Merge pull request #1005 from opengisch/fix_letsencrypt_cert_2

Letsencrypt certificate autorenewal follow-up adjustments and fixes

.env.example

@@ -17,18 +17,16 @@ SECRET_KEY=change_me
 # Certificates
 
 # TLS certificate filename from within the `nginx` container.
-# When empty, the default self-signed certificate is used.
 # For usage with Let's Encrypt certificate, use as:
 # QFIELDCLOUD_TLS_CERT="/etc/letsencrypt/live/${QFIELDCLOUD_HOST}/fullchain.pem"
-# DEFAULT: ""
-QFIELDCLOUD_TLS_CERT=""
+# DEFAULT: "/etc/nginx/certs/${QFIELDCLOUD_HOST}.pem"
+QFIELDCLOUD_TLS_CERT="/etc/nginx/certs/${QFIELDCLOUD_HOST}.pem"
 
 # TLS private key filename from within the `nginx` container.
-# When empty, the default self-signed certificate is used.
 # For usage with Let's Encrypt certificate, use as:
 # QFIELDCLOUD_TLS_KEY="/etc/letsencrypt/live/${QFIELDCLOUD_HOST}/privkey.pem"
-# DEFAULT: ""
-QFIELDCLOUD_TLS_KEY=""
+# DEFAULT: "/etc/nginx/certs/${QFIELDCLOUD_HOST}-key.pem"
+QFIELDCLOUD_TLS_KEY="/etc/nginx/certs/${QFIELDCLOUD_HOST}-key.pem"
 
 # TLS DF parameters filename from within the `nginx` container.
 # When empty, no DF parameters are used.

.gitignore

@@ -8,9 +8,11 @@ __pycache__/
 .env
 docker-compose.override.yml
 client/projects
-docker-nginx/certs/*
-docker-nginx/dhparams/*.pem
+conf/mkcert/*
 conf/certbot/*
+conf/nginx/certs/*.pem
+conf/nginx/config.d/*.conf
+conf/nginx/dhparams/*.pem
 Pipfile*
 **/site-packages
 docker-qgis/libqfieldsync

README.md

@@ -220,11 +220,13 @@ Note if you run tests using the `docker-compose.test.yml` configuration, the `ap
 
 ## Add root certificate
 
-QFieldCloud will automatically generate a certificate and it's root certificate in `./docker-nginx/certs`. However, you need to trust the root certificate first, so other programs (e.g. curl) can create secure connection to the local QFieldCloud instance.
+QFieldCloud will automatically generate a certificate and its root certificate in `./conf/nginx/certs`.
+However, you need to trust the root certificate first,
+so other programs (e.g. curl) can create secure connection to the local QFieldCloud instance.
 
 On Debian/Ubuntu, copy the root certificate to the directory with trusted certificates. Note the extension has been changed to `.crt`:
 
-    sudo cp ./docker-nginx/certs/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
+    sudo cp ./conf/nginx/certs/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
 
 Trust the newly added certificate:
 
@@ -305,14 +307,13 @@ To use this Let's Encrypt certificate within QFieldCloud you just need to uncomm
 
     QFIELDCLOUD_TLS_CERT=/etc/letsencrypt/live/${QFIELDCLOUD_HOST}/fullchain.pem
     QFIELDCLOUD_TLS_KEY=/etc/letsencrypt/live/${QFIELDCLOUD_HOST}/privkey.pem
-    QFIELDCLOUD_TLS_DHPARAMS=/etc/nginx/dhparams/dhparams4096.pem
 
-You can also use your own certificates by placing them in `conf/nginx/certs/` ànd changing `QFIELDCLOUD_TLS_CERT` and `QFIELDCLOUD_TLS_KEY` accordingly.
+You can also use your own certificates by placing them in `conf/nginx/certs/` and changing `QFIELDCLOUD_TLS_CERT` and `QFIELDCLOUD_TLS_KEY` accordingly.
 Don't forget to create your Diffie-Hellman parameters.
 
 ### Additional NGINX config
 
-You can add additional config to nginx placing files in `conf/nginx/config` ending with `.conf`. They will be included in the main `nginx.conf`.
+You can add additional config to nginx placing files in `conf/nginx/config.d/` ending with `.conf`. They will be included in the main `nginx.conf`.
 
 ## Infrastructure
 

conf/nginx/certs/README.md

@@ -0,0 +1,6 @@
+This directory will contain the self-signed certificates automatically created by `mkcert`.
+
+You can also place your custom certificates.
+
+To make use of the any of the certificates in this directory, make sure you adjust the values of `QFIELDCLOUD_TLS_CERT` and `QFIELDCLOUD_TLS_KEY` environment variables.
+This directory is accessible in the `nginx` container at `/etc/nginx/certs/`.

docker-compose.yml

@@ -92,10 +92,10 @@ services:
       context: ./docker-nginx
     restart: unless-stopped
     volumes:
-      - ./docker-nginx/certs/:/etc/nginx/certs/:ro
-      - ./docker-nginx/dhparams:/etc/nginx/dhparams/:ro
       - ./conf/certbot/conf:/etc/letsencrypt:ro
-      - ./conf/nginx/config:/etc/nginx/config/:ro
+      - ./conf/nginx/certs/:/etc/nginx/certs/:ro
+      - ./conf/nginx/config.d:/etc/nginx/config.d/:ro
+      - ./conf/nginx/dhparams:/etc/nginx/dhparams/:ro
       - certbot_www:/var/www/certbot
     ports:
       - ${WEB_HTTP_PORT}:80
@@ -117,12 +117,13 @@ services:
         max-file: "10"
         tag: "{{.ImageName}}|{{.Name}}|{{.ImageFullID}}|{{.FullID}}"
 
+  # Automatically create self-signed certificates for local development and test deployments
   mkcert:
     image: vishnunair/docker-mkcert
     environment:
       domain: ${QFIELDCLOUD_HOST}
     volumes:
-      - ./docker-nginx/certs/:/root/.local/share/mkcert/
+      - ./conf/nginx/certs/:/root/.local/share/mkcert/
     command: /bin/sh -c 'mkcert -install && for i in $$(echo $$domain | sed "s/,/ /g"); do [ ! -f /root/.local/share/mkcert/$$i.pem ] && mkcert $$i; done && tail -f -n0 /etc/hosts'
 
   certbot:

docker-nginx/Dockerfile

@@ -4,4 +4,5 @@ COPY pages /var/www/html/pages/
 COPY templates/ /etc/nginx/templates/
 COPY options-ssl-nginx.conf /etc/nginx/options-ssl-nginx.conf
 COPY 99-autoreload.sh /docker-entrypoint.d/99-autoreload.sh
-CMD chmod +x /docker-entrypoint.d/99-autoreload.sh
+
+RUN chmod 755 /docker-entrypoint.d/99-autoreload.sh

docker-nginx/templates/default.conf.template

@@ -80,8 +80,8 @@ server {
     return 444;
   }
 
-  # included additional config
-  include config/*.conf;
+  # include additional config from the current QFieldCloud instance. This is different from the default `conf.d` directory.
+  include config.d/*.conf;
 
   # deny annoying bot
   deny 34.215.13.216;