1
0
Commit Graph

68 Commits

Author SHA1 Message Date
Jason Bailey
1e81aa6aca
Fix log typo when checking writable directories 2018-02-09 17:11:24 -06:00
Lilit
4c51c2d51c Log error if nginx-proxy is not running 2018-02-01 14:23:54 +03:00
myoung34
da5cc2becf Modify to work with AWS ECS (#300)
+ add foundation for future support of other container management services
2018-01-14 21:45:17 +01:00
Nicolas Duchon
6c6f131f6c
Set container clean exit code to 0 2017-12-30 09:28:43 +01:00
Jonathan Rosenbaum
3c34f99ccd fixes #311 by making account_key_dir into a relative link. 2017-12-30 03:57:16 +00:00
Nicolas Duchon
1bb6e861bf Don't pass --email to simp_le if no address is set
Prevents issues similar to #263
2017-12-07 14:24:08 +01:00
Nicolas Duchon
065c387d24 Treat use of LE staging API like test cert
This make the container behave exactly the same wether test certificates
are requested with the LETSENCRYPT_TEST env var or by setting ACME_CA_URI
to the Let's Encrypt stating API endpoint.
2017-12-07 13:48:58 +01:00
Nicolas Duchon
63403f7ec4 Change REUSE_KEY to REUSE_PRIVATE_KEYS
REUSE_KEY might be confusing now that there is a REUSE_ACCOUNT_KEYS env var
2017-12-07 13:36:49 +01:00
Nicolas Duchon
7f66758f01 Improve handling of ACME account keys
This commit enable the two strategies outlined on
https://letsencrypt.org/docs/integration-guide/
under the "One Account or Many?" paragraph, with
the single account key being the default.
2017-12-07 13:24:57 +01:00
Nicolas Duchon
4085f64c46 Fix trimming on the docker-gen template
Incorrect trimming did lead to empty domains being created on space separated domains
or with comma trailed LETSENCRYPT_HOST environment variable. This in turns led to the
container being caught in an endless loop trying to delete /etc/nginx/certs #254 #288
2017-11-24 14:23:19 +01:00
Nicolas Duchon
8bc51778b5 Do not rm -rf with a trailing empty var 2017-11-24 14:23:19 +01:00
Nicolas Duchon
a9c91da07e Fix update_certs for busybox pkill
As of Alpine 3.4 the procps package does not provide pkill.
Busybox's pkill usage is slightly different.
2017-11-22 22:48:42 +01:00
Nicolas Duchon
83174ed375 Shell linting
https://github.com/koalaman/shellcheck/wiki

start.sh:
Fix SC2173 on line 14.

letsencrypt_service:
Ignore SC2120 and SC1090.
Fix SC1087 on line 54, SC2068 on lines 54 and 124.
Fix SC2034 on lines 12, 13, 19 and 20.
+ use pushd / popd to change the CWD back to /etc/nginx/certs after simp_le execution.

functions.sh:
Ignore SC2155.
Add the missing shebang.

entrypoint.sh:
Ignore SC2155.
2017-11-22 18:27:39 +01:00
Ali
d42c846d8e Removed -only-exposed from from docker-gen calls (#281)
Remove the last remaining -only-exposed on /app/function.sh after #230
2017-11-20 19:59:51 +01:00
Nicolas Duchon
43b913e616
Merge pull request #230 from thmhoag/master
Remove -only-exposed from docker-gen statement so that it will pick u…
2017-11-20 01:06:54 +01:00
Nicolas Duchon
ef79d3b1ca Do not use hardcoded ACME ToS hash 2017-11-16 09:33:47 +01:00
Nicolas Duchon
420d32d397
Fix forced renewal of certificates 2017-11-01 18:21:47 +01:00
Nicolas Duchon
deaf20f71d add force_renew script 2017-08-12 12:41:39 +02:00
Nicolas Duchon
f6f2874003 add --force-renew arg to update_cert
Sets a minimum certificate validity of 90 days, meaning forced renewal for LE certificates.
2017-08-12 12:41:39 +02:00
Nicolas Duchon
86eef9ffb9 allow letsencrypt_service to be sourced 2017-08-12 12:41:39 +02:00
Yves Blusseau
51e9f888f1 Merge pull request #232 from buchdag/disable-auth
Disable auth for the acme-challenge location
2017-08-06 09:01:13 +02:00
Helder Correia
27d433cb63 Complete support for dynamic container names (#231)
* Allow setting NGINX_DOCKER_GEN_CONTAINER from a label
* Find labeled cid in runtime instead of startup time
2017-07-13 12:44:02 +02:00
Nicolas Duchon
429673197d disable auth for the acme-challenge location 2017-07-08 16:59:20 +02:00
Thomas Hoag
899376943f Remove -only-exposed from docker-gen statement so that it will pick up containers on internal networks 2017-07-05 21:51:22 -04:00
Yves Blusseau
1f678ed2c2 Revert "Set /.well-known/acme-challenge nginx location path as prefix string (#192)"
Don't need to use a regexp because the vhost.d/default configuration must be include
specificaly in each server configurations by the nginx.tmpl template file.
Something like:

