208 lines
7.2 KiB
Bash
208 lines
7.2 KiB
Bash
#!/command/with-contenv bash
|
|
# shellcheck shell=bash
|
|
|
|
#Creating needed folders and files if they don't already exist
|
|
if [ ! -d /config/.secrets ]
|
|
then
|
|
mkdir /config/.secrets
|
|
fi
|
|
|
|
if [ ! -d /config/letsencrypt ]
|
|
then
|
|
mkdir /config/letsencrypt
|
|
fi
|
|
|
|
if [ ! -d /config/letsencrypt/keys ]
|
|
then
|
|
mkdir /config/letsencrypt/keys
|
|
fi
|
|
|
|
if [ ! -d /config/logs ]
|
|
then
|
|
mkdir /config/logs
|
|
fi
|
|
|
|
if [ ! -f /config/logs/renew.log ]
|
|
then
|
|
touch /config/logs/renew.log
|
|
fi
|
|
|
|
if [ ! -f /config/.crontab.txt ]
|
|
then
|
|
touch /config/.crontab.txt
|
|
fi
|
|
|
|
#Cleanup renew list and create it fresh, ready for commands to be run and added
|
|
echo "#!/command/with-contenv bash" > /config/renew-list.sh
|
|
echo "" >> /config/.renew-list.sh
|
|
|
|
function single_domain {
|
|
|
|
if [ ! -z $CUSTOM_CA ]
|
|
then
|
|
|
|
echo "Using a custom CA for issuing certificates"
|
|
|
|
if [ ! -d /config/custom_ca ]
|
|
then
|
|
mkdir /config/custom_ca
|
|
echo "Please place your custom CA file into /config/custom_ca and restart the container"
|
|
exit 1
|
|
fi
|
|
|
|
if [ -z "$(ls -A /config/custom_ca)" ]
|
|
then
|
|
echo "The CUSTOM_CA option is populated, but the /config/custom_ca dir is empty. Please place your root certificate in this directory and restart the container"
|
|
exit 1
|
|
fi
|
|
|
|
if [ -z $CUSTOM_CA_SERVER ]
|
|
then
|
|
echo "CUSTOM_CA_SERVER has not been defined. It is required for using a custom CA to issue a certificate"
|
|
exit 1
|
|
fi
|
|
|
|
#REQUESTS_CA_BUNDLE=/config/custom_ca/$CUSTOM_CA
|
|
|
|
CUSTOM_CA_PATH=/config/custom_ca/$CUSTOM_CA
|
|
CUSTOM_CA_SERVER_OPT="--server $CUSTOM_CA_SERVER"
|
|
|
|
if [ $STAGING ]
|
|
then
|
|
|
|
echo "Staging is not supported when using a custom CA, so overriding. To remove this alert, set staging to false."
|
|
|
|
STAGING=false
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
BASE_COMMAND=(certbot certonly --non-interactive --config-dir /config/letsencrypt --work-dir /config/.tmp --logs-dir /config/logs --key-path /config/letsencrypt/keys --expand --agree-tos $CUSTOM_CA_SERVER_OPT --email $EMAIL -d $DOMAINS)
|
|
|
|
## Run with Cloudflare plugin
|
|
if [ $PLUGIN == "cloudflare" ]
|
|
then
|
|
|
|
echo "Using Cloudflare plugin"
|
|
|
|
if [ ! -f /config/.secrets/cloudflare.ini ]
|
|
then
|
|
touch /config/.secrets/cloudflare.ini
|
|
fi
|
|
|
|
if [ -n "$CLOUDFLARE_TOKEN" ]
|
|
then
|
|
echo "Cloudflare token is present"
|
|
|
|
echo "dns_cloudflare_api_token = $CLOUDFLARE_TOKEN" > /config/.secrets/cloudflare.ini
|
|
|
|
fi
|
|
|
|
if [ ! -s /config/.secrets/cloudflare.ini ]
|
|
then
|
|
echo "cloudflare.ini is empty - please add your Cloudflare credentials or API key before continuing. This can be done as an ENV var, or by editing the file directly"
|
|
|
|
exit 1
|
|
fi
|
|
|
|
#Securing cloudflare.ini to supress warnings
|
|
chmod 600 /config/.secrets/cloudflare.ini
|
|
|
|
echo "Creating certificates, or attempting to renew if they already exist"
|
|
|
|
if [ $STAGING = true ]
|
|
then
|
|
echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
|
|
${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging
|
|
# Add to renewal list
|
|
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging" >> /config/renew-list.sh
|
|
echo "Creation/renewal attempt complete"
|
|
elif [ $STAGING = false ]
|
|
then
|
|
echo "Using production endpoint"
|
|
${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini
|
|
# Add to renewal list
|
|
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini" >> /config/renew-list.sh
|
|
echo "Creation/renewal attempt complete"
|
|
else
|
|
echo "Unrecognised option for STAGING variable - check your configuration"
|
|
|
|
exit 1
|
|
fi
|
|
|
|
## Run with Standalone plugin
|
|
elif [ $PLUGIN == "standalone" ]
|
|
then
|
|
|
|
echo "Using HTTP verification via built-in web-server - please ensure port 80 is exposed."
|
|
|
|
if [ $STAGING = true ]
|
|
then
|
|
echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
|
|
REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone --staging
|
|
# Add to renewal list
|
|
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone --staging" >> /config/renew-list.sh
|
|
echo "Creation/renewal attempt complete"
|
|
elif [ $STAGING = false ]
|
|
then
|
|
echo "Using production endpoint"
|
|
REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone
|
|
# Add to renewal list
|
|
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone" >> /config/renew-list.sh
|
|
echo "Creation/renewal attempt complete"
|
|
else
|
|
echo "Unrecognised option for STAGING variable - check your configuration"
|
|
|
|
exit 1
|
|
fi
|
|
|
|
## Run with webroot plugin
|
|
elif [ $PLUGIN == "webroot" ]
|
|
then
|
|
|
|
echo "Using HTTP verification via webroot - please ensure you have mounted a webroot at /config/webroot from a web-server reachable via the domain you are issuing a certificate for."
|
|
|
|
if [ $STAGING = true ]
|
|
then
|
|
echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
|
|
REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging
|
|
# Add to renewal list
|
|
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging" >> /config/renew-list.sh
|
|
echo "Creation/renewal attempt complete"
|
|
elif [ $STAGING = false ]
|
|
then
|
|
echo "Using production endpoint"
|
|
REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot
|
|
# Add to renewal list
|
|
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot" >> /config/renew-list.sh
|
|
echo "Creation/renewal attempt complete"
|
|
else
|
|
echo "Unrecognised option for STAGING variable - check your configuration"
|
|
|
|
exit 1
|
|
fi
|
|
|
|
else
|
|
|
|
echo "Unrecognised option for PLUGIN variable - check your configuration"
|
|
|
|
fi
|
|
|
|
if [ $GENERATE_DHPARAM = true ] && [ ! -s /config/letsencrypt/keys/ssl-dhparams.pem ]
|
|
then
|
|
echo "Generating Diffie-Hellman keys, saved to /config/letsencrypt/keys"
|
|
openssl dhparam -out /config/letsencrypt/keys/ssl-dhparams.pem 4096
|
|
fi
|
|
|
|
echo "$INTERVAL /certbot-renew.sh >> /config/logs/renew.log" > /config/.crontab.txt
|
|
|
|
echo "Starting automatic renewal job. Schedule is $INTERVAL"
|
|
crontab /config/.crontab.txt
|
|
|
|
}
|
|
|
|
if [ $CERT_COUNT == 1 ]
|
|
then
|
|
single_domain
|
|
fi |