web: replace certbot with acme.sh

The former is in a poor state for use in Debian-based
containers:

- The Debian provided package is too old
- certbot-auto no longer works on Debian
- The recommended way of using snap is not Docker friendly

Thus, we are migrating to acme.sh, which has the advantage of also
making the web container slimmer.
pull/852/head
Saúl Ibarra Corretgé 4 years ago
parent 43f678d967
commit 06012127e9
  1. 2
      docker-compose.yml
  2. 3
      env.example
  3. 11
      web/Dockerfile
  4. 10
      web/rootfs/defaults/letsencrypt-renew
  5. 4
      web/rootfs/defaults/ssl.conf
  6. 48
      web/rootfs/etc/cont-init.d/10-config

@ -10,7 +10,6 @@ services:
- '${HTTPS_PORT}:443' - '${HTTPS_PORT}:443'
volumes: volumes:
- ${CONFIG}/web:/config:Z - ${CONFIG}/web:/config:Z
- ${CONFIG}/web/letsencrypt:/etc/letsencrypt:Z
- ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
environment: environment:
- ENABLE_LETSENCRYPT - ENABLE_LETSENCRYPT
@ -19,6 +18,7 @@ services:
- DISABLE_HTTPS - DISABLE_HTTPS
- LETSENCRYPT_DOMAIN - LETSENCRYPT_DOMAIN
- LETSENCRYPT_EMAIL - LETSENCRYPT_EMAIL
- LETSENCRYPT_USE_STAGING
- PUBLIC_URL - PUBLIC_URL
- TZ - TZ
- AMPLITUDE_ID - AMPLITUDE_ID
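Review bot: Dropping the `${CONFIG}/web/letsencrypt:/etc/letsencrypt:Z` mount leaves the certbot state that existing deployments already have on the host (account key, private keys, renewal config) orphaned but still present, and neither this file nor the commit message tells operators that it is no longer read or that a fresh certificate will be issued on the next start, which counts against Let's Encrypt rate limits. A sentence in the description or CHANGELOG such as `Certbot state under ${CONFIG}/web/letsencrypt is no longer used and can be removed once the new certificate is verified; acme.sh keeps its account and keys under ${CONFIG}/web/acme.sh.` would close that gap. Note also that the `/etc/nginx/acme` path ssl.conf now points at is not mounted anywhere in this file, so as far as this diff shows its contents live only as long as the container.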

@ -71,6 +71,9 @@ TZ=UTC
# E-Mail for receiving important account notifications (mandatory) # E-Mail for receiving important account notifications (mandatory)
#LETSENCRYPT_EMAIL=alice@atlanta.net #LETSENCRYPT_EMAIL=alice@atlanta.net
# Use the staging server (for avoiding rate limits while testing)
#LETSENCRYPT_USE_STAGING=1
# #
# Etherpad integration (for document sharing) # Etherpad integration (for document sharing)

@ -1,13 +1,12 @@
ARG JITSI_REPO=jitsi ARG JITSI_REPO=jitsi
FROM ${JITSI_REPO}/base FROM ${JITSI_REPO}/base
ADD https://dl.eff.org/certbot-auto /usr/local/bin/ ADD https://raw.githubusercontent.com/acmesh-official/acme.sh/2.8.8/acme.sh /opt
COPY rootfs/ / COPY rootfs/ /
RUN \ RUN \
apt-dpkg-wrap apt-get update && \ apt-dpkg-wrap apt-get update && \
apt-dpkg-wrap apt-get install -y cron nginx-extras jitsi-meet-web python3-venv && \ apt-dpkg-wrap apt-get install -y cron nginx-extras jitsi-meet-web socat && \
apt-dpkg-wrap apt-get -d install -y jitsi-meet-web-config && \ apt-dpkg-wrap apt-get -d install -y jitsi-meet-web-config && \
dpkg -x /var/cache/apt/archives/jitsi-meet-web-config*.deb /tmp/pkg && \ dpkg -x /var/cache/apt/archives/jitsi-meet-web-config*.deb /tmp/pkg && \
mv /tmp/pkg/usr/share/jitsi-meet-web-config/config.js /defaults && \ mv /tmp/pkg/usr/share/jitsi-meet-web-config/config.js /defaults && \
@ -16,10 +15,6 @@ RUN \
apt-cleanup && \ apt-cleanup && \
rm -rf /tmp/pkg /var/cache/apt rm -rf /tmp/pkg /var/cache/apt
RUN \
chmod a+x /usr/local/bin/certbot-auto && \
USE_PYTHON_3=1 certbot-auto --noninteractive --install-only --no-bootstrap
EXPOSE 80 443 EXPOSE 80 443
VOLUME ["/config", "/etc/letsencrypt", "/usr/share/jitsi-meet/transcripts"] VOLUME ["/config", "/usr/share/jitsi-meet/transcripts"]
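Review bot: The acme.sh script is pulled with a bare `ADD` from a git tag and nothing verifies the downloaded bytes, yet 10-config runs that script as root on every container start; a moved tag or a tampered download path changes what runs without the build noticing. Pin the content rather than only the ref, either with BuildKit `ADD --checksum=sha256:<digest> https://raw.githubusercontent.com/acmesh-official/acme.sh/2.8.8/acme.sh /opt/acme.sh` or by fetching it in the `RUN` step with `curl -fsSL` followed by `echo '<digest>  /opt/acme.sh' | sha256sum -c -`, where `<digest>` is computed once from the 2.8.8 release. The `RUN` instruction opened in the first hunk continues through lines not shown between the two hunks.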

@ -1,10 +0,0 @@
#!/bin/bash
# stop nginx
s6-svc -d /var/run/s6/services/nginx
# renew cert
certbot-auto --no-self-upgrade -n renew >> /config/le-renew.log
# start nginx
s6-svc -u /var/run/s6/services/nginx

@ -5,8 +5,8 @@ ssl_session_tickets off;
# ssl certs # ssl certs
{{ if .Env.ENABLE_LETSENCRYPT | default "0" | toBool }} {{ if .Env.ENABLE_LETSENCRYPT | default "0" | toBool }}
ssl_certificate /etc/letsencrypt/live/{{ .Env.LETSENCRYPT_DOMAIN }}/fullchain.pem; ssl_certificate /etc/nginx/acme/{{ .Env.LETSENCRYPT_DOMAIN }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ .Env.LETSENCRYPT_DOMAIN }}/privkey.pem; ssl_certificate_key /etc/nginx/acme/{{ .Env.LETSENCRYPT_DOMAIN }}/key.pem;
{{ else }} {{ else }}
ssl_certificate /config/keys/cert.crt; ssl_certificate /config/keys/cert.crt;
ssl_certificate_key /config/keys/cert.key; ssl_certificate_key /config/keys/cert.key;

@ -10,17 +10,25 @@ mkdir -p \
# generate keys (maybe) # generate keys (maybe)
if [[ $DISABLE_HTTPS -ne 1 ]]; then if [[ $DISABLE_HTTPS -ne 1 ]]; then
if [[ $ENABLE_LETSENCRYPT -eq 1 ]]; then if [[ $ENABLE_LETSENCRYPT -eq 1 ]]; then
if [[ ! -f /etc/letsencrypt/live/$LETSENCRYPT_DOMAIN/fullchain.pem ]]; then if [[ ! -f /config/acme.sh/acme.sh ]]; then
if ! certbot-auto \ mkdir /config/acme.sh
certonly \ pushd /opt
--no-self-upgrade \ sh ./acme.sh --install --home /config/acme.sh --accountemail $LETSENCRYPT_EMAIL
--noninteractive \ popd
fi
if [[ ! -f /etc/nginx/acme/$LETSENCRYPT_DOMAIN/fullchain.pem ]]; then
STAGING=""
if [[ $LETSENCRYPT_USE_STAGING -eq 1 ]]; then
STAGING="--staging"
fi
# TODO: move away from standalone mode to webroot mode.
if ! /config/acme.sh/acme.sh \
$STAGING \
--issue \
--standalone \ --standalone \
--preferred-challenges http \ --pre-hook "if [[ -f /var/run/s6/services/nginx ]]; then s6-svc -d /var/run/s6/services/nginx; fi" \
-d $LETSENCRYPT_DOMAIN \ --post-hook "if [[ -f /var/run/s6/services/nginx ]]; then s6-svc -u /var/run/s6/services/nginx; fi" \
--agree-tos \ -d $LETSENCRYPT_DOMAIN ; then
--email $LETSENCRYPT_EMAIL ; then
echo "Failed to obtain a certificate from the Let's Encrypt CA." echo "Failed to obtain a certificate from the Let's Encrypt CA."
# this tries to get the user's attention and to spare the # this tries to get the user's attention and to spare the
# authority's rate limit: # authority's rate limit:
@ -28,16 +36,18 @@ if [[ $DISABLE_HTTPS -ne 1 ]]; then
echo "Exiting." echo "Exiting."
exit 1 exit 1
fi fi
mkdir -p /etc/nginx/acme/$LETSENCRYPT_DOMAIN
if ! /config/acme.sh/acme.sh \
--install-cert -d $LETSENCRYPT_DOMAIN \
--key-file /etc/nginx/acme/$LETSENCRYPT_DOMAIN/key.pem \
--fullchain-file /etc/nginx/acme/$LETSENCRYPT_DOMAIN/fullchain.pem ; then
echo "Failed to install certificate."
# this tries to get the user's attention and to spare the
# authority's rate limit:
sleep 15
echo "Exiting."
exit 1
fi fi
# remove default certbot renewal
if [[ -f /etc/cron.d/certbot ]]; then
rm /etc/cron.d/certbot
fi
# setup certbot renewal script
if [[ ! -f /etc/cron.daily/letencrypt-renew ]]; then
cp /defaults/letsencrypt-renew /etc/cron.daily/
fi fi
else else
# use self-signed certs # use self-signed certs
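Review bot: Because `/etc/nginx/acme` is not persisted while `/config/acme.sh` is, a recreated container takes the `--issue` branch with a still-valid certificate already in the acme.sh store; as I recall acme.sh then prints "Skip, Next renewal time is ..." and returns status 2, which the `if ! /config/acme.sh/acme.sh ... --issue` test treats as failure, so the container exits instead of just re-running `--install-cert`. Capturing the status and accepting the skip code (e.g. `rc=$?; if [[ $rc -ne 0 && $rc -ne 2 ]]; then ... exit 1; fi`) or gating the issue step on the acme.sh store rather than on the nginx copy avoids that, and would be worth confirming against the pinned 2.8.8 behaviour. Separately, the `--install-cert` call has no `--reloadcmd`: on a cron renewal the post-hook brings nginx back up before acme.sh copies the renewed files into `/etc/nginx/acme`, so nginx keeps serving the old certificate until the container is restarted; adding `--reloadcmd "s6-svc -h /var/run/s6/services/nginx"` to the `--install-cert` invocation fixes that. The `if [[ $ENABLE_LETSENCRYPT -eq 1 ]]` block and its enclosing `if` start in the first hunk and close outside this one.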
