diff --git a/README.md b/README.md
index bac8bb8..52d2ea8 100644
--- a/README.md
+++ b/README.md
@@ -84,7 +84,7 @@ The recommended configurations create local folders `/config` and `/letsencrypt`
 ├ `crontabs` - contains root crontab
 └ `deploy/` - contains deploy scripts for actions following successful Let's Encrypt renewal. If you add scripts, they will be run automatically following successful renewal.
-`letsencrypt/` is populated with Let's Encrypt certificates if the generation/renewal is successful.
+`letsencrypt/certs` is populated with Let's Encrypt certificates if the generation/renewal is successful.
 
 ## Application Setup
@@ -102,9 +102,8 @@ The recommended configurations create local folders `/config` and `/letsencrypt`
 ### Using certs in other containers
 * This container includes auto-generated pfx and private-fullchain-bundle pem certs that are needed by other apps like Emby and Znc, and tls.crt and tls.key certs that are needed by apps like Keycloak.
- * To use these certs in other containers, do either of the following:
- 1. *(Easier)* Mount the container's config folder in other containers (ie. `-v /path-to-le-config:/le-ssl`) and in the other containers, use the cert location `/le-ssl/keys/letsencrypt/`
- 2. *(More secure)* Mount the cert folder `/letsencrypt` (ie. `-v /path/to/letsencrypt:/le-ssl`) and in the other containers, use the cert location `/le-ssl/letsencrypt/live//` (This is more secure because the first method shares the entire certbot config folder with other containers, including the www files, whereas the second method only shares the ssl certs)
+ * To use these certs in other containers:
+ 1. Mount the cert folder `/letsencrypt/certs` (ie. `-v /path/to/letsencrypt/certs:/container/cert/dir`)
 * These certs include:
 1. `cert.pem`, `chain.pem`, `fullchain.pem` and `privkey.pem`, which are generated by Certbot and used by nginx and various other apps
 2. `privkey.pfx`, a format supported by Microsoft and commonly used by dotnet apps such as Emby Server (no password)
diff --git a/root/defaults/deploy/01_deploy-certs.sh b/root/defaults/deploy/01_deploy-certs.sh
index aa8f4bf..34a3e89 100644
--- a/root/defaults/deploy/01_deploy-certs.sh
+++ b/root/defaults/deploy/01_deploy-certs.sh
@@ -20,16 +20,19 @@ else
 fi
 RENEWED_LINEAGE=${RENEWED_LINEAGE:-$LINEAGE}
-KEYPATH="/letsencrypt"
+KEYPATH="/letsencrypt/certs"
+mkdir -p $KEYPATH
 echo "LINEAGE is ${RENEWED_LINEAGE}; KEYPATH is ${KEYPATH}"
 # Clean current KEYPATH contents
 echo "Clearing expired certs ..."
-rm -f ${KEYPATH}/*
+# echo "Ignore warnings for directories"
+rm -f ${KEYPATH}/* 2> /dev/null # this will hide errors (like not deleting directories)
 # Copy certs to keypath dest
 echo "Copying current certs ..."
 cp -L ${RENEWED_LINEAGE}/* ${KEYPATH}
+rm ${KEYPATH}/README
 # for CERTNAME in $(ls ${RENEWED_LINEAGE}); do
 # cat crt >> ${KEYPATH}/${CERTNAME}
 # done
diff --git a/root/etc/cont-init.d/50_lets-encrypt.sh b/root/etc/cont-init.d/50_lets-encrypt.sh
index 213a69a..c1bdbea 100644
--- a/root/etc/cont-init.d/50_lets-encrypt.sh
+++ b/root/etc/cont-init.d/50_lets-encrypt.sh
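Review bot: `rm ${KEYPATH}/README` on the new side runs without `-f`, `--` or quotes, so whenever the copied lineage has no README the hook prints an error and ends with a non-zero status, and this hook is also invoked from 50_lets-encrypt.sh on first generation where that noise is misleading. Either make it `rm -f -- "${KEYPATH}/README"` or, if the lineage holds only certbot's pem files as the README context suggests, avoid copying it at all with `cp -L -- "${RENEWED_LINEAGE}"/*.pem "${KEYPATH}"`, which also keeps nothing but key material in the directory users are now told to bind-mount into other containers. `mkdir -p $KEYPATH` should be quoted like the other `${KEYPATH}` uses, and the new `2> /dev/null` on the cleanup `rm` hides permission errors as well as the directory warnings the comment mentions, so a failed clean-out would go unnoticed. Separately, moving KEYPATH from `/letsencrypt` to `/letsencrypt/certs` leaves any pem files a previous version deployed at the old location untouched — nothing in this diff removes them, so containers still pointed at the old path keep reading certificates that will quietly expire; a one-time cleanup or at least a log line naming the new path would make the migration visible.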
@@ -169,19 +169,21 @@ fi
 echo -e "ORIGTLD=\"${TLD}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGEMAIL=\"${EMAIL}\"" > /config/.donoteditthisfile.conf
 # generating certs if necessary
-if [ ! -f "/letsencrypt/fullchain.pem" ]; then
+if [ ! -f "/letsencrypt/certs/fullchain.pem" ]; then
 echo "Generating new certificate"
 # shellcheck disable=SC2086
 certbot certonly --non-interactive --force-renewal --server ${ACMESERVER} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${TLD_REAL}
 # RENEWED_LINEAGE="${LINEAGE}"
 # export RENEWED_LINEAGE
 # echo "RENEWED_LINEAGE is ${RENEWED_LINEAGE}"
+
+ # force deploy script on initial generation
 if [ -f /etc/letsencrypt/renewal-hooks/deploy/01_deploy-certs.sh ]; then
 /usr/bin/with-contenv bash /etc/letsencrypt/renewal-hooks/deploy/01_deploy-certs.sh
 fi
- if [ -f /letsencrypt/fullchain.pem ]; then
- cd /letsencrypt || exit
+ if [ -f "/letsencrypt/certs/fullchain.pem" ]; then
+ cd /letsencrypt/certs || exit
 else
 echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/credentials/cloudflare.ini file."
 sleep infinity
diff --git a/root/etc/cont-init.d/60_renewal-init.sh b/root/etc/cont-init.d/60_renewal-init.sh
index a28d347..159d9a2 100644
--- a/root/etc/cont-init.d/60_renewal-init.sh
+++ b/root/etc/cont-init.d/60_renewal-init.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/with-contenv bash
 # Check if the cert is expired or expires within a day, if so, renew
-if openssl x509 -in /letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then
+if openssl x509 -in /letsencrypt/certs/fullchain.pem -noout -checkend 86400 >/dev/null; then
 echo "The cert does not expire within the next day."
 # if [ ! "${STAGING}" = "true" ]; then
 # echo "Testing renewal..."
diff --git a/scripts/buildx.sh b/scripts/buildx.sh
index ba1ca9e..21119cb 100755
--- a/scripts/buildx.sh
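Review bot: The guard `if [ ! -f "/letsencrypt/certs/fullchain.pem" ]` tests only the new location, so an existing install that upgrades with a still-valid certificate at `/letsencrypt/fullchain.pem` falls into the "Generating new certificate" branch and runs `certbot certonly ... --force-renewal` even though its certbot lineage is presumably unchanged — an avoidable forced issuance against the ACME server, which counts toward duplicate-certificate rate limits. A cheaper migration is to run the deploy hook against the existing lineage first, or to accept either path and relocate the old files, e.g. `if [ ! -f /letsencrypt/certs/fullchain.pem ] && [ ! -f /letsencrypt/fullchain.pem ]; then` followed by moving `/letsencrypt/*.pem` into `/letsencrypt/certs`. 60_renewal-init.sh makes the same single-path assumption: on first start after upgrade its `openssl x509 -checkend` call fails on the missing new-path file, which presumably routes to the renewal branch — the safe direction, but the logged reason will be misleading. The if/else this hunk edits continues past the end of the hunk.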
+++ b/scripts/buildx.sh
@@ -2,7 +2,7 @@
 # To tag images, run with `sudo bash ./scripts/buildx.sh --tag {REGISTRY}/{IMAGE}:{TAG}`
-REGISTRY="ahgraber"
+# REGISTRY="ninerealmlabs"
 # TAG=${1:-"test"}
 # define build context