From b3125d02b3cd4028c0e512800c0982aaae3a8daa Mon Sep 17 00:00:00 2001 From: deflax Date: Tue, 28 Jan 2025 18:13:50 +0000 Subject: [PATCH] Replace certbot with acme.sh container --- README.md | 25 ++++++++++++++++++++++--- config/haproxy/haproxy.cfg | 12 +++--------- docker-compose.yml | 23 ++++++++++------------- init.sh | 17 ++--------------- renew-certificates.sh | 17 ----------------- 5 files changed, 37 insertions(+), 57 deletions(-) delete mode 100755 renew-certificates.sh diff --git a/README.md b/README.md index b8260cd..a8c3385 100644 --- a/README.md +++ b/README.md @@ -3,9 +3,28 @@ Multi channel stream setup with Flask REST API for scheduling channels. ### Install 1. `cp variables.env.dist variables.env` and set the required variables -2. run `./init.sh` to prepare data directories and generate self signed certs to bootstrap the load balancer -3. run the docker-compose stack using `docker-compose up -d --build --remove-orphans` -4. run `./renew-certificates.sh` periodically to generate/update the certificates + +2. Start the acme-sh service: +`docker-compose up -d acme-sh` + +3. Register acme account: +`source variables.env; docker exec acme.sh --register-account -m $EMAIL` + +4. Set the `ACCOUNT_THUMBPRINT` variable + +5. Run the stack using `docker-compose up -d --build --remove-orphans` + +6. Issue a certificate: +`source variables.env; docker exec acme.sh --issue -d $BASE_URL -d $SCHEDULER_API_HOSTNAME -d $CORE_API_HOSTNAME --stateless` + +7. Install the certificate: +`source variables.env; docker exec acme.sh --install-cert -d $BASE_URL --reloadcmd "cat \$CERT_KEY_PATH \$CERT_FULLCHAIN_PATH > /certificates/$BASE_URL.pem" + +8. Reastart haproxy container: +`docker kill -s USR2 haproxy` + +9. Set crontab: +`0 0 1 * * docker exec acme.sh --cron && docker kill -s USR2 haproxy` ### Usage 1. Access the admin panel at `https://stream.example.com/ui` diff --git a/config/haproxy/haproxy.cfg b/config/haproxy/haproxy.cfg index e02627b..45f5dcf 100644 
--- a/config/haproxy/haproxy.cfg +++ b/config/haproxy/haproxy.cfg @@ -36,17 +36,11 @@ defaults #stats refresh 5s # PUBLIC -frontend http +frontend web bind :80 - option http-server-close - redirect scheme https if ! { path_beg -i /.well-known/acme-challenge } - default_backend certbot + bind :443 ssl crt /certificates strict-sni -backend certbot - server c1 certbot:80 - -frontend https - bind :443 ssl crt /certificates alpn http/1.1 + http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-known/acme-challenge/' } http-request set-header X-Forwarded-Protocol https http-request set-header X-Forwarded-Proto https diff --git a/docker-compose.yml b/docker-compose.yml index 59d297b..790f78d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -7,6 +7,7 @@ networks: services: haproxy: image: haproxy:lts + container_name: haproxy env_file: - "variables.env" ports: @@ -16,7 +17,6 @@ services: - "./data/certificates:/certificates" - "./config/haproxy:/usr/local/etc/haproxy" depends_on: - - "certbot" - "restreamer" - "api" restart: unless-stopped @@ -25,20 +25,17 @@ services: labels: - meta.role=haproxy - certbot: - image: "certbot/certbot" - hostname: certbot + acme-sh: + image: neilpang/acme.sh + container_name: acme.sh volumes: + - "./data/acme:/acme.sh" - "./data/certificates:/certificates" - - "./data/certbot/etc:/etc/letsencrypt" - - "./data/certbot/var:/var/lib/letsencrypt" - - "./logs/certbot:/var/log/letsencrypt" - restart: unless-stopped - networks: - - net - labels: - - meta.role=certbot - entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 15d & wait $${!}; done;'" + network_mode: host + command: daemon + stdin_open: true + tty: true + restart: "no" restreamer: image: datarhei/restreamer:2.11.0 diff --git a/init.sh b/init.sh index fc52ef1..8424f6e 100755 --- a/init.sh +++ b/init.sh 
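Review bot: The merged `frontend web` now proxies plaintext :80 traffic straight to the backends — the old `redirect scheme https if ! { path_beg -i /.well-known/acme-challenge }` goes away with the certbot backend and nothing replaces it — while the surviving context lines stamp `X-Forwarded-Proto https` on every request, so any backend that trusts that header will treat a cleartext request as secure. Add a redirect directly after the acme `http-request return` rule so only the challenge path is answered over HTTP: `http-request redirect scheme https code 301 unless { ssl_fc } || { path_beg '/.well-known/acme-challenge/' }` (or at least guard the two `set-header` lines with `if { ssl_fc }`). The `${ACCOUNT_THUMBPRINT}` expansion degrades to `token.` when the variable is missing from variables.env, after which every HTTP-01 validation fails with nothing useful in the HAProxy log; a comment next to the rule, `# ACCOUNT_THUMBPRINT comes from 'acme.sh --register-account' (README step 3/4); stateless HTTP-01 breaks silently if it is empty`, would save the next operator a debugging session. The rest of the frontend (`default_backend`, routing ACLs) is outside the hunk.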
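Review bot: `restart: "no"` on the new `acme-sh` service means the `daemon` container stays down after a host reboot or a Docker restart, and the monthly `docker exec acme.sh --cron` the README schedules then fails, so renewals silently stop; the certbot service this replaces had `restart: unless-stopped` and the same is needed here. `network_mode: host` is also more privilege than the container needs: in `--stateless` mode the HTTP-01 response is served by HAProxy, not by acme.sh, so the container only makes outbound calls to the CA and can stay on the `net` network like every other service in the stack. Finally `image: neilpang/acme.sh` is an unpinned tag for a container that runs with the ACME account key and the domain private keys mounted at `/acme.sh`; pin it to a release tag or digest the way `datarhei/restreamer:2.11.0` already is.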
@@ -2,11 +2,8 @@ echo "creating data dir structure" -# certbot -mkdir -v -p data/certbot/etc -mkdir -v -p data/certbot/var -mkdir -v -p logs/certbot - +# acme.sh +mkdir -v -p data/acme mkdir -v -p data/certificates # restreamer @@ -24,13 +21,3 @@ touch logs/icecast/access.log touch logs/icecast/error.log chown 1000:1000 logs/icecast/access.log chown 1000:1000 logs/icecast/error.log - -echo "generating self signed certificates for haproxy bootstrap" -cd data/certificates -openssl genrsa -out default.key 2048 -openssl req -new -key default.key -out default.csr -openssl x509 -req -days 3650 -in default.csr -signkey default.key -out default.crt -cat default.key default.crt >> default.pem -rm default.key -rm default.csr -rm default.crt diff --git a/renew-certificates.sh b/renew-certificates.sh deleted file mode 100755 index c8f8eb2..0000000 --- a/renew-certificates.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash - -parent_path=$( cd "$(dirname "${BASH_SOURCE[0]}")" ; pwd -P ) -cd $parent_path - -source variables.env - -CB=`docker ps | grep certbot | cut -d ' ' -f 1` - -#echo $BASE_URL -#echo $EMAIL - -docker exec $CB certbot certonly --non-interactive --standalone --http-01-address 0.0.0.0 --email $EMAIL --agree-tos --keep --preferred-challenges http --cert-name $BASE_URL \ - -d $BASE_URL -d api.$BASE_URL -d stream.$BASE_URL - -cat "./data/certbot/etc/live/$BASE_URL/privkey.pem" "./data/certbot/etc/live/$BASE_URL/fullchain.pem" > "./data/certificates/$BASE_URL.pem" -docker kill -s USR2 television_haproxy_1
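Review bot: `mkdir -v -p data/acme` creates the directory that docker-compose mounts as acme.sh's home (`/acme.sh`), where the ACME account key and the issued private keys will live, with the caller's default umask — usually 755 — although nothing on the host besides the container needs to read it. Creating it with `mkdir -v -p -m 700 data/acme` keeps other local users away from the keys; whether acme.sh tightens the mode of the files it writes is not visible here, so the directory mode is the cheap guarantee. The same applies to `data/certificates`, which receives the combined key+fullchain PEM, provided the haproxy container still loads certificates as root.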
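Review bot: Dropping the self-signed bootstrap leaves `data/certificates` empty on first start, yet the stateless HTTP-01 flow in this commit needs HAProxy up and answering on :80 before `acme.sh --issue` can succeed, and at that point `bind :443 ssl crt /certificates strict-sni` has nothing to load. Unless you have confirmed that the `haproxy:lts` image starts with an empty `crt` directory, keep a throw-away certificate for the bootstrap — non-interactively this time, e.g. `umask 077; openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj /CN=bootstrap -keyout default.key -out default.crt` followed by the existing `cat default.key default.crt > default.pem` — and document that it is superseded by the first `--install-cert`. The removed block also wrote `default.pem`, which contains the private key, with the default umask and used `>>`, so restoring it with `umask 077` and `>` is strictly better than the original.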