275 lines
10 KiB
Bash
275 lines
10 KiB
Bash
#!/command/with-contenv bash
|
|
# shellcheck shell=bash
|
|
|
|
# Creating needed folders and files if they don't already exist
|
|
if [ ! -d /config/.secrets ]
|
|
then
|
|
mkdir /config/.secrets
|
|
fi
|
|
|
|
if [ ! -d /config/letsencrypt ]
|
|
then
|
|
mkdir /config/letsencrypt
|
|
fi
|
|
|
|
if [ ! -d /config/letsencrypt/keys ]
|
|
then
|
|
mkdir /config/letsencrypt/keys
|
|
fi
|
|
|
|
if [ ! -d /config/logs ]
|
|
then
|
|
mkdir /config/logs
|
|
fi
|
|
|
|
if [ ! -f /config/logs/renew.log ]
|
|
then
|
|
touch /config/logs/renew.log
|
|
fi
|
|
|
|
if [ ! -f /config/.crontab.txt ]
|
|
then
|
|
touch /config/.crontab.txt
|
|
fi
|
|
|
|
# Cleanup renew list and create it fresh, ready for commands to be run and added
|
|
echo "#!/command/with-contenv bash" > /config/.renew-list.sh
|
|
echo "" >> /config/.renew-list.sh
|
|
|
|
# Create original config file to track changes to environmental variables
|
|
if [ ! -f /config/.donoteditthisfile ]
|
|
then
|
|
echo -e "ORIGDOMAINS=\"${DOMAINS}\" ORIGEMAIL=\"${EMAIL}\" ORIGSTAGING=\"${STAGING}\" ORIGCUSTOM_CA=\"${CUSTOM_CA}\" ORIGCUSTOM_CA_SERVER=\"${CUSTOM_CA_SERVER}\" ORIGPLUGIN=\"${PLUGIN}\" ORIGPROPOGATION_TIME=\"${PROPOGATION_TIME}\"" > /config/.donoteditthisfile
|
|
echo "Created .donoteditthisfile"
|
|
fi
|
|
|
|
# Load original config file
|
|
. /config/.donoteditthisfile
|
|
|
|
# Checking for changes to config file, revoke certs if necessary
|
|
if [ ! "${DOMAINS}" = "${ORIGDOMAINS}" ] ||
|
|
[ ! "${EMAIL}" = "${ORIGEMAIL}" ] ||
|
|
[ ! "${STAGING}" = "${ORIGSTAGING}" ] ||
|
|
[ ! "${CUSTOM_CA}" = "${ORIGCUSTOM_CA}" ] ||
|
|
[ ! "${CUSTOM_CA_SERVER}" = "${ORIGCUSTOM_CA_SERVER}" ] ||
|
|
[ ! "${PLUGIN}" = "${ORIGPLUGIN}" ] ||
|
|
[ ! "${PROPOGATION_TIME}" = "${ORIGPROPOGATION_TIME}" ]
|
|
then
|
|
|
|
echo "Configuration has changed since the last certificate was issued. Revoking and regenerating certs"
|
|
FIRST_DOMAIN=$(echo $ORIGDOMAINS | cut -d \, -f1)
|
|
|
|
if [ ! -z $ORIGCUSTOM_CA ]
|
|
then
|
|
|
|
echo "A custom CA was used for issuing. Using it to revoke as well."
