Use default config for empty DEFAULT_EMAIL only

Then there is no more need to update the default config accounts on DEFAULT_EMAIL changes. No more need for LE_ACMESH_CONFIG either Doc acme.sh.md
nginx-proxy · Oct 10, 2020 · fca180c · fca180c
1 parent 4b61870
commit fca180c
Show file tree

Hide file tree

Showing 7 changed files with 82 additions and 48 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -38,7 +38,7 @@ RUN apk add --update \
 # Install docker-gen from build stage
 COPY --from=go-builder /go/src/github.com/jwilder/docker-gen/docker-gen /usr/local/bin/
 
-# Install simp_le
+# Install acme.sh
 COPY /install_acme.sh /app/install_acme.sh
 RUN chmod +rx /app/install_acme.sh \
     && sync \

diff --git a/README.md b/README.md
@@ -89,23 +89,42 @@ $ docker run --detach \
     nginx
 ```
 
-The containers being proxied must expose the port to be proxied, either by using the `EXPOSE` directive in their Dockerfile or by using the `--expose` flag to `docker run` or `docker create`.
+As for the forced renewal command, replace `nginx-letsencrypt` with the name of your letsencrypt-nginx-proxy-companion container.
 
 If the proxied container listen on and expose another port than the default `80`, you can force **nginx-proxy** to use this port with the [`VIRTUAL_PORT`](https://github.com/jwilder/nginx-proxy#multiple-ports) environment variable.
 
-Example using [Grafana](https://hub.docker.com/r/grafana/grafana/) (expose and listen on port 3000):
+Repeat [Step 3](#step-3---proxied-containers) for any other container you want to proxy.
 
-```shell
-$ docker run --detach \
-    --name grafana \
-    --env "VIRTUAL_HOST=othersubdomain.yourdomain.tld" \
-    --env "VIRTUAL_PORT=3000" \
-    --env "LETSENCRYPT_HOST=othersubdomain.yourdomain.tld" \
-    --env "LETSENCRYPT_EMAIL=mail@yourdomain.tld" \
-    grafana/grafana
+#### Optional container environment variables
+
+Optional letsencrypt-nginx-proxy-companion container environment variables for custom configuration.
+
+* `ACME_CA_URI` - Directory URI for the CA ACME API endpoint (default: ``https://acme-v01.api.letsencrypt.org/directory``). If you set it's value to `https://acme-staging.api.letsencrypt.org/directory` letsencrypt will use test servers that don't have the 5 certs/week/domain limits. You can also create test certificates per container (see [let's encrypt test certificates](#test-certificates))
+
+For example
+
+```bash
+$ docker run -d \
+    -e "ACME_CA_URI=https://acme-staging.api.letsencrypt.org/directory" \
+    -v /path/to/certs:/etc/nginx/certs:rw \
+    --volumes-from nginx-proxy \
+    -v /var/run/docker.sock:/var/run/docker.sock:ro \
+    jrcs/letsencrypt-nginx-proxy-companion
 ```
 
-Repeat [Step 3](#step-3---proxied-containers) for any other container you want to proxy.
+* `DEBUG` - Set it to `1` to enable debugging of the entrypoint script and generation of LetsEncrypt certificates, which could help you pin point any configuration issues.
+
+* `RENEW_PRIVATE_KEYS` - Set it to `false` to make simp_le reuse previously generated private key for each certificate instead of creating a new one on certificate renewal. Recommended if you intend to use HPKP.
+
+* The `com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy` label - set this label on the nginx-proxy container to tell the docker-letsencrypt-nginx-proxy-companion container to use it as the proxy.
+
+* The `com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen` label - set this label on the docker-gen container to tell the docker-letsencrypt-nginx-proxy-companion container to use it as the docker-gen when it's split from nginx (separate containers).
+
+* `DOCKER_PROVIDER` - Set this to change behavior on container ID retrieval. Optional. Current supported values:
+  * No value (empty, not  set): no change in behavior.
+  * `ecs` [Amazon ECS using ECS_CONTAINER_METADATA_FILE environment variable](http://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-metadata.html)
+
+* `DHPARAM_BITS` - Change the size of the Diffie-Hellman key generated by the container from the default value of 2048 bits. For example `-e DHPARAM_BITS=1024` to support some older clients like Java 6 and 7.
 
