Initial version

Dockerfile

@@ -0,0 +1,18 @@
+FROM python:2.7
+MAINTAINER Chris Smith <chris87@gmail.com> 
+
+RUN pip install \
+      dns-lexicon==1.1.4
+
+RUN apt-get update \
+ && apt-get install -y inotify-tools
+
+ADD https://raw.githubusercontent.com/lukas2511/letsencrypt.sh/v0.1.0/letsencrypt.sh /letsencrypt.sh
+ADD https://raw.githubusercontent.com/AnalogJ/lexicon/v1.1.4/examples/letsencrypt.default.sh /lexicon.sh
+COPY run.sh config.sh /
+RUN chmod +x /run.sh /letsencrypt.sh /lexicon.sh
+
+VOLUME ["/letsencrypt/"]
+
+ENTRYPOINT ["/bin/bash"]
+CMD ["/run.sh"]

README.md

@@ -0,0 +1,83 @@
+# Let's Encrypt Lexicon Service
+
+This container uses the awesome [Lexicon](https://github.com/AnalogJ/lexicon)
+library with [letsencrypt.sh](https://github.com/lukas2511/letsencrypt.sh) to
+automatically obtain SSL certs from [Let's Encrypt](https://letsencrypt.org/).
+
+Multiple domains, as well as SANs, are supported. Certificates will be
+renewed automatically, and obtained automatically as soon as new domains
+are added.
+
+## Usage
+
+### Defining domains
+
+The container defines one volume at `/letsencrypt`, and expects there to be
+a list of domains in `/letsencrypt/domains.txt`. Certificates are output to
+`/letsencrypt/certs/{domain}`.
+
+domains.txt should contain one line per certificate. If you want alternate
+names on the cert, these should be listed after the primary domain. e.g.
+
+```
+example.com www.example.com
+admin.example.com
+```
+
+This will request two certificates: one for example.com with a SAN of
+www.example.com, and a separate one for admin.example.com.
+
+The container uses inotify to monitor the domains.txt file for changes,
+so you can update it while the container is running and changes will be
+automatically applied.
+
+### DNS providers
+
+To verify that you own the domain, a TXT record needs to be automatically
+created for it. The Lexicon library handles this, and comes with support
+for a variety of providers including CloudFlare, EasyDNS, DigitalOcean and
+Vultr.
+
+Lexicon takes its configuration from environment variables. For full
+instructions, see its
+[README](https://github.com/AnalogJ/lexicon/blob/master/README.md).
+
+To configure Lexicon to update DNS hosted by CloudFlare, for example, you
+would pass in:
+
+```
+docker run ... \
+  -e "PROVIDER=cloudflare" \
+  -e "LEXICON_CLOUDFLARE_USERNAME=email@address.com" \
+  -e "LEXICON_CLOUDFLARE_TOKEN=api-key-here"
+```
+
+### Other configuration
+
+For testing purposes, you can set the `STAGING` environment variable to
+a non-empty value. This will use the Let's Encrypt staging server, which
+has much more relaxed limits.
+
+You should pass in a contact e-mail address by setting the `EMAIL` env var.
+This is passed on to Let's Encrypt, and may be used for important service
+announcements.
+
+### Running
+
+Here's a full worked example:
+
+```bash
+# The directory we'll use to store the domain list and certificates.
+# You could use a docker volume instead.
+mkdir /tmp/letsencrypt
+echo "domain.com www.domain.com" > /tmp/letsencrypt/domains.txt
+
+docker run -d --restart=always \
+  -e "EMAIL=admin@domain.com" \
+  -e "STAGING=true" \
+  -e "PROVIDER=cloudflare" \
+  -e "LEXICON_CLOUDFLARE_USERNAME=email@address.com" \
+  -e "LEXICON_CLOUDFLARE_TOKEN=api-key-here" \
+  -v /tmp/letsencrypt:/letsencrypt \
+  csmith/letsencrypt-lexicon:latest
+```

config.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+BASEDIR=/letsencrypt
+CONTACT_EMAIL="$EMAIL"
+
+if [[ -z "${STAGING}" ]]; then
+  CA="https://acme-staging.api.letsencrypt.org/directory"
+else
+  CA="https://acme-v01.api.letsencrypt.org/directory"
+fi

run.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+interrupt() {
+  echo
+  echo "Caught ^C, exiting."
+  exit 1
+}
+
+trap interrupt SIGINT
+
+while true; do
+  /letsencrypt.sh --cron --hook /lexicon.sh --challenge dns-01 
+  inotifywait --timeout 1440 /letsencrypt/domains.txt
+  sleep 60
+done