examples - add various certbot-dns examples

CHANGELOG.md

@@ -5,7 +5,7 @@
 - Fix static config (SERVER_NAME not empty) support when using autoconf/swarm/k8s
 - Fix config files overwrite when using Docker autoconf
 - Add log_default() plugin hook
-- Add certbot-dns-ovh example
+- Add various certbot-dns examples
 - Force NGINX version dependencies in Linux packages DEB/RPM
 - Add Discord to supported plugins
 

examples/certbot-dns-cloudflare/README.md

@@ -0,0 +1,7 @@
+Please have a look at the [certbot-dns-cloudflare documentation](https://certbot-dns-cloudflare.readthedocs.io/en/stable/) first.
+
+Procedure :
+- Edit domains in the compose file
+- Edit CloudFlare credentials in cloudflare.ini file (generate using https://dash.cloudflare.com/?to=/:account/profile/api-tokens)
+- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
+- When certificates are generated, run your services : `docker-compose up -d`

examples/certbot-dns-cloudflare/cloudflare.ini

@@ -0,0 +1,5 @@
+# Cloudflare API token used by Certbot (recommended)
+dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef012345671
+# Cloudflare API credentials used by Certbot (not recommended)
+#dns_cloudflare_email = cloudflare@example.com
+#dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef012341

examples/certbot-dns-cloudflare/docker-compose.yml

@@ -0,0 +1,74 @@
+version: '3'
+
+services:
+
+  mybunker:
+    image: bunkerity/bunkerweb:1.4.1
+    ports:
+      - 80:8080
+      - 443:8443
+    # ⚠️ read this if you use local folders for volumes ⚠️
+    # bunkerweb runs as an unprivileged user with UID/GID 101
+    # don't forget to edit the permissions of the files and folders accordingly
+    # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
+    # or for an existing one : chown -R root:101 folder && chmod -R 770 folder
+    # more info at https://docs.bunkerweb.io
+    volumes:
+      - bw_data:/data
+      - certs:/certs
+    environment:
+      - MULTISITE=yes
+      - SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
+      - SERVE_FILES=no
+      - DISABLE_DEFAULT_SERVER=yes
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_REVERSE_PROXY=yes
+      - USE_CUSTOM_HTTPS=yes
+      - CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
+      - CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
+      - app1.example.com_REVERSE_PROXY_URL=/
+      - app1.example.com_REVERSE_PROXY_HOST=http://app1
+      - app2.example.com_REVERSE_PROXY_URL=/
+      - app2.example.com_REVERSE_PROXY_HOST=http://app2
+      - app3.example.com_REVERSE_PROXY_URL=/
+      - app3.example.com_REVERSE_PROXY_HOST=http://app3
+    networks:
+      - net_app1
+      - net_app2
+      - net_app3
+
+  mycertbot:
+    image: certbot/dns-cloudflare
+    environment:
+      - DOMAINS=*.example.com,example.com
+      - EMAIL=contact@example.com
+    volumes:
+      - certs:/etc/letsencrypt
+      - ./cloudflare.ini:/opt/cloudflare.ini
+      - ./entrypoint.sh:/opt/entrypoint.sh
+    entrypoint: /bin/sh /opt/entrypoint.sh    
+
+  app1:
+    image: tutum/hello-world
+    networks:
+      - net_app1
+
+  app2:
+    image: tutum/hello-world
+    networks:
+      - net_app2
+
+  app3:
+    image: tutum/hello-world
+    networks:
+      - net_app3
+
+volumes:
+  bw_data:
+  certs:
+
+networks:
+  net_app1:
+  net_app2:
+  net_app3:

examples/certbot-dns-cloudflare/entrypoint.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+echo "Certbot started, domains = $DOMAINS"
+
+first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
+if [ "$EMAIL" = "" ] ; then
+	EMAIL="contact@${first_domain}"
+fi
+
+if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
+	echo "Renewing certificates ..."
+	certbot renew
+else
+	echo "Asking for certificates ..."
+	certbot certonly -n --dns-cloudflare --dns-cloudflare-credentials /opt/cloudflare.ini --email "$EMAIL" --agree-tos -d "$DOMAINS"
+fi
+
+echo "Fixing permissions ..."
+chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
+
+echo "Certbot ended, sleeping for 24 hours"
+
+sleep 86400