|
|
|
|
if [ ! -d /config/custom_ca ]
|
|
then
|
|
mkdir /config/custom_ca
|
|
echo "Please place the custom CA root file used to generate the current certificate into /config/custom_ca and restart the container"
|
|
exit 1
|
|
fi
|
|
|
|
if [ -z "$(ls -A /config/custom_ca)" ]
|
|
then
|
|
echo "A root certificate called ${ORIGCUSTOM_CA} was used to generate a certificate, but the /config/custom_ca dir is now empty. Please place this root certificate back this directory and restart the container so it can be safely revoked"
|
|
exit 1
|
|
fi
|
|
|
|
ORIGCUSTOM_CA_PATH=/config/custom_ca/$ORIGCUSTOM_CA
|
|
ORIGCUSTOM_CA_SERVER_OPT="--server $ORIGCUSTOM_CA_SERVER"
|
|
|
|
fi
|
|
|
|
if [ $ORIGSTAGING = "true" ]
|
|
then
|
|
|
|
# Reusing the CUSTOM_CA_SERVER_OPT variable to add staging option if that was selected
|
|
ORIGCUSTOM_CA_SERVER_OPT="--server https://acme-staging-v02.api.letsencrypt.org/directory"
|
|
|
|
fi
|
|
|
|
if [ -f /config/letsencrypt/live/"${FIRST_DOMAIN}"/fullchain.pem ]
|
|
then
|
|
|
|
REQUESTS_CA_BUNDLE=$ORIGCUSTOM_CA_PATH certbot revoke --non-interactive --agree-tos --email $ORIGEMAIL --config-dir /config/letsencrypt --work-dir /config/.tmp --logs-dir /config/logs --cert-path /config/letsencrypt/live/"${FIRST_DOMAIN}"/fullchain.pem $ORIGCUSTOM_CA_SERVER_OPT || true
|
|
|
|
rm -rf /config/letsencrypt/archive/"${FIRST_DOMAIN}"
|
|
rm -rf /config/letsencrypt/live/"${FIRST_DOMAIN}"
|
|
rm -rf /config/letsencrypt/renewal/"${FIRST_DOMAIN}".conf
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
# Update config file with new env vars
|
|
echo -e "ORIGDOMAINS=\"${DOMAINS}\" ORIGEMAIL=\"${EMAIL}\" ORIGSTAGING=\"${STAGING}\" ORIGCUSTOM_CA=\"${CUSTOM_CA}\" ORIGCUSTOM_CA_SERVER=\"${CUSTOM_CA_SERVER}\" ORIGPLUGIN=\"${PLUGIN}\" ORIGPROPOGATION_TIME=\"${PROPOGATION_TIME}\"" > /config/.donoteditthisfile
|
|
|
|
function single_domain {
|
|
|
|
if [ ! -z $CUSTOM_CA ]
|
|
then
|
|
|
|
echo "Using a custom CA for issuing certificates"
|
|
|
|
if [ ! -d /config/custom_ca ]
|
|
then
|
|
mkdir /config/custom_ca
|
|
echo "Please place your custom CA file into /config/custom_ca and restart the container"
|
|
exit 1
|
|
fi
|
|
|
|
if [ -z "$(ls -A /config/custom_ca)" ]
|
|
then
|
|
echo "The CUSTOM_CA option is populated, but the /config/custom_ca dir is empty. Please place your root certificate in this directory and restart the container"
|
|
exit 1
|
|
fi
|
|
|
|
if [ -z $CUSTOM_CA_SERVER ]
|
|
then
|
|
echo "CUSTOM_CA_SERVER has not been defined. It is required for using a custom CA to issue a certificate"
|
|
exit 1
|
|
fi
|
|
|
|
CUSTOM_CA_PATH=/config/custom_ca/$CUSTOM_CA
|
|
CUSTOM_CA_SERVER_OPT="--server $CUSTOM_CA_SERVER"
|
|
|
|
if [ $STAGING = "true" ]
|
|
then
|
|
|
|
echo "Staging option is not supported when using a custom CA. To remove this alert, set staging to false. If your CA has a standing endpoint, use the CUSTOM_CA_SERVER option to point to it instead"
|
|
exit 1
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
BASE_COMMAND=(certbot certonly --non-interactive --config-dir /config/letsencrypt --work-dir /config/.tmp --logs-dir /config/logs --key-path /config/letsencrypt/keys --expand --agree-tos $CUSTOM_CA_SERVER_OPT --email $EMAIL -d $DOMAINS)
|
|
|
|
## Run with Cloudflare plugin
|
|
if [ $PLUGIN == "cloudflare" ]
|
|
then
|
|
|
|
echo "Using Cloudflare plugin"
|
|
|
|
if [ ! -f /config/.secrets/cloudflare.ini ]
|
|
then
|
|
touch /config/.secrets/cloudflare.ini
|
|
fi
|
|
|
|
if [ -n "$CLOUDFLARE_TOKEN" ]
|
|
then
|
|
echo "Cloudflare token is present"
|
|
|
|
echo "dns_cloudflare_api_token = $CLOUDFLARE_TOKEN" > /config/.secrets/cloudflare.ini
|
|
|
|
fi
|
|
|
|
if [ ! -s /config/.secrets/cloudflare.ini ]
|
|
then
|
|
