Merge pull request #1 from reload/next-version

Next version

Author: arnested

Dockerfile

@@ -3,11 +3,12 @@ MAINTAINER Arne Jørgensen
 
 RUN set -x && \
     apt-get update && \
-    DEBIAN_FRONTEND=noninteractive apt-get install -y -q golang-go git php-cli php-curl ruby && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y -q golang-go git php-cli php-curl ruby python-pip && \
     GOPATH=/usr/local go get -u github.com/xenolf/lego && \
     curl -sS https://platform.sh/cli/installer | php && \
-    curl -sS -o /opt/yamledit.rb https://raw.githubusercontent.com/dbrandenburg/yamledit/master/yamledit.rb && \
-    DEBIAN_FRONTEND=noninteractive apt-get purge -y -q golang-go && \
+    curl -sS -o /opt/yamledit.rb https://raw.githubusercontent.com/dbrandenburg/yamledit/e277715d71ed5bac17e97267577dd612fcc7ee2c/yamledit.rb && \
+    pip install shyaml && \
+    DEBIAN_FRONTEND=noninteractive apt-get purge -y -q golang-go python-pip && \
     apt-get clean -y -q && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 

README.md

@@ -1,18 +1,19 @@
-# Let's Encrypt with DNS challenge on platform.sh
+# ACME (Let's Encrypt) with DNS challenge on platform.sh
 
 [Platform.sh](https://platform.sh) currently doesn't support using
-Let's Encrypt certificates (at least not with domain verification and
-automatic renewal).
+ACME/Let's Encrypt certificates (at least not with domain verification
+and automatic renewal).
 
-This image uses [lego](https://github.com/xenolf/lego) to obtain a
-certificate via Let's Encrypts DNS challenge and uploads the
-certificate to platform.sh using their commmand line client.
+This Docker image provides scripting for obtaining certificates via
+ACME/Let's Encrypt and uploading them to Platform.sh using their API.
 
-Experimental. YMMV.
+This Docker image is based on [lego](https://github.com/xenolf/lego)
+to obtain a certificate via ACME DNS challenge and uploads the
+certificate to platform.sh using their commmand line client.
 
 Necessary configuration via environment variables, .i.e.:
 
- * `EMAIL=me@example.com` (used for registering with Let's Encrypt)
+ * `ACME_EMAIL=me@example.com` (used for registering with Let's Encrypt)
  * `DOMAINS="example.com www.example.com"` (space separated list --
    must already be added to the project at Platform.sh)
  * `DNS_PROVIDER=dnsimple` (your DNS provider, see below for supported
@@ -39,8 +40,10 @@ You also need to provide environment variables required by the DNS provider chal
 
 Optional configuration via environment variables:
 
-```
-SERVER=https://acme-staging.api.letsencrypt.org/directory
+* `ACME_SERVER=https://acme-staging.api.letsencrypt.org/directory`
+(optional ACME server -- defaults to Let's Encrypts production server)
+* `ACME_DAYS=30` (the number of days left on a certificate to renew
+it. Defaults to 30)
 ```
 
 The container will store the certificates in `/data` so you should

etc/my_init.d/100-platformsh-setup-token

@@ -2,4 +2,8 @@
 
 TOKEN_FILE=$(mktemp -p /opt)
 echo "${PLATFORMSH_API_TOKEN}" > "${TOKEN_FILE}"
+
+# Empty platform cache so a new token will be used.
+rm -rf /root/.platformsh/cache
+
 /usr/bin/ruby /opt/yamledit.rb -f /root/.platformsh/config.yaml -n -k api,token_file -v "${TOKEN_FILE}" --force

usr/local/bin/lego-platform.sh

@@ -15,18 +15,19 @@ trap cleanup EXIT
 IFS=' ' read -r -a domains <<< "${DOMAINS}"
 LEGOPATH=/data
 export HOME=/root
-SERVER=${SERVER:-https://acme-v01.api.letsencrypt.org/directory}
+ACME_SERVER=${ACME_SERVER:-https://acme-v01.api.letsencrypt.org/directory}
+ACME_DAYS=${ACME_DAYS:-30}
 
 verify_preconditions () {
-    [ ! -z "${SERVER}" ] && [ ! -z "${EMAIL}" ] && [ ! -z "${DNS_PROVIDER}" ] && verify_domains_in_platformsh
+    [ ! -z "${ACME_SERVER}" ] && [ ! -z "${ACME_EMAIL}" ] && [ ! -z "${DNS_PROVIDER}" ] && verify_domains_in_platformsh
 }
 
 verify_domains_in_platformsh () {
     local status=0
 
     for i in "${!domains[@]}"
     do
-        platform domain:get --yes --project="${PLATFORMSH_PROJECT_ID}" "${domains[i]}"
+        platform domain:get --no --project="${PLATFORMSH_PROJECT_ID}" "${domains[i]}"
         local err=$?
         status=$((${err}|${status}))
     done
@@ -53,12 +54,12 @@ domain_exists () {
 
 create_domain () {
     local domain=$1
-    lego --domains=${domain} --server=${SERVER} --email=${EMAIL} --accept-tos --path=${LEGOPATH} --dns=${DNS_PROVIDER} run
+    lego --domains=${domain} --server=${ACME_SERVER} --email=${ACME_EMAIL} --accept-tos --path=${LEGOPATH} --dns=${DNS_PROVIDER} run
 }
 
 renew_domain () {
     local domain=$1
-    lego --domains=${domain} --server=${SERVER} --email=${EMAIL} --accept-tos --path=${LEGOPATH} --dns=${DNS_PROVIDER} renew --days=60
+    lego --domains=${domain} --server=${ACME_SERVER} --email=${ACME_EMAIL} --accept-tos --path=${LEGOPATH} --dns=${DNS_PROVIDER} renew --days=${ACME_DAYS}
 }
 
 upload_certificates () {
@@ -76,7 +77,19 @@ upload_certificate () {
     local cert=${TMPDIR}/cert-01
     local key=${LEGOPATH}/certificates/${domain}.key
     local chain=${TMPDIR}/cert-02
-    platform domain:update --yes --cert=${cert} --key=${key} --chain=${chain} --project="${PLATFORMSH_PROJECT_ID}" "${domain}"
+    local current=${TMPDIR}/current
+
+    # Compare certificate to current certificate at platform.sh. Only upload if they are different.
+
+    # We allow the following commands to fail because there might not be a current certificate.
+    set -x
+    platform domain:get --no --project="${PLATFORMSH_PROJECT_ID}" --property=ssl "${domain}" |  shyaml get-value certificate > "${current}"
+
+    if [ "$(openssl x509 -in "${cert}"  -noout -fingerprint)" != "$(openssl x509 -in "${current}"  -noout -fingerprint)" ]; then
+       platform domain:update --no --cert=${cert} --key=${key} --chain=${chain} --project="${PLATFORMSH_PROJECT_ID}" "${domain}"
+    fi
+
+    set +x
 }
 
 verify_preconditions && create_or_renew_domains && upload_certificates