Fabio/docker-letsencrypt
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #2 from chrismazanec/alternative-domain

Browse source 
added option for alternate (alias) domain, added `docker-compose.yml`…
This commit is contained in:
Maksim Stojkovic 2021-10-07 05:40:51 +11:00 committed by GitHub
commit 06670f4a2d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 67 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
README.md
View file

@ -12,13 +12,24 @@ Automatically generates Let's Encrypt certificates using a lightweight Docker co
* `DUCKDNS_TOKEN`: Duck DNS account token (obtained from [Duck DNS](https://www.duckdns.org)) (*required*) * `DUCKDNS_TOKEN`: Duck DNS account token (obtained from [Duck DNS](https://www.duckdns.org)) (*required*)
* `DUCKDNS_DOMAIN`: Full Duck DNS domain (e.g. `test.duckdns.org`) (*required*) * `DUCKDNS_DOMAIN`: Full Duck DNS domain (e.g. `test.duckdns.org`) (*required*)
* `LETSENCRYPT_DOMAIN`: Domain to generate SSL cert for. By default the SSL certificate is generated for `DUCKDNS_DOMAIN` (optional)
* `LETSENCRYPT_WILDCARD`: `true` or `false`, indicating whether the SSL certificate should be for subdomains *only* of `LETSENCRYPT_DOMAIN` (i.e. `*.test.duckdns.org`), or for the main domain *only* (i.e. `test.duckdns.org`) (optional, default: `false`)
* `LETSENCRYPT_EMAIL`: Email used for certificate renewal notifications (optional) * `LETSENCRYPT_EMAIL`: Email used for certificate renewal notifications (optional)
* `LETSENCRYPT_WILDCARD`: `true` or `false`, indicating whether the SSL certificate should be for subdomains *only* of `DUCKDNS_DOMAIN` (i.e. `*.test.duckdns.org`), or for the main domain *only* (i.e. `test.duckdns.org`) (optional, default: `false`)
* `TESTING`: `true` or `false`, indicating whether a staging SSL certificate should be generated or not (optional, default: `false`) * `TESTING`: `true` or `false`, indicating whether a staging SSL certificate should be generated or not (optional, default: `false`)
* `UID`: User ID to apply to Let's Encrypt files generated (optional, recommended, default: `0` - root) * `UID`: User ID to apply to Let's Encrypt files generated (optional, recommended, default: `0` - root)
* `GID`: Group ID to apply to Let's Encrypt files generated (optional, recommended, default: `0` - root) * `GID`: Group ID to apply to Let's Encrypt files generated (optional, recommended, default: `0` - root)
**Note:** The format of `DUCKDNS_DOMAIN` should be the same regardless of the value of `LETSENCRYPT_WILDCARD`. ## Notes
* The `DUCKDNS_DOMAIN` should already be pointing to the server with a dynamic IP. The [maksimstojkovic/duckdns](https://github.com/maksimstojkovic/docker-duckdns) image can be used to automatically update the IP address.
* The format of `DUCKDNS_DOMAIN` should be `<subdomain>.duckdns.org`, regardless of the value of `LETSENCRYPT_WILDCARD`.
* To use `LETSENCRYPT_DOMAIN` feature, the following DNS records need to be created for ACME authentication (records should not be proxied):
| Type | Name | Value | Condition |
|-------|----------------------------------------|------------------------------------|-----------------------------------|
| CNAME | `*.<LETSENCRYPT_DOMAIN>` | `<DUCKDNS_DOMAIN>` | `LETSENCRYPT_WILDCARD` == `true` |
| CNAME | `<LETSENCRYPT_DOMAIN>` | `<DUCKDNS_DOMAIN>` | `LETSENCRYPT_WILDCARD` == `false` |
| CNAME | `_acme-challenge.<LETSENCRYPT_DOMAIN>` | `_acme-challenge.<DUCKDNS_DOMAIN>` | |
## Volumes ## Volumes

