[A beginner's notes] Automating SSL enablement (self-signed certificate) with Docker-Compose


1. Introduction

Using Docker-compose, I tested enabling SSL automatically (with a self-signed certificate).
I built two WordPress instances and one phpMyAdmin.
Hardware: Raspberry Pi 4 Model B, OS: CentOS 8

2. Test environment (folders and files)

2.1 Folder layout

 |---------- .env →environment file
 |---------- certs
 |             server.crt, server.key →self-signed certificate files
 |---------- docker-compose.yml
 |---------- php
 |              php.ini →WordPress settings file
 |---------- ssl
 |              default-ssl.conf →SSL settings file
 |---------- tmp
 |              Dockerfile-pm →for phpMyAdmin
 |              Dockerfile-wp →for WordPress

2.2 The individual files

.env
# Read by docker-compose.yml through ${VAR} substitution.
# Both WordPress sites log in to MariaDB as root here; that is fine for this
# local test, but a real deployment would give each site its own database user.
DBUSER=root
DBPASS=root-pass
DATABASE1=wp1-db
DATABASE2=wp2-db
DBHOST=db:3306

docker-compose.yml
version: '3.3'

services:
  db:
    image: mariadb:latest
    volumes:
      - db_data:/var/lib/mysql
    restart: always
    container_name: mariadb
    environment:
      TZ: Asia/Tokyo
      MYSQL_ROOT_PASSWORD: ${DBPASS}

  phpmyadmin:
    depends_on:
      - db
    build:
      context: ./tmp/
      dockerfile: Dockerfile-pm
    volumes:
      # the private key is mounted into this container too; appending ":ro"
      # (./certs:/etc/ssl/private:ro) keeps the container from modifying the host copy
      - ./certs:/etc/ssl/private
      - ./ssl/default-ssl.conf:/etc/apache2/sites-available/default-ssl.conf
    ports:
      - "8243:443"
    restart: always
    container_name: phpmyadmin
    environment:
      PMA_HOST: db
      TZ: Asia/Tokyo

  wordpress1:
    depends_on:
      - db
    build:
      context: ./tmp/
      dockerfile: Dockerfile-wp
    volumes:
      - ./wp1:/var/www/html
      - ./certs:/etc/ssl/private
      - ./php/php.ini:/usr/local/etc/php/conf.d/php.ini
      - ./ssl/default-ssl.conf:/etc/apache2/sites-available/default-ssl.conf
      - ./tmp:/tmp
    ports:
      - "8043:443"
    restart: always
    container_name: wordpress1
    environment:
      TZ: Asia/Tokyo
      WORDPRESS_DB_HOST: ${DBHOST}
      WORDPRESS_DB_USER: ${DBUSER}
      WORDPRESS_DB_PASSWORD: ${DBPASS}
      WORDPRESS_DB_NAME: ${DATABASE1}

  wordpress2:
    depends_on:
      - db
    build:
      context: ./tmp/
      dockerfile: Dockerfile-wp
    volumes:
      - ./wp2:/var/www/html
      - ./certs:/etc/ssl/private
      - ./php/php.ini:/usr/local/etc/php/conf.d/php.ini
      - ./ssl/default-ssl.conf:/etc/apache2/sites-available/default-ssl.conf
      - ./tmp:/tmp
    ports:
      - "8143:443"
    restart: always
    container_name: wordpress2
    environment:
      TZ: Asia/Tokyo
      WORDPRESS_DB_HOST: ${DBHOST}
      WORDPRESS_DB_USER: ${DBUSER}
      WORDPRESS_DB_PASSWORD: ${DBPASS}
      WORDPRESS_DB_NAME: ${DATABASE2}

volumes:
  db_data: {}

php.ini
post_max_size = 20M
upload_max_filesize = 20M

Note: sets the maximum size of uploaded files.

default-ssl.conf
: (omitted)
line 32  SSLCertificateFile    /etc/ssl/private/server.crt
line 33  SSLCertificateKeyFile /etc/ssl/private/server.key
: (omitted)

Note: only lines 32 and 33 of the stock file were changed; they point at the self-signed pair that docker-compose.yml mounts from ./certs.
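The two files that default-ssl.conf points at, server.crt and server.key, have to exist in ./certs before docker-compose up is run, and the post does not show how they were made. The script below is an added example, not from the post: it creates a self-signed pair with openssl and then checks that the certificate and key actually belong together (a mismatched pair is the usual reason Apache refuses to start after one of the two files is replaced). It assumes openssl 1.1.1 or newer on the host; the function names, the 825-day lifetime and the hostname localhost are our choices, not the post's.

```shell
#!/bin/sh
# Added example, not from the original post: create the self-signed pair that
# default-ssl.conf expects at /etc/ssl/private/server.crt and server.key (mounted
# from ./certs by docker-compose.yml) and verify that the two files belong together.
# Assumptions: openssl 1.1.1 or newer is on the host; the function names, the
# 825-day lifetime and the name "localhost" are ours, not the post's.

# make_self_signed_cert <out_dir> <hostname>
# Writes <out_dir>/server.key (RSA 2048, mode 0600) and <out_dir>/server.crt.
make_self_signed_cert() {
  out_dir="$1"
  host="$2"
  mkdir -p "$out_dir"
  # -subj skips the interactive prompts; -addext puts the name into a
  # subjectAltName, which browsers check instead of the CN.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" \
    -keyout "$out_dir/server.key" -out "$out_dir/server.crt" 2>/dev/null || return 1
  # the key is bind-mounted into every container, so keep it unreadable to other host users
  chmod 600 "$out_dir/server.key"
}

# cert_matches_key <crt> <key>: prints "ok" when the certificate carries the
# public key that belongs to <key>, "mismatch" otherwise.
cert_matches_key() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  if [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]; then
    echo ok
  else
    echo mismatch
  fi
}

# cert_san <crt>: prints the subjectAltName entry, e.g. "DNS:localhost".
cert_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | tail -n 1 | sed 's/^ *//'
}

# Usage from the project directory:  sh make-certs.sh run
if [ "${1:-}" = "run" ]; then
  make_self_signed_cert ./certs localhost
  echo "cert/key pairing: $(cert_matches_key ./certs/server.crt ./certs/server.key)"
  echo "names in certificate: $(cert_san ./certs/server.crt)"
fi
```

A self-signed certificate still triggers a browser warning; the subjectAltName only makes the hostname check pass once the certificate has been trusted. Because the same ./certs folder is mounted into all three containers, the 0600 mode on the host copy of server.key is what keeps other host users from reading it; Apache inside the container reads it as root before dropping privileges, so the restrictive mode does not get in the way.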

Dockerfile-pm
FROM phpmyadmin:latest

# Starts Apache only inside this build step; the process does not survive into
# the image, whose entrypoint starts Apache itself when the container runs.
RUN service apache2 start

# Enable the SSL virtual host (the mounted default-ssl.conf) and mod_ssl.
RUN a2ensite default-ssl

RUN a2enmod ssl

Dockerfile-wp
FROM wordpress:latest

# Starts Apache only inside this build step; the process does not survive into
# the image, whose entrypoint starts Apache itself when the container runs.
RUN service apache2 start

# Enable the SSL virtual host (the mounted default-ssl.conf) and mod_ssl.
RUN a2ensite default-ssl

RUN a2enmod ssl

# The Debian base image already ships /tmp as 1777 (world-writable with the
# sticky bit); "chmod 777" drops the sticky bit, so "chmod 1777" would be the
# safer way to grant the same access. Note also that docker-compose.yml
# bind-mounts ./tmp over /tmp, and a bind mount shows the host folder's own
# permissions, so this line only matters when no mount covers /tmp.
RUN chmod 777 /tmp

Note: grants access permission to the tmp folder for file uploads.
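Before running docker-compose up -d it is worth checking that the .env file and docker-compose.yml above agree: Compose replaces an undefined ${VAR} with an empty string (it prints a warning but does not stop), so a typo in .env turns into an empty MYSQL_ROOT_PASSWORD or WORDPRESS_DB_NAME at runtime, and a bind-mount source that does not exist is created by Docker as an empty root-owned directory, which for ./php/php.ini would mean a directory named php.ini. The pre-flight script below is an added example and not part of the post; the file names are the post's and the function names are ours. On the very first run it will also report ./wp1 and ./wp2 as missing, which is expected, because Compose creates those two folders.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check for the project
# folder. Verifies that every ${VAR} referenced in docker-compose.yml has a
# non-empty value in .env and that every relative bind-mount source exists.
# Assumptions: file names as in the post; function names are ours.

# list_compose_vars <compose.yml>: prints each referenced ${VAR} name once.
list_compose_vars() {
  grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' "$1" | tr -d '${}' | sort -u
}

# env_value <.env> <name>: prints the value of NAME=value (last definition wins).
env_value() {
  grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# missing_env_vars <compose.yml> <.env>: prints the referenced names that are
# undefined or empty in .env, one per line; prints nothing when all are set.
missing_env_vars() {
  for name in $(list_compose_vars "$1"); do
    [ -n "$(env_value "$2" "$name")" ] || echo "$name"
  done
}

# list_bind_sources <compose.yml>: prints the host side of every "- ./path:/container" mount.
list_bind_sources() {
  grep -E '^[[:space:]]*-[[:space:]]*\./' "$1" \
    | sed -E 's/^[[:space:]]*-[[:space:]]*//; s/:.*$//' | sort -u
}

# missing_bind_sources <compose.yml> <project_dir>: prints mount sources that do not exist.
missing_bind_sources() {
  for src in $(list_bind_sources "$1"); do
    [ -e "$2/$src" ] || echo "$src"
  done
}

# preflight <project_dir>: returns 0 when everything checks out, 1 otherwise.
preflight() {
  dir="$1"
  status=0
  for v in $(missing_env_vars "$dir/docker-compose.yml" "$dir/.env"); do
    echo "undefined or empty in .env: \$$v"
    status=1
  done
  for s in $(missing_bind_sources "$dir/docker-compose.yml" "$dir"); do
    echo "bind-mount source missing: $s"
    status=1
  done
  return $status
}

# Usage from the project directory:  sh preflight.sh run && docker-compose up -d
if [ "${1:-}" = "run" ]; then
  preflight . && echo "pre-flight OK"
fi
```

The mount check is deliberately simple (it only understands the short "- ./source:/target" form used in this compose file); the point is to catch a missing file before Docker quietly turns it into a directory.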

3. Run it.

# docker-compose up -d
Creating network "docker_wp_default" with the default driver
Creating volume "docker_wp_db_data" with default driver
Pulling db (mariadb:latest)...
latest: Pulling from library/mariadb
a970164f39c1: Pull complete
e9c66f1fb5a2: Pull complete
94362ba2c285: Pull complete
6bcca3b8e9ae: Pull complete
4574fdafdba3: Pull complete
880d0554f10d: Pull complete
42f3039f6a26: Pull complete
84249a7eb6ff: Pull complete
d0c034fd6c1f: Pull complete
2b6de021f14a: Pull complete
0d8fa68dc283: Pull complete
675456d7859d: Pull complete
Digest: sha256:cdc553f0515a8d41264f0855120874e86761f7c69407b5cfbe49283dc195bea8
Status: Downloaded newer image for mariadb:latest
Building phpmyadmin
Step 1/4 : FROM phpmyadmin:latest
 ---> 9bd7e29f6e60
Step 2/4 : RUN service apache2 start
 ---> Running in 1053de9c2f76
Starting Apache httpd web server: apache2AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
.
Removing intermediate container 1053de9c2f76
 ---> 68db5fb82369
Step 3/4 : RUN a2ensite default-ssl
 ---> Running in 8ddc3b6f9ecb
Enabling site default-ssl.
To activate the new configuration, you need to run:
  service apache2 reload
Removing intermediate container 8ddc3b6f9ecb
 ---> a20eb2b906ec
Step 4/4 : RUN a2enmod ssl
 ---> Running in 80cd71dbcf92
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  service apache2 restart
Removing intermediate container 80cd71dbcf92
 ---> 2e6c3e41fd0e

Successfully built 2e6c3e41fd0e
Successfully tagged docker_wp_phpmyadmin:latest
WARNING: Image for service phpmyadmin was built because it did not already exist. To rebuild this image you must use `docker-compose build` or `docker-compose up --build`.
Building wordpress1
Step 1/5 : FROM wordpress:latest
 ---> aa391b024db5
Step 2/5 : RUN service apache2 start
 ---> Running in 9f1feb98ad8b
Starting Apache httpd web server: apache2AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
.
Removing intermediate container 9f1feb98ad8b
 ---> 519ebf0e67ca
Step 3/5 : RUN a2ensite default-ssl
 ---> Running in 6f10096df3eb
Enabling site default-ssl.
To activate the new configuration, you need to run:
  service apache2 reload
Removing intermediate container 6f10096df3eb
 ---> c0070ac57d4a
Step 4/5 : RUN a2enmod ssl
 ---> Running in 406f2cbef4cf
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  service apache2 restart
Removing intermediate container 406f2cbef4cf
 ---> bbe8093cf658
Step 5/5 : RUN chmod 777 /tmp
 ---> Running in 0d2e6a1bf658
Removing intermediate container 0d2e6a1bf658
 ---> f80f64964118

Successfully built f80f64964118
Successfully tagged docker_wp_wordpress1:latest
WARNING: Image for service wordpress1 was built because it did not already exist. To rebuild this image you must use `docker-compose build` or `docker-compose up --build`.
Building wordpress2
Step 1/5 : FROM wordpress:latest
 ---> aa391b024db5
Step 2/5 : RUN service apache2 start
 ---> Using cache
 ---> 519ebf0e67ca
Step 3/5 : RUN a2ensite default-ssl
 ---> Using cache
 ---> c0070ac57d4a
Step 4/5 : RUN a2enmod ssl
 ---> Using cache
 ---> bbe8093cf658
Step 5/5 : RUN chmod 777 /tmp
 ---> Using cache
 ---> f80f64964118

Successfully built f80f64964118
Successfully tagged docker_wp_wordpress2:latest
WARNING: Image for service wordpress2 was built because it did not already exist. To rebuild this image you must use `docker-compose build` or `docker-compose up --build`.
Creating mariadb ... done
Creating wordpress2 ... done
Creating phpmyadmin ... done
Creating wordpress1 ... done

3.1 Check the containers.

# docker-compose ps
   Name                 Command               State               Ports            
-----------------------------------------------------------------------------------
mariadb      docker-entrypoint.sh mysqld      Up      3306/tcp                     
phpmyadmin   /docker-entrypoint.sh apac ...   Up      0.0.0.0:8243->443/tcp, 80/tcp
wordpress1   docker-entrypoint.sh apach ...   Up      0.0.0.0:8043->443/tcp, 80/tcp
wordpress2   docker-entrypoint.sh apach ...   Up      0.0.0.0:8143->443/tcp, 80/tcp

3.2 Check the Docker images.

# docker images
REPOSITORY             TAG                     IMAGE ID       CREATED              SIZE
docker_wp_wordpress1   latest                  f80f64964118   About a minute ago   494MB
docker_wp_wordpress2   latest                  f80f64964118   About a minute ago   494MB
docker_wp_phpmyadmin   latest                  2e6c3e41fd0e   About a minute ago   430MB

Note: this is presumably related to the "WARNING: Image for service wordpress2 was built because it did not already exist." printed during the run, but is it?

Afterword

I tested Docker-compose in combination with Docker. The SSL enablement applied to the Apache installed inside the Docker image. This procedure is nothing more than my own experiment!