 ## Additional documentation
 

diff --git a/app/entrypoint.sh b/app/entrypoint.sh
@@ -5,12 +5,9 @@ set -u
 # shellcheck source=functions.sh
 source /app/functions.sh
 
-function check_deprecated_env_var {
-    if [[ -n "${ACME_TOS_HASH:-}" ]]; then
-        echo "Info: the ACME_TOS_HASH environment variable is no longer used by simp_le and has been deprecated."
-        echo "simp_le now implicitly agree to the ACME CA ToS."
-    fi
-}
+if [[ ${DEBUG:-} == true ]]; then
+  DEBUG=1 && export DEBUG
+fi
 
 function check_docker_socket {
     if [[ $DOCKER_HOST == unix://* ]]; then
@@ -134,23 +131,13 @@ function check_default_cert_key {
     set_ownership_and_permissions "/etc/nginx/certs/default.crt"
 }
 
-function configure_default_email {
-    # Configure the email used by the default config
-    [[ -d /etc/acme.sh/default ]] || mkdir -p /etc/acme.sh/default
+function check_default_account {
+    # The default account is now for empty account email
     if [[ -f /etc/acme.sh/default/account.conf ]]; then
-        if [[ -f /etc/acme.sh/default/ca/acme-v01.api.letsencrypt.org/account.json ]]; then
-            acme.sh --update-account --accountemail "${DEFAULT_EMAIL:-}"
-            return 0
-        elif grep -q ACCOUNT_EMAIL /etc/acme.sh/default/account.conf; then
-            if grep -q "${DEFAULT_EMAIL:-}" /etc/acme.sh/default/account.conf; then
-                return 0
-            else
-                sed -i "s/^ACCOUNT_EMAIL=.*$/ACCOUNT_EMAIL='${DEFAULT_EMAIL:-}'/g" /etc/acme.sh/default/account.conf
-                return 0
-            fi
+        if grep -q ACCOUNT_EMAIL /etc/acme.sh/default/account.conf; then
+            sed -i '/ACCOUNT_EMAIL/d' /etc/acme.sh/default/account.conf
         fi
     fi
-    echo "ACCOUNT_EMAIL='${DEFAULT_EMAIL:-}'" >> /etc/acme.sh/default/account.conf
 }
 
 if [[ "$*" == "/bin/bash /app/start.sh" ]]; then
@@ -177,7 +164,7 @@ if [[ "$*" == "/bin/bash /app/start.sh" ]]; then
     check_default_cert_key
     check_dh_group
     reload_nginx
-    [[ -n ${DEFAULT_EMAIL:-} ]] && configure_default_email
+    check_default_account
 fi
 
 exec "$@"
diff --git a/app/letsencrypt_service b/app/letsencrypt_service
@@ -3,6 +3,10 @@
 # shellcheck source=functions.sh
 source /app/functions.sh
 
+if [[ ${DEBUG:-} == true ]]; then
+  DEBUG=1 && export DEBUG
+fi
+
 seconds_to_wait=3600
 ACME_CA_URI="${ACME_CA_URI:-https://acme-v02.api.letsencrypt.org/directory}"
 DEFAULT_KEY_SIZE="${DEFAULT_KEY_SIZE:-4096}"
@@ -169,26 +173,38 @@ function update_certs {
             cert_keysize=$DEFAULT_KEY_SIZE
         fi
 
+        accountemail_varname="LETSENCRYPT_${cid}_EMAIL"
+        accountemail="${!accountemail_varname}"
+        if [[ "$accountemail" == "<no value>" ]]; then
+            accountemail="${DEFAULT_EMAIL:-}"
+        fi
+        config_name="${accountemail:-default}"
+
+        acme_ca_uri_varname="LETSENCRYPT_${cid}_ACME_CA_URI"
+        acme_ca_uri="${!acme_ca_uri_varname}"
+        if [[ "$acme_ca_uri" == "<no value>" ]]; then
+            # Use default or user provided ACME end point
+            acme_ca_uri="$ACME_CA_URI"
+        fi
+
         test_certificate_varname="LETSENCRYPT_${cid}_TEST"
-        le_staging_uri="https://acme-staging-v02.api.letsencrypt.org/directory"
-        if [[ $(lc "${!test_certificate_varname:-}") == true ]] || \
-          [[ "$ACME_CA_URI" == "$le_staging_uri" ]]; then
-            # Use staging Let's Encrypt ACME end point
-            acme_ca_uri="$le_staging_uri"
-            # Prefix test certificate directory with _test_
-            certificate_dir="/etc/nginx/certs/_test_$base_domain"
+        if [[ $(lc "${!test_certificate_varname:-}") == true ]]; then
+            # Use Let's Encrypt ACME V2 staging end point
+            # Unset accountemail
+            # force config dir to 'staging'
+            acme_ca_uri="https://acme-staging-v02.api.letsencrypt.org/directory"
+            accountemail=
+            config_name=staging
         else
             # Use default or user provided ACME end point
             acme_ca_uri="$ACME_CA_URI"
-            certificate_dir="/etc/nginx/certs/$base_domain"
         fi
+        [[ ! -d "/etc/acme.sh/$config_name" ]] && mkdir -p "/etc/acme.sh/$config_name"
 
