Replace certbot with acme.sh container
This commit is contained in:
parent
9427a9b157
commit
b3125d02b3
5 changed files with 37 additions and 57 deletions
25
README.md
25
README.md
@ -3,9 +3,28 @@ Multi channel stream setup with Flask REST API for scheduling channels.
### Install
|
||||
1. `cp variables.env.dist variables.env` and set the required variables
|
||||
2. run `./init.sh` to prepare data directories and generate self signed certs to bootstrap the load balancer
|
||||
3. run the docker-compose stack using `docker-compose up -d --build --remove-orphans`
|
||||
4. run `./renew-certificates.sh` periodically to generate/update the certificates
|
||||
|
||||
2. Start the acme-sh service:
|
||||
`docker-compose up -d acme-sh`
|
||||
|
||||
3. Register acme account:
|
||||
`source variables.env; docker exec acme.sh --register-account -m $EMAIL`
|
||||
|
||||
4. Set the `ACCOUNT_THUMBPRINT` variable
|
||||
|
||||
5. Run the stack using `docker-compose up -d --build --remove-orphans`
|
||||
|
||||
6. Issue a certificate:
|
||||
`source variables.env; docker exec acme.sh --issue -d $BASE_URL -d $SCHEDULER_API_HOSTNAME -d $CORE_API_HOSTNAME --stateless`
|
||||
|
||||
7. Install the certificate:
|
||||
`source variables.env; docker exec acme.sh --install-cert -d $BASE_URL --reloadcmd "cat \$CERT_KEY_PATH \$CERT_FULLCHAIN_PATH > /certificates/$BASE_URL.pem"
|
||||
|
||||
8. Reastart haproxy container:
|
||||
`docker kill -s USR2 haproxy`
|
||||
|
||||
9. Set crontab:
|
||||
`0 0 1 * * docker exec acme.sh --cron && docker kill -s USR2 haproxy`
|
||||
|
||||
### Usage
|
||||
1. Access the admin panel at `https://stream.example.com/ui`
|
||||
|
@ -36,17 +36,11 @@ defaults
#stats refresh 5s
|
||||
|
||||
# PUBLIC
|
||||
frontend http
|
||||
frontend web
|
||||
bind :80
|
||||
option http-server-close
|
||||
redirect scheme https if ! { path_beg -i /.well-known/acme-challenge }
|
||||
default_backend certbot
|
||||
bind :443 ssl crt /certificates strict-sni
|
||||
|
||||
backend certbot
|
||||
server c1 certbot:80
|
||||
|
||||
frontend https
|
||||
bind :443 ssl crt /certificates alpn http/1.1
|
||||
http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-known/acme-challenge/' }
|
||||
|
||||
http-request set-header X-Forwarded-Protocol https
|
||||
http-request set-header X-Forwarded-Proto https
|
||||
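Review bot: The stateless HTTP-01 responder on the `http-request return … ${ACCOUNT_THUMBPRINT}` line degrades silently when the variable is missing: an unset `${ACCOUNT_THUMBPRINT}` appears to expand to an empty string, so every challenge answer becomes `<token>.` and issuance fails with nothing in the proxy log pointing at the cause. Nothing in this file records that dependency, so I would add above the line `# stateless ACME HTTP-01 responder: ACCOUNT_THUMBPRINT (variables.env) must match the registered acme.sh account, otherwise every challenge fails`. The merged `web` frontend now also answers challenges on :443, where `strict-sni` rejects any SNI without a matching loaded certificate, so only the :80 path can serve the very first issuance — worth a word in the same comment. The `frontend web` section most likely continues past the end of the hunk.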
|
@ -7,6 +7,7 @@ networks:
services:
|
||||
haproxy:
|
||||
image: haproxy:lts
|
||||
container_name: haproxy
|
||||
env_file:
|
||||
- "variables.env"
|
||||
ports:
|
||||
|
@ -16,7 +17,6 @@ services:
- "./data/certificates:/certificates"
|
||||
- "./config/haproxy:/usr/local/etc/haproxy"
|
||||
depends_on:
|
||||
- "certbot"
|
||||
- "restreamer"
|
||||
- "api"
|
||||
restart: unless-stopped
|
||||
|
@ -25,20 +25,17 @@ services:
labels:
|
||||
- meta.role=haproxy
|
||||
|
||||
certbot:
|
||||
image: "certbot/certbot"
|
||||
hostname: certbot
|
||||
acme-sh:
|
||||
image: neilpang/acme.sh
|
||||
container_name: acme.sh
|
||||
volumes:
|
||||
- "./data/acme:/acme.sh"
|
||||
- "./data/certificates:/certificates"
|
||||
- "./data/certbot/etc:/etc/letsencrypt"
|
||||
- "./data/certbot/var:/var/lib/letsencrypt"
|
||||
- "./logs/certbot:/var/log/letsencrypt"
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
- net
|
||||
labels:
|
||||
- meta.role=certbot
|
||||
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 15d & wait $${!}; done;'"
|
||||
network_mode: host
|
||||
command: daemon
|
||||
stdin_open: true
|
||||
tty: true
|
||||
restart: "no"
|
||||
|
||||
restreamer:
|
||||
image: datarhei/restreamer:2.11.0
|
||||
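Review bot: `restart: "no"` on the new `acme-sh` service conflicts with the renewal cron the README sets up: `docker exec acme.sh --cron` needs the daemon container to be running, and after a host reboot or Docker restart it stays down, the `exec` fails, and the `&&` then also skips the haproxy reload, so renewals stop without notice. I would use `restart: unless-stopped` here, as the haproxy service does. `network_mode: host` also looks unnecessary in this setup, since the stateless responder in haproxy answers the HTTP-01 challenge and the service declares no ports of its own — if that holds, dropping it would keep the container on the `net` network as the removed certbot service was; please confirm. The first hunk additionally hands all of `variables.env` to haproxy via `env_file`, so every variable in that file, not only `ACCOUNT_THUMBPRINT`, becomes visible inside the proxy container — worth a comment if that is intended.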
17
init.sh
17
init.sh
@ -2,11 +2,8 @@
|
||||
echo "creating data dir structure"
|
||||
|
||||
# certbot
|
||||
mkdir -v -p data/certbot/etc
|
||||
mkdir -v -p data/certbot/var
|
||||
mkdir -v -p logs/certbot
|
||||
|
||||
# acme.sh
|
||||
mkdir -v -p data/acme
|
||||
mkdir -v -p data/certificates
|
||||
|
||||
# restreamer
|
||||
|
@ -24,13 +21,3 @@ touch logs/icecast/access.log
touch logs/icecast/error.log
|
||||
chown 1000:1000 logs/icecast/access.log
|
||||
chown 1000:1000 logs/icecast/error.log
|
||||
|
||||
echo "generating self signed certificates for haproxy bootstrap"
|
||||
cd data/certificates
|
||||
openssl genrsa -out default.key 2048
|
||||
openssl req -new -key default.key -out default.csr
|
||||
openssl x509 -req -days 3650 -in default.csr -signkey default.key -out default.crt
|
||||
cat default.key default.crt >> default.pem
|
||||
rm default.key
|
||||
rm default.csr
|
||||
rm default.crt
|
||||
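Review bot: The second hunk drops the self-signed bootstrap certificate entirely and nothing replaces it: `data/certificates` is now created empty, haproxy's `bind :443 ssl crt /certificates strict-sni` then has no certificate to load (HAProxy refuses to start on an empty `crt` directory, as far as I know), and without a running haproxy the stateless responder cannot answer the first `--issue`, so the bootstrap order in the README breaks. Either keep the `openssl` bootstrap writing `default.pem` into `data/certificates`, or document that `/certificates` must be seeded before the stack is started. The README hunk still states that `./init.sh` generates "self signed certs to bootstrap the load balancer", which no longer holds. `data/acme` in the first hunk becomes the acme.sh home and presumably holds the account private key, so restricting it right after creation (`mkdir -v -p data/acme && chmod 700 data/acme`) would be a sensible tightening, given that `data/certificates` also ends up holding the concatenated key and chain.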
|
@ -1,17 +0,0 @@
#!/bin/bash
|
||||
|
||||
parent_path=$( cd "$(dirname "${BASH_SOURCE[0]}")" ; pwd -P )
|
||||
cd $parent_path
|
||||
|
||||
source variables.env
|
||||
|
||||
CB=`docker ps | grep certbot | cut -d ' ' -f 1`
|
||||
|
||||
#echo $BASE_URL
|
||||
#echo $EMAIL
|
||||
|
||||
docker exec $CB certbot certonly --non-interactive --standalone --http-01-address 0.0.0.0 --email $EMAIL --agree-tos --keep --preferred-challenges http --cert-name $BASE_URL \
|
||||
-d $BASE_URL -d api.$BASE_URL -d stream.$BASE_URL
|
||||
|
||||
cat "./data/certbot/etc/live/$BASE_URL/privkey.pem" "./data/certbot/etc/live/$BASE_URL/fullchain.pem" > "./data/certificates/$BASE_URL.pem"
|
||||
docker kill -s USR2 television_haproxy_1
|