Merge pull request #334 from JrCs/dev

Merge dev into master (v1.8)

Author: buchdag

Dockerfile

@@ -3,7 +3,7 @@ FROM alpine:3.7
 LABEL maintainer="Yves Blusseau <[email protected]> (@blusseau)"
 
 ENV DEBUG=false \
-    DOCKER_GEN_VERSION=0.7.3 \
+    DOCKER_GEN_VERSION=0.7.4 \
     DOCKER_HOST=unix:///var/run/docker.sock
 
 # Install packages required by the image

README.md

@@ -168,13 +168,21 @@ If you want to create test certificates that don't have the 5 certs/week/domain
 Every hour (3600 seconds) the certificates are checked and every certificate that will expire in the next [30 days](https://github.com/kuba/simp_le/blob/ecf4290c4f7863bb5427b50cdd78bc3a5df79176/simp_le.py#L72) (90 days / 3) are renewed.
 
 ##### Force certificates renewal
-
 If needed, you can force a running letsencrypt-nginx-proxy-companion container to renew all certificates that are currently in use. Replace `nginx-letsencrypt` with the name of your letsencrypt-nginx-proxy-companion container in the following command:
 
 ```bash
 $ docker exec nginx-letsencrypt /app/force_renew
 ```
 
+##### Force certificates renewal
+To display informations about your existing certificates, use the following command:
+
+```bash
+$ docker exec nginx-letsencrypt /app/cert_status
+```
+
+As for the forced renewal command, replace `nginx-letsencrypt` with the name of your letsencrypt-nginx-proxy-companion container.
+
 ##### ACME account keys
 By default the container will save the first ACME account key created for each ACME API endpoint used, and will reuse it for all subsequent authorizations and issuances requests made to this endpoint. This behavior is enabled by default to avoid running into Let's Encrypt account [rate limits](https://letsencrypt.org/docs/rate-limits/).
 
@@ -213,8 +221,6 @@ $ docker run -d \
 
 * The `com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen` label - set this label on the docker-gen container to tell the docker-letsencrypt-nginx-proxy-companion container to use it as the docker-gen when it's split from nginx (separate containers).
 
-* `ACME_TOS_HASH` - Let´s you pass an alternative TOS hash to simp_le, to support other CA´s ACME implentation.
-
 * `DOCKER_PROVIDER` - Set this to change behavior on container ID retrieval. Optional. Current supported values:
   * No value (empty, not  set): no change in behavior.
   * `ecs` [Amazon ECS using ECS_CONTAINER_METADATA_FILE environment variable](http://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-metadata.html)

app/cert_status

@@ -0,0 +1,58 @@
+#!/bin/bash
+function print_cert_info {
+  local enddate
+  local subject
+  local san_str
+
+  # Get the wanted informations with OpenSSL.
+  issuer="$(openssl x509 -noout -issuer -in "$1" | sed -n 's/.*CN=\(.*\)/\1/p')"
+  enddate="$(openssl x509 -noout -enddate -in "$1" | sed -n 's/notAfter=\(.*$\)/\1/p')"
+  subject="$(openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN=\([a-z0-9.-]*\)/- \1/p')"
+  san_str="$(openssl x509 -text -in "$1" | grep 'DNS:')"
+
+  echo "Certificate was issued by $issuer"
+  echo "Certificate is valid until $enddate"
+  echo "Subject Name:"
+  echo "$subject"
+
+  # Display the SAN info only if there is more than one SAN domain.
+  while IFS=',' read -ra SAN; do
+      if [[ ${#SAN[@]} -gt 1 ]]; then
+          echo "Subject Alternative Name:"
+          for domain in "${SAN[@]}"; do
+              echo "$domain" | sed -n 's/.*DNS:\([a-z0-9.-]*\)/- \1/p'
+          done
+      fi
+  done <<< "$san_str"
+}
+
+echo '##### Certificate status #####'
+for cert in /etc/nginx/certs/*/fullchain.pem; do
+    [[ -e "$cert" ]] || continue
+    # Verify the certificate with OpenSSL.
+    openssl verify -CAfile "${cert%fullchain.pem}chain.pem" "$cert"
+
+    # Print certificate info.
+    print_cert_info "$cert"
+
+    # Find the .crt files in /etc/nginx/certs which are
+    # symlinks pointing to the current certificate.
+    unset symlinked_domains
+    for symlink in /etc/nginx/certs/*.crt; do
+        [[ -e "$symlink" ]] || continue
+        if [[ "$(readlink -f "$symlink")" == "$cert" ]]; then
+            domain="$(echo "${symlink%.crt}" | sed 's#/etc/nginx/certs/##g')"
+            symlinked_domains+=("$domain")
+        fi
+    done
+
+    # Display symlinks pointing to the current cert if there is any.
+    if [[ ${#symlinked_domains[@]} -gt 0 ]]; then
+        echo "Certificate is used by the following domain(s):"
+        for domain in "${symlinked_domains[@]}"; do
+          echo "- $domain"
+        done
+    fi
+
+    echo '##############################'
+done

