From 6c2f943032f9b0e3a4409e61d024acecfaba3bd0 Mon Sep 17 00:00:00 2001 From: Krisztian Szegi Date: Fri, 29 Oct 2021 08:42:52 +0200 Subject: [PATCH 1/4] Remove unneeded '/' escape in nginx's location regexes There ISN'T ANY delimiter in nginx's location regex, as there is no replace! Therefore escaping '/' just makes these locations harder to read! --- templates/nginx/sites-enabled/nextcloud.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/nginx/sites-enabled/nextcloud.conf b/templates/nginx/sites-enabled/nextcloud.conf index 0f40745..ebc8da0 100644 --- a/templates/nginx/sites-enabled/nextcloud.conf +++ b/templates/nginx/sites-enabled/nextcloud.conf @@ -73,8 +73,8 @@ server { deny all; } - location ~ ^/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) { - fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; + location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy)\.php(?:$|/) { + fastcgi_split_path_info ^(.+?\.php)(/.*|)$; set $path_info $fastcgi_path_info; try_files $fastcgi_script_name =404; include fastcgi_params; @@ -88,7 +88,7 @@ server { fastcgi_request_buffering off; } - location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { + location ~ ^/(?:updater|oc[ms]-provider)(?:$|/) { try_files $uri/ =404; index index.php; } -- GitLab From 3737a61fbd5661c131f75b5c301fb6d37efa8cb0 Mon Sep 17 00:00:00 2001 From: Krisztian Szegi Date: Fri, 29 Oct 2021 16:43:25 +0200 Subject: [PATCH 2/4] Fix premature ssl-renew script termination - script no longer exits on first renewed (sub)domain! - nginx doesn't restart for every renewed (sub)domain! - can handle multi-domain lines in ssl-domains.dat e.g: "example.cloud www.example.cloud" --- scripts/ssl-renew.sh | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) 
diff --git a/scripts/ssl-renew.sh b/scripts/ssl-renew.sh
index 2fd4cab..3e138b7 100755
--- a/scripts/ssl-renew.sh
+++ b/scripts/ssl-renew.sh
@@ -7,28 +7,41 @@ CONFIG=/mnt/repo-base/config/letsencrypt/autorenew/ssl-domains.dat CONFIG_DIR=/mnt/repo-base/config/letsencrypt/certstore LIVE_DIR=$CONFIG_DIR/live -cat "$CONFIG" | while read DOMAIN; do +NEED_NGINX_RESTART=false + +while read -ra DOMAIN_ARGS +do + DOMAIN="${DOMAIN_ARGS[0]}" echo "Checking $DOMAIN" + i=0 + for domain in "${DOMAIN_ARGS[@]}"; do DOMAIN_ARGS[$i]="-d $domain"; ((++i)); done # For the first run, we have to use standalone auth because Nginx won't start without the cert files present. if [ ! -L "$LIVE_DIR/$DOMAIN/fullchain.pem" ]; then - certbot certonly -d "$DOMAIN" -m "$ALT_EMAIL" --standalone --agree-tos --non-interactive \ + certbot certonly "${DOMAIN_ARGS[@]}" -m "$ALT_EMAIL" --standalone --agree-tos --non-interactive --expand \ --config-dir="$CONFIG_DIR" else CERT_UPDATED_FILE="$LIVE_DIR/$DOMAIN/cert-updated" - certbot certonly -d "$DOMAIN" --non-interactive -m "$ALT_EMAIL" --agree-tos \ - --webroot --webroot-path='/mnt/repo-base/config/letsencrypt/acme-challenge/' \ + certbot certonly "${DOMAIN_ARGS[@]}" --non-interactive -m "$ALT_EMAIL" --agree-tos --expand \ + --webroot --webroot-path='/mnt/repo-base/config-dynamic/letsencrypt/acme-challenge/' \ --config-dir="$CONFIG_DIR" \ --deploy-hook "touch $CERT_UPDATED_FILE" # add the following parameters to test renewal (will install invalid certificates) # --test-cert --force-renewal --break-my-certs if [ -f "$CERT_UPDATED_FILE" ]; then + NEED_NGINX_RESTART="true" rm "$CERT_UPDATED_FILE" VALID_UNTIL=$(openssl x509 -enddate -noout -in $LIVE_DIR/$DOMAIN/fullchain.pem | awk -F= '{ print $NF }') echo "Certificate for $DOMAIN renewed and is valid until: $VALID_UNTIL" - docker-compose exec -T nginx nginx -s reload if [ "$DOMAIN" = "$MAILHOST" ]; then - docker-compose restart mailserver + docker-compose restart eelomailserver fi fi fi -:;done +done <<< "$(cat $CONFIG)" + +if [ "$NEED_NGINX_RESTART" = true ]; then + docker-compose exec -T nginx nginx -s reload + echo "Nginx restarted, as at 
least one certificate has been renewed." +else + echo "No certificate renewed, no need to restart Nginx." +fi -- GitLab From 88da718751eedd35f99a58a20b60ef7e6fc72ad6 Mon Sep 17 00:00:00 2001 From: Krisztian Szegi Date: Fri, 29 Oct 2021 16:51:04 +0200 Subject: [PATCH 3/4] Fix unwanted name reverting of "mailserver" container --- scripts/ssl-renew.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/ssl-renew.sh b/scripts/ssl-renew.sh index 3e138b7..e8f17e4 100755 --- a/scripts/ssl-renew.sh +++ b/scripts/ssl-renew.sh @@ -33,7 +33,7 @@ do VALID_UNTIL=$(openssl x509 -enddate -noout -in $LIVE_DIR/$DOMAIN/fullchain.pem | awk -F= '{ print $NF }') echo "Certificate for $DOMAIN renewed and is valid until: $VALID_UNTIL" if [ "$DOMAIN" = "$MAILHOST" ]; then - docker-compose restart eelomailserver + docker-compose restart mailserver fi fi fi -- GitLab From f3f2cae00c87c988e223e43aa8a333d5156c84bd Mon Sep 17 00:00:00 2001 From: Krisztian Szegi Date: Tue, 2 Nov 2021 10:43:49 +0100 Subject: [PATCH 4/4] Cleanup path variables and certbot args --- scripts/ssl-renew.sh | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/scripts/ssl-renew.sh b/scripts/ssl-renew.sh index e8f17e4..4d71c91 100755 --- a/scripts/ssl-renew.sh +++ b/scripts/ssl-renew.sh @@ -3,9 +3,11 @@ source /mnt/repo-base/scripts/base.sh -CONFIG=/mnt/repo-base/config/letsencrypt/autorenew/ssl-domains.dat -CONFIG_DIR=/mnt/repo-base/config/letsencrypt/certstore -LIVE_DIR=$CONFIG_DIR/live +CONFIG_DIR_ROOT=/mnt/repo-base/config/letsencrypt +CERTS_DIR=$CONFIG_DIR_ROOT/certstore +CHALLENGE_DIR=$CONFIG_DIR_ROOT/acme-challenge +LIVE_DIR=$CERTS_DIR/live +CONFIG=$CONFIG_DIR_ROOT/autorenew/ssl-domains.dat NEED_NGINX_RESTART=false 
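Review bot: The new line `for domain in "${DOMAIN_ARGS[@]}"; do DOMAIN_ARGS[$i]="-d $domain"; ((++i)); done` packs the flag and its value into one word, so certbot receives argv entries like `-d example.cloud` (a single argument with an embedded space) instead of `-d` and `example.cloud`; it appears to work only because certbot's own `-d` handling strips whitespace after it splits the value, which is not something this script should rely on. Building a separate array keeps the intent explicit: `CERTBOT_DOMAINS=(); for domain in "${DOMAIN_ARGS[@]}"; do CERTBOT_DOMAINS+=(-d "$domain"); done`, then `certbot certonly "${CERTBOT_DOMAINS[@]}" …` in both branches. A blank or commented line in ssl-domains.dat now yields an empty array, so `DOMAIN` is empty (or the script aborts under `set -u`, depending on what base.sh sets) and certbot is invoked without any `-d`, which `--non-interactive` turns into a failed run; a guard such as `[ "${#DOMAIN_ARGS[@]}" -eq 0 ] && continue` before `echo "Checking $DOMAIN"` avoids that. The closing message says Nginx was restarted while the command is `nginx -s reload`; `echo "Nginx configuration reloaded, as at least one certificate has been renewed."` describes what actually happens.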
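Review bot: `CHALLENGE_DIR=$CONFIG_DIR_ROOT/acme-challenge` resolves to `/mnt/repo-base/config/letsencrypt/acme-challenge`, which quietly undoes the move to `/mnt/repo-base/config-dynamic/letsencrypt/acme-challenge/` made by the previous commit in this series; the `@@ -17,14 +19,14 @@` hunk then passes it as `--webroot-path="$CHALLENGE_DIR"`. Neither commit message mentions the directory, and which path the nginx template serves for `/.well-known/acme-challenge/` is not visible here; if it is the `config-dynamic` one, every webroot renewal will fail the HTTP-01 challenge after this change. If `config/` is the intended location, a comment above the assignment, `# must match the directory nginx serves for /.well-known/acme-challenge/`, would document the coupling; otherwise the line should read `CHALLENGE_DIR=/mnt/repo-base/config-dynamic/letsencrypt/acme-challenge` as in the previous commit.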
@@ -17,14 +19,14 @@ do for domain in "${DOMAIN_ARGS[@]}"; do DOMAIN_ARGS[$i]="-d $domain"; ((++i)); done # For the first run, we have to use standalone auth because Nginx won't start without the cert files present. if [ ! -L "$LIVE_DIR/$DOMAIN/fullchain.pem" ]; then - certbot certonly "${DOMAIN_ARGS[@]}" -m "$ALT_EMAIL" --standalone --agree-tos --non-interactive --expand \ - --config-dir="$CONFIG_DIR" + certbot certonly "${DOMAIN_ARGS[@]}" -m "$ALT_EMAIL" --agree-tos --non-interactive --standalone \ + --config-dir="$CERTS_DIR" else CERT_UPDATED_FILE="$LIVE_DIR/$DOMAIN/cert-updated" - certbot certonly "${DOMAIN_ARGS[@]}" --non-interactive -m "$ALT_EMAIL" --agree-tos --expand \ - --webroot --webroot-path='/mnt/repo-base/config-dynamic/letsencrypt/acme-challenge/' \ - --config-dir="$CONFIG_DIR" \ - --deploy-hook "touch $CERT_UPDATED_FILE" + certbot certonly "${DOMAIN_ARGS[@]}" -m "$ALT_EMAIL" --agree-tos --non-interactive --expand \ + --config-dir="$CERTS_DIR" \ + --deploy-hook "touch $CERT_UPDATED_FILE" \ + --webroot --webroot-path="$CHALLENGE_DIR" # add the following parameters to test renewal (will install invalid certificates) # --test-cert --force-renewal --break-my-certs if [ -f "$CERT_UPDATED_FILE" ]; then -- GitLab