From e04e25e8255e5007c43cb8313bc8058bc8e5d95b Mon Sep 17 00:00:00 2001 From: cyril Date: Thu, 21 Jul 2016 15:11:08 +0200 Subject: [PATCH] adding documentation to configure letsencrpyt SSL with docker --- docker/README.md | 70 ++++++++++++++++++++++++++++-- docker/docker-compose.yml | 1 + docker/nginx_with_ssl.conf.example | 31 ++++++++++--- docker/webroot.ini.example | 10 +++++ 4 files changed, 104 insertions(+), 8 deletions(-) create mode 100644 docker/webroot.ini.example diff --git a/docker/README.md b/docker/README.md index f95543420..a0ec59721 100644 --- a/docker/README.md +++ b/docker/README.md 
@@ -85,13 +85,62 @@ exit mkdir -p /home/core/fabmanager/config ``` -Copy the previously customized `env` file as `/home/core/fabmanager/config/env`. +Copy the previously customized `env.example` file as `/home/core/fabmanager/config/env` ```bash mkdir -p /home/core/fabmanager/config/nginx ``` -Copy the previously customized `nginx.conf` as `/home/core/fabmanager/config/nginx/fabmanager.conf`. +Copy the previously customized `nginx_with_ssl.conf.example` as `/home/core/fabmanager/config/nginx/fabmanager.conf` +OR +Copy the previously customized `nginx.conf.example` as `/home/core/fabmanager/config/nginx/fabmanager.conf` if you do not want ssl support (not recommended !). + + +### If you want to add an SSL certificate with Letsencrypt (free) +Let's Encrypt is a new Certificate Authority that is free, automated, and open. +Let’s Encrypt certificates expire after 90 days, so automation of renewing your certificates is important. +Here is the setup for a systemd timer and service to renew the certificates and reboot the app Docker container + +```bash +mkdir -p /home/core/fabmanager/config/nginx/ssl +``` +Run `openssl dhparam -out dhparam.pem 4096` in the folder /home/core/fabmanager/config/nginx/ssl (generate dhparam.pem file) +```bash +mkdir -p /home/core/fabmanager/letsencrypt/config/ +``` +Copy the previously customized `webroot.ini.example` as `/home/core/fabmanager/letsencrypt/config/webroot.ini` +```bash +mkdir -p /home/core/fabmanager/letsencrypt/etc/webrootauth +``` + +Run `docker pull quay.io/letsencrypt/letsencrypt:latest` + +Create file (with sudo) /etc/systemd/system/letsencrypt.service with + +```bash +[Unit] +Description=letsencrypt cert update oneshot +Requires=docker.service + +[Service] +Type=oneshot +ExecStart=/usr/bin/docker run --rm --name letsencrypt -v "/home/core/fabmanager/log:/var/log/letsencrypt" -v "/home/core/fabmanager/letsencrypt/etc:/etc/letsencrypt" -v "/home/core/fabmanager/letsencrypt/config:/letsencrypt-config" 
quay.io/letsencrypt/letsencrypt:latest -c "/letsencrypt-config/webroot.ini" certonly +ExecStartPost=-/usr/bin/docker restart fabmanager +``` + +Create file (with sudo) /etc/systemd/system/letsencrypt.timer with +```bash +[Unit] +Description=letsencrypt oneshot timer +Requires=docker.service + +[Timer] +OnCalendar=*-*-1 06:00:00 +Persistent=true +Unit=letsencrypt.service +``` + +Then deploy your app and read the "Generate SSL certificate by Letsencrypt" section to complete the installation of the letsencrypt certificate. ### Deploy dockers containers on host @@ -196,10 +245,25 @@ docker run --restart=always -d --name=fabmanager \ -v /home/core/fabmanager/public/uploads:/usr/src/app/public/uploads \ -v /home/core/fabmanager/invoices:/usr/src/app/invoices \ -v /home/core/fabmanager/log:/var/log/supervisor \ + -v /home/core/fabmanager/letsencrypt/etc:/etc/letsencrypt \ sleede/fab-manager ``` +### Generate SSL certificate by Letsencrypt (app must be run before start letsencrypt) +Start letsencrypt service : +```bash +sudo systemctl start letsencrypt.service +``` +If the certificate was successfully generated then update the nginx configuration file and activate the ssl port and certificate. +Edit `/home/core/fabmanager/config/nginx/fabmanager.conf` +Remove your app and Run your app to apply changes + +Finally, if everything is ok, start letsencrypt timer to update the certificate every 1st of the month : +```bash +sudo systemctl start letsencrypt.timer +``` + ### Dockers utils @@ -218,7 +282,7 @@ docker run --restart=always -d --name=fabmanager \ -### Docker Compose +### If you want deploy with Docker Compose #### download docker compose https://github.com/docker/compose/releases diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 14c86b5ed..002acf26d 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml 
@@ -16,6 +16,7 @@ services: - /home/core/fabmanager/public/uploads:/usr/src/app/public/uploads - /home/core/fabmanager/invoices:/usr/src/app/invoices - /home/core/fabmanager/log:/var/log/supervisor + - /home/core/fabmanager/letsencrypt/etc:/etc/letsencrypt depends_on: - fabmanager-postgres - fabmanager-redis diff --git a/docker/nginx_with_ssl.conf.example b/docker/nginx_with_ssl.conf.example index 105f0fcd1..407c0ac4a 100644 --- a/docker/nginx_with_ssl.conf.example +++ b/docker/nginx_with_ssl.conf.example @@ -7,12 +7,26 @@ server { server_name MAIN_DOMAIN; root /usr/src/app/public; ssl on; - ssl_certificate /etc/nginx/conf.d/ssl/MAIN_DOMAIN.crt; - ssl_certificate_key /etc/nginx/conf.d/ssl/MAIN_DOMAIN.deprotected.key; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ## with your ssl certificate + #ssl_certificate /etc/nginx/conf.d/ssl/MAIN_DOMAIN.crt; + #ssl_certificate_key /etc/nginx/conf.d/ssl/MAIN_DOMAIN.deprotected.key; + ## + ## with letsencrypt certificate (free) + ssl_certificate_key /etc/letsencrypt/live/MAIN_DOMAIN/privkey.pem; + ssl_certificate /etc/letsencrypt/live/MAIN_DOMAIN/fullchain.pem; + ssl_trusted_certificate /etc/letsencrypt/live/MAIN_DOMAIN/chain.pem; + ## + ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; + ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED'; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + ssl_session_timeout 1d; + ssl_dhparam /etc/nginx/conf.d/ssl/dhparam.pem; + add_header Strict-Transport-Security max-age=15768000; + ssl_stapling on; + ssl_stapling_verify on; + location ^~ /assets/ { gzip_static on; 
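Review bot: The new volume line `- /home/core/fabmanager/letsencrypt/etc:/etc/letsencrypt` mounts the directory that will hold `live/MAIN_DOMAIN/privkey.pem` and the ACME account data into the application container read-write, although nginx in that container only reads the certificate files and serves the challenge directory. A compromise of the app container could then overwrite or swap the private key; mounting it read-only, `- /home/core/fabmanager/letsencrypt/etc:/etc/letsencrypt:ro`, costs nothing because the separate letsencrypt container (see the README's `ExecStart` line) is the one that writes there. The `volumes` list belongs to a service whose definition starts above this hunk, and the matching `docker run -v` line added to the README should get the same `:ro` suffix.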
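Review bot: `ssl_stapling on;` and `ssl_stapling_verify on;` only take effect if nginx also has a `resolver` directive with which to look up the OCSP responder named in the certificate; none is set in this hunk, and unless the enclosing `http` context (outside the hunk) provides one, nginx skips stapling and merely logs a warning, so add `resolver <dns-ip> valid=300s;` next to the stapling lines with a DNS server the container can reach. The `add_header Strict-Transport-Security max-age=15768000;` line is also lost for `/assets/` responses: nginx does not inherit `add_header` into a location that sets its own, and the `location ^~ /assets/` block appears to do so (`add_header Cache-Control public;` is the leading context of the next hunk), so the HSTS line should be repeated inside that location. Finally, `ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` together with `DES-CBC3-SHA` in `ssl_ciphers` keeps TLS 1.0/1.1 and the 64-bit-block 3DES suite negotiable; unless a legacy client must be supported, `ssl_protocols TLSv1.2;` and dropping `DES-CBC3-SHA` is the safer example to ship.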
@@ -20,6 +34,13 @@ server { add_header Cache-Control public; } + ## required by letsencrypt to generate the certificat + location /.well-known/acme-challenge { + root /etc/letsencrypt/webrootauth; + default_type "text/plain"; + } + ## + try_files $uri/index.html $uri @puma; location @puma { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/docker/webroot.ini.example b/docker/webroot.ini.example new file mode 100644 index 000000000..890917738 --- /dev/null +++ b/docker/webroot.ini.example @@ -0,0 +1,10 @@ +rsa-key-size = 4096 +server = https://acme-v01.api.letsencrypt.org/directory +email = REPLACE_WITH_YOUR@EMAIL.COM +text = True +agree-tos = True +agree-dev-preview = True +renew-by-default = True +authenticator = webroot +domains = MAIN_DOMAIN, ANOTHER_DOMAIN_1, ANOTHER_DOMAIN_2 +webroot-path = /etc/letsencrypt/webrootauth \ No newline at end of file
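Review bot: The new `location /.well-known/acme-challenge` block lives only in the TLS server block, yet ACME HTTP-01 validation always begins with a plain-HTTP request on port 80; the port-80 server (not visible in this hunk) must either carry the same location or redirect `/.well-known/acme-challenge/` unchanged to HTTPS, otherwise the monthly renewal run cannot be validated. Note also that until `live/MAIN_DOMAIN/fullchain.pem` exists this whole server block fails to load, which the README's bootstrap order is presumably meant to cover — worth stating in the comment. A stricter match, `location ^~ /.well-known/acme-challenge/ {`, keeps any regex location added later from capturing the challenge path and stops the prefix from also matching unrelated paths. The comment has a typo: `## required by letsencrypt to generate the certificate`.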
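Review bot: `domains = MAIN_DOMAIN, ANOTHER_DOMAIN_1, ANOTHER_DOMAIN_2` ships two extra placeholder names and the README in this patch never tells the operator to delete them; the client validates every listed name, so a leftover placeholder fails the whole order and no certificate is written. Order matters too: the client names the lineage directory after the first domain and `nginx_with_ssl.conf.example` reads `/etc/letsencrypt/live/MAIN_DOMAIN/`, so a header comment such as `# keep MAIN_DOMAIN first: nginx loads the certificate from /etc/letsencrypt/live/MAIN_DOMAIN/` would prevent a confusing outage. `renew-by-default = True` combined with the monthly timer forces a fresh issuance on every run rather than renewing near expiry; that stays within Let's Encrypt's rate limits but deserves a one-line comment. `server = https://acme-v01.api.letsencrypt.org/directory` pins the ACME v1 API and `agree-dev-preview = True` is a closed-beta leftover; since the image is pulled as `:latest`, confirm both are still accepted by the client version actually in use (v1 has since been retired in favour of `acme-v02`).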