Required Domains extracted at startup

The required domains are now extracted at startup of the container via the docker socket. A certificate that contains all domains as common or alternative name is generated and used.
2016-04-08 06:46:00 +02:00
parent 63994b2103
commit 973abaeb23
2 changed files with 40 additions and 16 deletions
--- a/start.py
+++ b/start.py
@@ -1,11 +1,15 @@
 #!/usr/bin/python3.4

 import os
+import sys
 import signal
 import logging
 import time
 import hashlib

+import list_domains
+from docker import Client
+
 cert_path='/data/haproxy'
 cert_file='/data/haproxy/cert.pem'
 pid_file='/haproxy.pid'
@@ -45,10 +49,12 @@ def kill_haproxy():
 def start_haproxy_ssl():
    logging.info('starting haproxy SSL')
    os.system('/usr/sbin/haproxy -f /haproxy_ssl.conf -p /haproxy.pid')
+    return is_haproxy_running()

 def start_haproxy():
    logging.info('starting haproxy NON SSL')
    os.system('/usr/sbin/haproxy -f /haproxy.conf -p /haproxy.pid')
+    return False

 def is_haproxy_running():
    try:
@@ -68,25 +74,43 @@ def ssl_possible():
    else:
        return True

+def create_haproxy_cert():
+    """Combines the freshly created fullchain.pem and privkey.pem into /data/haproxy/cert.pem"""
+    os.system('DIR=`ls -td /data/config/live/*/ | head -1`; cat ${DIR}/fullchain.pem ${DIR}/privkey.pem > /data/haproxy/cert.pem')
+
+def create_cert_data_standalone(domains):
+    domains = " -d ".join(domains)
+    os.system('/letsencrypt/letsencrypt-auto --config letencrypt.conf certonly -d ' + domains)
+
 if __name__ == '__main__':
    setup_logging()

    logging.info('starting')

-    cert_file_hash = ''
+    cert_file_hash = hash_cert_file()

-    if ssl_possible():
-        logging.info('try in SSL mode')
-        start_haproxy_ssl()
-        cert_file_hash = hash_cert_file()
-        if is_haproxy_running():
-            SSL_RUNNING=True
-        else:
-            logging.info('SSL mode failed')
-    if not is_haproxy_running() or not ssl_possible():
+    # try to start in SSL mode, no problem if that fails
+    logging.info('try in SSL mode')
+    SSL_RUNNING = start_haproxy_ssl()
+    if not SSL_RUNNING:
+        logging.info('SSL mode failed')
+
+    if not is_haproxy_running():
+        # tried to start haproxy and this failed, so we need to create a certificate and try again:
+        #  - start non ssl haproxy to be able to get a valid cert
        logging.info('try in NON SSL mode')
-        start_haproxy()
-        SSL_RUNNING=False
+        SSL_RUNNING = start_haproxy()
+        #  - get all domains
+        client = Client(base_url='unix://var/run/docker.sock', version='1.15')
+        resolved_domains = list_domains.get_resolving_domains_from_containers(client)
+        #  - create cert
+        create_cert_data_standalone(resolved_domains)
+        create_haproxy_cert()
+
+    # now we should have it up and running or something weird happened.
+    if not is_haproxy_running():
+        logging.error('could not start after generating cert. See output above.')
+        sys.exit(1)

    while True:
        time.sleep(10)