feature(generate-cert): allow create self-signed cert

- self-signed cert with a group-readable key and customizable hostname

build/Dockerfile

@@ -55,8 +55,10 @@ LABEL org.opencontainers.image.vendor="NGINX"
 LABEL org.opencontainers.image.title="ab-nginx"
 LABEL org.opencontainers.image.description="NGINX-mainline-alpine with more logical file location layout and automatic SSL set up if certificates are provided."
 
-# copy configuration files
-COPY entrypoint.sh /entrypoint.sh
+# copy configuration files and utility scripts
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+COPY generate-cert.sh /usr/local/bin/generate-cert
+COPY selfsigned.cnf /etc/selfsigned.cnf
 COPY config /etc/nginx/
 COPY sites /etc/nginx/sites/
 COPY webroot /usr/share/nginx/html/
@@ -72,7 +74,9 @@ RUN chown -R www-docker:www-docker /usr/share/nginx \
     && find /etc/nginx -type d -exec chmod 750 {} \; \
     && find /etc/nginx -type f -exec chmod 640 {} \; \
     && chown www-docker:www-docker /var/cache/nginx \
-    && chown www-docker:www-docker /var/log/nginx
+    && chown www-docker:www-docker /var/log/nginx \
+    && chmod 644 /etc/selfsigned.cnf \
+    && chmod 755 /usr/local/bin/generate-cert /usr/local/bin/entrypoint.sh
 USER www-docker
 WORKDIR /usr/share/nginx/html
 
@@ -86,7 +90,7 @@ ENV HSTS=FALSE
 ENV TLS13_ONLY=FALSE
 
 # entrypoint script
-ENTRYPOINT [ "/entrypoint.sh" ]
+ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ]
 
 # run NGINX by default
 STOPSIGNAL SIGQUIT

build/generate-cert.sh

@@ -0,0 +1,48 @@
+#!/bin/sh
+
+#
+# generate a self-signed certificate
+#
+
+# check for null hostname
+if [ -z "$1" ]; then
+    printf "\nPlease supply a hostname for the generated certificate as a parameter to this script. Exiting.\n\n"
+    exit 1
+fi
+
+# update openssl configuration file
+sed -e "s/{CERT_HOSTNAME}/$1/" /etc/selfsigned.cnf > /tmp/selfsigned.cnf
+
+printf "\nGenerating self-signed certificate for '%s':\n" "$1"
+
+# create placeholder files to set permissions
+if ! touch /certs/fullchain.pem && chmod 644 /certs/fullchain.pem; then
+    printf "\nUnable to write to '/certs', is it mounted writable by this container?\n\n"
+    exit 2
+fi
+touch /certs/privkey.pem && chmod 640 /certs/privkey.pem
+
+# generate certificate
+if ! openssl req -new -x509 -days 365 -nodes -out /certs/fullchain.pem -keyout /certs/privkey.pem -config /tmp/selfsigned.cnf; then
+    printf "\nUnable to generate certificate. Is the '/certs' directory writable by this container?\n\n"
+    exit 3
+fi
+\cp /certs/fullchain.pem /certs/chain.pem
+
+# print user notification
+printf "\n\nA self-signed certificate has been generated and saved in the location mounted to '/certs' in this container.\n"
+printf "The certificate and private key are PEM formatted with names 'fullchain.pem' and 'privkey.pem', respectively.\n"
+printf "Remember to import 'fullchain.pem' to the trusted store on any client machines or you will get warnings.\n\n"
+
+# exit gracefully
+exit 0
+
+
+#
+# exit codes
+# 0:    normal exit, no errors
+# 1:    invalid or missing parameters
+# 2:    unable to write to certs directory
+# 3:    unable to generate certificate
+
+#EOF

build/selfsigned.cnf

@@ -0,0 +1,16 @@
+default_bits = 4096
+default_md = sha256
+distinguished_name = dn
+req_extensions = san
+x509_extensions = san
+prompt = no
+
+[dn]
+organizationName = AB-NGINX Webserver
+CN = {CERT_HOSTNAME}
+
+[san]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = {CERT_HOSTNAME}