27
docker-compose.yml Normal file
View file

@ -0,0 +1,27 @@
version: '2.4'
services:
duckdns:
image: maksimstojkovic/duckdns
container_name: duckdns
environment:
- DUCKDNS_TOKEN=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
- DUCKDNS_DOMAIN=test.duckdns.org
- DUCKDNS_DELAY=5 #optional
restart: unless-stopped
letsencrypt:
image: maksimstojkovic/letsencrypt
container_name: letsencrypt
volumes:
- ./certs:/etc/letsencrypt
environment:
- DUCKDNS_TOKEN=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
- DUCKDNS_DOMAIN=test.duckdns.org
- LETSENCRYPT_DOMAIN= #optional
- LETSENCRYPT_WILDCARD=false #optional
- LETSENCRYPT_EMAIL= #optional
- TESTING=false #optional
- UID=0 #optional
- GID=0 #optional
restart: unless-stopped

2
scripts/auth.sh
View file

@ -1,3 +1,3 @@
#!/bin/sh #!/bin/sh
[[ "$(curl -s "https://www.duckdns.org/update?domains=${CERTBOT_DOMAIN%.duckdns.org}&token=${DUCKDNS_TOKEN}&txt=${CERTBOT_VALIDATION}")" = "OK" ]] [[ "$(curl -s "https://www.duckdns.org/update?domains=${DUCKDNS_DOMAIN%.duckdns.org}&token=${DUCKDNS_TOKEN}&txt=${CERTBOT_VALIDATION}")" = "OK" ]]

2
scripts/cleanup.sh
View file

@ -1,2 +1,2 @@
#!/bin/sh #!/bin/sh
[[ "$(curl -s "https://www.duckdns.org/update?domains=${CERTBOT_DOMAIN%.duckdns.org}&token=${DUCKDNS_TOKEN}&txt=${CERTBOT_VALIDATION}&clear=true")" = "OK" ]] [[ "$(curl -s "https://www.duckdns.org/update?domains=${DUCKDNS_DOMAIN%.duckdns.org}&token=${DUCKDNS_TOKEN}&txt=${CERTBOT_VALIDATION}&clear=true")" = "OK" ]]

