Deploying Containerised FreeCertiffy

Photo by Todd Cravens on Unsplash

FreeCertiffy is a free SSL Certificate Manager program I have been working on. It’s a Flask Python App deployed in a container with a second container – a Mongo Database back-end in support.

This little project is fairly simple and I’m not a professional programmer so I may benefit from your input if you are python flask expert. It has:

  • code to look at certificates, create Certificate Signing Requests
  • code that uses Qualys API to grade certificates
  • Create, Read, Update, Delete routines
  • uses flask blueprints
  • simple bootstrap5 and jinja2
  • the flask app runs in gunicorn
  • some basic session cookie code to work with user management
  • emails users, both SMPT and SMTPS
  • uses mongo database in a container and the data in a container volume
  • has a scheduled job to recalculate the countdown to expiry

Deploying A Multi-container Application.

Well I have a file docker-compose-dist.yaml which defines the services, networks and volumes and how they will work together.

services:
  mongo:
      container_name: freecertiffy-mongo
      image: mongo
      #restart: always
      env_file:
          - myenv-dist.env
      ports:
        - 27017:27017
      stdin_open: true
      tty: true
      volumes:
        - mongo:/data/db
  flaskapp:
      container_name: freecertiffy-flaskapp
      image: bradymd/flaskapp
      #restart: always
      env_file:
        - myenv-dist.env
      #build: flaskapp
      ports:
        - 30002:8000
      stdin_open: true
      tty: true
  initialise-user:
    container_name: freecertiffy-runonce
    image: bradymd/flaskapp
    env_file:
      - myenv-dist.env
    command: '/bin/bash -c "sleep 5; ./insert_user_record_to_freecertiffy.py"'
    depends_on:
      - mongo
    profiles:
      - runonce
    # needed for kompose
    expose:
      - "8000"
networks:
  default:
    name: freecertiffylan
volumes:
  mongo:
    name: freecertiffy-mongo

You can see how flaskapp will present to port 30002 from a backend port 8000 on a private lan. The Mongo database will present to 27017 which is the default port for mongo. That is going to allow you to connect to it from your docker host also.

I’ve named the objects and have one container initialise-user with a profile called runonce.

The file “myenv-dist.env” allows you to secure the mongo admin password from the default and do a little tailoring.

ENVIRONMENT="PRODUCTION"
FLASK_DEBUG=0
LEVEL=WARN
SECRET_KEY="blahburb"
MONGO_INITDB_ROOT_USERNAME="admin"
MONGO_INITDB_ROOT_PASSWORD="bonky"
CONNECTSTRING_PRODUCTION="mongodb://user-leave-this:password-leave-this@mongo:27017/?retryWrites=true&w=majority"
# Mail appears from this user
DEFAULT_CONTACT="you@youreamail.com"
# Which host it claims to be from
DEFAULT_HOST="freecertiffy@"
# Which host it claims to be from
SENDING_HOST="freecertiffy@herts.ac.uk"
# Where to route mail when you have an SMPT host in your company
SMTP_SENDER="freecertiffy@herts.ac.uk"
############################## for SMPTS mail ##############
# Example when sending via GMAIL
SMTP_HOST="smtp.gmail.com"
# If you set SMPT_PORT and SMPT_PASSWORD it will use authenticated SMTP
SMTP_PORT="587"
# Gmail lets you do this for apps, it's not your login password
# This should be in a environment variable because ppl like to steal these things from git
SMTP_PASSWORD="****"

So here we go, lets pull the images and then run them up, including the profile runonce.

docker-compose -f docker-compose-dist.yaml  pull
docker-compose --profile runonce -f docker-compose-dist.yaml  up -d
<em>Pulling mongo    ... done
Pulling flaskapp ... done
Creating network "freecertiffylan" with the default driver
Creating volume "freecertiffy-mongo" with default driver
Creating freecertiffy_mongo    ... done
Creating freecertiffyflaskapp ... done
Creating freecertiffy_runonce  ... done</em>

And list the containers:

docker container ps --format 'table{{.Names}}\t{{.ID}}\t{{.Ports}}\t{{.Image}}'
NAMES                   CONTAINER ID   PORTS                                           IMAGE
freecertiffy-mongo      0c2458a1b5da   0.0.0.0:27017->27017/tcp, :::27017->27017/tcp   mongo
freecertiffy-flaskapp   b70b9505204e   0.0.0.0:30002->8000/tcp, :::30002->8000/tcp     bradymd/flaskapp
freecertiffy-redis      966759209eab   6379/tcp                                        redis

That’s it. Now login on port 30002 with an admin/admin login and change the password.

http://localhost:30002

So change the passwords, add some certificates, check your mail is working, grade the external facing ones. A periodic job will recalculate the day-to-go before it expires but it doesn’t automatically mail people.

In future you would start the containers without the oneoff profile:

docker-compose -f docker-compose-dist.yaml  up -d
Now understand your data is in the freecertiffy_mongo volume so take care of that volume.