From afd88220aacbc8e9184067ad55cea882162a974d Mon Sep 17 00:00:00 2001
From: MrMeeb
Date: Sat, 18 Jun 2022 23:08:39 +0000
Subject: [PATCH] first commit

---
 Dockerfile | 22 ++++++++++++++++
 README.md | 36 +++++++++++++++++++++++++++++++++++--
 renew.sh | 18 +++++++++++++
 run.sh | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 151 insertions(+), 2 deletions(-)
 create mode 100644 Dockerfile
 create mode 100644 renew.sh
 create mode 100644 run.sh

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..65cac6d
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,22 @@
+FROM debian:bullseye-slim
+
+RUN apt update && apt install -y bash cron python3 python3-venv procps tini
+
+RUN python3 -m venv /opt/certbot/ && /opt/certbot/bin/pip install --upgrade pip
+
+RUN /opt/certbot/bin/pip install certbot certbot-dns-cloudflare && \
+ ln -s /opt/certbot/bin/certbot /usr/bin/certbot
+
+RUN mkdir -p /config
+
+COPY run.sh / renew.sh /
+
+RUN chmod +x /run.sh /renew.sh
+
+ENV DOMAINS=
+ENV EMAIL=
+ENV INTERVAL="0 */6 * * *"
+ENV STAGING=false
+
+ENTRYPOINT ["/usr/bin/tini", "-s", "/run.sh"]
+
diff --git a/README.md b/README.md
index 1d54b4e..6928d8e 100644
--- a/README.md
+++ b/README.md
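Review bot: `COPY run.sh / renew.sh /` has three sources — `run.sh`, `/` and `renew.sh` — and Docker resolves a `/` source to the root of the build context, so with no `.dockerignore` in this commit the entire checkout (README, Dockerfile and, after the `git clone` the README prescribes, the `.git` history) lands in the image root instead of just the two scripts; the intended line is `COPY run.sh renew.sh /`. With BuildKit the same line can carry the executable bit (`COPY --chmod=755 run.sh renew.sh /`) and the separate `RUN chmod +x` layer goes away. `RUN apt update && apt install -y …` uses the interactive `apt` front end and leaves the package lists in the layer; `apt-get install -y --no-install-recommends … && rm -rf /var/lib/apt/lists/*` is the conventional form. `pip install certbot certbot-dns-cloudflare` is unpinned, so every rebuild silently takes whatever PyPI serves that day — pinning both packages (`certbot==<version> certbot-dns-cloudflare==<version>`) makes the image reproducible and reviewable.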
@@ -1,3 +1,35 @@
-# certbot-cron-docker
+## Cerbot Docker
 
-Docker container that runs certbot on a schedule to create and renew SSL certificates
\ No newline at end of file
+Docker Certbot that runs on a schedule to create and renew SSL certificates. Uses Cloudflare for DNS-01 verification. Automatic renewal attempt happens every 6 hours.
+
+# Building
+
+```git clone https://git.mrmeeb.stream/certbot-cron-docker
+
+cd certbot-cron-docker
+
+docker build -t certbot-cron .
+
+docker run -d --name certbot-cron \
+ -e EMAIL=admin@domain.com \
+ -e DOMAINS=domain.com \
+ -v /docker/certbot-cron:/config \
+ certbot-cron
+```
+
+# Environment Variables:
+
+| Variable | Default Value | Description |
+| --- | --- | --- |
+| EMAIL | None | Email address for renewal information & other communications |
+| DOMAINS | None | Domains to be included in the certificate. Comma separated list, no spaces. Wildcards supported |
+| INTERVAL | 0 */6 * * * | How often certbot attempts to renew the certificate. Cron syntax |
+| STAGING | false | Uses the LetsEncrypt staging endpoint for testing - avoids the aggressive rate-limiting of the production endpoint |
+
+# Volumes
+
+| Docker path | Purpose |
+| --- | --- |
+| /config | Stores configs and LetsEncrypt output for mounting in other containers
+
+Thanks to [this guy](https://stackoverflow.com/questions/63447441/docker-stop-for-crond-times-out) for explaining how to make cron actually shutdown when stopping the container.
\ No newline at end of file
diff --git a/renew.sh b/renew.sh
new file mode 100644
index 0000000..75eba59
--- /dev/null
+++ b/renew.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+echo "Attempting to renew certificates"
+if [[ $STAGING = true ]]
+then
+ echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
+ certbot certonly --staging --non-interactive --agree-tos --dns-cloudflare --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --email $EMAIL -d $DOMAINS
+ echo "Renewal attempt complete"
+elif [[ $STAGING = false ]]
+then
+ echo "Using production endpoint"
+ certbot certonly --non-interactive --agree-tos --dns-cloudflare --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --email $EMAIL -d $DOMAINS
+ echo "Renewal attempt complete"
+else
+ echo "Unrecognised option for STAGING variable - check your configuration"
+
+ exit 8
+fi
\ No newline at end of file
diff --git a/run.sh b/run.sh
new file mode 100644
index 0000000..313a2e8
--- /dev/null
+++ b/run.sh
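Review bot: The exit status of `certbot certonly` is discarded in both branches — `echo "Renewal attempt complete"` is printed whether or not certbot succeeded, so a failed renewal (revoked Cloudflare token, rate limit, DNS propagation timeout) only shows up if someone reads certbot's own output in the container log, and the cron job always exits 0. Either `set -euo pipefail` at the top of the script or `certbot … || { echo "Renewal failed" >&2; exit 1; }` makes the failure explicit. `--email $EMAIL -d $DOMAINS` should be quoted (`--email "$EMAIL" -d "$DOMAINS"`) so an empty or space-containing value becomes an argument error instead of being word-split into the command line. The two invocations differ only by `--staging`, and the same if/elif/else block appears verbatim in run.sh; a single invocation with a conditionally set `--staging` flag (or one sourced shared function) would keep the two scripts from drifting apart.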
@@ -0,0 +1,77 @@
+#!/bin/bash
+echo ""
+echo ""
+echo "================================================"
+echo "| __ _______ __ ___________________ |"
+echo "| / |/ / __ \/ |/ / ____/ ____/ __ ) |"
+echo "| / /|_/ / /_/ / /|_/ / __/ / __/ / __ | |"
+echo "| / / / / _, _/ / / / /___/ /___/ /_/ / |"
+echo "| /_/ /_/_/ |_/_/ /_/_____/_____/_____/ |"
+echo "| |"
+echo "================================================"
+echo ""
+echo ""
+
+
+#Creating needed folders and files if they don't already exist
+if [ ! -d /config/.secrets ]
+then
+ mkdir /config/.secrets
+fi
+
+if [ ! -d /config/letsencrypt ]
+then
+ mkdir /config/letsencrypt
+fi
+
+if [ ! -f /config/.secrets/cloudflare.ini ]
+then
+ touch /config/.secrets/cloudflare.ini
+fi
+
+if [ ! -f /crontab.txt ]
+then
+ touch /crontab.txt
+fi
+
+if [ ! -s /config/.secrets/cloudflare.ini ]
+then
+ echo "cloudflare.ini is empty - please add your Cloudflare credentials or API key before continuing"
+
+ exit 8
+fi
+
+#Securing cloudflare.ini to supress warnings
+chmod 600 /config/.secrets/cloudflare.ini
+
+#Outputting Environment Variables to /etc/environment for use by cron-based scripts
+env >> /etc/environment
+
+ln -s /config/letsencrypt /etc/letsencrypt
+
+echo "Domains being added to the certificate are "$DOMAINS
+
+echo "Creating certificates, or attempting to renew if they already exist"
+
+if [[ $STAGING = true ]]
+then
+ echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
+ certbot certonly --staging --non-interactive --agree-tos --dns-cloudflare --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --email $EMAIL -d $DOMAINS
+ echo "Creation/renewal attempt complete"
+elif [[ $STAGING = false ]]
+then
+ echo "Using production endpoint"
+ certbot certonly --non-interactive --agree-tos --dns-cloudflare --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --email $EMAIL -d $DOMAINS
+ echo "Creation/renewal attempt complete"
+else
+ echo "Unrecognised option for STAGING variable - check your configuration"
+
+ exit 8
+fi
+
+echo "$INTERVAL /renew.sh > /proc/1/fd/1 2>/proc/1/fd/2" > /crontab.txt
+
+echo "Starting automatic renewal job. Schedule is $INTERVAL"
+crontab /crontab.txt
+
+exec cron -f
\ No newline at end of file
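Review bot: `env >> /etc/environment` copies every variable in the container's environment — not just EMAIL, DOMAINS and STAGING — into a world-readable file, and because it appends, each `docker start` adds another full copy, so stale values accumulate and anything sensitive passed with `-e` is persisted there for the life of the container. Writing only the three values the cron job needs, and overwriting, is sufficient: `printf 'EMAIL=%s\nDOMAINS=%s\nSTAGING=%s\n' "$EMAIL" "$DOMAINS" "$STAGING" > /etc/environment` (this presumes Debian's cron loads `/etc/environment` through pam_env, which the current line already relies on). `chmod 600 /config/.secrets/cloudflare.ini` runs only after the non-empty check, so the placeholder created by `touch` sits with default umask permissions precisely while the operator is pasting the API token into it — create it with `install -m 600 /dev/null /config/.secrets/cloudflare.ini` (and `mkdir -m 700 /config/.secrets`) instead. `ln -s /config/letsencrypt /etc/letsencrypt` is unconditional; on a restart of the same container `/etc/letsencrypt` already exists as a symlink to a directory, and GNU ln will then create a nested `letsencrypt` link inside the target rather than fail, so `ln -sfn` is the form that is safe to repeat. The `[ ! -f /crontab.txt ] && touch` block is dead weight, since the file is unconditionally rewritten with `>` further down.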