MrMeeb/certbot-cron-docker
1
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 7 Wiki Activity

Add support for alerting on success or failure of renewal

Browse Source 
Installs apprise and allows config of alerting for successful or failed renewals. Currently only supports renewals, not inital issuing. Not necessarily a problem as I'd hope you'd be watching the logs on first run.
I don't love how I create /config/.renew-list.sh. I should readdress this somehow
This commit is contained in:
MrMeeb 2024-05-12 20:18:34 +00:00 committed by MrMeeb
parent 1dce5880f3
commit ff11414fa0
5 changed files with 73 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Dockerfile
View File

@ -18,6 +18,9 @@ ENV TZ=UTC
ENV GENERATE_DHPARAM=true
ENV INTERVAL="0 */6 * * *"
ENV ONE_SHOT=false
ENV APPRISE_URL=
ENV NOTIFY_ON_FAILURE=false
ENV NOTIFY_ON_SUCCESS=false
# Single domain
ENV DOMAINS=
@ -63,13 +66,13 @@ RUN apk add --no-cache --virtual .deps gcc python3-dev libc-dev libffi-dev && \
/app/certbot/bin/pip install "Cython<3.0" pyyaml --no-build-isolation && \
/app/certbot/bin/pip install -r /app/certbot/requirements.txt && \
ln -s /app/certbot/bin/certbot /usr/bin/certbot && \
ln -s /app/certbot/bin/apprise /usr/bin/apprise && \
apk del .deps
COPY root /
RUN chmod +x /container-init.sh && \
chmod +x /certbot-prepare.sh && \
chmod +x /certbot-renew.sh && \
chmod +x /check-one-shot.sh && \
chown -R ${PUID}:${PGID} /app /config

3
requirements.txt
View File

@ -1,4 +1,5 @@
# For pinning Certbot packages to then be parsed by Renovate
# For pinning Python packages to then be parsed by Renovate
certbot ==2.10.0
certbot-dns-cloudflare ==2.10.0
apprise ==1.8.0

