domain` and `subdomains`
+
+    email_arg="--email $email"
+    domain_arg="-d $domain"
+
+    # Ask Let's Encrypt to create certificates, if challenge passed
+    certbot certonly --webroot -w /var/www/certbot \
+            $email_arg \
+            $domain_arg \
+            --non-interactive \
+            --rsa-key-size $rsa_key_size \
+            --agree-tos \
+            --force-renewal
+
+else
+    echo "Certificate related files exists, exiting"
+fi
--- a/docker/bootstrap/bootstrap.yaml
+++ b/docker/bootstrap/bootstrap.yaml
@@ -0,0 +1,14 @@
+version: "3.3"
+
+services:
+  bootstrap:
+    build: .
+    volumes:
+      - ../certbot/www:/var/www/certbot
+      - ../certbot/files:/etc/letsencrypt
+      - ./bootstrap.sh:/bootstrap.sh
+    ports:
+      - 80:80
+    env_file:
+      - bootstrap.env
+    entrypoint: /bootstrap.sh