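#!/command/with-contenv bash
# shellcheck shell=bash
#
# Container init for the certbot service.
#
# 1. Creates the /config layout the rest of the image expects.
# 2. Records the issuing parameters in /config/.donoteditthisfile and, when
#    they differ from the previous run, revokes and removes the old certificate.
# 3. Issues (or renews) a certificate with the selected certbot plugin and
#    writes the identical command to /config/.renew-list.sh for cron.
# 4. Optionally generates DH parameters and installs the renewal crontab.
#
# Inputs are environment variables provided by with-contenv: DOMAINS, EMAIL,
# STAGING, CUSTOM_CA, CUSTOM_CA_SERVER, PLUGIN, PROPOGATION_TIME,
# CLOUDFLARE_TOKEN, GENERATE_DHPARAM, INTERVAL, CERT_COUNT.
#
# No `set -e` on purpose: a failed certbot run must still fall through to the
# cron setup so that renewal is retried on schedule instead of the container
# dying.

# Print a message to stderr and stop the container init with a failure.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Create directory $1 if missing. Optional $2 is the mode for a newly created
# directory (used for the secrets directory so it is never world-readable).
ensure_dir() {
  if [ ! -d "$1" ]; then
    if [ -n "${2:-}" ]; then
      mkdir -m "$2" -- "$1"
    else
      mkdir -- "$1"
    fi
  fi
}

# Reject values that would let an environment-supplied name escape the
# directory it is joined to (used before rm -rf and REQUESTS_CA_BUNDLE).
safe_path_component() {
  case "$1" in
    '' | . | .. | */*) return 1 ;;
  esac
  return 0
}

# Persist the issuing parameters in a form that is safe to `source` back in.
# printf %q shell-quotes every value, so a value containing quotes or other
# metacharacters cannot inject commands into the next container start.
write_tracking_file() {
  {
    printf 'ORIGDOMAINS=%q\n' "${DOMAINS}"
    printf 'ORIGEMAIL=%q\n' "${EMAIL}"
    printf 'ORIGSTAGING=%q\n' "${STAGING}"
    printf 'ORIGCUSTOM_CA=%q\n' "${CUSTOM_CA}"
    printf 'ORIGCUSTOM_CA_SERVER=%q\n' "${CUSTOM_CA_SERVER}"
    printf 'ORIGPLUGIN=%q\n' "${PLUGIN}"
    printf 'ORIGPROPOGATION_TIME=%q\n' "${PROPOGATION_TIME}"
  } > /config/.donoteditthisfile
}

# Run certbot once now with the plugin arguments given in "$@", then append
# the identical invocation to the renew list. Reads the globals BASE_COMMAND,
# STAGING_OPT, STAGING and CUSTOM_CA_PATH set up by single_domain.
# The renew-list line is written with printf %q so that values such as EMAIL
# or DOMAINS cannot alter the command cron later executes.
run_and_record() {
  if [ "$STAGING" = "true" ]; then
    echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
  else
    echo "Using production endpoint"
  fi
  # REQUESTS_CA_BUNDLE is what makes certbot trust a custom ACME server; it
  # is applied to every plugin so issuing and renewal behave the same way.
  REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH "${BASE_COMMAND[@]}" "$@" "${STAGING_OPT[@]}"
  {
    printf 'REQUESTS_CA_BUNDLE=%q ' "$CUSTOM_CA_PATH"
    printf '%q ' "${BASE_COMMAND[@]}" "$@" "${STAGING_OPT[@]}"
    printf '\n'
  } >> /config/.renew-list.sh
  echo "Creation/renewal attempt complete"
}

# Creating needed folders and files if they don't already exist.
# .secrets holds API credentials, so it is created owner-only.
ensure_dir /config/.secrets 700
ensure_dir /config/letsencrypt
ensure_dir /config/letsencrypt/keys
ensure_dir /config/logs
[ -f /config/logs/renew.log ] || touch /config/logs/renew.log
[ -f /config/.crontab.txt ] || touch /config/.crontab.txt

# Cleanup renew list and create it fresh, ready for commands to be run and added
printf '#!/command/with-contenv bash\n\n' > /config/.renew-list.sh

# Create original config file to track changes to environmental variables
if [ ! -f /config/.donoteditthisfile ]; then
  write_tracking_file
  echo "Created .donoteditthisfile"
fi

# Load original config file (written by this script only; see write_tracking_file)
# shellcheck disable=SC1091
. /config/.donoteditthisfile

# Checking for changes to config file, revoke certs if necessary
if [ "${DOMAINS}" != "${ORIGDOMAINS}" ] \
  || [ "${EMAIL}" != "${ORIGEMAIL}" ] \
  || [ "${STAGING}" != "${ORIGSTAGING}" ] \
  || [ "${CUSTOM_CA}" != "${ORIGCUSTOM_CA}" ] \
  || [ "${CUSTOM_CA_SERVER}" != "${ORIGCUSTOM_CA_SERVER}" ] \
  || [ "${PLUGIN}" != "${ORIGPLUGIN}" ] \
  || [ "${PROPOGATION_TIME}" != "${ORIGPROPOGATION_TIME}" ]; then
  echo "Configuration has changed since the last certificate was issued. Revoking and regenerating certs"
  # certbot names the lineage after the first domain in the list
  FIRST_DOMAIN=${ORIGDOMAINS%%,*}
  ORIGCUSTOM_CA_PATH=""
  ORIGCUSTOM_CA_SERVER_OPT=()
  if [ -n "$ORIGCUSTOM_CA" ]; then
    echo "A custom CA was used for issuing. Using it to revoke as well."
    if [ ! -d /config/custom_ca ]; then
      mkdir /config/custom_ca
      echo "Please place the custom CA root file used to generate the current certificate into /config/custom_ca and restart the container"
      exit 1
    fi
    if [ -z "$(ls -A /config/custom_ca)" ]; then
      echo "A root certificate called ${ORIGCUSTOM_CA} was used to generate a certificate, but the /config/custom_ca dir is now empty. Please place this root certificate back this directory and restart the container so it can be safely revoked"
      exit 1
    fi
    safe_path_component "$ORIGCUSTOM_CA" \
      || die "CUSTOM_CA must be a plain file name inside /config/custom_ca, got: ${ORIGCUSTOM_CA}"
    ORIGCUSTOM_CA_PATH=/config/custom_ca/$ORIGCUSTOM_CA
    ORIGCUSTOM_CA_SERVER_OPT=(--server "$ORIGCUSTOM_CA_SERVER")
  fi
  if [ "$ORIGSTAGING" = "true" ]; then
    # Reusing the CUSTOM_CA_SERVER_OPT variable to add staging option if that was selected
    ORIGCUSTOM_CA_SERVER_OPT=(--server https://acme-staging-v02.api.letsencrypt.org/directory)
  fi
  if [ -f "/config/letsencrypt/live/${FIRST_DOMAIN}/fullchain.pem" ]; then
    # Never let an empty or traversing domain turn the rm -rf below into a
    # wipe of the whole archive/live/renewal tree.
    safe_path_component "$FIRST_DOMAIN" \
      || die "Refusing to remove certificate data for unsafe domain name: ${FIRST_DOMAIN}"
    # Revocation is best effort: the old lineage is removed either way so a
    # fresh one can be issued with the new parameters.
    REQUESTS_CA_BUNDLE=$ORIGCUSTOM_CA_PATH certbot revoke --non-interactive --agree-tos \
      --email "$ORIGEMAIL" \
      --config-dir /config/letsencrypt --work-dir /config/.tmp --logs-dir /config/logs \
      --cert-path "/config/letsencrypt/live/${FIRST_DOMAIN}/fullchain.pem" \
      "${ORIGCUSTOM_CA_SERVER_OPT[@]}" || true
    rm -rf -- "/config/letsencrypt/archive/${FIRST_DOMAIN:?}"
    rm -rf -- "/config/letsencrypt/live/${FIRST_DOMAIN:?}"
    rm -rf -- "/config/letsencrypt/renewal/${FIRST_DOMAIN:?}.conf"
  fi
fi

# Update config file with new env vars
write_tracking_file

# Issue or renew a certificate for the DOMAINS list using the plugin selected
# by PLUGIN, record the renewal command, generate DH params if requested and
# install the cron schedule. Exits 1 on any configuration error.
single_domain() {
  CUSTOM_CA_PATH=""
  CUSTOM_CA_SERVER_OPT=()
  if [ -n "$CUSTOM_CA" ]; then
    echo "Using a custom CA for issuing certificates"
    if [ ! -d /config/custom_ca ]; then
      mkdir /config/custom_ca
      echo "Please place your custom CA file into /config/custom_ca and restart the container"
      exit 1
    fi
    if [ -z "$(ls -A /config/custom_ca)" ]; then
      echo "The CUSTOM_CA option is populated, but the /config/custom_ca dir is empty. Please place your root certificate in this directory and restart the container"
      exit 1
    fi
    if [ -z "$CUSTOM_CA_SERVER" ]; then
      echo "CUSTOM_CA_SERVER has not been defined. It is required for using a custom CA to issue a certificate"
      exit 1
    fi
    safe_path_component "$CUSTOM_CA" \
      || die "CUSTOM_CA must be a plain file name inside /config/custom_ca, got: ${CUSTOM_CA}"
    CUSTOM_CA_PATH=/config/custom_ca/$CUSTOM_CA
    # The directory being non-empty is not enough; the named bundle must exist
    # or every TLS connection to the ACME server will fail with a cryptic error.
    [ -f "$CUSTOM_CA_PATH" ] \
      || die "CUSTOM_CA is set to ${CUSTOM_CA} but ${CUSTOM_CA_PATH} does not exist. Place the root certificate there and restart the container"
    CUSTOM_CA_SERVER_OPT=(--server "$CUSTOM_CA_SERVER")
    if [ "$STAGING" = "true" ]; then
      echo "Staging option is not supported when using a custom CA. To remove this alert, set staging to false. If your CA has a standing endpoint, use the CUSTOM_CA_SERVER option to point to it instead"
      exit 1
    fi
  fi

  # Resolve STAGING once; every plugin branch accepts exactly true or false.
  STAGING_OPT=()
  case "$STAGING" in
    true) STAGING_OPT=(--staging) ;;
    false) ;;
    *)
      echo "Unrecognised option for STAGING variable - check your configuration"
      exit 1
      ;;
  esac

  BASE_COMMAND=(certbot certonly --non-interactive
    --config-dir /config/letsencrypt --work-dir /config/.tmp --logs-dir /config/logs
    --key-path /config/letsencrypt/keys --expand --agree-tos
    "${CUSTOM_CA_SERVER_OPT[@]}" --email "$EMAIL" -d "$DOMAINS")

  case "$PLUGIN" in
    ## Run with Cloudflare plugin
    cloudflare)
      echo "Using Cloudflare plugin"
      # The credentials file is created owner-only and locked down before the
      # token is written, so it is never world-readable even briefly. This
      # also suppresses certbot's "unsafe permissions" warning.
      if [ ! -f /config/.secrets/cloudflare.ini ]; then
        (umask 077 && touch /config/.secrets/cloudflare.ini)
      fi
      chmod 600 /config/.secrets/cloudflare.ini
      if [ -n "$CLOUDFLARE_TOKEN" ]; then
        echo "Cloudflare token is present"
        printf 'dns_cloudflare_api_token = %s\n' "$CLOUDFLARE_TOKEN" > /config/.secrets/cloudflare.ini
      fi
      if [ ! -s /config/.secrets/cloudflare.ini ]; then
        echo "cloudflare.ini is empty - please add your Cloudflare credentials or API key before continuing. This can be done by setting CLOUDFLARE_TOKEN, or by editing /config/.secrets/cloudflare.ini directly"
        exit 1
      fi
      echo "Creating certificates, or attempting to renew if they already exist"
      run_and_record --dns-cloudflare \
        --dns-cloudflare-propagation-seconds "$PROPOGATION_TIME" \
        --dns-cloudflare-credentials /config/.secrets/cloudflare.ini
      ;;
    ## Run with Standalone plugin
    standalone)
      echo "Using HTTP verification via built-in web-server - please ensure port 80 is exposed."
      run_and_record --standalone
      ;;
    ## Run with webroot plugin
    webroot)
      echo "Using HTTP verification via webroot - please ensure you have mounted a webroot at /config/webroot from a web-server reachable via the domain you are issuing a certificate for."
      run_and_record --webroot --webroot-path /config/webroot
      ;;
    *)
      # Consistent with the STAGING handling: do not schedule a renewal job
      # for a configuration that cannot issue anything.
      echo "Unrecognised option for PLUGIN variable - check your configuration"
      exit 1
      ;;
  esac

  if [ "$GENERATE_DHPARAM" = "true" ] && [ ! -s /config/letsencrypt/keys/ssl-dhparams.pem ]; then
    echo "Generating Diffie-Hellman keys, saved to /config/letsencrypt/keys"
    openssl dhparam -out /config/letsencrypt/keys/ssl-dhparams.pem 4096
  fi

  [ -n "$INTERVAL" ] || die "INTERVAL is not set - a cron schedule is required for automatic renewal"
  printf '%s /certbot-renew.sh >> /config/logs/renew.log\n' "$INTERVAL" > /config/.crontab.txt
  echo "Starting automatic renewal job. Schedule is $INTERVAL"
  crontab /config/.crontab.txt
}

if [ "$CERT_COUNT" = "1" ]; then
  single_domain
fi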