Merge pull request #647 from hiqdev/feature/single_domain_cert

Implemented LETSENCRYPT_SINGLE_DOMAIN_CERTS environment variable

Author: buchdag

app/letsencrypt_service_data.tmpl

@@ -1,17 +1,44 @@
-LETSENCRYPT_CONTAINERS=({{ range $hosts, $containers := groupBy $ "Env.LETSENCRYPT_HOST" }}{{ if trim $hosts }}{{ range $container := $containers }} '{{ printf "%.12s" $container.ID }}' {{ end }}{{ end }}{{ end }})
+LETSENCRYPT_CONTAINERS=(
+    {{ range $hosts, $containers := groupBy $ "Env.LETSENCRYPT_HOST" }}
+        {{ if trim $hosts }}
+            {{ range $container := $containers }}
+                {{ if parseBool (coalesce $container.Env.LETSENCRYPT_SINGLE_DOMAIN_CERTS "false") }}
+                    {{ range $host := split $hosts "," }}
+                        {{ $host := trim $host }}
+                        '{{ printf "%.12s" $container.ID }}_{{ sha1 $host }}'
+                    {{ end }}
+                {{ else }}
+                    '{{ printf "%.12s" $container.ID }}'
+                {{ end }}
+            {{ end }}
+        {{ end }}
+    {{ end }}
+)
 
 {{ range $hosts, $containers := groupBy $ "Env.LETSENCRYPT_HOST" }}
-
-{{ $hosts := trimSuffix "," $hosts }}
-
-{{ range $container := $containers }}{{ $cid := printf "%.12s" $container.ID }}
-LETSENCRYPT_{{ $cid }}_HOST=( {{ range $host := split $hosts "," }}{{ $host := trim $host }}'{{ $host }}' {{ end }})
-LETSENCRYPT_{{ $cid }}_EMAIL="{{ $container.Env.LETSENCRYPT_EMAIL }}"
-LETSENCRYPT_{{ $cid }}_KEYSIZE="{{ $container.Env.LETSENCRYPT_KEYSIZE }}"
-LETSENCRYPT_{{ $cid }}_TEST="{{ $container.Env.LETSENCRYPT_TEST }}"
-LETSENCRYPT_{{ $cid }}_ACCOUNT_ALIAS="{{ $container.Env.LETSENCRYPT_ACCOUNT_ALIAS }}"
-LETSENCRYPT_{{ $cid }}_RESTART_CONTAINER="{{ $container.Env.LETSENCRYPT_RESTART_CONTAINER }}"
-LETSENCRYPT_{{ $cid }}_MIN_VALIDITY="{{ $container.Env.LETSENCRYPT_MIN_VALIDITY }}"
-{{ end }}
-
+    {{ $hosts := trimSuffix "," $hosts }}
+    {{ range $container := $containers }}
+        {{ $cid := printf "%.12s" $container.ID }}
+        {{ if parseBool (coalesce $container.Env.LETSENCRYPT_SINGLE_DOMAIN_CERTS "false") }}
+            {{ range $host := split $hosts "," }}
+                {{ $host := trim $host }}
+                {{ $hostHash := sha1 $host }}
+                LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_HOST=('{{ $host }}')
+                LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_EMAIL="{{ $container.Env.LETSENCRYPT_EMAIL }}"
+                LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_KEYSIZE="{{ $container.Env.LETSENCRYPT_KEYSIZE }}"
+                LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_TEST="{{ $container.Env.LETSENCRYPT_TEST }}"
+                LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_ACCOUNT_ALIAS="{{ $container.Env.LETSENCRYPT_ACCOUNT_ALIAS }}"
+                LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_RESTART_CONTAINER="{{ $container.Env.LETSENCRYPT_RESTART_CONTAINER }}"
+                LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_MIN_VALIDITY="{{ $container.Env.LETSENCRYPT_MIN_VALIDITY }}"
+            {{ end }}
+        {{ else }}
+            LETSENCRYPT_{{ $cid }}_HOST=( {{ range $host := split $hosts "," }}{{ $host := trim $host }}'{{ $host }}' {{ end }})
+            LETSENCRYPT_{{ $cid }}_EMAIL="{{ $container.Env.LETSENCRYPT_EMAIL }}"
+            LETSENCRYPT_{{ $cid }}_KEYSIZE="{{ $container.Env.LETSENCRYPT_KEYSIZE }}"
+            LETSENCRYPT_{{ $cid }}_TEST="{{ $container.Env.LETSENCRYPT_TEST }}"
+            LETSENCRYPT_{{ $cid }}_ACCOUNT_ALIAS="{{ $container.Env.LETSENCRYPT_ACCOUNT_ALIAS }}"
+            LETSENCRYPT_{{ $cid }}_RESTART_CONTAINER="{{ $container.Env.LETSENCRYPT_RESTART_CONTAINER }}"
+            LETSENCRYPT_{{ $cid }}_MIN_VALIDITY="{{ $container.Env.LETSENCRYPT_MIN_VALIDITY }}"
+        {{ end }}
+    {{ end }}
 {{ end }}

docs/Let's-Encrypt-and-ACME.md

@@ -26,6 +26,21 @@ $ docker run --detach \
 
 Let's Encrypt has a limit of [100 domains per certificate](https://letsencrypt.org/fr/docs/rate-limits/), while Buypass limit is [15 domains per certificate](https://www.buypass.com/ssl/products/go-ssl-campaign).
 
