deployment/salt/base/docker-compose.sls +1 −0
@@ -18,6 +18,7 @@ install-deps: - docker-compose - gnupg2 - pass - certbot - require: - upgrade-all Loading scripts/ssl-renew.sh +24 −40 Original line number Diff line number Diff line #!/usr/bin/env bash #!/bin/bash #set -e source /mnt/repo-base/scripts/base.sh if [ "$(whoami)" != "root" ] then exit 1 fi MAILHOST="mail.$DOMAIN" CONFIG=/mnt/repo-base/config-dynamic/letsencrypt/autorenew/ssl-domains.dat OPENSSLBIN=/usr/bin/openssl CERTSTOREBASE=/mnt/repo-base/config-dynamic/letsencrypt/certstore CERTSTORE=$CERTSTOREBASE/live PUBIP=0.0.0.0 CERTBOT_IMAGE="certbot/certbot:v0.36.0" CONFIG_DIR=/mnt/repo-base/config-dynamic/letsencrypt/certstore LIVE_DIR=$CONFIG_DIR/live cat "$CONFIG" | while read DOMAIN; do echo "Checking $DOMAIN" # For the first run, we have to use standalone auth because Nginx won't start without the cert files present. if [ ! -f "$CERTSTORE/$DOMAIN/fullchain.pem" ] then docker run -t --rm -v $CERTSTOREBASE:/etc/letsencrypt -v /mnt/repo-base/volumes/letsencrypt:/var/log/letsencrypt \ -p $PUBIP:80:80 -p $PUBIP:443:443 \ "$CERTBOT_IMAGE" certonly --non-interactive --agree-tos -m $ALT_EMAIL -d $DOMAIN \ --standalone if [ ! 
-L "$LIVE_DIR/$DOMAIN/fullchain.pem" ]; then certbot certonly -d "$DOMAIN" -m "$ALT_EMAIL" --standalone --agree-tos --non-interactive \ --config-dir="$CONFIG_DIR" else docker run -t --rm -v $CERTSTOREBASE:/etc/letsencrypt -v /mnt/repo-base/volumes/letsencrypt:/var/log/letsencrypt \ -v /mnt/repo-base/config-dynamic/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge \ "$CERTBOT_IMAGE" certonly --non-interactive --agree-tos -m $ALT_EMAIL -d $DOMAIN \ --webroot -w /etc/letsencrypt/acme-challenge \ --post-hook "touch /etc/letsencrypt/live/$DOMAIN/cert-updated" CERT_UPDATED_FILE="$CERTSTORE/$DOMAIN/cert-updated" if [ -f "$CERT_UPDATED_FILE" ] then echo "Reloading SSL certificates" CERT_UPDATED_FILE="$LIVE_DIR/$DOMAIN/cert-updated" certbot certonly -d "$DOMAIN" --non-interactive --webroot \ --webroot-path='/mnt/repo-base/config-dynamic/letsencrypt/acme-challenge/' \ --config-dir="$CONFIG_DIR" \ --deploy-hook "touch $CERT_UPDATED_FILE" # add the following parameters to test renewal (will install invalid certificates) # --test-cert --force-renewal --break-my-certs if [ -f "$CERT_UPDATED_FILE" ]; then rm "$CERT_UPDATED_FILE" docker exec nginx nginx -s reload NVALIDTHRU=$($OPENSSLBIN x509 -enddate -noout -in $CERTSTORE/$DOMAIN/fullchain.pem | awk -F= '{ print $NF }') echo "Certificate for $DOMAIN renewed and is valid until: $NVALIDTHRU" if [ "$DOMAIN" = "$MAILHOST" ] then cd /mnt/repo-base/ VALID_UNTIL=$(openssl x509 -enddate -noout -in $LIVE_DIR/$DOMAIN/fullchain.pem | awk -F= '{ print $NF }') echo "Certificate for $DOMAIN renewed and is valid until: $VALID_UNTIL" docker-compose exec -T nginx nginx -s reload if [ "$DOMAIN" = "$MAILHOST" ]; then docker-compose restart eelomailserver fi fi Loading Loading
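Review bot: The `--deploy-hook "touch $CERT_UPDATED_FILE"` argument in the webroot branch interpolates `$DOMAIN`, read from ssl-domains.dat, into a command string that certbot hands to a shell, and certbot saves a deploy hook into the lineage's renewal configuration so the same unquoted path is re-executed on every later renewal; quote it as `--deploy-hook "touch '$CERT_UPDATED_FILE'"`. The same variable is unquoted in `-in $LIVE_DIR/$DOMAIN/fullchain.pem`, which should read `-in "$LIVE_DIR/$DOMAIN/fullchain.pem"`. With `set -e` still commented out, the new `cd /mnt/repo-base/` ahead of `docker-compose exec -T nginx nginx -s reload` has no failure check, so `cd /mnt/repo-base/ || exit 1` would stop the reload from running against whatever the working directory happens to be. The exact ordering of the new lines is hard to recover from this rendering, so the placement of the `cd` is inferred; the `cat "$CONFIG" | while read DOMAIN` loop that encloses all of this begins earlier in the file.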
deployment/salt/base/docker-compose.sls +1 −0 @@ -18,6 +18,7 @@ install-deps: - docker-compose - gnupg2 - pass - certbot - require: - upgrade-all
scripts/ssl-renew.sh +24 −40 Original line number Diff line number Diff line #!/usr/bin/env bash #!/bin/bash #set -e source /mnt/repo-base/scripts/base.sh if [ "$(whoami)" != "root" ] then exit 1 fi MAILHOST="mail.$DOMAIN" CONFIG=/mnt/repo-base/config-dynamic/letsencrypt/autorenew/ssl-domains.dat OPENSSLBIN=/usr/bin/openssl CERTSTOREBASE=/mnt/repo-base/config-dynamic/letsencrypt/certstore CERTSTORE=$CERTSTOREBASE/live PUBIP=0.0.0.0 CERTBOT_IMAGE="certbot/certbot:v0.36.0" CONFIG_DIR=/mnt/repo-base/config-dynamic/letsencrypt/certstore LIVE_DIR=$CONFIG_DIR/live cat "$CONFIG" | while read DOMAIN; do echo "Checking $DOMAIN" # For the first run, we have to use standalone auth because Nginx won't start without the cert files present. if [ ! -f "$CERTSTORE/$DOMAIN/fullchain.pem" ] then docker run -t --rm -v $CERTSTOREBASE:/etc/letsencrypt -v /mnt/repo-base/volumes/letsencrypt:/var/log/letsencrypt \ -p $PUBIP:80:80 -p $PUBIP:443:443 \ "$CERTBOT_IMAGE" certonly --non-interactive --agree-tos -m $ALT_EMAIL -d $DOMAIN \ --standalone if [ ! 
-L "$LIVE_DIR/$DOMAIN/fullchain.pem" ]; then certbot certonly -d "$DOMAIN" -m "$ALT_EMAIL" --standalone --agree-tos --non-interactive \ --config-dir="$CONFIG_DIR" else docker run -t --rm -v $CERTSTOREBASE:/etc/letsencrypt -v /mnt/repo-base/volumes/letsencrypt:/var/log/letsencrypt \ -v /mnt/repo-base/config-dynamic/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge \ "$CERTBOT_IMAGE" certonly --non-interactive --agree-tos -m $ALT_EMAIL -d $DOMAIN \ --webroot -w /etc/letsencrypt/acme-challenge \ --post-hook "touch /etc/letsencrypt/live/$DOMAIN/cert-updated" CERT_UPDATED_FILE="$CERTSTORE/$DOMAIN/cert-updated" if [ -f "$CERT_UPDATED_FILE" ] then echo "Reloading SSL certificates" CERT_UPDATED_FILE="$LIVE_DIR/$DOMAIN/cert-updated" certbot certonly -d "$DOMAIN" --non-interactive --webroot \ --webroot-path='/mnt/repo-base/config-dynamic/letsencrypt/acme-challenge/' \ --config-dir="$CONFIG_DIR" \ --deploy-hook "touch $CERT_UPDATED_FILE" # add the following parameters to test renewal (will install invalid certificates) # --test-cert --force-renewal --break-my-certs if [ -f "$CERT_UPDATED_FILE" ]; then rm "$CERT_UPDATED_FILE" docker exec nginx nginx -s reload NVALIDTHRU=$($OPENSSLBIN x509 -enddate -noout -in $CERTSTORE/$DOMAIN/fullchain.pem | awk -F= '{ print $NF }') echo "Certificate for $DOMAIN renewed and is valid until: $NVALIDTHRU" if [ "$DOMAIN" = "$MAILHOST" ] then cd /mnt/repo-base/ VALID_UNTIL=$(openssl x509 -enddate -noout -in $LIVE_DIR/$DOMAIN/fullchain.pem | awk -F= '{ print $NF }') echo "Certificate for $DOMAIN renewed and is valid until: $VALID_UNTIL" docker-compose exec -T nginx nginx -s reload if [ "$DOMAIN" = "$MAILHOST" ]; then docker-compose restart eelomailserver fi fi Loading