From 82bc1016d5e31304f1cd6e406363bcc5c7b9b00a Mon Sep 17 00:00:00 2001 From: Marwolf Date: Sat, 18 Aug 2018 16:52:28 -0400 Subject: [PATCH] Another attempt --- docker-compose.yml | 13 +++++++ etc/certbot/Dockerfile | 21 ++++++++++++ etc/certbot/run_certbot.sh | 59 ++++++++++++++++++++++++++++++++ etc/nginx/HTTPS_default.conf.BAK | 15 +++++--- etc/nginx/nginx.conf | 14 +++++--- 5 files changed, 112 insertions(+), 10 deletions(-) create mode 100755 etc/certbot/Dockerfile create mode 100755 etc/certbot/run_certbot.sh diff --git a/docker-compose.yml b/docker-compose.yml index baa8f61..5a06deb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -17,6 +17,19 @@ services: - NGINX_HOST=${NGINX_HOST} restart: always + certbot: + build: ./etc/certbot + container_name: certbot + volumes: + - ./etc/letsencrypt/certs:/certs + restart: always + environment: + - WEBROOT="/opt/bitnami/nginx/html" + - DOMAINS=wolfkingdom.net + - EMAIL=cleako@gmail.com + - CONCAT=false + - SEPARATE=true + myadmin: image: phpmyadmin/phpmyadmin container_name: phpmyadmin diff --git a/etc/certbot/Dockerfile b/etc/certbot/Dockerfile new file mode 100755 index 0000000..94bedd6 --- /dev/null +++ b/etc/certbot/Dockerfile @@ -0,0 +1,21 @@ +FROM python:2-alpine +MAINTAINER Henri Dwyer + +VOLUME /certs +VOLUME /etc/letsencrypt +EXPOSE 80 + +RUN apk add --no-cache --virtual .build-deps linux-headers gcc musl-dev\ + && apk add --no-cache libffi-dev openssl-dev dialog\ + && pip install certbot\ + && apk del .build-deps\ + && mkdir /scripts + +ADD crontab /etc/crontabs +RUN crontab /etc/crontabs/crontab + +COPY ./scripts/ /scripts +RUN chmod +x /scripts/run_certbot.sh + +ENTRYPOINT [] +CMD ["crond", "-f"] diff --git a/etc/certbot/run_certbot.sh b/etc/certbot/run_certbot.sh new file mode 100755 index 0000000..4287eba --- /dev/null +++ b/etc/certbot/run_certbot.sh 
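Review bot: The `certbot` service sets `WEBROOT` but mounts no volume shared with nginx's document root, and the list form `- WEBROOT="/opt/bitnami/nginx/html"` keeps the double quotes inside the value, so certbot will run in webroot mode writing challenge files to a path nginx never serves. The nginx side of this same patch instead proxies `/.well-known/acme-challenge` to `certbot:80`, which only answers while a `--standalone` run is in progress, so the two halves do not fit together. Either drop `WEBROOT` so the script falls back to standalone and the proxy works, or keep webroot and mount the same html directory into both containers. `/etc/letsencrypt` is declared a volume in the Dockerfile but not mounted here, so the ACME account key and issued certificates live in an anonymous volume that `down -v` or `up -V` discards; add `- ./etc/letsencrypt/etc:/etc/letsencrypt` under `volumes:` (or a named volume) so they persist.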
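Review bot: `COPY ./scripts/ /scripts` and `ADD crontab /etc/crontabs` reference a `scripts/` directory and a `crontab` file under `etc/certbot/` that this commit does not add (the script lands at `etc/certbot/run_certbot.sh`), so the build fails unless those exist untracked; either move the script to `etc/certbot/scripts/` or change the line to `COPY run_certbot.sh /scripts/`, and commit the crontab so the renewal cadence is reviewable. `FROM python:2-alpine` and `pip install certbot` are both unpinned on an interpreter that is now end-of-life, so every rebuild silently pulls a different certbot; pin the base tag and `certbot==<version>`. `MAINTAINER` is deprecated in favour of `LABEL`. The image runs as root, which standalone mode on port 80 and writes to `/etc/letsencrypt` genuinely need, but say so: `# runs as root: standalone mode binds :80 and writes /etc/letsencrypt`.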
@@ -0,0 +1,59 @@ +echo "Running certbot for domains $DOMAINS" + +get_certificate() { + # Gets the certificate for the domain(s) CERT_DOMAINS (a comma separated list) + # The certificate will be named after the first domain in the list + # To work, the following variables must be set: + # - CERT_DOMAINS : comma separated list of domains + # - EMAIL + # - CONCAT + # - args + + local d=${CERT_DOMAINS//,*/} # read first domain + echo "Getting certificate for $CERT_DOMAINS" + certbot certonly --agree-tos --renew-by-default -n \ + --text --server https://acme-v01.api.letsencrypt.org/directory \ + --email $EMAIL -d $CERT_DOMAINS $args + ec=$? + echo "certbot exit code $ec" + if [ $ec -eq 0 ] + then + if $CONCAT + then + # concat the full chain with the private key (e.g. for haproxy) + cat /etc/letsencrypt/live/$d/fullchain.pem /etc/letsencrypt/live/$d/privkey.pem > /certs/$d.pem + else + # keep full chain and private key in separate files (e.g. for nginx and apache) + cp /etc/letsencrypt/live/$d/fullchain.pem /certs/$d.pem + cp /etc/letsencrypt/live/$d/privkey.pem /certs/$d.key + fi + echo "Certificate obtained for $CERT_DOMAINS! Your new certificate - named $d - is in /certs" + else + echo "Cerbot failed for $CERT_DOMAINS. Check the logs for details." + fi +} + +args="" +if [ $WEBROOT ] +then + args=" --webroot -w $WEBROOT" +else + args=" --standalone --standalone-supported-challenges http-01" +fi + +if $DEBUG +then + args=$args" --debug" +fi + +if $SEPARATE +then + for d in $DOMAINS + do + CERT_DOMAINS=$d + get_certificate + done +else + CERT_DOMAINS=${DOMAINS// /,} + get_certificate +fi diff --git a/etc/nginx/HTTPS_default.conf.BAK b/etc/nginx/HTTPS_default.conf.BAK index 29b9a1f..2a4e745 100755 --- a/etc/nginx/HTTPS_default.conf.BAK +++ b/etc/nginx/HTTPS_default.conf.BAK 
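Review bot: The `cp`/`cat` lines in `get_certificate` create `/certs/$d.key` (or the concatenated `/certs/$d.pem`) as new files under the default umask, so the private key certbot keeps at 0600 under `/etc/letsencrypt/live` ends up world-readable on the host bind mount `./etc/letsencrypt/certs`; set `umask 077` before those copies or `chmod 600` afterwards. `if $DEBUG` executes the variable's value as a command, and because `DEBUG` is not set in docker-compose.yml the empty command succeeds in sh, so `--debug` is appended on every run; the same pattern on `CONCAT`/`SEPARATE` would execute whatever those variables hold, so compare strings instead. The script has no shebang and no `set -u`, `$WEBROOT`/`$EMAIL` are expanded unquoted, and `--server https://acme-v01.api.letsencrypt.org/directory` pins the ACME v1 endpoint that Let's Encrypt has since retired, so use the v02 directory. `--standalone-supported-challenges` is a deprecated flag that newer certbot releases reject (confirm against the pinned version); http-01 is the only standalone challenge left, so it can be dropped.
```shell
#!/bin/sh
set -u
# private keys are copied into /certs below; keep them owner-only
umask 077
# … unchanged: echo, get_certificate() up to the certbot invocation …
    certbot certonly --agree-tos --renew-by-default -n \
      --text --server https://acme-v02.api.letsencrypt.org/directory \
      --email "$EMAIL" -d "$CERT_DOMAINS" $args
# … unchanged: exit-code handling, except the boolean tests …
    if [ "${CONCAT:-false}" = "true" ]
# … unchanged: webroot/standalone selection …
if [ "${DEBUG:-false}" = "true" ]
# … unchanged: --debug append …
if [ "${SEPARATE:-false}" = "true" ]
# … unchanged: per-domain loop …
```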
@@ -15,6 +15,11 @@ server { error_log /opt/bitnami/nginx/logs/error.log; access_log /opt/bitnami/nginx/logs/access.log; + location '/.well-known/acme-challenge' { + default_type "text/plain"; + proxy_pass http://certbot_upstream; + } + rewrite ^ https://$http_host$request_uri? permanent; #Redirect traffic to HTTPS } @@ -50,6 +55,11 @@ server { root /opt/bitnami/nginx/html; } + location '/.well-known/acme-challenge' { + default_type "text/plain"; + proxy_pass http://certbot_upstream; + } + ####### Proxies ####### # PHP proxy # location /board { @@ -81,9 +91,4 @@ server { proxy_pass http://tomcat; } - location ~ /\.well-known/acme-challenge { - root /opt/bitnami/nginx/html; - allow all; - } - } diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf index 3b52dc3..ed7d935 100755 --- a/etc/nginx/nginx.conf +++ b/etc/nginx/nginx.conf @@ -6,6 +6,10 @@ upstream ghost { server ghost:2368; } +upstream certbot_upstream{ + server certbot:80; +} + # HTTP server { listen 8080 default_server; @@ -24,6 +28,11 @@ server { root /opt/bitnami/nginx/html; } + location '/.well-known/acme-challenge' { + default_type "text/plain"; + proxy_pass http://certbot_upstream; + } + ####### Proxies ####### # PHP proxy # location /board { @@ -55,9 +64,4 @@ server { proxy_pass http://tomcat; } - location ~ /\.well-known/acme-challenge { - root /opt/bitnami/nginx/html; - allow all; - } - }
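Review bot: The new `location '/.well-known/acme-challenge'` in this server block sits beside a server-level `rewrite ^ https://$http_host$request_uri? permanent;`, and nginx executes server-level `rewrite` directives before it selects a location, so challenge requests on this listener are redirected to HTTPS instead of being proxied to certbot. Let's Encrypt follows redirects, so validation may still succeed through the HTTPS copy added further down, but then every renewal depends on the TLS listener already being up with a usable certificate. Make the redirect location-scoped so the ACME prefix takes precedence: replace the `rewrite` with `location / { return 301 https://$http_host$request_uri; }`.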
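Review bot: `upstream certbot_upstream{ server certbot:80; }` makes nginx resolve the `certbot` service name at configuration load, so nginx refuses to start with `host not found in upstream` whenever the certbot container is absent or not yet on the network, and the compose change in this patch gives nginx no `depends_on: certbot`. Since the certbot container only listens on :80 while a standalone challenge is running, requests proxied at any other time get a 502 from nginx; that is fine for ACME but deserves a comment such as `# certbot binds :80 only during a standalone challenge; 502 otherwise`. Also `certbot_upstream{` should be `certbot_upstream {` to match `upstream ghost {` above.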
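Review bot: The removed `location ~ /\.well-known/acme-challenge` block carried `allow all;`, which overrode any `deny` rules inherited from the enclosing server, and the new proxied location drops it; if this server block has access rules outside the hunk (not visible here), challenge requests may now be refused, so add `allow all;` back inside the location. `default_type "text/plain"` has no effect on a proxied response, whose Content-Type comes from certbot, and can be removed.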