Another attempt

docker-compose.yml

@@ -17,6 +17,19 @@ services:
             - NGINX_HOST=${NGINX_HOST}
         restart: always
 
+    certbot:
+        build: ./etc/certbot
+        container_name: certbot
+        volumes:
+              - ./etc/letsencrypt/certs:/certs
+        restart: always
+        environment:
+            - WEBROOT="/opt/bitnami/nginx/html"
+            - DOMAINS=wolfkingdom.net
+            - EMAIL=cleako@gmail.com
+            - CONCAT=false
+            - SEPARATE=true
+
     myadmin:
         image: phpmyadmin/phpmyadmin
         container_name: phpmyadmin

etc/certbot/Dockerfile

@@ -0,0 +1,21 @@
+FROM python:2-alpine
+MAINTAINER Henri Dwyer <henri@dwyer.io>
+
+VOLUME /certs
+VOLUME /etc/letsencrypt
+EXPOSE 80
+
+RUN apk add --no-cache --virtual .build-deps linux-headers gcc musl-dev\
+  && apk add --no-cache libffi-dev openssl-dev dialog\
+  && pip install certbot\
+  && apk del .build-deps\
+  && mkdir /scripts
+
+ADD crontab /etc/crontabs
+RUN crontab /etc/crontabs/crontab
+
+COPY ./scripts/ /scripts
+RUN chmod +x /scripts/run_certbot.sh
+
+ENTRYPOINT []
+CMD ["crond", "-f"]

etc/certbot/run_certbot.sh

@@ -0,0 +1,59 @@
+echo "Running certbot for domains $DOMAINS"
+
+get_certificate() {
+  # Gets the certificate for the domain(s) CERT_DOMAINS (a comma separated list)
+  # The certificate will be named after the first domain in the list
+  # To work, the following variables must be set:
+  # - CERT_DOMAINS : comma separated list of domains
+  # - EMAIL
+  # - CONCAT
+  # - args
+
+  local d=${CERT_DOMAINS//,*/} # read first domain
+  echo "Getting certificate for $CERT_DOMAINS"
+  certbot certonly --agree-tos --renew-by-default -n \
+  --text --server https://acme-v01.api.letsencrypt.org/directory \
+  --email $EMAIL -d $CERT_DOMAINS $args
+  ec=$?
+  echo "certbot exit code $ec"
+  if [ $ec -eq 0 ]
+  then
+    if $CONCAT
+    then
+      # concat the full chain with the private key (e.g. for haproxy)
+      cat /etc/letsencrypt/live/$d/fullchain.pem /etc/letsencrypt/live/$d/privkey.pem > /certs/$d.pem
+    else
+      # keep full chain and private key in separate files (e.g. for nginx and apache)
+      cp /etc/letsencrypt/live/$d/fullchain.pem /certs/$d.pem
+      cp /etc/letsencrypt/live/$d/privkey.pem /certs/$d.key
+    fi
+    echo "Certificate obtained for $CERT_DOMAINS! Your new certificate - named $d - is in /certs"
+  else
+    echo "Cerbot failed for $CERT_DOMAINS. Check the logs for details."
+  fi
+}
+
+args=""
+if [ $WEBROOT ]
+then
+  args=" --webroot -w $WEBROOT"
+else
+  args=" --standalone --standalone-supported-challenges http-01"
+fi
+
+if $DEBUG
+then
+  args=$args" --debug"
+fi
+
+if $SEPARATE
+then
+  for d in $DOMAINS
+  do
+    CERT_DOMAINS=$d
+    get_certificate
+  done
+else
+  CERT_DOMAINS=${DOMAINS// /,}
+  get_certificate
+fi

etc/nginx/HTTPS_default.conf.BAK

@@ -15,6 +15,11 @@ server {
     error_log                               /opt/bitnami/nginx/logs/error.log;
     access_log                              /opt/bitnami/nginx/logs/access.log;
 
+    location '/.well-known/acme-challenge' {
+        default_type "text/plain";
+        proxy_pass http://certbot_upstream;
+    }
+
     rewrite ^ https://$http_host$request_uri? permanent; #Redirect traffic to HTTPS
 
 }
@@ -50,6 +55,11 @@ server {
         root   /opt/bitnami/nginx/html;
     }
 
+    location '/.well-known/acme-challenge' {
+        default_type "text/plain";
+        proxy_pass http://certbot_upstream;
+    }
+
     ####### Proxies #######
     # PHP proxy
 #    location /board {
@@ -81,9 +91,4 @@ server {
         proxy_pass                          http://tomcat;
     }
 
-    location ~ /\.well-known/acme-challenge {
-            root   /opt/bitnami/nginx/html;
-            allow all;
-    }
-
 }

etc/nginx/nginx.conf

@@ -6,6 +6,10 @@ upstream ghost {
     server ghost:2368;
 }
 
+upstream certbot_upstream{
+  server certbot:80;
+}
+
 # HTTP
 server {
     listen 8080                             default_server;
@@ -24,6 +28,11 @@ server {
         root   /opt/bitnami/nginx/html;
     }
 
+    location '/.well-known/acme-challenge' {
+        default_type "text/plain";
+        proxy_pass http://certbot_upstream;
+    }
+
     ####### Proxies #######
     # PHP proxy
 #    location /board {
@@ -55,9 +64,4 @@ server {
         proxy_pass                          http://tomcat;
     }
 
-    location ~ /\.well-known/acme-challenge {
-            root   /opt/bitnami/nginx/html;
-            allow all;
-    }
-
 }