app/entrypoint.sh

@@ -3,6 +3,11 @@
 
 set -u
 
+if [[ -n "${ACME_TOS_HASH:-}" ]]; then
+    echo "Info: the ACME_TOS_HASH environment variable is no longer used by simp_le and has been deprecated."
+    echo "simp_le now implicitly agree to the ACME CA ToS."
+fi
+
 DOCKER_PROVIDER=${DOCKER_PROVIDER:-docker}
 
 case "${DOCKER_PROVIDER}" in
@@ -29,33 +34,13 @@ function check_docker_socket {
     if [[ $DOCKER_HOST == unix://* ]]; then
         socket_file=${DOCKER_HOST#unix://}
         if [[ ! -S $socket_file ]]; then
-            cat >&2 <<-EOT
-ERROR: you need to share your Docker host socket with a volume at $socket_file
-Typically you should run your container with: \`-v /var/run/docker.sock:$socket_file:ro\`
-See the documentation at http://git.io/vZaGJ
-EOT
+            echo "Error: you need to share your Docker host socket with a volume at $socket_file" >&2
+            echo "Typically you should run your container with: '-v /var/run/docker.sock:$socket_file:ro'" >&2
             exit 1
         fi
     fi
 }
 
-function get_nginx_proxy_cid {
-    # Look for a NGINX_VERSION environment variable in containers that we have mount volumes from.
-    local volumes_from=$(docker_api "/containers/$CONTAINER_ID/json" | jq -r '.HostConfig.VolumesFrom[]' 2>/dev/null)
-    for cid in $volumes_from; do
-        cid=${cid%:*} # Remove leading :ro or :rw set by remote docker-compose (thx anoopr)
-        if [[ $(docker_api "/containers/$cid/json" | jq -r '.Config.Env[]' | egrep -c '^NGINX_VERSION=') = "1" ]];then
-            export NGINX_PROXY_CONTAINER=$cid
-            break
-        fi
-    done
-    if [[ -z "$(nginx_proxy_container)" ]]; then
-        echo "Error: can't get nginx-proxy container id !" >&2
-        echo "Check that you use the --volumes-from option to mount volumes from the nginx-proxy or label the nginx proxy container to use with 'com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true'." >&2
-        exit 1
-    fi
-}
-
 function check_writable_directory {
     local dir="$1"
     docker_api "/containers/$CONTAINER_ID/json" | jq ".Mounts[].Destination" | grep -q "^\"$dir\"$"
@@ -96,8 +81,19 @@ source /app/functions.sh
 
 if [[ "$*" == "/bin/bash /app/start.sh" ]]; then
     check_docker_socket
-    if [[ -z "$(docker_gen_container)" ]]; then
-        [[ -z "${NGINX_PROXY_CONTAINER:-}" ]] && get_nginx_proxy_cid
+    if [[ -z "$(get_nginx_proxy_container)" ]]; then
+        echo "Error: can't get nginx-proxy container ID !" >&2
+        echo "Check that you are doing one of the following :" >&2
+        echo -e "\t- Use the --volumes-from option to mount volumes from the nginx-proxy container." >&2
+        echo -e "\t- Set the NGINX_PROXY_CONTAINER env var on the letsencrypt-companion container to the name of the nginx-proxy container." >&2
+        echo -e "\t- Label the nginx-proxy container to use with 'com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy'." >&2
+        exit 1
+    elif [[ -z "$(get_docker_gen_container)" ]] && ! is_docker_gen_container "$(get_nginx_proxy_container)"; then
+        echo "Error: can't get docker-gen container id !" >&2
+        echo "If you are running a three containers setup, check that you are doing one of the following :" >&2
+        echo -e "\t- Set the NGINX_DOCKER_GEN_CONTAINER env var on the letsencrypt-companion container to the name of the docker-gen container." >&2
+        echo -e "\t- Label the docker-gen container to use with 'com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen.'" >&2
+        exit 1
     fi
     check_writable_directory '/etc/nginx/certs'
     check_writable_directory '/etc/nginx/vhost.d'

app/functions.sh

@@ -9,7 +9,7 @@
  declare -r END_HEADER='## End of configuration add by letsencrypt container'
 
 function check_nginx_proxy_container_run {
-    local _nginx_proxy_container=$(nginx_proxy_container)
+    local _nginx_proxy_container=$(get_nginx_proxy_container)
     if [[ $(docker_api "/containers/${_nginx_proxy_container}/json" | jq -r '.State.Status') = "running" ]];then
         return 0
     fi
@@ -18,16 +18,7 @@ function check_nginx_proxy_container_run {
     return 1
 }
 