34
scripts/start.sh
View file

@ -1,27 +1,32 @@
#!/bin/sh #!/bin/sh
# Check variables DUCKDNS_TOKEN, DUCKDNS_DOMAIN # Check variables DUCKDNS_TOKEN, DUCKDNS_DOMAIN
if [ -z "$DUCKDNS_TOKEN" ]; then if [ -z "$DUCKDNS_TOKEN" ] || [ "$DUCKDNS_TOKEN" = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" ]; then
echo "ERROR: Variable DUCKDNS_TOKEN is unset" echo "ERROR: Variable DUCKDNS_TOKEN is unset or still its default value"
exit 1 exit 1
fi fi
if [ -z "$DUCKDNS_DOMAIN" ]; then if [ -z "$DUCKDNS_DOMAIN" ]; then
echo "ERROR: Variable DUCKDNS_DOMAIN is unset" echo "ERROR: Variable DUCKDNS_DOMAIN is unset or still its default value"
exit 1 exit 1
fi fi
# Print email notice if applicable # Print email notice if applicable
if [ -z "$LETSENCRYPT_EMAIL" ]; then if [ -z "$LETSENCRYPT_EMAIL" ]; then
echo "INFO: You will not receive SSL certificate expiration notices" echo "WARNING: You will not receive SSL certificate expiration notices"
fi
# Set LETSENCRYPT_DOMAIN to DUCKDNS_DOMAIN if not specified
if [ -z "$LETSENCRYPT_DOMAIN" ]; then
echo "INFO: LETSENCRYPT_DOMAIN is unset, using DUCKDNS_DOMAIN"
LETSENCRYPT_DOMAIN=$DUCKDNS_DOMAIN
fi fi
# Set certificate url based on LETSENCRYPT_WILDCARD value # Set certificate url based on LETSENCRYPT_WILDCARD value
if [ "$LETSENCRYPT_WILDCARD" = "true" ]; then if [ "$LETSENCRYPT_WILDCARD" = "true" ]; then
echo "INFO: A wildcard SSL certificate will be created" echo "INFO: A wildcard SSL certificate will be created"
LETSENCRYPT_DOMAIN="*.$DUCKDNS_DOMAIN" LETSENCRYPT_DOMAIN="*.$LETSENCRYPT_DOMAIN"
else else
LETSENCRYPT_DOMAIN="$DUCKDNS_DOMAIN"
LETSENCRYPT_WILDCARD="false" LETSENCRYPT_WILDCARD="false"
fi fi
@ -39,6 +44,7 @@ fi
# Print variables # Print variables
echo "DUCKDNS_TOKEN: $DUCKDNS_TOKEN" echo "DUCKDNS_TOKEN: $DUCKDNS_TOKEN"
echo "DUCKDNS_DOMAIN: $DUCKDNS_DOMAIN" echo "DUCKDNS_DOMAIN: $DUCKDNS_DOMAIN"
echo "LETSENCRYPT_DOMAIN: $LETSENCRYPT_DOMAIN"
echo "LETSENCRYPT_EMAIL: $LETSENCRYPT_EMAIL" echo "LETSENCRYPT_EMAIL: $LETSENCRYPT_EMAIL"
echo "LETSENCRYPT_WILDCARD: $LETSENCRYPT_WILDCARD" echo "LETSENCRYPT_WILDCARD: $LETSENCRYPT_WILDCARD"
echo "TESTING: $TESTING" echo "TESTING: $TESTING"
@ -58,23 +64,25 @@ else
unset TEST_PARAM unset TEST_PARAM
fi fi
echo "certbot certonly --manual --preferred-challenges dns --manual-auth-hook \ echo "certbot certonly --manual --preferred-challenges dns \
/scripts/auth.sh --manual-cleanup-hook /scripts/cleanup.sh \ --manual-auth-hook /scripts/auth.sh \
--manual-cleanup-hook /scripts/cleanup.sh \
$EMAIL_PARAM -d $LETSENCRYPT_DOMAIN \ $EMAIL_PARAM -d $LETSENCRYPT_DOMAIN \
--agree-tos --manual-public-ip-logging-ok --keep $TEST_PARAM" --agree-tos --manual-public-ip-logging-ok --keep $TEST_PARAM"
# Create certificates # Create certificates
certbot certonly --manual --preferred-challenges dns --manual-auth-hook \ certbot certonly --manual --preferred-challenges dns \
/scripts/auth.sh --manual-cleanup-hook /scripts/cleanup.sh \ --manual-auth-hook /scripts/auth.sh \
--manual-cleanup-hook /scripts/cleanup.sh \
$EMAIL_PARAM -d $LETSENCRYPT_DOMAIN \ $EMAIL_PARAM -d $LETSENCRYPT_DOMAIN \
--agree-tos --manual-public-ip-logging-ok --keep $TEST_PARAM --agree-tos --manual-public-ip-logging-ok --keep $TEST_PARAM
chown -R $UID:$GID /etc/letsencrypt chown -R $UID:$GID /etc/letsencrypt
# Check for successful certificate generation # Check for successful certificate generation
if [ ! -d "/etc/letsencrypt/live/${DUCKDNS_DOMAIN}" ] || \ if [ ! -d "/etc/letsencrypt/live/${LETSENCRYPT_DOMAIN#\*\.}" ] || \
[ ! -f "/etc/letsencrypt/live/${DUCKDNS_DOMAIN}/fullchain.pem" ] || \ [ ! -f "/etc/letsencrypt/live/${LETSENCRYPT_DOMAIN#\*\.}/fullchain.pem" ] || \
[ ! -f "/etc/letsencrypt/live/${DUCKDNS_DOMAIN}/privkey.pem" ]; then [ ! -f "/etc/letsencrypt/live/${LETSENCRYPT_DOMAIN#\*\.}/privkey.pem" ]; then
echo "ERROR: Failed to create SSL certificates" echo "ERROR: Failed to create SSL certificates"
exit 1 exit 1
fi fi