Initial commit

Dockerfile

@@ -0,0 +1,20 @@
+FROM ubuntu:xenial
+
+RUN apt-get update && \
+    apt-get install -y python3-pip cron && \
+    pip3 install simp_le-client && \
+    find /etc/cron* -type f -delete && \
+    useradd simplecert && \
+    touch /etc/crontab
+
+ADD start /start
+ADD simplewrapper.py /usr/local/bin/simplewrapper.py
+ADD crontab /etc/cron.d/
+
+RUN chmod +x /start /usr/local/bin/simplewrapper.py && \
+    chmod 644 /etc/cron.d/crontab
+
+ENTRYPOINT ["/start"]
+
+VOLUME /srv/acme/webroot/.well-known/acme-challenge/
+VOLUME /srv/acme/conf/

README.md

@@ -0,0 +1,10 @@
+The conf dir (-v /host/conf:/srv/acme/conf/) needs:
+
+    <domain>.com/email    email address to use for the cert request
+    <domain>.com/aliases  all hostnames INCLUDING <domain> for cert request
+
+The webroot should be mounted to the real webhost's acme-challenge dir, like:
+
+    -v /host/real_webroot/.well-known/acme-challenge/:/srv/acme/webroot/.well-known/acme-challenge/
+
+Master process logs in /srv/acme/logs/ are useful for debugging

crontab

@@ -0,0 +1,4 @@
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+* * * * * simplecert /usr/bin/python3 /usr/local/bin/simplewrapper.py >> /srv/acme/logs/cron.log 2>&1

simplewrapper.py

@@ -0,0 +1,52 @@
+#!/usr/bin/env python3
+
+from subprocess import Popen, TimeoutExpired
+import os
+
+
+CONF_DIR = "/srv/acme/conf/"
+WEB_ROOT = "/srv/acme/webroot/"
+
+
+def main():
+    for name in os.listdir(CONF_DIR):
+        domain_dir = os.path.join(CONF_DIR, name)
+        with open(os.path.join(domain_dir, "email")) as f:
+            email = f.read().strip()
+        with open(os.path.join(domain_dir, "aliases")) as f:
+            aliases = [i.strip() for i in f.read().strip().split()]
+
+        call_le(email, aliases, domain_dir)
+
+
+def call_le(email, domain_names, cwd):
+    assert domain_names
+    os.chdir(cwd)
+
+    le_call = ["simp_le",
+               "--email", email,
+               "-f", "account_key.json",
+               "-f", "fullchain.pem",
+               "-f", "key.pem"]
+
+    for domain in domain_names:
+        le_call += ["-d", domain]
+
+    le_call += ["--default_root", WEB_ROOT]
+
+    p = Popen(le_call)
+    try:
+        p.wait(30)
+    except TimeoutExpired:
+        p.kill()
+
+    if p.returncode == 0:
+        print("renewed {}".format(domain_names[0]))
+    elif p.returncode == 1:
+        print("no renew needed for {}".format(domain_names[0]))
+    elif p.returncode == 2:
+        print("error updating {}1".format(domain_names[0]))
+
+
+if __name__ == '__main__':
+    main()

start

@@ -0,0 +1,6 @@
+#!/bin/bash -eux
+
+mkdir -p /srv/acme/webroot/.well-known/acme-challenge /srv/acme/conf /srv/acme/logs
+chown -R simplecert /srv/acme
+
+exec cron -f