examples/certbot-dns-digitalocean/README.md

@@ -0,0 +1,7 @@
+Please have a look at the [certbot-dns-digitalocean documentation](https://certbot-dns-digitalocean.readthedocs.io/en/stable/) first.
+
+Procedure :
+- Edit domains in the compose file
+- Edit DigitalOcean credentials in digitalocean.ini file (generate using https://cloud.digitalocean.com/settings/api/tokens)
+- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
+- When certificates are generated, run your services : `docker-compose up -d`

examples/certbot-dns-digitalocean/digitalocean.ini

@@ -0,0 +1,2 @@
+# DigitalOcean API credentials used by Certbot
+dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff

examples/certbot-dns-digitalocean/docker-compose.yml

@@ -0,0 +1,74 @@
+version: '3'
+
+services:
+
+  mybunker:
+    image: bunkerity/bunkerweb:1.4.1
+    ports:
+      - 80:8080
+      - 443:8443
+    # ⚠️ read this if you use local folders for volumes ⚠️
+    # bunkerweb runs as an unprivileged user with UID/GID 101
+    # don't forget to edit the permissions of the files and folders accordingly
+    # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
+    # or for an existing one : chown -R root:101 folder && chmod -R 770 folder
+    # more info at https://docs.bunkerweb.io
+    volumes:
+      - bw_data:/data
+      - certs:/certs
+    environment:
+      - MULTISITE=yes
+      - SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
+      - SERVE_FILES=no
+      - DISABLE_DEFAULT_SERVER=yes
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_REVERSE_PROXY=yes
+      - USE_CUSTOM_HTTPS=yes
+      - CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
+      - CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
+      - app1.example.com_REVERSE_PROXY_URL=/
+      - app1.example.com_REVERSE_PROXY_HOST=http://app1
+      - app2.example.com_REVERSE_PROXY_URL=/
+      - app2.example.com_REVERSE_PROXY_HOST=http://app2
+      - app3.example.com_REVERSE_PROXY_URL=/
+      - app3.example.com_REVERSE_PROXY_HOST=http://app3
+    networks:
+      - net_app1
+      - net_app2
+      - net_app3
+
+  mycertbot:
+    image: certbot/dns-digitalocean
+    environment:
+      - DOMAINS=*.example.com,example.com
+      - EMAIL=contact@example.com
+    volumes:
+      - certs:/etc/letsencrypt
+      - ./digitalocean.ini:/opt/digitalocean.ini
+      - ./entrypoint.sh:/opt/entrypoint.sh
+    entrypoint: /bin/sh /opt/entrypoint.sh    
+
+  app1:
+    image: tutum/hello-world
+    networks:
+      - net_app1
+
+  app2:
+    image: tutum/hello-world
+    networks:
+      - net_app2
+
+  app3:
+    image: tutum/hello-world
+    networks:
+      - net_app3
+
+volumes:
+  bw_data:
+  certs:
+
+networks:
+  net_app1:
+  net_app2:
+  net_app3:

examples/certbot-dns-digitalocean/entrypoint.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+echo "Certbot started, domains = $DOMAINS"
+
+first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
+if [ "$EMAIL" = "" ] ; then
+	EMAIL="contact@${first_domain}"
+fi
+
+if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
+	echo "Renewing certificates ..."
+	certbot renew
+else
+	echo "Asking for certificates ..."
+	certbot certonly -n --dns-digitalocean --dns-digitalocean-credentials /opt/digitalocean.ini --email "$EMAIL" --agree-tos -d "$DOMAINS"
+fi
+
+echo "Fixing permissions ..."
+chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
+
+echo "Certbot ended, sleeping for 24 hours"
+
+sleep 86400

examples/certbot-dns-google/README.md

@@ -0,0 +1,7 @@
+Please have a look at the [certbot-dns-google documentation](https://certbot-dns-google.readthedocs.io/en/stable/) first.
+
+Procedure :
+- Edit domains in the compose file
+- Edit Google credentials in google.json file (generate using https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount)
+- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
+- When certificates are generated, run your services : `docker-compose up -d`

