From 5846f1b343a05b9fe72bf72c0090cd6fca5ed4ce Mon Sep 17 00:00:00 2001
From: Felix Ableitner
Date: Tue, 20 Aug 2019 16:18:54 +0200
Subject: [PATCH] Use certbot from Ubuntu repo (ref #45)
---
 deployment/salt/base/docker-compose.sls | 1 +
 scripts/ssl-renew.sh | 64 ++++++++++---------------
 2 files changed, 25 insertions(+), 40 deletions(-)
diff --git a/deployment/salt/base/docker-compose.sls b/deployment/salt/base/docker-compose.sls
index e755999..fa98b50 100644
--- a/deployment/salt/base/docker-compose.sls
+++ b/deployment/salt/base/docker-compose.sls
@@ -18,6 +18,7 @@ install-deps: - docker-compose - gnupg2 - pass + - certbot - require: - upgrade-all
diff --git a/scripts/ssl-renew.sh b/scripts/ssl-renew.sh
index f1eef14..8cfe49f 100755
--- a/scripts/ssl-renew.sh
+++ b/scripts/ssl-renew.sh
@@ -1,48 +1,32 @@
-#!/usr/bin/env bash
+#!/bin/bash
 #set -e
-source /mnt/repo-base/scripts/base.sh
-
-if [ "$(whoami)" != "root" ]
-then
- exit 1
-fi
-
-MAILHOST="mail.$DOMAIN"
 CONFIG=/mnt/repo-base/config-dynamic/letsencrypt/autorenew/ssl-domains.dat
-OPENSSLBIN=/usr/bin/openssl
-CERTSTOREBASE=/mnt/repo-base/config-dynamic/letsencrypt/certstore
-CERTSTORE=$CERTSTOREBASE/live
-PUBIP=0.0.0.0
-CERTBOT_IMAGE="certbot/certbot:v0.36.0"
+CONFIG_DIR=/mnt/repo-base/config-dynamic/letsencrypt/certstore
+LIVE_DIR=$CONFIG_DIR/live
 cat "$CONFIG" | while read DOMAIN; do
- # For the first run, we have to use standalone auth because Nginx won't start without the cert files present.
- if [ ! -f "$CERTSTORE/$DOMAIN/fullchain.pem" ]
- then
- docker run -t --rm -v $CERTSTOREBASE:/etc/letsencrypt -v /mnt/repo-base/volumes/letsencrypt:/var/log/letsencrypt \
- -p $PUBIP:80:80 -p $PUBIP:443:443 \
- "$CERTBOT_IMAGE" certonly --non-interactive --agree-tos -m $ALT_EMAIL -d $DOMAIN \
- --standalone
- else
- docker run -t --rm -v $CERTSTOREBASE:/etc/letsencrypt -v /mnt/repo-base/volumes/letsencrypt:/var/log/letsencrypt \
- -v /mnt/repo-base/config-dynamic/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge \
- "$CERTBOT_IMAGE" certonly --non-interactive --agree-tos -m $ALT_EMAIL -d $DOMAIN \
- --webroot -w /etc/letsencrypt/acme-challenge \
- --post-hook "touch /etc/letsencrypt/live/$DOMAIN/cert-updated"
- CERT_UPDATED_FILE="$CERTSTORE/$DOMAIN/cert-updated"
- if [ -f "$CERT_UPDATED_FILE" ]
- then
- echo "Reloading SSL certificates"
- rm "$CERT_UPDATED_FILE"
- docker exec nginx nginx -s reload
- NVALIDTHRU=$($OPENSSLBIN x509 -enddate -noout -in $CERTSTORE/$DOMAIN/fullchain.pem | awk -F= '{ print $NF }')
- echo "Certificate for $DOMAIN renewed and is valid until: $NVALIDTHRU"
- if [ "$DOMAIN" = "$MAILHOST" ]
- then
- cd /mnt/repo-base/
- docker-compose restart eelomailserver
- fi
+ echo "Checking $DOMAIN"
+ # For the first run, we have to use standalone auth because Nginx won't start 
without the cert files present.
+ if [ ! -L "$LIVE_DIR/$DOMAIN/fullchain.pem" ]; then
+ certbot certonly -d "$DOMAIN" -m "$ALT_EMAIL" --standalone --agree-tos --non-interactive \
+ --config-dir="$CONFIG_DIR"
+ else
+ CERT_UPDATED_FILE="$LIVE_DIR/$DOMAIN/cert-updated"
+ certbot certonly -d "$DOMAIN" --non-interactive --webroot \
+ --webroot-path='/mnt/repo-base/config-dynamic/letsencrypt/acme-challenge/' \
+ --config-dir="$CONFIG_DIR" \
+ --deploy-hook "touch $CERT_UPDATED_FILE"
+ # add the following parameters to test renewal (will install invalid certificates)
+ # --test-cert --force-renewal --break-my-certs
+ if [ -f "$CERT_UPDATED_FILE" ]; then
+ rm "$CERT_UPDATED_FILE"
+ VALID_UNTIL=$(openssl x509 -enddate -noout -in $LIVE_DIR/$DOMAIN/fullchain.pem | awk -F= '{ print $NF }')
+ echo "Certificate for $DOMAIN renewed and is valid until: $VALID_UNTIL"
+ docker-compose exec -T nginx nginx -s reload
+ if [ "$DOMAIN" = "$MAILHOST" ]; then
+ docker-compose restart eelomailserver
 fi
 fi
+ fi
 :;done
-- GitLab
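Review bot: `$ALT_EMAIL` and `$MAILHOST` are still read in the new branches (`-m "$ALT_EMAIL"` on the standalone call and `[ "$DOMAIN" = "$MAILHOST" ]` before the mail-server restart), but this hunk removes both `source /mnt/repo-base/scripts/base.sh` and `MAILHOST="mail.$DOMAIN"` without defining them elsewhere, so unless the caller exports them the first-run registration gets an empty contact address and the eelomailserver restart never fires, leaving the mail service on a stale certificate after renewal. Adding `: "${ALT_EMAIL:?}" "${MAILHOST:?}"` near the top (or re-sourcing base.sh) makes the dependency explicit and fails loudly instead of silently. The `cd /mnt/repo-base/` that preceded `docker-compose restart` was also dropped, so `docker-compose exec -T nginx nginx -s reload` and the restart now depend on the cron job's working directory; `cd /mnt/repo-base/ || exit 1` before the loop restores the old behaviour. Finally, `$DOMAIN` comes from the config file and is expanded unquoted in `openssl x509 -enddate -noout -in $LIVE_DIR/$DOMAIN/fullchain.pem` and inside the shell string passed to `--deploy-hook "touch $CERT_UPDATED_FILE"`; quoting it in both places (`-in "$LIVE_DIR/$DOMAIN/fullchain.pem"`, `--deploy-hook "touch '$CERT_UPDATED_FILE'"`) keeps a malformed entry from altering either command.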