-        config_varname="LETSENCRYPT_${cid}_ACMESH_CONFIG"
-        config_name="${!config_varname:-"<no value>"}"
-        if [[ "$config_name" == "<no value>" ]]; then
-            config_name=default
+        if [[ $acme_ca_uri =~ ^https://acme-staging.* ]]; then
+            certificate_dir="/etc/nginx/certs/_test_$base_domain"
         else
-            [[ ! -d "/etc/acme.sh/$config_name" ]] && mkdir -p "/etc/acme.sh/$config_name"
+            certificate_dir="/etc/nginx/certs/$base_domain"
         fi
 
         [[ "$DEBUG" == 1 ]] && params_d_arr+=("--debug")
@@ -210,6 +226,7 @@ function update_certs {
         acme.sh --issue \
                 --log /dev/null \
                 --config-home "/etc/acme.sh/$config_name" \
+                ${accountemail:+--accountemail ${accountemail}} \
                 "${params_d_arr[@]}" \
                 --keylength "$cert_keysize" \
                 --server "$acme_ca_uri" \

diff --git a/app/letsencrypt_service_data.tmpl b/app/letsencrypt_service_data.tmpl
@@ -27,14 +27,16 @@ LETSENCRYPT_CONTAINERS=(
                 LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_HOST=('{{ $host }}')
                 LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_KEYSIZE="{{ $container.Env.LETSENCRYPT_KEYSIZE }}"
                 LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_TEST="{{ $container.Env.LETSENCRYPT_TEST }}"
-                LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_ACMESH_CONFIG="{{ $container.Env.LETSENCRYPT_ACMESH_CONFIG }}"
+                LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_EMAIL="{{ $container.Env.LETSENCRYPT_EMAIL }}"
+                LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_ACME_CA_URI="{{ $container.Env.LETSENCRYPT_ACME_CA_URI }}"
                 LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_RESTART_CONTAINER="{{ $container.Env.LETSENCRYPT_RESTART_CONTAINER }}"
             {{ end }}
         {{ else }}
             LETSENCRYPT_{{ $cid }}_HOST=( {{ range $host := split $hosts "," }}{{ $host := trim $host }}{{ $host := trimSuffix "." $host }}'{{ $host }}' {{ end }})
             LETSENCRYPT_{{ $cid }}_KEYSIZE="{{ $container.Env.LETSENCRYPT_KEYSIZE }}"
             LETSENCRYPT_{{ $cid }}_TEST="{{ $container.Env.LETSENCRYPT_TEST }}"
-            LETSENCRYPT_{{ $cid }}_ACMESH_CONFIG="{{ $container.Env.LETSENCRYPT_ACMESH_CONFIG }}"
+            LETSENCRYPT_{{ $cid }}_EMAIL="{{ $container.Env.LETSENCRYPT_EMAIL }}"
+            LETSENCRYPT_{{ $cid }}_ACME_CA_URI="{{ $container.Env.LETSENCRYPT_ACME_CA_URI }}"
             LETSENCRYPT_{{ $cid }}_RESTART_CONTAINER="{{ $container.Env.LETSENCRYPT_RESTART_CONTAINER }}"
         {{ end }}
     {{ end }}

diff --git a/docs/acme.sh.md b/docs/acme.sh.md
@@ -0,0 +1,8 @@
+### Design decisions:
+
+1. Use one acme.sh configuration directory (`--config-home`) per account email address
+1. Each acme.sh configuration directory can hold several accounts on different ACME service providers. But only one per servie provider.
+1. The `defaut`configuration directory holds the configuration for empty account email address
+1. When in testing mode (`LETSENCRYPT_TEST=true`):
+   1. The directory URL is forced to The Let's Encrypt v2 staging one (`ACME_CA_URI`is ignored)
+   1. The account email address is forced empty (`DEFAULT_EMAIL`and `LETSENCRYPT_EMAIL` are ignored)
diff --git a/install_acme.sh b/install_acme.sh
@@ -15,6 +15,7 @@ git checkout "$tag"
 # Install acme.sh in /app
 ./acme.sh --install \
   --nocron \
+  --noprofile \
   --auto-upgrade 0 \
   --home /app \
   --config-home /etc/acme.sh/default