Merge pull request #2 from dcos-labs/mattj/switch_docker_image

Support configuring Boulder server and improve Docker image

Dockerfile

@@ -1,17 +1,9 @@
-FROM debian:jessie
+FROM debian:stretch
 
 WORKDIR /
 ENV DEBIAN_FRONTEND=noninteractive
-ENV CERTBOT_VERSION=0.31.0
 RUN apt-get update \
-  && apt-get install -y unzip curl python-pip \
-  && pip install --upgrade pip \
-  && pip install virtualenv --upgrade \
-  && curl -Ls -o /certbot.zip https://github.com/certbot/certbot/archive/v${CERTBOT_VERSION}.zip \
-  && unzip certbot.zip \
-  && mv certbot-${CERTBOT_VERSION} certbot \
-  && cd certbot \
-  && ./certbot-auto --os-packages-only --noninteractive \
+  && apt-get install -y certbot curl python python-requests \
   && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 EXPOSE 80

README.md

@@ -4,12 +4,15 @@ This is a sample [Marathon](https://github.com/mesosphere/marathon) app for encr
 
 ## Getting started
 
+Ensure you have **at least 2 or more** public agents in your DC/OS cluster, and that marathon-lb is scaled out to more than 1 public agent. Deploying this app requires this since it entails restarting marathon-lb.
+
 Clone (or manually copy) this repo, and modify the [letsencrypt-dcos.json](letsencrypt-dcos.json) file to include:
  - The list of hostnames (must be FQDNs) for which you want to generate SSL certs (in `HAPROXY_0_VHOST`)
  - An admin email address for your certificate (in `LETSENCRYPT_EMAIL`)
  - The Marathon API endpoint (in `MARATHON_URL`)
  - The Marathon-lb app ID (in `MARATHON_LB_ID`)
- - Ensure you have **at least 2 or more** public agents in your DC/OS cluster, and that marathon-lb is scaled out to more than 1 public agent. Deploying this app requires this since it entails restarting marathon-lb.
+
+This app also now supports specifying the Lets Encrypt server, for situations where users may be running their own Boulder server on an internal network, or for using the Lets Encrypt staging servers for testing. By default it is set to the Lets Encrypt staging server, so for production use change the LETSENCRYPT_SERVER_URL variable - if you are using the Lets Encrypt servers the default should be https://acme-v01.api.letsencrypt.org/directory
 
 Now launch the `letsencrypt-dcos` Marathon app:
 

letsencrypt-dcos.json

@@ -20,7 +20,8 @@
       }
     ],
     "docker": {
-      "image": "dcoslabs/letsencrypt-dcos:v1.0.5",
+      "forcePullImage": true,
+      "image": "dcoslabs/letsencrypt-dcos:v1.0.7",
       "network": "BRIDGE",
       "portMappings": [
         {
@@ -34,7 +35,8 @@
   "env": {
     "MARATHON_LB_ID": "marathon-lb",
     "MARATHON_URL": "http://marathon.mesos:8080",
-    "LETSENCRYPT_EMAIL": "matt@example.com"
+    "LETSENCRYPT_EMAIL": "matt@example.com",
+    "LETSENCRYPT_SERVER_URL": "https://acme-staging-v02.api.letsencrypt.org/directory"
   },
   "labels": {
     "HAPROXY_0_VHOST": "ssl-test-1.example.com,ssl-test-2.example.com",

run.sh

@@ -7,7 +7,6 @@ sleep 15
 # Get our SSL domains from the Marathon app label
 SSL_DOMAINS=$(curl -s ${MARATHON_URL}/v2/apps${MARATHON_APP_ID} | python -c 'import sys, json; print(json.load(sys.stdin)["app"]["labels"]["HAPROXY_0_VHOST"])')
 
-
 IFS=',' read -ra ADDR <<< "$SSL_DOMAINS"
 DOMAIN_ARGS=""
 DOMAIN_FIRST=""
@@ -18,15 +17,17 @@ for i in "${ADDR[@]}"; do
   DOMAIN_ARGS="$DOMAIN_ARGS -d $i"
 done
 
-
 echo "DOMAIN_ARGS: ${DOMAIN_ARGS}"
 echo "DOMAIN_FIRST: ${DOMAIN_FIRST}"
 
-echo "Running certbot-auto to generate initial signed cert"
-./certbot-auto --no-self-upgrade certonly --standalone \
-  --preferred-challenges http-01 $DOMAIN_ARGS \
-  --email $LETSENCRYPT_EMAIL --agree-tos --noninteractive --no-redirect \
-  --rsa-key-size 4096 --expand
+echo "Running certbot to generate initial signed cert"
+echo "Using server ${LETSENCRYPT_SERVER_URL}"
+
+certbot certonly --server ${LETSENCRYPT_SERVER_URL} --standalone \
+        --preferred-challenges http-01 $DOMAIN_ARGS \
+        --email $LETSENCRYPT_EMAIL --agree-tos \
+        --noninteractive --no-redirect \
+        --rsa-key-size 4096 --expand
 
 while [ true ]; do
   cat /etc/letsencrypt/live/$DOMAIN_FIRST/fullchain.pem \
@@ -39,5 +40,5 @@ while [ true ]; do
   sleep 24h
 
   echo "About to attempt renewal"
-  ./certbot-auto --no-self-upgrade renew
+  certbot renew
 done