diff --git a/Dockerfile b/Dockerfile index 3c13372..8fa0e97 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,17 +1,9 @@ -FROM debian:jessie +FROM debian:stretch WORKDIR / ENV DEBIAN_FRONTEND=noninteractive -ENV CERTBOT_VERSION=0.31.0 RUN apt-get update \ - && apt-get install -y unzip curl python-pip \ - && pip install --upgrade pip \ - && pip install virtualenv --upgrade \ - && curl -Ls -o /certbot.zip https://github.com/certbot/certbot/archive/v${CERTBOT_VERSION}.zip \ - && unzip certbot.zip \ - && mv certbot-${CERTBOT_VERSION} certbot \ - && cd certbot \ - && ./certbot-auto --os-packages-only --noninteractive \ + && apt-get install -y certbot curl python python-requests \ && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* EXPOSE 80 diff --git a/README.md b/README.md index c14df78..ab417f9 100644 --- a/README.md +++ b/README.md 
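Review bot: The new `apt-get install -y certbot curl python python-requests` line takes whatever certbot the `debian:stretch` main archive carries, unpinned and with recommends, and I believe that archive ships a 0.10-era certbot that predates ACMEv2 support, so confirm the installed version can talk to the directory the app is configured with (the sample config points at a v02 endpoint) or install it from stretch-backports. Pinning and dropping recommends keeps the image reproducible and smaller: `&& apt-get install -y --no-install-recommends certbot=<PINNED_VERSION> curl=<PINNED_VERSION> python python-requests \`. The stage still runs as root with `WORKDIR /`; root is at least explicable here because the standalone challenge binds port 80, but a one-line comment above `EXPOSE 80` saying so would save the next reader from flagging it.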
@@ -4,12 +4,15 @@ This is a sample [Marathon](https://github.com/mesosphere/marathon) app for encr ## Getting started +Ensure you have **at least 2 or more** public agents in your DC/OS cluster, and that marathon-lb is scaled out to more than 1 public agent. Deploying this app requires this since it entails restarting marathon-lb. + Clone (or manually copy) this repo, and modify the [letsencrypt-dcos.json](letsencrypt-dcos.json) file to include: - The list of hostnames (must be FQDNs) for which you want to generate SSL certs (in `HAPROXY_0_VHOST`) - An admin email address for your certificate (in `LETSENCRYPT_EMAIL`) - The Marathon API endpoint (in `MARATHON_URL`) - The Marathon-lb app ID (in `MARATHON_LB_ID`) - - Ensure you have **at least 2 or more** public agents in your DC/OS cluster, and that marathon-lb is scaled out to more than 1 public agent. Deploying this app requires this since it entails restarting marathon-lb. + +This app also now supports specifying the Lets Encrypt server, for situations where users may be running their own Boulder server on an internal network, or for using the Lets Encrypt staging servers for testing. By default it is set to the Lets Encrypt staging server, so for production use change the LETSENCRYPT_SERVER_URL variable - if you are using the Lets Encrypt servers the default should be https://acme-v01.api.letsencrypt.org/directory Now launch the `letsencrypt-dcos` Marathon app: diff --git a/letsencrypt-dcos.json b/letsencrypt-dcos.json index 9a05b64..0571aeb 100644 --- a/letsencrypt-dcos.json +++ b/letsencrypt-dcos.json @@ -20,7 +20,8 @@ } ], "docker": { - "image": "dcoslabs/letsencrypt-dcos:v1.0.5", + "forcePullImage": true, + "image": "dcoslabs/letsencrypt-dcos:v1.0.7", "network": "BRIDGE", "portMappings": [ { 
@@ -34,7 +35,8 @@ "env": { "MARATHON_LB_ID": "marathon-lb", "MARATHON_URL": "http://marathon.mesos:8080", - "LETSENCRYPT_EMAIL": "matt@example.com" + "LETSENCRYPT_EMAIL": "matt@example.com", + "LETSENCRYPT_SERVER_URL": "https://acme-staging-v02.api.letsencrypt.org/directory" }, "labels": { "HAPROXY_0_VHOST": "ssl-test-1.example.com,ssl-test-2.example.com", diff --git a/run.sh b/run.sh index 1b05f24..f4ffb48 100755 --- a/run.sh +++ b/run.sh @@ -7,7 +7,6 @@ sleep 15 # Get our SSL domains from the Marathon app label SSL_DOMAINS=$(curl -s ${MARATHON_URL}/v2/apps${MARATHON_APP_ID} | python -c 'import sys, json; print(json.load(sys.stdin)["app"]["labels"]["HAPROXY_0_VHOST"])') - IFS=',' read -ra ADDR <<< "$SSL_DOMAINS" DOMAIN_ARGS="" DOMAIN_FIRST="" @@ -18,15 +17,17 @@ for i in "${ADDR[@]}"; do DOMAIN_ARGS="$DOMAIN_ARGS -d $i" done - echo "DOMAIN_ARGS: ${DOMAIN_ARGS}" echo "DOMAIN_FIRST: ${DOMAIN_FIRST}" -echo "Running certbot-auto to generate initial signed cert" -./certbot-auto --no-self-upgrade certonly --standalone \ - --preferred-challenges http-01 $DOMAIN_ARGS \ - --email $LETSENCRYPT_EMAIL --agree-tos --noninteractive --no-redirect \ - --rsa-key-size 4096 --expand +echo "Running certbot to generate initial signed cert" +echo "Using server ${LETSENCRYPT_SERVER_URL}" + +certbot certonly --server ${LETSENCRYPT_SERVER_URL} --standalone \ + --preferred-challenges http-01 $DOMAIN_ARGS \ + --email $LETSENCRYPT_EMAIL --agree-tos \ + --noninteractive --no-redirect \ + --rsa-key-size 4096 --expand while [ true ]; do cat /etc/letsencrypt/live/$DOMAIN_FIRST/fullchain.pem \ @@ -39,5 +40,5 @@ while [ true ]; do sleep 24h echo "About to attempt renewal" - ./certbot-auto --no-self-upgrade renew + certbot renew done
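Review bot: The added `LETSENCRYPT_SERVER_URL` points this sample at the Let's Encrypt staging directory, whose certificates browsers do not trust, so anyone deploying the template unchanged will serve untrusted certs for the `HAPROXY_0_VHOST` hostnames; that is a defensible default for a sample, but JSON cannot carry a comment, so the README is the only place that says it. The README's suggested production value (`acme-v01`) is a different ACME protocol version from the `acme-staging-v02` default here, and whichever is used must be supported by the certbot build the Dockerfile installs, so I'd align both on one version, with the v02 production directory being `https://acme-v02.api.letsencrypt.org/directory`.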
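Review bot: `--server ${LETSENCRYPT_SERVER_URL}` is unquoted and unguarded; if the variable is unset or empty in the Marathon env the shell drops it and `--server` takes `--standalone` as its value, which fails in a confusing way instead of naming the missing setting. Add a guard before the call, `: "${LETSENCRYPT_SERVER_URL:?LETSENCRYPT_SERVER_URL must be set}"`, and quote the expansion, `certbot certonly --server "${LETSENCRYPT_SERVER_URL}" --standalone \`. The exit status of the `certonly` call is also not checked before the script enters the `while [ true ]` loop, which then `cat`s the fullchain for `$DOMAIN_FIRST`; appending `|| exit 1` to the `--rsa-key-size 4096 --expand` line would fail the task visibly rather than looping on a missing file. The loop body continues past the end of this hunk.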