Initial Commit

solidnerd · solidnerd · commit 1bbd2537a5e3 · 2017-02-04T20:54:43.000+01:00
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,3 @@
+.gitlab-ci.yml
+README.md
+LICENSE
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -0,0 +1,23 @@
+stages:
+  - build
+  - release
+
+before_script:
+  - docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN $CI_REGISTRY
+
+build:
+  stage: build
+  image: docker:1.12
+  script:
+   - docker build -t $CI_REGISTRY_IMAGE:$CI_BUILD_REF_NAME .
+   - docker push $CI_REGISTRY_IMAGE:$CI_BUILD_REF_NAME
+
+release-latest:
+  stage: release
+  image: docker:1.12
+  variables:
+    GIT_STRATEGY: none
+  script:
+   - docker pull $CI_REGISTRY_IMAGE:$CI_BUILD_REF_NAME
+   - docker tag $CI_REGISTRY_IMAGE:$CI_BUILD_REF_NAME $CI_REGISTRY_IMAGE:latest
+   - docker push $CI_REGISTRY_IMAGE:latest
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,19 @@
+FROM  quay.io/letsencrypt/letsencrypt:v0.11.1
+
+COPY letsencrypt-hooks/* /letsencrypt/hooks/
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+
+RUN apt-get update && apt-get install -y curl && \
+  chmod +x /letsencrypt/hooks/authenticator.sh \
+  /letsencrypt/hooks/cleanup.sh \
+  /docker-entrypoint.sh  && \
+   apt-get clean && \
+   rm -rf /var/lib/apt/lists/* \
+    /tmp/* \
+    /var/tmp/*
+
+ENV PATH="$PATH:/letsencrypt/hooks"
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+VOLUME ["/etc/letsencrypt","/var/lib/letsencrypt","/var/log/letsencrypt"]
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Niclas Mietz
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
@@ -0,0 +1,52 @@
+Let's Encrypt DNS Challenge
+===========================
+
+This repo contains only an image for an letsencrpyt container to use dns challenge with cloudflare.
+
+It uses the certbot image directly.
+
+## How to run this ?
+
+### With interactive mode for to decide if you want ip logging
+
+```bash
+docker run --rm  -it -v "/etc/letsencrypt:/etc/letsencrypt" \
+  -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
+  -v "/var/log/letsencrypt:/var/log/letsencrypt" \
+  -e CERTBOT_DOMAIN=<domain> \
+  -e CLOUDFLARE_API_KEY=<cloudflare api key> \
+  -e CLOUDFLARE_EMAIL=<email address> \
+solidnerd/letsencrpyt-dns:0.1.0
+```
+
+### Accept IP Logging 
+
+```bash
+docker run --rm -it -v "/etc/letsencrypt:/etc/letsencrypt"  \
+  -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
+  -v "/var/log/letsencrypt:/var/log/letsencrypt" \
+  -e CERTBOT_DOMAIN=<domain> \
+  -e CLOUDFLARE_API_KEY=<cloudflare api key> \
+  -e CLOUDFLARE_EMAIL=<email address> \
+  -e CERBOT_IP_LOGGING=true \
+solidnerd/letsencrpyt-dns:0.1.0
+```
+
+## Configuration
+
+|Variable | Description |
+|:-------| :---------- |
+|CERTBOT_DOMAIN| Domain that should receive a certificate |
+| CLOUDFLARE_API_KEY | Global Api Key from Cloudflare |
+| CLOUDFLARE_EMAIL | Email Address that is used to login in cloudflare |
+| CERTBOT_IP_LOGGING | Accepts that the IP will be logged from the server that requests a certificate | 
+
+## Issues
+
+Make an issue on the [GitHub Repo](https://github.com/solidnerd/letsencrypt-dns) .
+
+## Inspiration 
+
+This repo got a lot of inspiration from the lets encrypt user guide.
