Chris Smith пре 3 година
комит
67107ccb3d
4 измењених фајлова са 247 додато и 0 уклоњено
  1. 15
    0
      Dockerfile
  2. 21
    0
      LICENCE
  3. 86
    0
      README.md
  4. 125
    0
      hook.sh

+ 15
- 0
Dockerfile Прегледај датотеку

@@ -0,0 +1,15 @@
1
+FROM csmith/letsencrypt-generic:latest
2
+MAINTAINER Chris Smith <dke@chameth.com> 
3
+
4
+RUN apt-get update \
5
+ && apt-get install -y \
6
+      git \
7
+      python3 \
8
+      python3-pip
9
+
10
+RUN pip3 install \
11
+      git+https://github.com/mydnshost/mydnshost-python-api.git
12
+
13
+ADD hook.sh /dns/hook
14
+RUN chmod +x /dns/hook
15
+

+ 21
- 0
LICENCE Прегледај датотеку

@@ -0,0 +1,21 @@
1
+The MIT License (MIT)
2
+
3
+Copyright (c) 2016 Chris Smith
4
+
5
+Permission is hereby granted, free of charge, to any person obtaining a copy
6
+of this software and associated documentation files (the "Software"), to deal
7
+in the Software without restriction, including without limitation the rights
8
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+copies of the Software, and to permit persons to whom the Software is
10
+furnished to do so, subject to the following conditions:
11
+
12
+The above copyright notice and this permission notice shall be included in all
13
+copies or substantial portions of the Software.
14
+
15
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+SOFTWARE.

+ 86
- 0
README.md Прегледај датотеку

@@ -0,0 +1,86 @@
1
+# Let's Encrypt MyDNSHost Service
2
+
3
+This container uses the [MyDNSHost](https://www.mydnshost.co.uk/) API with
4
+[dehydrated](https://github.com/lukas2511/dehydrated) to
5
+automatically obtain SSL certs from [Let's Encrypt](https://letsencrypt.org/).
6
+
7
+Multiple domains, as well as SANs, are supported. Certificates will be
8
+renewed automatically, and obtained automatically as soon as new domains
9
+are added.
10
+
11
+## Usage
12
+
13
+### Accepting Let's Encrypt's terms
14
+
15
+In order to issue certificates with Let's Encrypt, you must agree to the
16
+Let's Encrypt terms of service. You can do this by running the command
17
+`/dehydrated --register --accept-terms` from within the container.
18
+
19
+For ease of automation, you can define the `ACCEPT_CA_TERMS` env var
20
+(with any non-empty value) to automatically accept the terms. Be warned
21
+that doing so will automatically accept any future changes to the terms
22
+of service.
23
+
24
+### Defining domains
25
+
26
+The container defines one volume at `/letsencrypt`, and expects there to be
27
+a list of domains in `/letsencrypt/domains.txt`. Certificates are output to
28
+`/letsencrypt/certs/{domain}`.
29
+
30
+domains.txt should contain one line per certificate. If you want alternate
31
+names on the cert, these should be listed after the primary domain. e.g.
32
+
33
+```
34
+example.com www.example.com
35
+admin.example.com
36
+```
37
+
38
+This will request two certificates: one for example.com with a SAN of
39
+www.example.com, and a separate one for admin.example.com.
40
+
41
+The container uses inotify to monitor the domains.txt file for changes,
42
+so you can update it while the container is running and changes will be
43
+automatically applied.
44
+
45
+### Authorisation
46
+
47
+To verify that you own the domain, a TXT record needs to be automatically
48
+created for it. In order to create these records using the MyDNSHost API,
49
+you must supply an API key.
50
+
51
+The API client expects the username and API key as environment variables:
52
+
53
+```
54
+docker run ... \
55
+  -e "MYDNSHOST_AUTH_USER=email@address.com" \
56
+  -e "MYDNSHOST_AUTH_KEY=api-key-here"
57
+```
58
+
59
+### Other configuration
60
+
61
+For testing purposes, you can set the `STAGING` environment variable to
62
+a non-empty value. This will use the Let's Encrypt staging server, which
63
+has much more relaxed limits.
64
+
65
+You should pass in a contact e-mail address by setting the `EMAIL` env var.
66
+This is passed on to Let's Encrypt, and may be used for important service
67
+announcements.
68
+
69
+### Running
70
+
71
+Here's a full worked example:
72
+
73
+```bash
74
+# The directory we'll use to store the domain list and certificates.
75
+# You could use a docker volume instead.
76
+mkdir /tmp/letsencrypt
77
+echo "domain.com www.domain.com" > /tmp/letsencrypt/domains.txt
78
+
79
+docker run -d --restart=always \
80
+  -e "EMAIL=admin@domain.com" \
81
+  -e "STAGING=true" \
82
+  -e "MYDNSHOST_AUTH_USER=email@address.com" \
83
+  -e "MYDNSHOST_AUTH_KEY=api-key-here"
84
+  -v /tmp/letsencrypt:/letsencrypt \
85
+  csmith/letsencrypt-mydnshost:latest
86
+```

