mattermost · akrmhrjn · Jan 7, 2018 · Jan 7, 2018 · Jan 7, 2018 · Jan 7, 2018
diff --git a/README.md b/README.md
@@ -83,6 +83,30 @@ Put your SSL certificate as `./volumes/web/cert/cert.pem` and the private key th
 no password as `./volumes/web/cert/key-no-password.pem`. If you don't have
 them you may generate a self-signed SSL certificate.
 
+#### Install SSL certificate with Let's Encrypt automatically
+If you want to generate SSL certificate automatically from letsencrypt, you can set the following environment variables in **docker-compose.yml** to enable the auto SSL generation process:
+* `LETSENCRYPT_SSL_GENERATION`: true 
+* `DOMAIN_NAME`: Domain name of your application. If more than one domain name then it should be separated by comma.
+* `SERVER_NAME`: Server name of your application. If more than one domain name then it should be separated by space.
+* `EMAIL`: Email for SSL Certificate generation 
+
+```
+    # Uncomment for SSL
+    environment:
+    #  - MATTERMOST_ENABLE_SSL=true # leave this line commented
+    # Uncomment following lines to generate SSL from letsencrpt automatically
+      - LETSENCRYPT_SSL_GENERATION=true
+      - DOMAIN_NAME=yourdomainname.com
+      - SERVER_NAME=yourdomainname.com
+      - EMAIL=youremail@example.com
+```
+After editing the **docker-compose.yml** file. Do the following steps:
+```
+docker-compose build
+docker-compose up -d
+```
+ That is all. After the server is up you can check by browsing **https://yourdomainname.com** in the browser. Also, it checks for the SSL certificate expiration and renews the certificate automatically.
+
 ### Starting/Stopping Docker
 
 #### Start

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -50,4 +50,9 @@ services:
       - /etc/localtime:/etc/localtime:ro
     # Uncomment for SSL
     # environment:
-    #  - MATTERMOST_ENABLE_SSL=true
+    #  - MATTERMOST_ENABLE_SSL=true # comment this line if you want to generate SSL cerificate automatically from letsencrypt
+    # Uncomment following lines to generate SSL from letsencrpt automatically
+    #  - LETSENCRYPT_SSL_GENERATION=true
+    #  - DOMAIN_NAME=XXXX # if more than one domain name then it should be separated by comma
+    #  - SERVER_NAME=XXXX # if more than one domain name then it should be separated by space
+    #  - EMAIL=XXXX # Email for SSL Certificate generation 
diff --git a/web/Dockerfile b/web/Dockerfile
@@ -1,11 +1,23 @@
-FROM nginx:mainline-alpine
+FROM nginx
+
+# install cron, supervisor and certbot
+RUN echo "deb http://ftp.debian.org/debian stretch-backports main" | tee -a /etc/apt/sources.list
+RUN apt-get update
+RUN apt-get install -qy cron supervisor python-certbot-nginx -t stretch-backports
 
 # Remove default configuration and add our custom Nginx configuration files
 RUN rm /etc/nginx/conf.d/default.conf
 COPY ./mattermost /etc/nginx/sites-available/
 COPY ./mattermost-ssl /etc/nginx/sites-available/
 COPY ./security.conf /etc/nginx/conf.d/
 
-# Add and setup entrypoint
-COPY entrypoint.sh /
-ENTRYPOINT ["/entrypoint.sh"]
+# Add entrypoint script and letsencrypt script
+COPY entrypoint.sh letsencrypt.sh /usr/bin/
+
+RUN chmod +x /usr/bin/entrypoint.sh /usr/bin/letsencrypt.sh
+
+# Supervisor config
+COPY entrypoint.conf /etc/supervisor/conf.d/
+
+# Run Supervisor
+CMD ["supervisord", "-n"]
diff --git a/web/entrypoint.conf b/web/entrypoint.conf
@@ -0,0 +1,7 @@
+[program:entrypoint]
+command=/usr/bin/entrypoint.sh
+autostart=true
+autorestart=unexpected
+exitcodes=0
+stdout_logfile=/dev/stdout
+stderr_logfile=/dev/stderr
diff --git a/web/entrypoint.sh b/web/entrypoint.sh
@@ -14,9 +14,19 @@ fi
 # Linking Nginx configuration file
 ln -s /etc/nginx/sites-available/mattermost$ssl /etc/nginx/conf.d/mattermost.conf
 
+# add server name if letsencrypt ssl generation is enabled
+if [ ${LETSENCRYPT_SSL_GENERATION} ]; then
+  sed -i "s/{%SERVER_NAME%}/server_name ${SERVER_NAME};/g" /etc/nginx/conf.d/mattermost.conf
+else
+  sed -i "s/{%SERVER_NAME%}//g" /etc/nginx/conf.d/mattermost.conf 
+fi
+
 # Setup app host and port on configuration file
 sed -i "s/{%APP_HOST%}/${APP_HOST}/g" /etc/nginx/conf.d/mattermost.conf
 sed -i "s/{%APP_PORT%}/${APP_PORT_NUMBER}/g" /etc/nginx/conf.d/mattermost.conf
 
 # Run Nginx
-nginx -g 'daemon off;'
+nginx 
+
+# get certificate from letsencrypt
+/usr/bin/letsencrypt.sh
diff --git a/web/letsencrypt.sh b/web/letsencrypt.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+if [ ${LETSENCRYPT_SSL_GENERATION} ]; then
+  echo "Running certificate generation from Letsencrypt."
+  certbot -m ${EMAIL} -d ${DOMAIN_NAME} --agree-tos -n --nginx
+
+  # try to run renew certificate every day
+  echo "@midnight * * * * certbot renew" | crontab
+
+  #run cron
+  cron
+else
+  echo "Not running certificate generation from Letsencrypt."
+fi
diff --git a/web/mattermost b/web/mattermost
@@ -6,6 +6,8 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
 server {
     listen 80;
 
+    {%SERVER_NAME%}
+
     location ~ /api/v[0-9]+/(users/)?websocket$ {
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";