Initial version

Author: arnested

Dockerfile

@@ -0,0 +1,18 @@
+FROM phusion/baseimage:0.9.19
+MAINTAINER Arne Jørgensen
+
+RUN set -x && \
+    apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y -q golang-go git php-cli php-curl ruby && \
+    GOPATH=/usr/local go get -u github.com/xenolf/lego && \
+    curl -sS https://platform.sh/cli/installer | php && \
+    curl -sS -o /opt/yamledit.rb https://raw.githubusercontent.com/dbrandenburg/yamledit/master/yamledit.rb && \
+    DEBIAN_FRONTEND=noninteractive apt-get purge -y -q golang-go && \
+    apt-get clean -y -q && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+ENV PATH=/root/.platformsh/bin/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+COPY etc/ /etc/
+COPY usr/ /usr/
+VOLUME [ "/data" ]

README.md

@@ -0,0 +1,44 @@
+# Let's Encrypt with DNS challenge on platform.sh
+
+[Platform.sh](https://platform.sh) currently doesn't support using
+Let's Encrypt certificates (at least not with domain verification and
+automatic renewal).
+
+This image uses [lego](https://github.com/xenolf/lego) to obtain a
+certificate via Let's Encrypts DNS challenge and uploads the
+certificate to platform.sh using their commmand line client.
+
+Experimental. YMMV.
+
+Necessary configuration via environment variables, .i.e.:
+
+ * `[email protected]` (used for registering with Let's Encrypt)
+ * `DOMAINS="example.com www.example.com"` (space separated list --
+   must already be added to the project at Platform.sh)
+ * `DNS_PROVIDER=dnsimple` (your DNS provider, see below for supported
+   providers and additional needed configuration)
+ * `PLATFORMSH_API_TOKEN=mytoken` (an APIv1 token)
+ * `PLATFORMSH_PROJECT_ID=myprojectid`
+
+
+You also need to provide environment variables required by the DNS provider challenge chosen:
+
+ * cloudflare: `CLOUDFLARE_EMAIL`, `CLOUDFLARE_API_KEY`
+ * digitalocean: `DO_AUTH_TOKEN`
+ * dnsimple: `DNSIMPLE_EMAIL`, `DNSIMPLE_API_KEY`
+ * dnsmadeeasy:	`DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`
+ * gandi: `GANDI_API_KEY`
+ * gcloud: `GCE_PROJECT`
+ * namecheap: `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`
+ * rfc2136:	`RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`
+ * route53:	`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`
+ * dyn: `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`
+ * vultr: `VULTR_API_KEY`
+ * ovh: `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`
+ * pdns: `PDNS_API_KEY`, `PDNS_API_URL`
+
+Optional configuration via environment variables:
+
+```
+SERVER=https://acme-staging.api.letsencrypt.org/directory
+```

etc/cron.daily/100-lego-platform

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec /usr/local/bin/lego-platform.sh

etc/my_init.d/100-platformsh-setup-token

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+TOKEN_FILE=$(mktemp -p /opt)
+echo "${PLATFORMSH_API_TOKEN}" > "${TOKEN_FILE}"
+/usr/bin/ruby /opt/yamledit.rb -f /root/.platformsh/config.yaml -n -k api,token_file -v "${TOKEN_FILE}" --force

etc/my_init.d/200-lego-platform

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec /usr/local/bin/lego-platform.sh

usr/local/bin/lego-platform.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+
+set +x
+
+. /etc/container_environment.sh
+
+IFS=' ' read -r -a domains <<< "${DOMAINS}"
+LEGOPATH=/data
+export HOME=/root
+SERVER=${SERVER:-https://acme-v01.api.letsencrypt.org/directory}
+
+verify_preconditions () {
+    [ ! -z "${SERVER}" ] && [ ! -z "${EMAIL}" ] && [ ! -z "${DNS_PROVIDER}" ] && verify_domains_in_platformsh
+}
+
+verify_domains_in_platformsh () {
+    local status=0
+
+    for i in "${!domains[@]}"
+    do
+        platform domain:get --yes --project="${PLATFORMSH_PROJECT_ID}" "${domains[i]}"
+        local err=$?
+        status=$((${err}|${status}))
+    done
+
+    return ${status}
+}
+
+create_or_renew_domains () {
+    for i in "${!domains[@]}"
+    do
+        if $(domain_exists "${domains[i]}")
+        then
+            renew_domain "${domains[i]}"
+        else
+            create_domain "${domains[i]}"
+        fi
+    done
+}
+
+domain_exists () {
+    local domain=$1
+    [ -e "${LEGOPATH}/certificates/${domain}.crt" ]
+}
+
+create_domain () {
+    local domain=$1
+    lego --domains=${domain} --server=${SERVER} --email=${EMAIL} --accept-tos --path=${LEGOPATH} --dns=${DNS_PROVIDER} run
+}
+
+renew_domain () {
+    local domain=$1
+    lego --domains=${domain} --server=${SERVER} --email=${EMAIL} --accept-tos --path=${LEGOPATH} --dns=${DNS_PROVIDER} renew --days=60
+}
+
+upload_certificates () {
+    for i in "${!domains[@]}"
+    do
+        upload_certificate "${domains[i]}"
+    done
+}
+
+upload_certificate () {
+    local domain=$1
+    local cert=${LEGOPATH}/certificates/${domain}.crt
+    local key=${LEGOPATH}/certificates/${domain}.key
+    local chain=${LEGOPATH}/certificates/${domain}.crt
+    platform domain:update --yes --cert=${cert} --key=${key} --chain=${chain} --project="${PLATFORMSH_PROJECT_ID}" "${domain}"
+}
+
+verify_preconditions && create_or_renew_domains && upload_certificates