{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
include {{ printf "/etc/nginx/vhost.d/%s" $host }};
{{ else if (exists "/etc/nginx/vhost.d/default") }}
include /etc/nginx/vhost.d/default;
{{ end }}
2017-07-02 11:26:10 +02:00
Nicolas Duchon
a093ebf36b enable simp_le private key reutilisation 2017-06-16 16:58:44 +02:00
Yves Blusseau
2f88f79cbd Merge pull request #212 from ravenpride/master
Added support for choosing a certain key size via environment variable 'LETSENCRYPT_KEYSIZE'.
2017-05-28 17:37:39 +02:00
PauRE
a1a6732812 Fix renewals on separate containers (#165)
* Added support to reload nginx containter in case only certificates renewal happend. Reusing the autodetection from --volumes-from.
2017-05-28 17:30:10 +02:00
root
2cb951d596 Added support for choosing a certain key size via environment variable 'LETSENCRYPT_KEYSIZE'. 2017-05-27 12:31:55 +00:00
Yves Blusseau
86ee8793a4 Use CONTAINER_ID instead of HOSTNAME variable when using docker_api 2017-05-18 13:36:00 +02:00
Yves Blusseau
794d77793d Merge pull request #181 from emmetog/patch-1
Get nginx container id from labelled container
2017-04-13 13:15:35 +02:00
Emmet O'Grady
a1af285d46
Use fully qualified label name 2017-04-13 12:09:13 +01:00
Jarek Lipski
44560270b7 Do not generate certs if LETSENCRYPT_HOST is empty (#183) 2017-04-13 12:24:48 +02:00
Julien Blondeau
a9b9c74c07 Set /.well-known/acme-challenge nginx location path as prefix string (#192)
In nginx.tmpl, vhosts.d are included before the 'location /' target, and last basic location wins.
If our /.well-known location is defined as a prefix string (or as a regex), it takes priority over basic locations
Details on http://nginx.org/en/docs/http/ngx_http_core_module.html#location
2017-04-13 12:08:32 +02:00
trondvh
232ade6e2f Support for alternative TOS hashes (#189) 2017-03-27 12:29:03 +02:00
Emmet O'Grady
3c877181d8 Get nginx container id from labelled container 2017-03-04 14:15:15 -06:00
Bjoern Busch
783ae214cf Update docker API call
Based on the docker issue (https://github.com/docker/docker/issues/26099) the docker api needs to be called with `localhost` in the URL.
2017-01-19 21:14:10 +01:00
Yves Blusseau
8d3b18894d Output certificate trust chain for OCSP stapling
Close #108 #129
2016-12-30 09:11:06 -08:00
Yves Blusseau
eba7581d82 Revert "[FEATURE] Create SAN certificates only for common domains" 2016-12-30 14:34:05 +01:00
Mickaël Perrin
d25099ee7b [FEATURE] Create SAN certificates only for common domains
SAN certificates are now only created if the domain is contained in the base_domain.

For example:
LETSENCRYPT_HOST=domain.tld,sub.domain.tld,sub2.domain.tld,newdomain.tld,sub.newdomain.tld
will create 2 SAN certificates for domain.tld and newdomain.tld.
2016-12-29 19:30:37 +01:00
ryneeverett
fa2a85c60d Warn if volumes don't appear to be setup correctly
Assuming they're following a conventional setup, this will warn users
that they likely didn't set their volumes up correctly. It's not an
error though because they may have done something like mount the entire
/etc/nginx directory.
2016-08-17 22:31:23 -04:00
Yves Blusseau
bc32889e37 Allow to migrate CN domains to AltNames
Close #77
2016-08-15 10:33:40 +02:00
Yves Blusseau
dca804a362 Change the SHA-256 hash of the contents of Terms Of Service 2016-08-02 13:32:05 +02:00
Yves Blusseau
9295c1d151 Don't remove created configuration files in vhost.d
Close #69
2016-07-28 13:11:57 +02:00
Yves Blusseau
5ba68d20bd Merge pull request #76 from ryneeverett/functions-file-extension
functions.lib -> functions.sh
2016-06-26 11:44:55 +02:00
ryneeverett
7c16aaa2a1 functions.lib -> functions.sh
This way any editor can figure out the file type automatically.
2016-06-25 18:31:15 -04:00
ryneeverett
4953c16bbe Document letsencrypt_service loop.
I hadn't seen this pattern before and it took me a while to figure out
where the loop was happening. (It could have been in the docker
invocation, in entrypoint.sh, or in start.sh too.)
2016-06-25 18:25:24 -04:00
ryneeverett
a8e5131803 Fix typo. 2016-06-25 18:25:16 -04:00
Ben Smith
e2f0abfa3e enable public access to validation endpoints despite existing IP whitelisting or basic auth settings 2016-05-23 15:04:38 -04:00
MrsKensington
76ed161b35 break in location in case the upstream is protected
Add a break into the letsencrypt block so that no more rules are executed otherwise if you have a block like...

    ## Start of configuration add by letsencrypt container
    location /.well-known/acme-challenge/ {
        auth_basic off;
        root /usr/share/nginx/html;
        try_files $uri =404;
    }
    ## End of configuration add by letsencrypt container

    if (!-f /code/home/cookies/$cookie_AUTH_COOKIE) {
        rewrite ^ https://auth.example.org break;
    }

Then lets encrypt never manages to verify the domain as the request gets re-written to the authentication URL.
2016-05-06 18:47:50 +01:00