Allow to use a pre-existing SSL certificate

2023-11-05 04:40:26 +01:00 · 2018-11-27 01:23:38 +01:00 · 2018-11-27 01:23:38 +01:00 · 011a825b85
commit 011a825b85
parent 73c821944f
4 changed files with 21 additions and 12 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,10 @@

 ## Unreleased

+## [4.3.0-1] - 26/11/2018
+### Added
+* Allow to use a pre-existing `server.pem` file mounted into the container to serve the BackupPC UI over https
+
 ## [4.3.0] - 26/11/2018
 ### Changed
 * Update BackupPC to 4.2.0
--- a/README.md
+++ b/README.md
@ -160,6 +160,8 @@ docker run \

 Then you can access the UI through the secured URL https://YOUR_SERVER_IP/. Of course, as the SSL certificate is self-signed, your browser will alert you about this unsecured certificate.

+_NB: You can also use your own SSL certificate: merge together the private key and the certificate into a `server.pem` file (eg. `cat server.key server.crt > server.pem`), and mount `certificate.pem` on the container path `/etc/lighttpd/server.pem` (eg. `--volume /you/path/to/certificate.pem:/etc/lighttpd/server.pem`)._
+
 ### Advanced SSL use

 Instead of providing a very advanced SSL configuration in this Docker, and reinvent the wheel, it is advised to run your backuppc instance without SSL and without exposing the 8080 port, and launch a second container with a secured SSL reverse-proxy pointing to the BackupPC instance.
--- a/2
+++ b/2
@ -1 +1 @@
-4.3.0
+4.3.0-1
--- a/files/entrypoint.sh
+++ b/files/entrypoint.sh
@ -68,17 +68,20 @@ if [ -f /firstrun ]; then

 	# Prepare lighttpd
 	if [ "$USE_SSL" = true ]; then
-		# Generate certificate file as needed
-		cd /etc/lighttpd
-		openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
-		openssl rsa -passin pass:x -in server.pass.key -out server.key
-		openssl req -new -key server.key -out server.csr \
-			-subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com"
-		openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
-		cat server.key server.crt > server.pem
-		chown "$BACKUPPC_USERNAME":"$BACKUPPC_GROUPNAME" server.pem
-		chmod 0600 server.pem
-		rm -f server.pass.key server.key server.csr server.crt
+		# Do not generate a certificate if user already mapped the file with docker --volume
+		if [ ! -e /etc/lighttpd/server.pem ]; then
+			# Generate certificate file as needed
+			cd /etc/lighttpd
+			openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
+			openssl rsa -passin pass:x -in server.pass.key -out server.key
+			openssl req -new -key server.key -out server.csr \
+				-subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com"
+			openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
+			cat server.key server.crt > server.pem
+			chown "$BACKUPPC_USERNAME":"$BACKUPPC_GROUPNAME" server.pem
+			chmod 0600 server.pem
+			rm -f server.pass.key server.key server.csr server.crt
+		fi
 		# Reconfigure lighttpd to use ssl
 		echo "ssl.engine = \"enable\"" >> /etc/lighttpd/lighttpd.conf
 		echo "ssl.pemfile = \"/etc/lighttpd/server.pem\"" >> /etc/lighttpd/lighttpd.conf
 @ -1 +1 @@
 .3.0
 .3.0-1