examples/certbot-dns-google/docker-compose.yml

@@ -0,0 +1,74 @@
+version: '3'
+
+services:
+
+  mybunker:
+    image: bunkerity/bunkerweb:1.4.1
+    ports:
+      - 80:8080
+      - 443:8443
+    # ⚠️ read this if you use local folders for volumes ⚠️
+    # bunkerweb runs as an unprivileged user with UID/GID 101
+    # don't forget to edit the permissions of the files and folders accordingly
+    # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
+    # or for an existing one : chown -R root:101 folder && chmod -R 770 folder
+    # more info at https://docs.bunkerweb.io
+    volumes:
+      - bw_data:/data
+      - certs:/certs
+    environment:
+      - MULTISITE=yes
+      - SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
+      - SERVE_FILES=no
+      - DISABLE_DEFAULT_SERVER=yes
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_REVERSE_PROXY=yes
+      - USE_CUSTOM_HTTPS=yes
+      - CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
+      - CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
+      - app1.example.com_REVERSE_PROXY_URL=/
+      - app1.example.com_REVERSE_PROXY_HOST=http://app1
+      - app2.example.com_REVERSE_PROXY_URL=/
+      - app2.example.com_REVERSE_PROXY_HOST=http://app2
+      - app3.example.com_REVERSE_PROXY_URL=/
+      - app3.example.com_REVERSE_PROXY_HOST=http://app3
+    networks:
+      - net_app1
+      - net_app2
+      - net_app3
+
+  mycertbot:
+    image: certbot/dns-google
+    environment:
+      - DOMAINS=*.example.com,example.com
+      - EMAIL=contact@example.com
+    volumes:
+      - certs:/etc/letsencrypt
+      - ./google.json:/opt/google.json
+      - ./entrypoint.sh:/opt/entrypoint.sh
+    entrypoint: /bin/sh /opt/entrypoint.sh    
+
+  app1:
+    image: tutum/hello-world
+    networks:
+      - net_app1
+
+  app2:
+    image: tutum/hello-world
+    networks:
+      - net_app2
+
+  app3:
+    image: tutum/hello-world
+    networks:
+      - net_app3
+
+volumes:
+  bw_data:
+  certs:
+
+networks:
+  net_app1:
+  net_app2:
+  net_app3:

examples/certbot-dns-google/entrypoint.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+echo "Certbot started, domains = $DOMAINS"
+
+first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
+if [ "$EMAIL" = "" ] ; then
+	EMAIL="contact@${first_domain}"
+fi
+
+if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
+	echo "Renewing certificates ..."
+	certbot renew
+else
+	echo "Asking for certificates ..."
+	certbot certonly -n --dns-google --dns-google-credentials /opt/google.json --email "$EMAIL" --agree-tos -d "$DOMAINS"
+fi
+
+echo "Fixing permissions ..."
+chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
+
+echo "Certbot ended, sleeping for 24 hours"
+
+sleep 86400

examples/certbot-dns-google/google.json

@@ -0,0 +1,12 @@
+{
+   "type": "service_account",
+   "project_id": "...",
+   "private_key_id": "...",
+   "private_key": "...",
+   "client_email": "...",
+   "client_id": "...",
+   "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+   "token_uri": "https://accounts.google.com/o/oauth2/token",
+   "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+   "client_x509_cert_url": "..."
+}

examples/certbot-dns-ovh/README.md

@@ -2,6 +2,6 @@ Please have a look at the [certbot-dns-ovh documentation](https://certbot-dns-ov
 
 Procedure :
 - Edit domains in the compose file
-- Edit OVH infos (use https://eu.api.ovh.com/createToken/)
+- Edit OVH credentials in ovh.ini file (generate using https://eu.api.ovh.com/createToken/)
 - Run certbot only and wait for certificate to be generated : `docker-compose up -d mycertbot`
 - When certificates are generated, run your services : `docker-compose up -d`

examples/certbot-dns-ovh/entrypoint.sh

@@ -12,7 +12,7 @@ if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
 	certbot renew
 else
 	echo "Asking for certificates ..."
-	certbot certonly --dns-ovh --dns-ovh-credentials /opt/ovh.ini --email "$EMAIL" --agree-tos -d "$DOMAINS"
+	certbot certonly -n --dns-ovh --dns-ovh-credentials /opt/ovh.ini --email "$EMAIL" --agree-tos -d "$DOMAINS"
 fi
 
 echo "Fixing permissions ..."