echo "cloudflare.ini is empty - please add your Cloudflare credentials or API key before continuing. This can be done by setting CLOUDFLARE_TOKEN, or by editing /config/.secrets/cloudflare.ini directly"
|
|
|
|
exit 1
|
|
fi
|
|
|
|
#Securing cloudflare.ini to supress warnings
|
|
chmod 600 /config/.secrets/cloudflare.ini
|
|
|
|
echo "Creating certificates, or attempting to renew if they already exist"
|
|
|
|
if [ $STAGING = true ]
|
|
then
|
|
echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
|
|
${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging
|
|
# Add to renewal list
|
|
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini --staging" >> /config/.renew-list.sh
|
|
echo "Creation/renewal attempt complete"
|
|
elif [ $STAGING = false ]
|
|
then
|
|
echo "Using production endpoint"
|
|
${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini
|
|
# Add to renewal list
|
|
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --dns-cloudflare --dns-cloudflare-propagation-seconds $PROPOGATION_TIME --dns-cloudflare-credentials /config/.secrets/cloudflare.ini" >> /config/.renew-list.sh
|
|
echo "Creation/renewal attempt complete"
|
|
else
|
|
echo "Unrecognised option for STAGING variable - check your configuration"
|
|
|
|
exit 1
|
|
fi
|
|
|
|
## Run with Standalone plugin
|
|
elif [ $PLUGIN == "standalone" ]
|
|
then
|
|
|
|
echo "Using HTTP verification via built-in web-server - please ensure port 80 is exposed."
|
|
|
|
if [ $STAGING = true ]
|
|
then
|
|
echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
|
|
REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone --staging
|
|
# Add to renewal list
|
|
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone --staging" >> /config/.renew-list.sh
|
|
echo "Creation/renewal attempt complete"
|
|
elif [ $STAGING = false ]
|
|
then
|
|
echo "Using production endpoint"
|
|
REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone
|
|
# Add to renewal list
|
|
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --standalone" >> /config/.renew-list.sh
|
|
echo "Creation/renewal attempt complete"
|
|
else
|
|
echo "Unrecognised option for STAGING variable - check your configuration"
|
|
|
|
exit 1
|
|
fi
|
|
|
|
## Run with webroot plugin
|
|
elif [ $PLUGIN == "webroot" ]
|
|
then
|
|
|
|
echo "Using HTTP verification via webroot - please ensure you have mounted a webroot at /config/webroot from a web-server reachable via the domain you are issuing a certificate for."
|
|
|
|
if [ $STAGING = true ]
|
|
then
|
|
echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
|
|
REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging
|
|
# Add to renewal list
|
|
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot --staging" >> /config/.renew-list.sh
|
|
echo "Creation/renewal attempt complete"
|
|
elif [ $STAGING = false ]
|
|
then
|
|
echo "Using production endpoint"
|
|
REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot
|
|
# Add to renewal list
|
|
echo "REQUESTS_CA_BUNDLE=$CUSTOM_CA_PATH ${BASE_COMMAND[@]} --webroot --webroot-path /config/webroot" >> /config/.renew-list.sh
|
|
echo "Creation/renewal attempt complete"
|
|
else
|
|
echo "Unrecognised option for STAGING variable - check your configuration"
|
|
|
|
exit 1
|
|
fi
|
|
|
|
else
|
|
|
|
echo "Unrecognised option for PLUGIN variable - check your configuration"
|
|
|
|
fi
|
|
|
|
if [ $GENERATE_DHPARAM = true ] && [ ! -s /config/letsencrypt/keys/ssl-dhparams.pem ]
|
|
then
|
|
echo "Generating Diffie-Hellman keys, saved to /config/letsencrypt/keys"
|
|
openssl dhparam -out /config/letsencrypt/keys/ssl-dhparams.pem 4096
|
|
fi
|
|
|
|
echo "$INTERVAL /certbot-renew.sh >> /config/logs/renew.log" > /config/.crontab.txt
|
|
|
|
echo "Starting automatic renewal job. Schedule is $INTERVAL"
|
|
crontab /config/.crontab.txt
|
|
|
|
}
|
|
|
|
if [ $CERT_COUNT == 1 ]
|
|
then
|
|
single_domain
|
|
fi |