Closed kuba closed 7 years ago
Maybe I'm overlooking something, but I don't think this involves anything more than giving the "official" Docker Hub permission to install an on-commit trigger.
In the end, the official Docker Hub will be what the vast majority of Docker users are using, and most of them will strongly dislike uploaded images and prefer automated builds.
I agree. It is dead easy to set up an automated build and it inspires more confidence as it is built directly from the published code.
@kuba: it's very easy to set up, here are instructions. I think it would help a lot with testing.
Quay.io uses an old, insecure registry and it prevents the Ansible docker module from executing the letsencrypt image:

```text
TASK: [letencrypt-nginx | Run Letencrypt in Docker] ***
failed: ... => {"changes": ["{\"status\":\"Pulling repository quay.io/letsencrypt/letsencrypt\"}\r\n", ... "{\"status\":\"Status: Image is up to date for quay.io/letsencrypt/letsencrypt:latest\"}\r\n", "{\"status\":\"quay.io/letsencrypt/letsencrypt: this image was pulled from a legacy registry. Important: This registry version will not be supported in future versions of docker.\"}\r\n"], "failed": true, "item": {"auto_dir": "/tmp/letencrypt-auto", "domain": "hbps1.chuv.ch"}, "status": "quay.io/letsencrypt/letsencrypt: this image was pulled from a legacy registry. Important: This registry version will not be supported in future versions of docker."}
msg: Unrecognized status from pull.
```
:+1:
It would be great to have an official Let's Encrypt Docker image in the Docker Hub.
Now I have to build it manually (Ansible):

```yaml
- name: Build the Let's Encrypt Docker image
  docker_image:
    path: "github.com/letsencrypt/letsencrypt.git"
    name: "my-user/letsencrypt"
    state: present
```

There is no easy update/version control over it :-(.
I'd love to see a letsencrypt official image: `docker run letsencrypt ...`
https://github.com/docker-library/official-images#contributing-to-the-standard-library
Definitely +1 to automated builds on Hub. For this kind of software, trustable and verifiable packaging is a must.
Surely this is coming? Can the maintainers comment on this? For security focused software I'm surprised this isn't the way it was done from the beginning? In fact the reason I stumbled across this issue is because I've been hunting all morning for an official reference to see if https://quay.io/repository/letsencrypt/letsencrypt?tag=latest&tab=tags is in fact genuinely maintained by you guys. I can't seem to find any link from Quay to what repository it's building from, let alone what git SHA was built, nor the contents of the Dockerfile used.
Yes, I would like to start uploading Certbot to Docker Hub as well. The reason we haven't been pushing many people towards using Docker with Certbot is that many of Certbot's features such as automatically configuring your webserver do not work from inside Docker (without a complicated setup that is).
https://quay.io/repository/letsencrypt/letsencrypt is maintained by us and there are instructions for using it in our official documentation here. All of the tags correspond directly to the branches/issues on this repo, with `latest` being the current `master`. The `Dockerfile` in the root of our repo is used for these images.
While many of the issues you have expressed here go beyond the scope of this issue, I agree with you that our Docker setup can be improved and I personally plan on improving it as well as uploading the image to Docker Hub in the future.
@bmw let me know if you'd be interested in the introductions needed to get an official docker image so people can use an image called `letsencrypt`.
Has there been any progress on this?
I'm concerned that if there is an official docker image, people will default to using that instead of certbot-auto. Then they'll run into a whole new set of problems because they have to install the certificate themselves.
If there is an official image, there should be a big warning that users still need to install the certificate manually.
@cowlicks How is the image that's up on quay.io different from the one that would be on dockerhub?
@cowlicks I was wanting a docker container that ran certbot-auto against a volume or something... much like I can do with an ssh key... basically it would be an install of certbot-auto rather than me having to do that myself. It could also suggest that it ran against a certain type of data directory.
@RangerMauve I'm guessing an official image would look the same as the image on quay.io. But the current image on quay.io doesn't install the certificate, it just gets it.
If people just want a docker image that gets a certificate for them, that is easy. But auto enabling https on your server from inside a docker container is hard.
@xenoterracide if all you need to do to turn on https is put a certificate somewhere, then that is great. But it is usually a bit more complicated than that.
@cowlicks sure, but I figured I'd have my production container configured for everything but the cert... for obvious? reasons, don't want to bundle a cert into my ephemeral container. To be fair due to lack of this feature, I'm just using Amazon/Cloudfront... and no tls on my container.
@cowlicks I'm not sure what installing the certificate or not has to do with having the image up on Docker Hub. As I understand it, this issue is more about the cases where people want to use the same image as what's on Quay. With regards to whether the image is good enough for automatic installs, that would probably be a separate issue.
The biggest reason we haven't uploaded a Certbot Docker image on Docker Hub is the current Certbot Dockerfile needs to be largely rewritten. We started uploading to quay.io roughly 6 months before Let's Encrypt entered beta and it was a convenient way to test the project on different systems.
While the image on quay has worked for people since Let's Encrypt launched, we would like to improve the image before bringing more attention to it. I have created a post on Let's Encrypt's community forums asking people to explain their use case for a Certbot Docker image. This allows us to see what people want from Certbot in Docker so we can focus our development efforts accordingly.
If people in this thread have the time to respond to the post, we'd greatly appreciate hearing your use case.
cc @cowlicks, @joohoi
Just FYI, currently trying to work around this with something like:

```yaml
# docker-compose.yml
renew-cert:
  image: alpine:3.4
  command: sh -c 'apk update && apk add certbot && certbot renew --dry-run'
  volumes:
    - './etc/letsencrypt:/etc/letsencrypt'
```

@jamesmoriarty you could also use certbot from Debian jessie backports (installs a cron job automatically), cron from stable, and use `["cron", "-f"]` as the entrypoint. It would then serve as a self-contained renew-bot.
This has been fixed. I'm sorry for the long delay here, but you can now download our official Docker image from the certbot/certbot repository on Docker Hub.
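As an added example (not the project's own configuration and not code posted by anyone in this thread), here is a docker-compose layout that extends the alpine workaround above to the certbot/certbot image from Docker Hub: one service obtains and renews the certificate into a shared volume, and a separate nginx service is the one that actually installs it, which is the manual step discussed earlier in the thread. The domain `example.com`, the `nginx.conf` file, the volume names, the compose file version and the 12h/6h intervals are assumptions.

```yaml
# docker-compose.yml (added example, not the certbot project's own configuration;
# example.com, nginx.conf, volume names and intervals are assumptions)
version: "3"

services:
  nginx:
    image: nginx:alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
      # certificates written by certbot; nginx only needs to read them
      - letsencrypt:/etc/letsencrypt:ro
      # http-01 challenge files written by certbot, served under /.well-known/acme-challenge/
      - webroot:/var/www/certbot:ro
    # reload nginx every 6h so a renewed certificate is picked up without a restart
    command: sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & exec nginx -g "daemon off;"'

  certbot:
    image: certbot/certbot
    volumes:
      - letsencrypt:/etc/letsencrypt
      - webroot:/var/www/certbot
    # Initial issuance is a one-off run that bypasses the renewal loop below:
    #   docker-compose run --rm --entrypoint certbot certbot certonly \
    #     --webroot -w /var/www/certbot -d example.com \
    #     --email admin@example.com --agree-tos --no-eff-email
    # Long-running: try to renew twice a day; certbot only renews when the
    # certificate is close to expiry, so the loop is cheap.
    entrypoint: sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done'

volumes:
  letsencrypt:
  webroot:
```

The `nginx.conf` is where the certificate is installed by hand: it must serve `location /.well-known/acme-challenge/` from `/var/www/certbot` on port 80, and its TLS server block points `ssl_certificate` and `ssl_certificate_key` at `/etc/letsencrypt/live/example.com/fullchain.pem` and `privkey.pem`. Start with an HTTP-only config, run the one-off `certonly` command, then add the 443 server block; nginx refuses to start if the referenced certificate files do not exist yet, so doing it in the other order deadlocks on the challenge. The `$$` in the compose strings is the escape for a literal `$` so that `${!}` (the PID of the backgrounded `sleep`) reaches the shell intact.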
@bmw would you be willing to entertain getting an official image on the Docker Hub? Official image meaning you could run it via `docker run ... certbot ...` instead of `docker run ... certbot/certbot ...`.
We'd want to learn more about it because at least I am not super familiar with the process, but we're definitely interested and open to the idea.
I prefer `certbot/certbot` personally. Official images ... follow rules that make them less secure imho. They are designed for extension over direct use. 2 cents, and worth every penny.
@JensErat asked in https://github.com/JensErat/docker-lets-encrypt-preview/issues/2#issuecomment-111083470 if we could upload Docker images not only to Quay, but also to Docker Hub.