examples/certbot-dns-route53/README.md

@@ -0,0 +1,7 @@
+Please have a look at the [certbot-dns-route53 documentation](https://certbot-dns-route53.readthedocs.io/en/stable/) first.
+
+Procedure :
+- Edit domains in the compose file
+- Edit AWS credentials in aws.ini file (generate using https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html)
+- Run certbot only and wait for certificates to be generated : `docker-compose up -d mycertbot`
+- When certificates are generated, run your services : `docker-compose up -d`

examples/certbot-dns-route53/aws.ini

@@ -0,0 +1,3 @@
+[default]
+aws_access_key_id=AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

examples/certbot-dns-route53/docker-compose.yml

@@ -0,0 +1,74 @@
+version: '3'
+
+services:
+
+  mybunker:
+    image: bunkerity/bunkerweb:1.4.1
+    ports:
+      - 80:8080
+      - 443:8443
+    # ⚠️ read this if you use local folders for volumes ⚠️
+    # bunkerweb runs as an unprivileged user with UID/GID 101
+    # don't forget to edit the permissions of the files and folders accordingly
+    # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
+    # or for an existing one : chown -R root:101 folder && chmod -R 770 folder
+    # more info at https://docs.bunkerweb.io
+    volumes:
+      - bw_data:/data
+      - certs:/certs
+    environment:
+      - MULTISITE=yes
+      - SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
+      - SERVE_FILES=no
+      - DISABLE_DEFAULT_SERVER=yes
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_REVERSE_PROXY=yes
+      - USE_CUSTOM_HTTPS=yes
+      - CUSTOM_HTTPS_CERT=/certs/live/example.com/fullchain.pem
+      - CUSTOM_HTTPS_KEY=/certs/live/example.com/privkey.pem
+      - app1.example.com_REVERSE_PROXY_URL=/
+      - app1.example.com_REVERSE_PROXY_HOST=http://app1
+      - app2.example.com_REVERSE_PROXY_URL=/
+      - app2.example.com_REVERSE_PROXY_HOST=http://app2
+      - app3.example.com_REVERSE_PROXY_URL=/
+      - app3.example.com_REVERSE_PROXY_HOST=http://app3
+    networks:
+      - net_app1
+      - net_app2
+      - net_app3
+
+  mycertbot:
+    image: certbot/dns-google
+    environment:
+      - DOMAINS=*.example.com,example.com
+      - EMAIL=contact@example.com
+    volumes:
+      - certs:/etc/letsencrypt
+      - ./aws.ini:/opt/aws.ini
+      - ./entrypoint.sh:/opt/entrypoint.sh
+    entrypoint: /bin/sh /opt/entrypoint.sh    
+
+  app1:
+    image: tutum/hello-world
+    networks:
+      - net_app1
+
+  app2:
+    image: tutum/hello-world
+    networks:
+      - net_app2
+
+  app3:
+    image: tutum/hello-world
+    networks:
+      - net_app3
+
+volumes:
+  bw_data:
+  certs:
+
+networks:
+  net_app1:
+  net_app2:
+  net_app3:

examples/certbot-dns-route53/entrypoint.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+echo "Certbot started, domains = $DOMAINS"
+
+first_domain="$(echo -n $DOMAINS | cut -d ',' -f 1 | sed 's/*\.//g')"
+if [ "$EMAIL" = "" ] ; then
+	EMAIL="contact@${first_domain}"
+fi
+
+if [ -f "/etc/letsencrypt/live/${first_domain}/fullchain.pem" ] ; then
+	echo "Renewing certificates ..."
+	certbot renew
+else
+	echo "Asking for certificates ..."
+	export AWS_CONFIG_FILE=/opt/aws.ini
+	certbot certonly -n --dns-route53 --email "$EMAIL" --agree-tos -d "$DOMAINS"
+fi
+
+echo "Fixing permissions ..."
+chown -R 0:101 /etc/letsencrypt && chmod -R 770 /etc/letsencrypt
+
+echo "Certbot ended, sleeping for 24 hours"
+
+sleep 86400