+
+- http://letsencrypt.readthedocs.io/en/latest/using.html#hooks
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+if [[ -n "${CLOUDFLARE_API_KEY}"  &&  -n "${CLOUDFLARE_EMAIL}" && -n "${CERTBOT_DOMAIN}" ]]; then
+  if [[ $CERBOT_IP_LOGGING == true ]]; then
+    exec certbot certonly --manual --preferred-challenges=dns --manual-public-ip-logging-ok  --manual-auth-hook authenticator.sh --manual-cleanup-hook  cleanup.sh -d ${CERTBOT_DOMAIN}
+  else
+    exec certbot certonly --manual --preferred-challenges=dns --manual-auth-hook authenticator.sh --manual-cleanup-hook  cleanup.sh -d ${CERTBOT_DOMAIN}
+  fi
+else 
+echo "One of the following variables were not set: "
+echo "CLOUDFLARE_API_KEY"
+echo "CLOUDFLARE_EMAIL"
+echo "CERTBOT_DOMAIN"
+exit 1
+fi
+
+
diff --git a/letsencrypt-hooks/authenticator.sh b/letsencrypt-hooks/authenticator.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Get your API key from https://www.cloudflare.com/a/account/my-account
+CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY:-"your-api-key"}
+CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL:-"your.CLOUDFLARE_EMAIL@example.com"}
+
+# Strip only the top domain to get the zone id
+DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')
+
+# Get the Cloudflare zone id
+ZONE_EXTRA_PARAMS="status=active&page=1&per_page=20&order=status&direction=desc&match=all"
+ZONE_ID=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$DOMAIN&$ZONE_EXTRA_PARAMS" \
+     -H     "X-Auth-Email: $CLOUDFLARE_EMAIL" \
+     -H     "X-Auth-Key: $CLOUDFLARE_API_KEY" \
+     -H     "Content-Type: application/json" | python -c "import sys,json;print(json.load(sys.stdin)['result'][0]['id'])")
+
+# Create TXT record
+CREATE_DOMAIN="_acme-challenge.$CERTBOT_DOMAIN"
+RECORD_ID=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
+     -H     "X-Auth-Email: $CLOUDFLARE_EMAIL" \
+     -H     "X-Auth-Key: $CLOUDFLARE_API_KEY" \
+     -H     "Content-Type: application/json" \
+     --data '{"type":"TXT","name":"'"$CREATE_DOMAIN"'","content":"'"$CERTBOT_VALIDATION"'","ttl":120}' \
+             | python -c "import sys,json;print(json.load(sys.stdin)['result']['id'])")
+# Save info for cleanup
+if [ ! -d /tmp/CERTBOT_$CERTBOT_DOMAIN ];then
+        mkdir -m 0700 /tmp/CERTBOT_$CERTBOT_DOMAIN
+fi
+echo $ZONE_ID > /tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID
+echo $RECORD_ID > /tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID
+
+# Sleep to make sure the change has time to propagate over to DNS
+sleep 25
diff --git a/letsencrypt-hooks/cleanup.sh b/letsencrypt-hooks/cleanup.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Get your API key from https://www.cloudflare.com/a/account/my-account
+CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY:-"your-api-key"}
+CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL:-"your.CLOUDFLARE_EMAIL@example.com"}
+
+if [ -f /tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID ]; then
+        ZONE_ID=$(cat /tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID)
+        rm -f /tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID
+fi
+
+if [ -f /tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID ]; then
+        RECORD_ID=$(cat /tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID)
+        rm -f /tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID
+fi
+
+# Remove the challenge TXT record from the zone
+if [ -n "${ZONE_ID}" ]; then
+    if [ -n "${RECORD_ID}" ]; then
+        curl -s -X DELETE "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$RECORD_ID" \
+                -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \
+                -H "X-Auth-Key: $CLOUDFLARE_API_KEY" \
+                -H "Content-Type: application/json"
+    fi
+fi

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+.gitlab-ci.yml`
	`2`	`+README.md`
	`3`	`+LICENSE`