2 - Fetch cert files from Internet and check validity

[mrsarm]

Added a script as entry point in the Docker container that downloads the cert files for the first time if they were not previously downloaded, and checks whether they are expired, if so the script downloads the certs again from source.

Issue: #2

So now the certs are downloaded from Internet only the first time, and cached in the container until they expire.

Note: I changed the Nginx docker image flavor alpine by the standard one because the script uses the openssl command to check the certificate, and curl to download, and both commands are not available in the alpine flavor.

[mrjones-plip]

@mrsarm - Nice work on this! I need to do some more testing, but I have confirmed it works, so the image and bash script look be working. As well, I see some language changes in the readme I'll suggest. I'll grab this later today!

For migrating users over, how does docker normally handle upgrades like this? That is, right now you'll continue to use the old docker image (note that the new entrypoint.sh isn't called):

➜  nginx-local-ip git:(main) ✗ gco 2-fetch-cert-files
Switched to branch '2-fetch-cert-files'
Your branch is up to date with 'origin/2-fetch-cert-files'.
➜  nginx-local-ip git:(2-fetch-cert-files) ✗ APP_URL=https://192.168.68.17 docker-compose --env-file=my.env up 
Starting 40bb1fb8ba89_nginx-local-ip_app_1 ... done
Attaching to 40bb1fb8ba89_nginx-local-ip_app_1
40bb1fb8ba89_nginx-local-ip_app_1 | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
40bb1fb8ba89_nginx-local-ip_app_1 | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
40bb1fb8ba89_nginx-local-ip_app_1 | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
40bb1fb8ba89_nginx-local-ip_app_1 | 10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
40bb1fb8ba89_nginx-local-ip_app_1 | 10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf differs from the packaged version
40bb1fb8ba89_nginx-local-ip_app_1 | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
40bb1fb8ba89_nginx-local-ip_app_1 | 20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/default.conf.template to /etc/nginx/conf.d/default.conf
40bb1fb8ba89_nginx-local-ip_app_1 | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
40bb1fb8ba89_nginx-local-ip_app_1 | /docker-entrypoint.sh: Configuration complete; ready for start up

Until you call something like --build in your docker-compose call like so:

➜  nginx-local-ip git:(2-fetch-cert-files) ✗ APP_URL=https://192.168.68.17 docker-compose --env-file=my.env up --build
Building app
Step 1/5 : FROM nginx:1.19
 ---> 6084105296a9
Step 2/5 : EXPOSE 80 443
 ---> Using cache
 ---> 00f4228ac42f
Step 3/5 : COPY entrypoint.sh /
 ---> Using cache
 ---> 3f5f3989c753
Step 4/5 : ENTRYPOINT ["/entrypoint.sh"]
 ---> Using cache
 ---> 5337be0f8655
Step 5/5 : CMD ["nginx", "-g", "daemon off;"]
 ---> Using cache
 ---> c2c8cbf4991f
Successfully built c2c8cbf4991f
Successfully tagged nginx-local-ip_app:latest
Recreating 40bb1fb8ba89_nginx-local-ip_app_1 ... done
Attaching to nginx-local-ip_app_1
app_1  | /entrypoint.sh: SSL certificate files /etc/nginx/server.* not found. Installing ...
app_1  | /entrypoint.sh: Downloading 'http://local-ip.co/cert/server.pem' ...
app_1  | /entrypoint.sh: Downloading 'http://local-ip.co/cert/server.key' ...
app_1  | /entrypoint.sh: Downloading 'http://local-ip.co/cert/chain.pem' ...
app_1  | /entrypoint.sh: Creating chained cert file '/etc/nginx/server.chained.pem' ...
app_1  | /entrypoint.sh: SSL certificate OK. Expire after: Apr 26 15:57:59 2021 GMT
app_1  | /entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
app_1  | /entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
app_1  | /entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
app_1  | 10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
app_1  | 10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
app_1  | /entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
app_1  | 20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/default.conf.template to /etc/nginx/conf.d/default.conf
app_1  | /entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
app_1  | /entrypoint.sh: Configuration complete; ready for start up

[mrsarm]

For migrating users over, how does docker normally handle upgrades like this? That is, right now you'll continue to use the old docker image (note that the new entrypoint.sh isn't called):

Yes @mrjones-plip , because we are syncing the project through git, there is no other way than rebuild the image each time we pull changes unless we know the changes don't affect the images, eg. the Nginx config is mounted in the docker container so changes there don't need to recreate the container.

If we decide later to publish an official image at https://hub.docker.com/u/medicmobile, it would make easier the update process, the user would only need to change the docker image version in the docker-compose file or the script where it launches the container with the docker run command.

[mrjones-plip]

Gotcha - thanks!

Given we're migrating away from alpine to a more full featured container, do we want to mount entrypoint.sh as well so that if we make changes in the future, we won't have to remind folks to run --build?

[mrsarm]

... do we want to mount entrypoint.sh as well so that if we make changes in the future, we won't have to remind folks to run --build?

@mrjones-plip I moved the entrypoint as a mounted file as you suggest.

Just note that if we publish an image later in the Docker Hub, it will require first to move both the Nginx config and the entrypoint.sh files to the image, because won't be available when the user pull the image.

For now lets keep users to pull this git repository and make their own images, and in this case yes it's better to keep the files outside the image to avoid unnecessary rebuilds.

[mrjones-plip]

@mrsarm - really good stuff here! no functional changes, just readme changes.

Otherwise, at a later date we may consider running a cron job to check for expired certificates. I can imagine a scenario where desktop users like me and @dianabarsan may have this container just up and running for daaaaaaaays, thus not checking for an expired cert.

[mrjones-plip]

Not specific to this PR - but maybe consider making this section generic? That is, it is the default for most any web server to listen on port 80 or 443, not just medic-os container. So while we're Medic and there's lots of medic-os users, generic might be a better way to frame this.

Also, I would imagine that instead of running yet another container, folks who are already running medic-os should likely just install the cert in the existing container, as this is already supported per our self hosted docs. I think we should add a link this and a little information that you can do both (either add the cert to existing container or run this container and remap ports)

[mrsarm]

Yes agree, feel free to create another PR to reframe this section, and the name of the .env file.

[mrjones-plip]

I moved the entrypoint as a mounted file as you suggest.

Awesome - nice work!

Just note that if we publish an image later in the Docker Hub, it will require first to move both the Nginx config and the entrypoint.sh files to the image, because won't be available when the user pull the image.

For now lets keep users to pull this git repository and make their own images, and in this case yes it's better to keep the files outside the image to avoid unnecessary rebuilds.

Yup yup - sounds good!

[mrjones-plip]

lgtm! I'll file some more tickets ;)