starting changes to get automatic certificates working
vsoch committed Mar 29, 2016
1 parent cecae05 commit cd6fee1
Showing 7 changed files with 54 additions and 6 deletions.
4 changes: 3 additions & 1 deletion Dockerfile
@@ -4,7 +4,9 @@ RUN apt-get update && apt-get install -y \
libopenblas-dev \
gfortran \
libhdf5-dev \
libgeos-dev
libgeos-dev \
openssl \
wget

RUN pip install numpy \
cython
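Review bot: openssl and wget are added to the image here, but scripts/get_cert.sh in this same commit ends with `cd $HOME/expfactory-docker` and `docker-compose restart nginx`, which only works where docker-compose is installed, i.e. on the host, not inside this container. Either document that openssl, wget and python are host prerequisites for the cron job, or move the renewal into a container that has them; as it stands the packages added here are not what the script will use.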
14 changes: 11 additions & 3 deletions README.md
@@ -86,8 +86,6 @@ TURK = {
'debug': 1
}
DOMAIN_NAME = "https://expfactory.org" # MUST BE HTTPS FOR MECHANICAL TURK
AWS_ACCESS_KEY_ID="YOUR_ACCESS_KEY_ID_HERE"
AWS_SECRET_ACCESS_KEY_ID="YOUR_SECRET_ACCESS_KEY_HERE"

You should change the keys, the domain name and application URL, and set debug to 0. The Domain Name MUST be HTTPS.

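Review bot: with `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY_ID` dropped from the settings snippet, the trailing sentence "You should change the keys, the domain name and application URL" is now stale, since no keys remain in the snippet. Reword it to point at the per-deployment credential files under auth/ that the later paragraph describes (e.g. "You should change the domain name and application URL, set debug to 0, and put your AWS keys in a file under auth/"). Taking long-lived AWS secrets out of settings is the right direction; it would be worth also confirming in this commit that auth/*.cred (other than dummy.cred) is ignored by git.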
@@ -129,14 +127,24 @@ Log into the production server, and you can run [scripts/prepare_instance.sh](sc
Mechnical Turk relies on an AWS Secret Access Key and AWS Access Key. The interface can support multiple battery deployments, each of which might be associated with different credientials, and so this authentication information is not stored with the application, but in a (more) secure file on the server. Thus, use the template in "[auth](auth/dummy.cred)" to specify your credentials. Any files of this format that you add to this folder will be available for users to select from. You will also need to fill in the file called "bogus_secrets.py" and rename it to secrets.py for the variables `SECRET_KEY` and `app_url` and when you are ready for deployment, change the `debug` variable to 0.

### HTTPS
The docker container is set up to have a secure connection with https (port 443). There is no easy, programmatic way to set this up on a server, so you must walk through the steps at [https://gethttpsforfree.com/](https://gethttpsforfree.com/). Note that when you run the python server to verify owning the domain, you may need to stop the local nginx (which is also using port 80):
The docker container is set up to have a secure connection with https (port 443). You can set this up manually, or use a cron job to generate a new certificate (steps detailed below).

#### Manual Setup
To do it manually, you must walk through the steps at [https://gethttpsforfree.com/](https://gethttpsforfree.com/), and note that this would need to be done every three months. Note that when you run the python server to verify owning the domain, you may need to stop the local nginx (which is also using port 80):

sudo service nginx stop

I installed this in [scripts/prepare_instance.sh](scripts/prepare_instance.sh) because it's nice to have a local nginx (outside of the docker container) if you ever want to debug with `python manage.py runserver 0.0.0.0:8000` outside of the container.

Back to setting up HTTPS - it's basically an exercise in copy pasting, and you should follow the steps to a T to generate the certificates on the server. The docker image will take care of setting up the web server (the nginx.conf file).

#### Setup via cron job

Make the following directory:

/var/www/.well-known/acme-challenge/


### Encrypted database connection
If your provider (eg aws) provides you with a certificate, you can add it to `/etc/ssl/certs` on the server, and this path is already mapped in the docker-compose for the nginx container. You then need to specify to use SSL in the database connection in your `settings.py` or `local_settings.py`:

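Review bot: the new "Setup via cron job" section stops after "Make the following directory" and never says what to run; it should name scripts/get_cert.sh, say where it runs (host vs. container), give the crontab line (Let's Encrypt certificates last 90 days, so something like a monthly run), and note that the directory is also created by scripts/get_cert.sh via `mkdir -p`, so the manual step is redundant. The "Manual Setup" paragraph still tells the reader to stop nginx for the domain verification, but nginx.conf in this commit now serves /.well-known/acme-challenge/ on port 80, so the challenge can be answered without stopping anything; that sentence should be updated to match. Minor: "Mechnical" and "credientials" in the context line above are typos.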
1 change: 1 addition & 0 deletions docker-compose.yml
@@ -28,6 +28,7 @@ nginx:
- ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
- ./uwsgi_params.par:/etc/nginx/uwsgi_params.par:ro
- /etc/ssl/certs:/etc/ssl/certs:ro
- /var/www/.well-known/acme-challenge:/var/www/.well-known/acme-challenge:ro
- /etc/ssl/private:/etc/ssl/private:ro
volumes_from:
- uwsgi
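Review bot: mounting the challenge directory read-only into nginx is correct (nginx only needs to serve the token files), but the host path /var/www/.well-known/acme-challenge must exist before `docker-compose up`, otherwise Docker creates it owned by root and the renewal script may not be able to write into it. The `mkdir` added to run_uwsgi.sh in this commit runs inside the uwsgi container, not on the host, and nothing in this diff mounts the path into uwsgi, so it does not satisfy that requirement; create the directory in scripts/prepare_instance.sh or rely on the `mkdir -p` in scripts/get_cert.sh and say so in the README.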
2 changes: 0 additions & 2 deletions expdj/apps/experiments/templates/surveys/serve_battery.html
@@ -12,8 +12,6 @@
</head>
<body>

{% include "experiments/serve_battery_runjs.html" %}

<script>
$(document).ready(function(){
$("#start_experiment_button").click();
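Review bot: removing the `{% include "experiments/serve_battery_runjs.html" %}` from serve_battery.html has nothing to do with automatic certificates and is not mentioned in the commit message; it should be a separate commit with its own explanation. If the include is no longer needed, check whether the `#start_experiment_button` click handler below still has the JavaScript it depends on, and delete the now-unreferenced template file if there are no other users.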
4 changes: 4 additions & 0 deletions nginx.conf
@@ -2,6 +2,10 @@ server {
listen *:80;
server_name expfactory.org;

location /.well-known/acme-challenge/ {
alias /var/www/.well-known/acme-challenge/;
}

client_max_body_size 1024M;

add_header X-Clacks-Overhead "GNU Terry Pratchett";
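Review bot: the `location /.well-known/acme-challenge/` block is correctly placed in the port-80 server, which is where the HTTP-01 challenge must be answered. Because `alias` maps the whole directory, make sure no later `location /` or `return 301 https://...` in this server block takes precedence for that path (not visible in this hunk), and consider adding `default_type text/plain;` inside the block so the token files are served with a predictable content type.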
3 changes: 3 additions & 0 deletions run_uwsgi.sh
@@ -5,5 +5,8 @@ python manage.py makemigrations main
python manage.py migrate auth
python manage.py migrate
python manage.py collectstatic --noinput
mkdir /var/www/.well-known
mkdir /var/www/.well-known/acme-challenge
git clone https://github.com/expfactory/expfactory-explorer
git clone https://github.com/diafygi/acme-tiny.git /opt/acme-tiny
uwsgi uwsgi.ini
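Review bot: the two `mkdir` lines and the `git clone ... /opt/acme-tiny` are not idempotent, so every container restart after the first will print errors (directory exists, destination path already exists); use `mkdir -p` and `[ -d /opt/acme-tiny ] || git clone ...`. More importantly, this clones an unpinned third-party ACME client at container start, so whatever is at HEAD of that repository runs with access to the account key; pin it to a specific commit and install it at image build time in the Dockerfile instead of at runtime. Note also that scripts/get_cert.sh expects /opt/acme-tiny to exist where docker-compose runs (the host), whereas this line creates it inside the uwsgi container.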
32 changes: 32 additions & 0 deletions scripts/get_cert.sh
@@ -0,0 +1,32 @@
#! /bin/bash
# taken and slightly modified from https://www.metachris.com/2015/12/comparison-of-10-acme-lets-encrypt-clients/

# Create a directory for the keys and cert
DOMAIN=expfactory.org
cd /etc/ssl/certs

# backup old key and cert
cp domain.key{,.bak.$(date +%s)}
cp chained.pem{,.bak.$(date +%s)}

# Generate a private key
openssl genrsa 4096 > account.key

# Generate a domain private key (if you haven't already)
openssl genrsa 4096 > domain.key

# Create a CSR for $DOMAIN
openssl req -new -sha256 -key domain.key -subj "/CN=$DOMAIN" > domain.csr

# Create the challenge folder in the webroot
mkdir -p /var/www/.well-known/acme-challenge/

# Get a signed certificate with acme-tiny
python /opt/acme-tiny/acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/.well-known/acme-challenge/ > ./signed.crt

wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem

# Restart nginx container
cd $HOME/expfactory-docker
docker-compose restart nginx
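Review bot: there is no `set -e`, so if `acme_tiny.py` fails (for example because the challenge file was not served), `./signed.crt` is left empty, `cat signed.crt intermediate.pem > chained.pem` overwrites the working certificate with a broken one, and nginx is restarted into a failing TLS state; write the new chain to a temporary file and only `mv` it over chained.pem when acme-tiny exits 0 (`set -e` at the top plus `openssl x509 -in signed.crt -noout` as a sanity check would do). Two further points: `openssl genrsa 4096 > account.key` runs unconditionally, so a fresh ACME account key is created on every renewal (and the "if you haven't already" comment on domain.key does not match the code, which also regenerates it each run); guard both with `[ -f account.key ] || openssl genrsa ...`. And both private keys are written into /etc/ssl/certs, a conventionally world-readable directory that docker-compose.yml mounts into the nginx container; put domain.key and account.key in /etc/ssl/private (already mounted) and `chmod 600` them after generation. The `cp domain.key{,.bak.$(date +%s)}` lines will also error on the very first run when no previous files exist.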

0 comments on commit cd6fee1