@lynsei
Last active September 18, 2022 06:21
[Let's Encrypt + Nginx Proxy Companion + Release Detection + Key Mount and Cert Mount Sharing] #release #automation for #certs using #letsencrypt #certificate #key #automation
#
# This lets a script locate the private key, chain certificate and root cert for any sub-domain whose
# certificate was issued automatically by the Let's Encrypt companion for the jwilder nginx-proxy,
# straight from the companion container's filesystem.
#
#  1. From fish (LynsLang) or bash, run `docker ps` with a name filter for "nginx-proxy-lets" and a Go
#     template for the output, which prints only the container id. The name filter is a substring match,
#     so it also matches the companion's full name, nginx-proxy-letsencrypt:
#

in lyns / fish lyn$ abbr nginx-proxy-get 'docker ps --filter "name=nginx-proxy-lets" --format "{{.ID}}"'

> or in bash:

bash-4.2$ alias nginx-proxy-get='docker ps --filter "name=nginx-proxy-lets" --format "{{.ID}}"'

#
#    then use the abbreviation/alias to supply the container id to `docker exec` from that point forward.
#    (bash expands aliases only in interactive shells; inside a script, define nginx-proxy-get as a shell
#    function instead.)

in lynslang / fish lyn$ docker exec -it (nginx-proxy-get) find -L /etc/acme.sh/ -name "*.key"

> or in bash:

docker exec -it $(nginx-proxy-get) find -L /etc/acme.sh/ -name "*.key"

/etc/acme.sh/jane@does.com/ca/acme-v02.api.letsencrypt.org/account.key
/etc/acme.sh/jane@does.com/registry.site.com/site.com.key
/etc/acme.sh/jane@does.com/releases.site.com/site.com.key
  1. Run the above command until you are satisfied you have the key path and cert path. (The first hit
     above, under ca/, is the ACME account key, not a certificate key; leave it where it is.) Then hand
     those paths to docker-compose through the .env file.
#    docker-compose reads .env as literal KEY=VALUE pairs and performs no command substitution, so the
#    lookups below have to run in your shell first, and only the resulting paths go into .env. Drop -t
#    when capturing output: a pseudo-TTY turns each line ending into \r\n and the captured path ends
#    up with a trailing carriage return.
>   `NGINX_FULLCHAIN_PEM=$(docker exec $(nginx-proxy-get) find -L /etc/acme.sh/ -name "mywebsite.pem")`
>   `NGINX_CERT_CER=$(docker exec $(nginx-proxy-get) find -L /etc/acme.sh/ -name "mywebsite.cer")`
>   `NGINX_RSA_KEY=$(docker exec $(nginx-proxy-get) find -L /etc/acme.sh/ -name "mywebsite.key")`

Written into .env, these paths become the bind-mount sources that docker-compose substitutes into the
volume definitions; you still have to attach those mounts to your container (next step).

  • IMPORTANT TO NOTE:

A bind-mount source is a path on the Docker host, but `find` reports a path inside the companion
container. That path only works unchanged if the directory is bind-mounted from the host at the same
location. If it lives in a named volume instead, or the target container otherwise cannot read it, it
simply "won't work": resolve the volume's host mountpoint first (`docker inspect` on the companion
lists its mounts) or share the volume with the target container directly.

  1. Attach your volume to the paths we set up in the env, for docker-compose:

// Example Compose:

version: '2.3'
services:
  registry:
    image: lynsei/lang:0.9.86
    container_name: test
    # an entrypoint is a command, not a function call
    entrypoint: ["sleep", "10"]
    environment:
      - VIRTUAL_HOST=${VIRTUAL_HOST}
      - LETSENCRYPT_EMAIL=${LE_EMAIL}
      - LETSENCRYPT_HOST=${VIRTUAL_HOST}
    volumes:
      # sources are the host paths written to .env above (same variable names); mounted
      # read-only, since the container only reads them and the private key must never be writable
      - type: bind
        source: ${NGINX_CERT_CER}
        target: /cust_cert_cer
        read_only: true
      - type: bind
        source: ${NGINX_FULLCHAIN_PEM}
        target: /cust_cert_pem
        read_only: true
      - type: bind
        source: ${NGINX_RSA_KEY}
        target: /cust_cert_key
        read_only: true
    networks:
      - harbor
    # depends_on only resolves services defined in this compose file; enable it only if the
    # proxy and companion are services here rather than started by proxy.sh (below)
    # depends_on:
    #   - "nginx-proxy-lets"

networks:
  harbor:
    # assumed to exist already; nginx-proxy must be attached to it to reach this service
    external: true

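The three steps above (look the files up in the companion, put their paths in .env, bind-mount them in compose) as one script. This is an added example, not code from the gist or from the nginx-proxy project. It assumes the companion keeps /etc/acme.sh on a volume or bind mount, so the in-container path can be translated to a host path from the mount table that `docker inspect` prints; the file names default to the gist's placeholders mywebsite.pem/.cer/.key, and `resolve-certs.sh` is a hypothetical file name.

```shell
#!/bin/sh
# resolve-certs.sh (hypothetical name): added example, not code from the gist.
# Looks up the companion's cert/key files, translates their in-container paths to
# the host paths backing them, and writes those literal paths to .env (docker-compose
# performs no $(...) substitution in .env, and a bind source must be a host path).
# Assumes /etc/acme.sh in the companion is on a volume or bind mount.
set -eu

COMPANION_FILTER=${COMPANION_FILTER:-name=nginx-proxy-lets}   # substring match, as in the gist
FULLCHAIN_NAME=${FULLCHAIN_NAME:-mywebsite.pem}                # the gist's placeholder names
CERT_NAME=${CERT_NAME:-mywebsite.cer}
KEY_NAME=${KEY_NAME:-mywebsite.key}
TAB=$(printf '\t')
NL=$(printf '\nx'); NL=${NL%x}

# Container id of the companion. No -t: a pseudo-TTY would turn line endings into \r\n.
companion_id() {
  docker ps --filter "$COMPANION_FILTER" --format '{{.ID}}' | head -n 1
}

# Mount table of a container as "destination<TAB>source" lines.
container_mounts() {
  docker inspect --format '{{range .Mounts}}{{.Destination}}{{"\t"}}{{.Source}}{{"\n"}}{{end}}' "$1"
}

# host_path_for CONTAINER_PATH MOUNT_TABLE: host path behind a path inside the container,
# chosen by the longest mount destination that covers it. Pure shell (no docker), so it
# can be checked against a constructed mount table. Returns 1 if no mount covers the path.
host_path_for() {
  printf '%s\n' "$2" | {
    best_dst=''; best_src=''
    while IFS="$TAB" read -r dst src; do
      [ -n "$dst" ] || continue
      case "$1" in
        "$dst"|"$dst"/*)
          if [ "${#dst}" -gt "${#best_dst}" ]; then best_dst=$dst; best_src=$src; fi ;;
      esac
    done
    [ -n "$best_dst" ] || exit 1
    printf '%s%s\n' "$best_src" "${1#"$best_dst"}"
  }
}

# find_in_companion ID NAME: the single file called NAME under /etc/acme.sh, \r stripped.
# Refuses ambiguous results (e.g. the same file name under two sub-domains).
find_in_companion() {
  hits=$(docker exec "$1" find -L /etc/acme.sh/ -name "$2" | tr -d '\r')
  case "$hits" in
    '')      echo "no file named $2 under /etc/acme.sh in container $1" >&2; return 1 ;;
    *"$NL"*) echo "several files named $2, narrow the search:" >&2; echo "$hits" >&2; return 1 ;;
  esac
  printf '%s\n' "$hits"
}

# resolve ID NAME MOUNT_TABLE: container path -> host path, with a clear error when the file
# sits in the container's writable layer and therefore cannot be bind-mounted from the host.
resolve() {
  cpath=$(find_in_companion "$1" "$2") || return 1
  host_path_for "$cpath" "$3" ||
    { echo "$cpath is not on a volume or bind mount of $1; cannot bind-mount it" >&2; return 1; }
}

# The key must belong to the certificate; catch a mismatch before anything mounts it.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

write_env() {
  id=$(companion_id)
  [ -n "$id" ] || { echo "no running container matches $COMPANION_FILTER" >&2; exit 1; }
  mounts=$(container_mounts "$id")
  pem=$(resolve "$id" "$FULLCHAIN_NAME" "$mounts")
  cer=$(resolve "$id" "$CERT_NAME" "$mounts")
  key=$(resolve "$id" "$KEY_NAME" "$mounts")
  key_matches_cert "$cer" "$key" || { echo "$key does not match $cer" >&2; exit 1; }
  # literal values only: these are read back by docker-compose, not by a shell
  {
    printf 'NGINX_FULLCHAIN_PEM=%s\n' "$pem"
    printf 'NGINX_CERT_CER=%s\n' "$cer"
    printf 'NGINX_RSA_KEY=%s\n' "$key"
  } > .env
  echo "wrote .env; check the substituted sources with: docker-compose config"
}

# Touches Docker only when asked:  sudo sh resolve-certs.sh write-env
if [ "${1-}" = "write-env" ]; then write_env; fi
```

Run it on the Docker host as root, since volume data under /var/lib/docker is readable only by root, then `docker-compose config` shows the substituted bind sources. `host_path_for` deliberately has no Docker dependency so the path translation can be checked against a constructed mount table before touching a live host, and the key/cert comparison stops a mismatched pair from being mounted, a mistake that otherwise only surfaces as a TLS handshake failure.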
  1. That's all, just make sure you use a proxy like this one (proxy.sh: it prints the host OS, then starts
     jwilder/nginx-proxy and the Let's Encrypt companion unless a proxy container already exists):
#!/usr/bin/env bash

# Host OS detection (informational only; nothing below depends on OSSTR)
OS=`uname -s`
REV=`uname -r`
MACH=`uname -m`

if [ "${OS}" = "SunOS" ] ; then
  OS=Solaris
  ARCH=`uname -p`
  OSSTR="${OS} ${REV}(${ARCH} `uname -v`)"
elif [ "${OS}" = "AIX" ] ; then
  OSSTR="${OS} `oslevel` (`oslevel -r`)"
elif [ "${OS}" = "Linux" ] ; then
  KERNEL=`uname -r`
  if [ -f /etc/redhat-release ] ; then
    DIST=$(cat /etc/redhat-release | awk '{print $1}')
    if [ "${DIST}" = "CentOS" ]; then
      DIST="CentOS"
    elif [ "${DIST}" = "Mandriva" ]; then
      DIST="Mandriva"
      PSEUDONAME=`cat /etc/mandriva-release | sed s/.*\(// | sed s/\)//`
      REV=`cat /etc/mandriva-release | sed s/.*release\ // | sed s/\ .*//`
    elif [ "${DIST}" = "Fedora" ]; then
      DIST="Fedora"
    else
      DIST="RedHat"
    fi

    PSEUDONAME=`cat /etc/redhat-release | sed s/.*\(// | sed s/\)//`
    REV=`cat /etc/redhat-release | sed s/.*release\ // | sed s/\ .*//`
  elif [ -f /etc/SuSE-release ] ; then
    DIST=`cat /etc/SuSE-release | tr "\n" ' '| sed s/VERSION.*//`
    REV=`cat /etc/SuSE-release | tr "\n" ' ' | sed s/.*=\ //`
  elif [ -f /etc/mandrake-release ] ; then
    DIST='Mandrake'
    PSEUDONAME=`cat /etc/mandrake-release | sed s/.*\(// | sed s/\)//`
    REV=`cat /etc/mandrake-release | sed s/.*release\ // | sed s/\ .*//`
  elif [ -f /etc/debian_version ] ; then
    if [ -f /etc/mailcleaner/etc/mailcleaner/version.def ] ; then
      DIST="MailCleaner"
      REV=`cat /etc/mailcleaner/etc/mailcleaner/version.def`
    else
      DIST="Debian `cat /etc/debian_version`"
      REV=""
    fi
  fi

  if [ -f /etc/UnitedLinux-release ] ; then
    DIST="${DIST}[`cat /etc/UnitedLinux-release | tr "\n" ' ' | sed s/VERSION.*//`]"
  fi

  if [ -f /etc/slackware-version ] ; then
    DIST="Slackware";
    REV=$(cat /etc/slackware-version | awk '{print $2}')
  fi

  if [ -f /etc/lsb-release ] ; then
    LSB_DIST="`cat /etc/lsb-release | grep DISTRIB_ID | cut -d "=" -f2`"
    LSB_REV="`cat /etc/lsb-release | grep DISTRIB_RELEASE | cut -d "=" -f2`"
    if [ "$LSB_DIST" != "" ] ; then
      DIST=$LSB_DIST
      REV=$LSB_REV
    fi
  fi

#  OSSTR="${OS} ${DIST} ${REV}(${PSEUDONAME} ${KERNEL} ${MACH})"
  OSSTR="${DIST} ${REV}"
elif [ "${OS}" = "Darwin" ] ; then
  if [ -f /usr/bin/sw_vers ] ; then
    OSSTR=`/usr/bin/sw_vers|grep -v Build|sed 's/^.*:.//'| tr "\n" ' '`
  fi
fi

echo ${OSSTR}

# Any container whose name starts with nginx-proxy (the proxy or its companion) blocks a fresh launch.
# `docker ps -a` also lists stopped containers, which would still collide with --name below.
existing=$(docker ps -a --filter "name=^/?nginx-proxy" --format "{{.ID}}")
if [[ $existing ]]; then
  echo "Your port 443 is bound to an existing proxy container.  You must first remove any existing proxies to launch a new nginx-proxy...  run:"
  echo "-------- "
  echo docker rm -f $existing '&& ./proxy.sh'
else
  echo "Instantiating a reverse proxy container bound to 80 and 443"
  # The Docker socket gives the proxy full control of the Docker API, i.e. root-equivalent access to the
  # host; :ro only makes the socket file read-only and does not limit the API. Run only images you trust here.
  docker run -d --name nginx-proxy --restart=always -p 80:80 -p 443:443 -v /etc/nginx/vhost.d \
    -v /usr/share/nginx/html \
    -v /etc/nginx/ssl:/etc/nginx/certs \
    -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy:alpine
  # The companion shares the proxy's volumes (vhost.d, html, certs); persisting /etc/acme.sh in a
  # named volume as well keeps the ACME account key and issued certs across re-creation.
  docker run --detach \
    --name nginx-proxy-letsencrypt \
    --volumes-from nginx-proxy -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --env "DEFAULT_EMAIL=jane@janedoe.com" \
    jrcs/letsencrypt-nginx-proxy-companion
fi