+ 125
- 0
hook.sh Прегледај датотеку

@@ -0,0 +1,125 @@
1
+#!/usr/bin/env bash
2
+#
3
+# Hook for adding DNS entries using MyDNSHost 
4
+
5
+set -e
6
+set -u
7
+set -o pipefail
8
+
9
+function deploy_challenge {
10
+    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
11
+
12
+    echo "deploy_challenge called: ${DOMAIN}, ${TOKEN_FILENAME}, ${TOKEN_VALUE}"
13
+
14
+    mydnshost records add "_acme-challenge.${DOMAIN}" TXT "${TOKEN_VALUE}"
15
+
16
+    sleep 10
17
+
18
+    # This hook is called once for every domain that needs to be
19
+    # validated, including any alternative names you may have listed.
20
+    #
21
+    # Parameters:
22
+    # - DOMAIN
23
+    #   The domain name (CN or subject alternative name) being
24
+    #   validated.
25
+    # - TOKEN_FILENAME
26
+    #   The name of the file containing the token to be served for HTTP
27
+    #   validation. Should be served by your web server as
28
+    #   /.well-known/acme-challenge/${TOKEN_FILENAME}.
29
+    # - TOKEN_VALUE
30
+    #   The token value that needs to be served for validation. For DNS
31
+    #   validation, this is what you want to put in the _acme-challenge
32
+    #   TXT record. For HTTP validation it is the value that is expected
33
+    #   be found in the $TOKEN_FILENAME file.
34
+}
35
+
36
+function clean_challenge {
37
+    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
38
+
39
+    echo "clean_challenge called: ${DOMAIN}, ${TOKEN_FILENAME}, ${TOKEN_VALUE}"
40
+
41
+    mydnshost records rm "_acme-challenge.${DOMAIN}" TXT "${TOKEN_VALUE}"
42
+
43
+    # This hook is called after attempting to validate each domain,
44
+    # whether or not validation was successful. Here you can delete
45
+    # files or DNS records that are no longer needed.
46
+    #
47
+    # The parameters are the same as for deploy_challenge.
48
+}
49
+
50
+function invalid_challenge() {
51
+    local DOMAIN="${1}" RESPONSE="${2}"
52
+
53
+    echo "invalid_challenge called: ${DOMAIN}, ${RESPONSE}"
54
+
55
+    # This hook is called if the challenge response has failed, so domain
56
+    # owners can be aware and act accordingly.
57
+    #
58
+    # Parameters:
59
+    # - DOMAIN
60
+    #   The primary domain name, i.e. the certificate common
61
+    #   name (CN).
62
+    # - RESPONSE
63
+    #   The response that the verification server returned
64
+}
65
+
66
+function deploy_cert {
67
+    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
68
+
69
+    echo "deploy_cert called: ${DOMAIN}, ${KEYFILE}, ${CERTFILE}, ${FULLCHAINFILE}, ${CHAINFILE}"
70
+
71
+    # This hook is called once for each certificate that has been
72
+    # produced. Here you might, for instance, copy your new certificates
73
+    # to service-specific locations and reload the service.
74
+    #
75
+    # Parameters:
76
+    # - DOMAIN
77
+    #   The primary domain name, i.e. the certificate common
78
+    #   name (CN).
79
+    # - KEYFILE
80
+    #   The path of the file containing the private key.
81
+    # - CERTFILE
82
+    #   The path of the file containing the signed certificate.
83
+    # - FULLCHAINFILE
84
+    #   The path of the file containing the full certificate chain.
85
+    # - CHAINFILE
86
+    #   The path of the file containing the intermediate certificate(s).
87
+}
88
+
89
+function unchanged_cert {
90
+    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
91
+
92
+    echo "unchanged_cert called: ${DOMAIN}, ${KEYFILE}, ${CERTFILE}, ${FULLCHAINFILE}, ${CHAINFILE}"
93
+
94
+    # This hook is called once for each certificate that is still
95
+    # valid and therefore wasn't reissued.
96
+    #
97
+    # Parameters:
98
+    # - DOMAIN
99
+    #   The primary domain name, i.e. the certificate common
100
+    #   name (CN).
101
+    # - KEYFILE
102
+    #   The path of the file containing the private key.
103
+    # - CERTFILE
104
+    #   The path of the file containing the signed certificate.
105
+    # - FULLCHAINFILE
106
+    #   The path of the file containing the full certificate chain.
107
+    # - CHAINFILE
108
+    #   The path of the file containing the intermediate certificate(s).
109
+}
110
+
111
+exit_hook() {
112
+  # This hook is called at the end of a dehydrated command and can be used
113
+  # to do some final (cleanup or other) tasks.
114
+
115
+  :
116
+}
117
+
118
+startup_hook() {
119
+  # This hook is called before the dehydrated command to do some initial tasks
120
+  # (e.g. starting a webserver).
121
+
122
+  :
123
+}
124
+
125
+HANDLER=$1; shift; $HANDLER "$@"

Loading…
Откажи
Сачувај