From 752687a6a6fb82e9613ccd761100126dfa4b4d31 Mon Sep 17 00:00:00 2001
From: David Parrish
Date: Wed, 18 Nov 2015 15:42:21 -0500
Subject: [PATCH] Add letsencrypt service and configuration to access .well-known directory

---
 Dockerfile | 11 ++++++++---
 Procfile | 1 +
 letsencrypt_service | 31 +++++++++++++++++++++++++++++++
 nginx.tmpl | 20 ++++++++++++++++++++
 4 files changed, 60 insertions(+), 3 deletions(-)
 create mode 100755 letsencrypt_service

diff --git a/Dockerfile b/Dockerfile
index 7d4aaebdd..29e4cec8d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,10 +10,14 @@ RUN apt-get update \
 && apt-get clean \
 && rm -r /var/lib/apt/lists/*
 
-# Get Let's Encrypt client
+# Get Let's Encrypt client source
 RUN git -C /opt clone https://github.com/letsencrypt/letsencrypt
-#RUN cd /opt/letsencrypt && ./letsencrypt-auto
-COPY letsencrypt.ini /etc/letsencrypt/cli.ini
+# Install letsencrypt
+RUN cd /opt/letsencrypt && ./letsencrypt-auto --help
+
+# Testing directory
+RUN mkdir -p /usr/share/nginx/html/.well-known \
+ && touch /usr/share/nginx/html/.well-known/testing
 
 # Configure Nginx and apply fix for very long server names
 RUN echo "daemon off;" >> /etc/nginx/nginx.conf \
@@ -35,6 +39,7 @@ WORKDIR /app/
 ENV DOCKER_HOST unix:///tmp/docker.sock
 
 VOLUME ["/etc/nginx/certs"]
+VOLUME ["/etc/letsencrypt"]
 
 ENTRYPOINT ["/app/docker-entrypoint.sh"]
 CMD ["forego", "start", "-r"]
diff --git a/Procfile b/Procfile
index 854715661..24198b0be 100644
--- a/Procfile
+++ b/Procfile
@@ -1,2 +1,3 @@
 nginx: nginx
 dockergen: docker-gen -watch -only-exposed -notify "nginx -s reload" /app/nginx.tmpl /etc/nginx/conf.d/default.conf
+letsencrypt: /app/letsencrypt_service
diff --git a/letsencrypt_service b/letsencrypt_service
new file mode 100755
index 000000000..5ea66a75e
--- /dev/null
+++ b/letsencrypt_service
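Review bot: `RUN git -C /opt clone https://github.com/letsencrypt/letsencrypt` followed by the new `RUN cd /opt/letsencrypt && ./letsencrypt-auto --help` executes whatever the upstream default branch holds at build time, so the image is neither reproducible nor pinned to a reviewed revision; clone a specific tag or commit (`git -C /opt clone --branch <release-tag> https://github.com/letsencrypt/letsencrypt`) and state in the comment that `--help` is run only to trigger the client's bootstrap, which the bare `# Install letsencrypt` line does not explain. The `# Testing directory` step bakes a `testing` file into `/usr/share/nginx/html/.well-known/`, the shared webroot that the nginx.tmpl change serves for every vhost; if it is only a smoke-test artifact it should not ship in the image. The removed `COPY letsencrypt.ini /etc/letsencrypt/cli.ini` is not replaced by anything, so whatever defaults that file carried are no longer handed to the client — worth confirming that letsencrypt_service supplies them on the command line.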
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+echo 'Waiting'
+sleep 10
+
+# Wait some amount of time
+seconds_to_wait=100;
+while true; do
+ # for each configuration file,
+ for f in "/etc/letsencrypt/*.ini"; do
+ [[ -f "$f" ]] || continue
+ echo "letsencrypt ${f%.ini}"
+ domain="${f%.ini}"
+ # Wait until the threshold is reached for renewing certificate
+ # cat /etc/nginx/certs/ftl3.local.crt | openssl x509 -noout -dates
+
+ # Or if the certificate doesn't exist
+
+ /opt/letsencrypt/letsencrypt-auto certonly --authenticator webroot \
+ --webroot-path /usr/share/nginx/html -d $domain
+ done
+ date
+ sleep $seconds_to_wait
+done
+
+# Date difference in days
+datediff() {
+ d1=$(date -d "$1" +%s)
+ d2=$(date -d "$2" +%s)
+ echo $(( (d1 - d2) / 86400 ))
+}
diff --git a/nginx.tmpl b/nginx.tmpl
index 255cc35a4..a08ed3681 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -143,7 +143,17 @@ server {
 include /etc/nginx/vhost.d/default;
 {{ end }}
+ location /.well-known/ {
+ root /usr/share/nginx/html;
+ try_files $uri @proxy_pass;
+ }
+
+ # Redirect hack. See: http://stackoverflow.com/a/20694873/350221
 location / {
+ error_page 418 = @proxy_pass;
 return 418;
+ }
+
+ location @proxy_pass {
 proxy_pass {{ trim $proto }}://{{ trim $host }};
 {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
 auth_basic "Restricted {{ $host }}";
@@ -169,7 +179,17 @@ server {
 include /etc/nginx/vhost.d/default;
 {{ end }}
+ location /.well-known/ {
+ root /usr/share/nginx/html;
+ try_files $uri @proxy_pass;
+ }
+
+ # Redirect hack. See: http://stackoverflow.com/a/20694873/350221
 location / {
+ error_page 418 = @proxy_pass;
 return 418;
+ }
+
+ location @proxy_pass {
 proxy_pass {{ trim $proto }}://{{ trim $host }};
 {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
 auth_basic "Restricted {{ $host }}";
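Review bot: `for f in "/etc/letsencrypt/*.ini"` quotes the glob, so `f` is the literal string `/etc/letsencrypt/*.ini`, `[[ -f "$f" ]]` is always false and the loop body never runs — as written the service sleeps forever without ever invoking letsencrypt-auto. Even once the glob expands, `domain="${f%.ini}"` keeps the directory prefix, so `-d $domain` would pass `/etc/letsencrypt/example.com` rather than a hostname, and `$domain` and `$seconds_to_wait` should be quoted. Separately, the loop calls `certonly` for every domain every `seconds_to_wait` seconds with no expiry check — the threshold logic is a commented-out stub, and `datediff` is defined after the infinite `while true` loop so it is unreachable — which will run the CA's issuance rate limits down for no benefit; gate the call on the existing certificate being absent or near expiry before merging. The script also lacks `set -euo pipefail`, so a failing letsencrypt-auto is silently retried on the next pass with no log beyond `date`. Rewritten loop, assuming `shopt -s nullglob` is set at the top so an empty directory yields no iterations:
```shell
shopt -s nullglob
# … unchanged: initial 'Waiting' sleep and seconds_to_wait …
while true; do
  for f in /etc/letsencrypt/*.ini; do
    domain=${f##*/}          # drop the directory
    domain=${domain%.ini}    # drop the extension -> hostname
    echo "letsencrypt ${domain}"
    # TODO: skip the call while the current certificate is not yet due for renewal
    /opt/letsencrypt/letsencrypt-auto certonly --authenticator webroot \
      --webroot-path /usr/share/nginx/html -d "$domain"
  done
  date
  sleep "$seconds_to_wait"
done
# … unchanged: datediff (define it above the loop if it is to be used) …
```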
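Review bot: The new `location /.well-known/` serves `/usr/share/nginx/html` ahead of the `{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} auth_basic` block, which the commit moves into `@proxy_pass`, so anything under that directory is reachable without the vhost's basic auth and under every hostname, because the same root is shared by all generated server blocks; that is what the ACME http-01 flow needs, but it only holds if the directory contains nothing but challenge files (the `testing` file the Dockerfile creates included), and the block should say so, e.g. `# served without auth_basic on purpose: ACME http-01 challenges; keep this root free of anything else`. The `try_files $uri @proxy_pass` fallback means a `/.well-known/` path with no local file still reaches the upstream, which is reasonable but deserves a word in the same comment. The same ten lines are added verbatim in the second hunk at `@@ -169,7 +179,17`; factoring the two `location` blocks into one snippet pulled in from both server blocks, as the template already does with `include /etc/nginx/vhost.d/default;`, would keep them from drifting apart. The enclosing `server {` blocks begin outside both hunks.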