73
root/certbot-prepare.sh
View File

@ -46,9 +46,48 @@ function better_exit {
}
# Check APPRISE_URL is set if either NOTIFY_ON_SUCCESS or NOTIFY_ON_FAILURE are set
if [ ! -z "${NOTIFY_ON_SUCCESS}" ] || [ ! -z "${NOTIFY_ON_FAILURE}" ] && [ -z "${APPRISE_URL}" ]; then
echo "You have notifications enabled but have not set APPRISE_URL. Please set APPRISE_URL and restart the container."
better_exit
fi
# Cleanup renew list and create it fresh, ready for commands to be run and added
echo "#!/command/with-contenv bash" > /config/.renew-list.sh
echo "" >> /config/.renew-list.sh
echo "#!/command/with-contenv bash
date
echo \"Attempting to renew certificates\"
function renew() {
#Variables:
#\$1 = Certbot command
RENEWAL_DOMAINS=\$(echo \$1 | sed -r 's/.*\s-d\s(\S*).*/\1/')
CUSTOM_CA_PATH=\$(echo \$1 | sed -r 's/REQUESTS_CA_BUNDLE=(\S*)\s(.*)/\1/')
CERTBOT_COMMAND=\$(echo \$1 | sed -r 's/REQUESTS_CA_BUNDLE=(\S*)\s(.*)/\2/')
echo \"Renewing certificate for \${RENEWAL_DOMAINS}\"
echo \"REQUESTS_CA_BUNDLE=\${CUSTOM_CA_PATH} \${CERTBOT_COMMAND}\" | bash
if [ \$? = 0 ]; then
echo \"Renewal attempt of certificate for \${RENEWAL_DOMAINS} succeeded\"
if [ \"\${NOTIFY_ON_SUCCESS}\" = \"true\" ]; then
apprise -b \"Renewal of certificate for \${RENEWAL_DOMAINS} succeeded\" \${APPRISE_URL}
fi
else
echo \"Renewal attempt of certificate for \${RENEWAL_DOMAINS} failed\"
if [ \"\${NOTIFY_ON_FAILURE}\" = \"true\" ]; then
apprise -b \"Renewal of certificate for \${RENEWAL_DOMAINS} failed\" \${APPRISE_URL}
fi
fi
}
" > /config/.renew-list.sh
chmod +x /config/.renew-list.sh
# Create original config file to track changes to environmental variables
if [ ! -f /config/.donoteditthisfile ]
@ -306,14 +345,14 @@ function single_domain {
echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging
# Add to renewal list
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging" >> /config/.renew-list.sh
echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging\"" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete"
elif [ $STAGING = false ]
then
echo "Using production endpoint"
${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini
# Add to renewal list
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini" >> /config/.renew-list.sh
echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini\"" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete"
else
echo "Unrecognised option for STAGING variable - check your configuration"
@ -332,14 +371,14 @@ function single_domain {
echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone --staging
# Add to renewal list
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone --staging" >> /config/.renew-list.sh
echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone --staging\"" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete"
elif [ $STAGING = false ]
then
echo "Using production endpoint"
REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone
# Add to renewal list
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone" >> /config/.renew-list.sh
echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone\"" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete"
else
echo "Unrecognised option for STAGING variable - check your configuration"
@ -358,14 +397,14 @@ function single_domain {
echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging
# Add to renewal list
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging" >> /config/.renew-list.sh
echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging\"" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete"
elif [ $STAGING = false ]
then
echo "Using production endpoint"
REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot
# Add to renewal list
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot" >> /config/.renew-list.sh
echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot\"" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete"
else
echo "Unrecognised option for STAGING variable - check your configuration"
@ -631,7 +670,7 @@ echo \
${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging
# Add to renewal list
echo "## Certificate ${x}" >> /config/.renew-list.sh
echo "${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging" >> /config/.renew-list.sh
echo "renew \"${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging\"" >> /config/.renew-list.sh
echo "" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete"
elif [ ${STAGING_MULTI} = false ]
@ -640,7 +679,7 @@ echo \
${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini
# Add to renewal list
echo "## Certificate ${x}" >> /config/.renew-list.sh
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini" >> /config/.renew-list.sh
echo "renew \"REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds ${PROPOGATION_TIME_MULTI} --dns-cloudflare-credentials /config/.secrets/cloudflare.ini\"" >> /config/.renew-list.sh
echo "" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete"
else
@ -661,7 +700,7 @@ echo \
REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone --staging
# Add to renewal list
echo "## Certificate ${x}" >> /config/.renew-list.sh
echo "REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone --staging" >> /config/.renew-list.sh
echo "renew \"REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone --staging\"" >> /config/.renew-list.sh
echo "" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete"
elif [ ${STAGING_MULTI} = false ]
@ -670,7 +709,7 @@ echo \
REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone
# Add to renewal list
echo "## Certificate ${x}" >> /config/.renew-list.sh
echo "REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone" >> /config/.renew-list.sh
echo "renew \"REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --standalone\"" >> /config/.renew-list.sh
echo "" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete"
else
@ -691,7 +730,7 @@ echo \
REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging
# Add to renewal list
echo "## Certificate ${x}" >> /config/.renew-list.sh
echo "REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging" >> /config/.renew-list.sh
echo "renew \"REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging\"" >> /config/.renew-list.sh
echo "" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete"
elif [ ${STAGING_MULTI} = false ]
@ -700,7 +739,7 @@ echo \
REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot
# Add to renewal list
echo "## Certificate ${x}" >> /config/.renew-list.sh
echo "REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot" >> /config/.renew-list.sh
echo "renew \"REQUESTS_CA_BUNDLE=${CUSTOM_CA_PATH_MULTI} ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot\"" >> /config/.renew-list.sh
echo "" >> /config/.renew-list.sh
echo "Creation/renewal attempt complete"
else
@ -754,6 +793,10 @@ else
echo "CERT_COUNT varaible not recognised. It needs to be a value of 1 or greater."
fi
# Finish /config/.renew-list.sh now all certs have been added
echo "
echo \"Renewal attempts complete\"" >> /config/.renew-list.sh
if [ $GENERATE_DHPARAM = true ] && [ ! -s /config/letsencrypt/keys/ssl-dhparams.pem ]
then
echo ""
@ -769,7 +812,7 @@ if [ $ONE_SHOT == "true" ]; then
elif [ $ONE_SHOT == "false" ]; then
echo "$INTERVAL /certbot-renew.sh >> /config/logs/renew.log" > /config/.crontab.txt
echo "$INTERVAL /config/.renew-list.sh >> /config/logs/renew.log" > /config/.crontab.txt
echo ""

6
root/certbot-renew.sh
View File

@ -1,6 +0,0 @@
#!/command/with-contenv bash
# shellcheck shell=bash
echo ''
date
echo "Attempting to renew certificates"
bash /config/.renew-list.sh

8
root/container-init.sh
View File

@ -31,7 +31,13 @@ TZ=${TZ}
ONE_SHOT=${ONE_SHOT}
INTERVAL=${INTERVAL}
GENERATE_DHPARAM=${GENERATE_DHPARAM}
CERT_COUNT=${CERT_COUNT}"
CERT_COUNT=${CERT_COUNT}
NOTIFY_ON_SUCCESS=${NOTIFY_ON_SUCCESS}
NOTIFY_ON_FAILURE=${NOTIFY_ON_FAILURE}"
if [ ! -z ${APPRISE_URL} ]; then
echo \
"APPRISE_URL=[hidden]"
fi
## Send extra detail to logs if single certificate config
if [ ${CERT_COUNT} == 1 ]; then
echo \