-function check_two_containers_case() {
-    local _docker_gen_container=$(docker_gen_container)
-    if [[ -n "${_docker_gen_container:-}" ]]; then  #case with 3 containers
-        return 1
-    fi
-
-    return 0
-}
-
-add_location_configuration() {
+function add_location_configuration {
     local domain="${1:-}"
     [[ -z "$domain" || ! -f "${VHOST_DIR}/${domain}" ]] && domain=default
     [[ -f "${VHOST_DIR}/${domain}" && \
@@ -40,7 +31,7 @@ add_location_configuration() {
     return 1
 }
 
-remove_all_location_configurations() {
+function remove_all_location_configurations {
     local old_shopt_options=$(shopt -p) # Backup shopt options
     shopt -s nullglob
     for file in "${VHOST_DIR}"/*; do
@@ -96,18 +87,59 @@ function labeled_cid {
     docker_api "/containers/json" | jq -r '.[] | select(.Labels["'$1'"])|.Id'
 }
 
-function docker_gen_container {
-    echo ${NGINX_DOCKER_GEN_CONTAINER:-$(labeled_cid com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen)}
+function is_docker_gen_container {
+    local id="${1?missing id}"
+    if [[ $(docker_api "/containers/$id/json" | jq -r '.Config.Env[]' | egrep -c '^DOCKER_GEN_VERSION=') = "1" ]]; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+function get_docker_gen_container {
+    # First try to get the docker-gen container ID from the container label.
+    local docker_gen_cid="$(labeled_cid com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen)"
+
+    # If the labeled_cid function dit not return anything and the env var is set, use it.
+    if [[ -z "$docker_gen_cid" ]] && [[ -n "${NGINX_DOCKER_GEN_CONTAINER:-}" ]]; then
+        docker_gen_cid="$NGINX_DOCKER_GEN_CONTAINER"
+    fi
+
+    # If a container ID was found, output it. The function will return 1 otherwise.
+    [[ -n "$docker_gen_cid" ]] && echo "$docker_gen_cid"
 }
 
-function nginx_proxy_container {
-    echo ${NGINX_PROXY_CONTAINER:-$(labeled_cid com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy)}
+function get_nginx_proxy_container {
+    local volumes_from
+    # First try to get the nginx container ID from the container label.
+    local nginx_cid="$(labeled_cid com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy)"
+
+    # If the labeled_cid function dit not return anything ...
+    if [[ -z "${nginx_cid}" ]]; then
+        # ... and the env var is set, use it ...
+        if [[ -n "${NGINX_PROXY_CONTAINER:-}" ]]; then
+            nginx_cid="$NGINX_PROXY_CONTAINER"
+        # ... else try to get the container ID with the volumes_from method.
+        else
+            volumes_from=$(docker_api "/containers/$CONTAINER_ID/json" | jq -r '.HostConfig.VolumesFrom[]' 2>/dev/null)
+            for cid in $volumes_from; do
+                cid="${cid%:*}" # Remove leading :ro or :rw set by remote docker-compose (thx anoopr)
+                if [[ $(docker_api "/containers/$cid/json" | jq -r '.Config.Env[]' | egrep -c '^NGINX_VERSION=') = "1" ]];then
+                    nginx_cid="$cid"
+                    break
+                fi
+            done
+        fi
+    fi
+
+    # If a container ID was found, output it. The function will return 1 otherwise.
+    [[ -n "$nginx_cid" ]] && echo "$nginx_cid"
 }
 
 ## Nginx
-reload_nginx() {
-    local _docker_gen_container=$(docker_gen_container)
-    local _nginx_proxy_container=$(nginx_proxy_container)
+function reload_nginx {
+    local _docker_gen_container=$(get_docker_gen_container)
+    local _nginx_proxy_container=$(get_nginx_proxy_container)
 
     if [[ -n "${_docker_gen_container:-}" ]]; then
         # Using docker-gen and nginx in separate container
@@ -130,6 +162,6 @@ reload_nginx() {
 }
 
 # Convert argument to lowercase (bash 4 only)
-function lc() {
+function lc {
 	echo "${@,,}"
 }