Add support for managing LetsEncrypt certificates

Add support for managing LetsEncrypt certificates. The webgateway_getssl service uses supervisor to run 3 processes: Apache HTTP Server, cron, and busybox syslogd to aid in logging for cron. It also includes getssl for requesting and renewing certificates. The renewal is run once a day using cron. The updated Traefik configuration allows the certificates to be read from the mounted volume and it watches for changes so the certificates can be updated on the fly.
cilogon · Feb 9, 2020 · 342d5d1 · 342d5d1
1 parent 090488e
commit 342d5d1
Show file tree

Hide file tree

Showing 7 changed files with 662 additions and 1 deletion.
diff --git a/comanage-registry-getssl/Dockerfile b/comanage-registry-getssl/Dockerfile
@@ -0,0 +1,36 @@
+FROM httpd:2.4.41
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        busybox-syslogd \
+        ca-certificates \
+        coreutils \
+        cron  \
+        curl \
+        dnsutils \
+        gawk \
+        grep \
+        openssl \
+        sed \
+        ssl-cert \
+        supervisor \
+    && cp /etc/ssl/certs/ssl-cert-snakeoil.pem /usr/local/apache2/conf/server.crt \
+    && cp /etc/ssl/private/ssl-cert-snakeoil.key /usr/local/apache2/conf/server.key
+
+COPY httpd.conf /usr/local/apache2/conf/httpd.conf
+
+ENV GETSSL_SRC_URL=https://raw.githubusercontent.com/srvrco/getssl/master/getssl
+ENV GETSSL_EXEC=/usr/local/bin/getssl
+ENV GETSSL_WORKDIR=/opt/getssl
+
+RUN curl --silent ${GETSSL_SRC_URL} > ${GETSSL_EXEC} \
+    && chmod 700 ${GETSSL_EXEC} \
+    && mkdir -p ${GETSSL_WORKDIR} \
+    && mkdir -p /usr/local/apache2/htdocs/.well-known/acme-challenge
+
+COPY --chown=root:root root-crontab /etc/crontab
+
+RUN touch /etc/default/locale
+
+COPY supervisord.conf /usr/local/etc/supervisord.conf
+
+ENTRYPOINT ["/usr/bin/supervisord", "-c", "/usr/local/etc/supervisord.conf"]