+#### Separate certificate for each domain
+
+The example above will issue a single [SAN](https://www.digicert.com/subject-alternative-name.htm) certificate for all the listed in `LETSENCRYPT_HOST` domains. If you need to have a separate certificate for each of the domains, you can add the `LETSENCRYPT_SINGLE_DOMAIN_CERTS=true` environment variable.
+
+Example:
+
+```shell
+$ docker run --detach \
+    --name your-proxyed-app \
+    --env "VIRTUAL_HOST=yourdomain.tld,www.yourdomain.tld,anotherdomain.tld" \
+    --env "LETSENCRYPT_HOST=yourdomain.tld,www.yourdomain.tld,anotherdomain.tld" \
+    --env "LETSENCRYPT_SINGLE_DOMAIN_CERTS=true" \
+    nginx
+```
+
 #### Automatic certificate renewal
 Every hour (3600 seconds) the certificates are checked and per default every certificate that will expire in the next [30 days](https://github.com/zenhack/simp_le/blob/a8a8013c097910f8f3cce046f1077b41b745673b/simp_le.py#L73) (90 days / 3) is renewed.
 

test/config.sh

@@ -12,6 +12,7 @@ imageTests+=(
 	default_cert
 	certs_single
 	certs_san
+	certs_single_domain
 	force_renew
 	certs_validity
 	container_restart

test/tests/certs_single_domain/expected-std-out.txt

@@ -0,0 +1,67 @@
+Started letsencrypt container for test certs_single_domain
+Started test web server for le1.wtf,le2.wtf,le3.wtf
+Symlink to le1.wtf certificate has been generated.
+The link is pointing to the file ./le1.wtf/fullchain.pem
+le1.wtf is on certificate.
+le2.wtf did not appear on certificate for le1.wtf.
+le3.wtf did not appear on certificate for le1.wtf.
+Connection to le1.wtf using https was successful.
+The correct certificate for le1.wtf was served by Nginx.
+Symlink to le2.wtf certificate has been generated.
+The link is pointing to the file ./le2.wtf/fullchain.pem
+le2.wtf is on certificate.
+le1.wtf did not appear on certificate for le2.wtf.
+le3.wtf did not appear on certificate for le2.wtf.
+Connection to le2.wtf using https was successful.
+The correct certificate for le2.wtf was served by Nginx.
+Symlink to le3.wtf certificate has been generated.
+The link is pointing to the file ./le3.wtf/fullchain.pem
+le3.wtf is on certificate.
+le1.wtf did not appear on certificate for le3.wtf.
+le2.wtf did not appear on certificate for le3.wtf.
+Connection to le3.wtf using https was successful.
+The correct certificate for le3.wtf was served by Nginx.
+Started test web server for le2.wtf, le3.wtf, le1.wtf
+Symlink to le1.wtf certificate has been generated.
+The link is pointing to the file ./le1.wtf/fullchain.pem
+le1.wtf is on certificate.
+le2.wtf did not appear on certificate for le1.wtf.
+le3.wtf did not appear on certificate for le1.wtf.
+Connection to le1.wtf using https was successful.
+The correct certificate for le1.wtf was served by Nginx.
+Symlink to le2.wtf certificate has been generated.
+The link is pointing to the file ./le2.wtf/fullchain.pem
+le2.wtf is on certificate.
+le1.wtf did not appear on certificate for le2.wtf.
+le3.wtf did not appear on certificate for le2.wtf.
+Connection to le2.wtf using https was successful.
+The correct certificate for le2.wtf was served by Nginx.
+Symlink to le3.wtf certificate has been generated.
+The link is pointing to the file ./le3.wtf/fullchain.pem
+le3.wtf is on certificate.
+le1.wtf did not appear on certificate for le3.wtf.
+le2.wtf did not appear on certificate for le3.wtf.
+Connection to le3.wtf using https was successful.
+The correct certificate for le3.wtf was served by Nginx.
+Started test web server for le3.wtf, le1.wtf, le2.wtf,
+Symlink to le1.wtf certificate has been generated.
+The link is pointing to the file ./le1.wtf/fullchain.pem
+le1.wtf is on certificate.
+le2.wtf did not appear on certificate for le1.wtf.
+le3.wtf did not appear on certificate for le1.wtf.
+Connection to le1.wtf using https was successful.
+The correct certificate for le1.wtf was served by Nginx.
+Symlink to le2.wtf certificate has been generated.
+The link is pointing to the file ./le2.wtf/fullchain.pem
+le2.wtf is on certificate.
+le1.wtf did not appear on certificate for le2.wtf.
+le3.wtf did not appear on certificate for le2.wtf.
+Connection to le2.wtf using https was successful.
+The correct certificate for le2.wtf was served by Nginx.
+Symlink to le3.wtf certificate has been generated.
+The link is pointing to the file ./le3.wtf/fullchain.pem
+le3.wtf is on certificate.
+le1.wtf did not appear on certificate for le3.wtf.
+le2.wtf did not appear on certificate for le3.wtf.
+Connection to le3.wtf using https was successful.
+The correct certificate for le3.wtf was served by Nginx.

