Build and package the very latest certbot from pip

README.md

@@ -17,6 +17,20 @@
 
 This is a base image for use in other images. See Dockerfile for build steps.
 
+The following is compiled/installed:
+
+- OpenResty
+- Lua
+- Certbot
+- mkcert
+- dbmate
+- Python3 and pip
+
+The following architectures are supported:
+
+- amd64
+- arm/v7
+- arm64
 
 ### Usage:
 

docker/Dockerfile

@@ -1,8 +1,49 @@
+#############
+# Certbot Builder
+#############
+
+FROM debian:stable-slim as certbotbuilder
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+RUN apt-get update
+RUN apt-get install -y \
+	build-essential \
+	curl \
+	libaugeas0 \
+	python3 \
+	python3-dev \
+	libffi-dev \
+	libssl-dev \
+	python3-venv \
+	ca-certificates
+
+ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
+# Yes, python compilation requires rust.
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+ENV PATH="/root/.cargo/bin:$PATH"
+
+# It's all about pip now.
+RUN python3 -m venv /opt/certbot/
+ENV PATH="/opt/certbot/bin:$PATH"
+
+RUN curl -L 'https://bootstrap.pypa.io/get-pip.py' | python3
+
+# Handle an extremely specific issue when building the cryptography package for
+# 32-bit architectures within QEMU running on a 64-bit host
+# Special thanks to https://github.com/JonasAlfredsson/docker-nginx-certbot
+RUN if [ "$(getconf LONG_BIT)" = "32" ]; then \
+	pip3 install --no-cache-dir -U cryptography==3.3.2; \
+	fi
+
+RUN pip install --no-cache-dir cffi certbot
+
 #############
 # Go Builder
 #############
 
-FROM golang:latest as go
+FROM golang:latest as gobuilder
 
 ENV MKCERT_VERSION=1.4.2
 RUN mkdir /workspace
@@ -17,14 +58,23 @@ RUN go build -ldflags "-X main.Version=v${MKCERT_VERSION}" -o /bin/mkcert
 # Nginx Builder
 #############
 
-FROM debian:stable-slim as builder
+FROM debian:stable-slim as nginxbuilder
 
 ARG OPENRESTY_VERSION
 ARG LUA_VERSION
 ARG LUAROCKS_VERSION
 
 RUN apt-get update \
-	&& apt-get install -y --no-install-recommends wget build-essential libreadline-dev openssl unzip libncurses-dev libpcre3-dev libssl-dev zlib1g-dev
+	&& apt-get install -y \
+	build-essential \
+	ca-certificates \
+	libncurses-dev \
+	libpcre3-dev \
+	libreadline-dev \
+	libssl-dev \
+	openssl unzip \
+	wget \
+	zlib1g-dev
 
 # Lua build
 COPY ./scripts/build-lua /tmp/build-lua
@@ -52,31 +102,62 @@ RUN echo "Base: debian:stable-slim, ${TARGETPLATFORM:-linux/amd64}" > /built-for
 
 # OpenResty uses LuaJIT which has a dependency on GCC
 RUN apt-get update \
-	&& apt-get install -y --no-install-recommends curl figlet openssl libpcre3 zlib1g apache2-utils tzdata perl libreadline7 unzip libncurses6 make gcc \
+	&& apt-get install -y --no-install-recommends \
+	apache2-utils \
+	ca-certificates \
+	curl \
+	figlet \
+	libncurses6 \
+	libpcre3 \
+	libreadline7 \
+	openssl \
+	perl \
+	python3 \
+	python3-distutils \
+	python3-venv \
+	tzdata \
+	unzip \
+	zlib1g \
 	&& apt-get clean \
 	&& rm -rf /var/lib/apt/lists/*
 
-ADD ./files/.bashrc /root/.bashrc
+ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
+COPY ./files/.bashrc /root/.bashrc
 
 # Copy lua and luarocks builds from first image
-COPY --from=builder /tmp/lua /tmp/lua
-COPY --from=builder /tmp/luarocks /tmp/luarocks
+COPY --from=nginxbuilder /tmp/lua /tmp/lua
+COPY --from=nginxbuilder /tmp/luarocks /tmp/luarocks
 COPY ./scripts/install-lua /tmp/install-lua
 
 # Copy openresty build from first image
-COPY --from=builder /tmp/openresty /tmp/openresty
+COPY --from=nginxbuilder /tmp/openresty /tmp/openresty
 COPY ./scripts/install-openresty /tmp/install-openresty
 
 # Copy golang built packages
-COPY --from=go /bin/mkcert /bin/mkcert
-COPY --from=go /go/bin/dbmate /bin/dbmate
+COPY --from=gobuilder /bin/mkcert /bin/mkcert
+COPY --from=gobuilder /go/bin/dbmate /bin/dbmate
 
-RUN /tmp/install-lua \
+# Copy certbot
+COPY --from=certbotbuilder /opt/certbot /opt/certbot
+RUN curl -L 'https://bootstrap.pypa.io/get-pip.py' | python3 \
+	&& python3 -m venv /opt/certbot/ \
+	&& ln -s /opt/certbot/bin/certbot /usr/bin/certbot
+ENV PATH="/opt/certbot/bin:$PATH"
+
+# Install openresty, lua
+RUN apt-get update \
+	&& apt-get install -y \
+	gcc \
+	make \
+	&& /tmp/install-lua \
 	&& /tmp/install-openresty \
 	&& rm -f /tmp/install-lua \
 	&& rm -f /tmp/install-openresty \
 	&& apt-get remove -y make gcc \
-	&& apt-get autoremove -y
+	&& apt-get autoremove -y \
+	&& apt-get clean \
+	&& rm -rf /var/lib/apt/lists/*
 
 LABEL org.label-schema.schema-version="1.0" \
 	org.label-schema.license="MIT" \

files/.bashrc

@@ -12,10 +12,11 @@ alias rm='rm -i'
 alias mv='mv -i'
 alias h='cd ~;clear;'
 
+. /etc/os-release
+
 echo -e -n '\E[1;34m'
 figlet -w 120 "nginx-full"
-echo -e "\E[1;36mOpenResty \E[1;32m${OPENRESTY_VERSION:-unknown}\E[1;36m, Kernel \E[1;32m$(uname -r)\E[0m"
+echo -e "\E[1;36mOpenResty \E[1;32m${OPENRESTY_VERSION:-unknown}\E[1;36m, ${ID:-debian} \E[1;32m${VERSION:-unknown}\E[1;36m, Certbot \E[1;32m$(certbot --version)\E[0m"
 echo -e -n '\E[1;34m'
 cat /built-for-arch
-echo -e -n '\E[0m'
-echo
+echo -e '\E[0m'