Added wildcard cert support using AWS Route53
Showing
5 changed files
with
149 additions
and
29 deletions.
@@ -8,7 +8,6 @@ MAINTAINER [email protected] | |
|
||
USER root | ||
|
||
ARG ACME_PLUGIN_VERSION=0.1.1 | ||
ENV DOMAINNAME ${DOMAINNAME} | ||
ENV DOMAINNAMES ${DOMAINNAMES} | ||
ENV TERM xterm | ||
|
@@ -25,10 +24,11 @@ ENV CERT_DIR /deployment/certs | |
ENV LE_DIR /deployment/letsencrypt | ||
ENV CHROOT_DIR /etc/haproxy/webroot | ||
|
||
# Install certbot | ||
# Install certbot and Route53 DNS plugin | ||
RUN apk update \ | ||
&& apk add --no-cache certbot inotify-tools tar curl openssl \ | ||
&& rm -f /var/cache/apk/* | ||
&& apk add --no-cache certbot py-pip inotify-tools tar curl openssl \ | ||
&& rm -f /var/cache/apk/* \ | ||
&& pip install certbot-dns-route53 --break-system-packages | ||
|
||
# Add ACME LUA plugin | ||
ADD acme-plugin.tar.gz /etc/haproxy/lua/ | ||
|
@@ -39,9 +39,9 @@ RUN mkdir -p ${CHROOT_DIR} \ | |
&& mkdir -p ${LE_DIR} && chown haproxy:haproxy ${LE_DIR} \ | ||
&& mkdir -p /etc/letsencrypt \ | ||
&& mkdir -p /var/lib/letsencrypt \ | ||
&& touch /etc/periodic/daily/certbot-renew \ | ||
&& printf "#!/bin/sh\ncertbot renew --deploy-hook \"/entrypoint.sh sync-haproxy\"\n" > /etc/periodic/daily/certbot-renew \ | ||
&& chmod +x /etc/periodic/daily/certbot-renew \ | ||
&& touch /etc/periodic/daily/cert-renew \ | ||
&& printf "#!/bin/sh\n/entrypoint.sh auto-renew\n" > /etc/periodic/daily/cert-renew \ | ||
&& chmod +x /etc/periodic/daily/cert-renew \ | ||
&& chown -R haproxy:haproxy /etc/letsencrypt \ | ||
&& chown -R haproxy:haproxy /etc/haproxy \ | ||
&& chown -R haproxy:haproxy /var/lib/letsencrypt \ | ||
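Review bot: The new `&& pip install certbot-dns-route53 --break-system-packages` line closing the second hunk's RUN pins neither a version nor hashes, so every rebuild fetches whatever PyPI serves that day, and `--break-system-packages` lets that resolution replace the apk-managed `certbot`/`acme` modules the apk `certbot` package was built against — an unpinned, unverified dependency in the one component that will hold Route53 credentials. Pin it, e.g. `ARG CERTBOT_DNS_ROUTE53_VERSION` before the RUN and `&& pip install --no-cache-dir "certbot-dns-route53==${CERTBOT_DNS_ROUTE53_VERSION}" --break-system-packages`, choosing the plugin release that matches the apk certbot version so pip is not tempted to upgrade certbot itself; a requirements file with `--require-hashes` would be stronger still. `--no-cache-dir` also drops the pip download cache, which the `rm -f /var/cache/apk/*` on the preceding line does not cover. The renewal cron in the third hunk now hands off to `/entrypoint.sh auto-renew`, which is not on this page, and that hunk's RUN both starts and ends outside the hunk.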
|
@@ -0,0 +1,81 @@ | ||
#!/usr/bin/env bash | ||
# | ||
|
||
set -euf -o pipefail | ||
|
||
# ************** USAGE ************** | ||
# | ||
# This is an example hook that can be used with Certbot. | ||
# | ||
# Example usage (with certbot-auto and this hook file saved in /root/): | ||
# | ||
# sudo ./certbot-auto -d example.org -d www.example.org -a manual -i nginx --preferred-challenges dns \ | ||
# --manual-auth-hook "/root/certbot.default.sh auth" --manual-cleanup-hook "/root/certbot.default.sh cleanup" | ||
# | ||
# This hook requires configuration, continue reading. | ||
# | ||
# ************** CONFIGURATION ************** | ||
# | ||
# PROXY_DNS_PROVIDER and PROXY_DNS_PROVIDER_CREDENTIALS must be supplied as environment variables. | ||
# | ||
# PROXY_DNS_PROVIDER: | ||
# Set this to whatever DNS host your domain is using: | ||
# | ||
# route53 cloudflare cloudns cloudxns digitalocean | ||
# dnsimple dnsmadeeasy dnspark dnspod easydns gandi | ||
# glesys godaddy linode luadns memset namecheap namesilo | ||
# nsone ovh pointhq powerdns rackspace rage4 softlayer | ||
# transip vultr yandex zonomi | ||
# | ||
# The full list is in Lexicon's README. | ||
# | ||
# PROXY_DNS_PROVIDER_CREDENTIALS: | ||
# Lexicon needs to know how to authenticate to your DNS Host. | ||
# This will vary from DNS host to host. | ||
# To figure out which flags to use, you can look at the Lexicon help. | ||
# For example, for help with Cloudflare: | ||
# | ||
# lexicon cloudflare -h | ||
# | ||
# Example cloudflare credentials: "--auth-username=MY_USERNAME" "--auth-token=MY_API_KEY" | ||
|
||
if [ -z $PROXY_DNS_PROVIDER ]; then | ||
echo "PROXY_DNS_PROVIDER is not set" | ||
exit 1 | ||
fi | ||
if [ -z $PROXY_DNS_PROVIDER_CREDENTIALS ]; then | ||
echo "PROXY_DNS_PROVIDER_CREDENTIALS is not set" | ||
exit 1 | ||
fi | ||
|
||
# | ||
# PROVIDER_UPDATE_DELAY: | ||
# How many seconds to wait after updating your DNS records. This may be required, | ||
# depending on how slow your DNS host is to begin serving new DNS records after updating | ||
# them via the API. 30 seconds is a safe default, but some providers can be very slow | ||
# (e.g. Linode). | ||
# | ||
# Defaults to 30 seconds. | ||
# | ||
if [ -z $PROXY_DNS_PROVIDER_UPDATE_DELAY ]; then | ||
PROXY_DNS_PROVIDER_UPDATE_DELAY=30 | ||
fi | ||
|
||
# To be invoked via Certbot's --manual-auth-hook | ||
function auth { | ||
lexicon --resolve-zone-name "${PROXY_DNS_PROVIDER}" "${PROXY_DNS_PROVIDER_CREDENTIALS[@]}" \ | ||
create "${CERTBOT_DOMAIN}" TXT --name "_acme-challenge.${CERTBOT_DOMAIN}" --content "${CERTBOT_VALIDATION}" | ||
|
||
sleep "${PROXY_DNS_PROVIDER_UPDATE_DELAY}" | ||
} | ||
|
||
# To be invoked via Certbot's --manual-cleanup-hook | ||
function cleanup { | ||
lexicon --resolve-zone-name "${PROXY_DNS_PROVIDER}" "${PROXY_DNS_PROVIDER_CREDENTIALS[@]}" \ | ||
delete "${CERTBOT_DOMAIN}" TXT --name "_acme-challenge.${CERTBOT_DOMAIN}" --content "${CERTBOT_VALIDATION}" | ||
} | ||
|
||
HANDLER=$1; shift; | ||
if [ -n "$(type -t $HANDLER)" ] && [ "$(type -t $HANDLER)" = function ]; then | ||
$HANDLER "$@" | ||
fi |
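Review bot: `"${PROXY_DNS_PROVIDER_CREDENTIALS[@]}"` in `auth` and `cleanup` expands a scalar as an array, and the header says the value arrives as an environment variable, which cannot carry a bash array — so `--auth-username=… --auth-token=…` reaches lexicon as one argument, while the unquoted `[ -z $PROXY_DNS_PROVIDER_CREDENTIALS ]` guard above it turns a multi-word value into a `too many arguments` error that the `if` silently treats as false. The three `[ -z $VAR ]` guards are also undercut by `set -u` on the line above them: an unset variable aborts with bash's `unbound variable` message before the script's own message prints. Split the credential string once, assert the variables with `${VAR:?…}`, and reject unknown handlers instead of exiting 0 (which certbot would read as a successful hook). Separately, passing API tokens as lexicon arguments exposes them in `ps`/`/proc` for the life of the call; if the lexicon build in use accepts provider credentials from the environment, prefer that. Note also that `lexicon` is not installed by the visible Dockerfile hunk, which only adds `certbot-dns-route53`; if it is installed elsewhere, ignore this last point.
```shell
# … unchanged: header comments …
: "${PROXY_DNS_PROVIDER:?PROXY_DNS_PROVIDER is not set}"
: "${PROXY_DNS_PROVIDER_CREDENTIALS:?PROXY_DNS_PROVIDER_CREDENTIALS is not set}"
PROXY_DNS_PROVIDER_UPDATE_DELAY="${PROXY_DNS_PROVIDER_UPDATE_DELAY:-30}"

# An env var is a single string, so split it into lexicon flags once here
# (globbing is already off via set -f, so only whitespace splits).
read -r -a creds <<<"${PROXY_DNS_PROVIDER_CREDENTIALS}"

auth() {
  lexicon --resolve-zone-name "${PROXY_DNS_PROVIDER}" "${creds[@]}" \
    create "${CERTBOT_DOMAIN}" TXT --name "_acme-challenge.${CERTBOT_DOMAIN}" --content "${CERTBOT_VALIDATION}"
  sleep "${PROXY_DNS_PROVIDER_UPDATE_DELAY}"
}
# … unchanged: cleanup, with the same "${creds[@]}" substitution …

handler="${1:?usage: $0 auth|cleanup}"; shift
case "${handler}" in
  auth|cleanup) "${handler}" "$@" ;;
  *) printf 'unknown handler: %s\n' "${handler}" >&2; exit 2 ;;
esac
```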