test/tests/certs_single_domain/run.sh

@@ -0,0 +1,105 @@
+#!/bin/bash
+
+## Test for standalone certificates by NGINX container env variables
+
+if [[ -z $TRAVIS_CI ]]; then
+  le_container_name="$(basename ${0%/*})_$(date "+%Y-%m-%d_%H.%M.%S")"
+else
+  le_container_name="$(basename ${0%/*})"
+fi
+run_le_container ${1:?} "$le_container_name"
+
+# Create the $domains array from comma separated domains in TEST_DOMAINS.
+IFS=',' read -r -a domains <<< "$TEST_DOMAINS"
+
+# Cleanup function with EXIT trap
+function cleanup {
+  # Remove any remaining Nginx container(s) silently.
+  i=1
+  for hosts in "${letsencrypt_hosts[@]}"; do
+    docker rm --force "test$i" > /dev/null 2>&1
+    i=$(( $i + 1 ))
+  done
+  # Cleanup the files created by this run of the test to avoid foiling following test(s).
+  docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf*'
+  # Stop the LE container
+  docker stop "$le_container_name" > /dev/null
+}
+trap cleanup EXIT
+
+# Create three different comma separated list from the first three domains in $domains.
+# testing for regression on spaced lists https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/issues/288
+# and with trailing comma https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/issues/254
+letsencrypt_hosts=( \
+  [0]="${domains[0]},${domains[1]},${domains[2]}" \     #straight comma separated list
+  [1]="${domains[1]}, ${domains[2]}, ${domains[0]}" \   #comma separated list with spaces
+  [2]="${domains[2]}, ${domains[0]}, ${domains[1]}," )  #comma separated list with spaces and a trailing comma
+
+i=1
+
+for hosts in "${letsencrypt_hosts[@]}"; do
+
+  # Get the base domain (first domain of the list).
+  base_domain="$(get_base_domain "$hosts")"
+  container="test$i"
+
+  # Run an Nginx container passing one of the comma separated list as LETSENCRYPT_HOST env var.
+  docker run --rm -d \
+    --name "$container" \
+    -e "VIRTUAL_HOST=${TEST_DOMAINS}" \
+    -e "LETSENCRYPT_HOST=${hosts}" \
+    -e "LETSENCRYPT_SINGLE_DOMAIN_CERTS=true" \
+    --network boulder_bluenet \
+    nginx:alpine > /dev/null && echo "Started test web server for $hosts"
+
+  for domain in "${domains[@]}"; do
+      ## For all the domains in the $domains array ...
+      wait_for_symlink "${domain}" "$le_container_name"
+      created_cert="$(docker exec "$le_container_name" \
+        openssl x509 -in /etc/nginx/certs/${domain}/cert.pem -text -noout)"
+      # ... as well as the certificate fingerprint.
+      created_cert_fingerprint="$(docker exec "$le_container_name" \
+        sh -c "openssl x509 -in "/etc/nginx/certs/${domain}/cert.pem" -fingerprint -noout")"
+
+    # Check if the domain is on the certificate.
+    if grep -q "$domain" <<< "$created_cert"; then
+      echo "$domain is on certificate."
+      for otherdomain in "${domains[@]}"; do
+        if [ "$domain" != "$otherdomain" ]; then
+          if grep -q "$otherdomain" <<< "$created_cert"; then
+            echo "$otherdomain is on certificate for $domain, but it must not!"
+          else
+            echo "$otherdomain did not appear on certificate for $domain."
+          fi
+        fi
+      done
+    else
+      echo "$domain did not appear on certificate."
+    fi
+
+    # Wait for a connection to https://domain then grab the served certificate in text form.
+    wait_for_conn --domain "$domain"
+    served_cert_fingerprint="$(echo \
+      | openssl s_client -showcerts -servername $domain -connect $domain:443 2>/dev/null \
+      | openssl x509 -fingerprint -noout)"
+
+
+    # Compare the cert on file and what we got from the https connection.
+    # If not identical, display a full diff.
+    if [ "$created_cert_fingerprint" != "$served_cert_fingerprint" ]; then
+      echo "Nginx served an incorrect certificate for $domain."
+      served_cert="$(echo \
+        | openssl s_client -showcerts -servername "$domain" -connect "$domain:443" 2>/dev/null \
+        | openssl x509 -text -noout \
+        | sed 's/ = /=/g' )"
+      diff -u <(echo "$created_cert" | sed 's/ = /=/g') <(echo "$served_cert")
+    else
+      echo "The correct certificate for $domain was served by Nginx."
+    fi
+  done
+
+  docker stop "$container" > /dev/null 2>&1
+  docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf*'
+  i=$(( $i + 1 ))
+
+done