fossilfranv/nginx_docker-swag
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update for cert location

Browse Source
This commit is contained in:
ahgraber 2021-03-13 21:50:59 -05:00
parent 8d1bf4f3e6
commit 05b068873c
5 changed files with 15 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
README.md
View File

@ -84,7 +84,7 @@ The recommended configurations create local folders `/config` and `/letsencrypt`
`crontabs` - contains root crontab `crontabs` - contains root crontab
`deploy/` - contains deploy scripts for actions following successful Let's Encrypt renewal. If you add scripts, they will be run automatically following successful renewal. `deploy/` - contains deploy scripts for actions following successful Let's Encrypt renewal. If you add scripts, they will be run automatically following successful renewal.
`letsencrypt/` is populated with Let's Encrypt certificates if the generation/renewal is successful. `letsencrypt/certs` is populated with Let's Encrypt certificates if the generation/renewal is successful.
   
## Application Setup ## Application Setup
@ -102,9 +102,8 @@ The recommended configurations create local folders `/config` and `/letsencrypt`
### Using certs in other containers ### Using certs in other containers
* This container includes auto-generated pfx and private-fullchain-bundle pem certs that are needed by other apps like Emby and Znc, and tls.crt and tls.key certs that are needed by apps like Keycloak. * This container includes auto-generated pfx and private-fullchain-bundle pem certs that are needed by other apps like Emby and Znc, and tls.crt and tls.key certs that are needed by apps like Keycloak.
* To use these certs in other containers, do either of the following: * To use these certs in other containers:
1. *(Easier)* Mount the container's config folder in other containers (ie. `-v /path-to-le-config:/le-ssl`) and in the other containers, use the cert location `/le-ssl/keys/letsencrypt/` 1. Mount the cert folder `/letsencrypt/certs` (ie. `-v /path/to/letsencrypt/certs:/container/cert/dir`)
2. *(More secure)* Mount the cert folder `/letsencrypt` (ie. `-v /path/to/letsencrypt:/le-ssl`) and in the other containers, use the cert location `/le-ssl/letsencrypt/live/<your.domain.url>/` (This is more secure because the first method shares the entire certbot config folder with other containers, including the www files, whereas the second method only shares the ssl certs)
* These certs include: * These certs include:
1. `cert.pem`, `chain.pem`, `fullchain.pem` and `privkey.pem`, which are generated by Certbot and used by nginx and various other apps 1. `cert.pem`, `chain.pem`, `fullchain.pem` and `privkey.pem`, which are generated by Certbot and used by nginx and various other apps
2. `privkey.pfx`, a format supported by Microsoft and commonly used by dotnet apps such as Emby Server (no password) 2. `privkey.pfx`, a format supported by Microsoft and commonly used by dotnet apps such as Emby Server (no password)

7
root/defaults/deploy/01_deploy-certs.sh
View File

@ -20,16 +20,19 @@ else
fi fi
RENEWED_LINEAGE=${RENEWED_LINEAGE:-$LINEAGE} RENEWED_LINEAGE=${RENEWED_LINEAGE:-$LINEAGE}
KEYPATH="/letsencrypt" KEYPATH="/letsencrypt/certs"
mkdir -p $KEYPATH
echo "LINEAGE is ${RENEWED_LINEAGE}; KEYPATH is ${KEYPATH}" echo "LINEAGE is ${RENEWED_LINEAGE}; KEYPATH is ${KEYPATH}"
# Clean current KEYPATH contents # Clean current KEYPATH contents
echo "Clearing expired certs ..." echo "Clearing expired certs ..."
rm -f ${KEYPATH}/* # echo "Ignore warnings for directories"
rm -f ${KEYPATH}/* 2> /dev/null # this will hide errors (like not deleting directories)
# Copy certs to keypath dest # Copy certs to keypath dest
echo "Copying current certs ..." echo "Copying current certs ..."
cp -L ${RENEWED_LINEAGE}/* ${KEYPATH} cp -L ${RENEWED_LINEAGE}/* ${KEYPATH}
rm ${KEYPATH}/README
# for CERTNAME in $(ls ${RENEWED_LINEAGE}); do # for CERTNAME in $(ls ${RENEWED_LINEAGE}); do
# cat crt >> ${KEYPATH}/${CERTNAME} # cat crt >> ${KEYPATH}/${CERTNAME}
# done # done

8
root/etc/cont-init.d/50_lets-encrypt.sh
View File

@ -169,19 +169,21 @@ fi
echo -e "ORIGTLD=\"${TLD}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGEMAIL=\"${EMAIL}\"" > /config/.donoteditthisfile.conf echo -e "ORIGTLD=\"${TLD}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGEMAIL=\"${EMAIL}\"" > /config/.donoteditthisfile.conf
# generating certs if necessary # generating certs if necessary
if [ ! -f "/letsencrypt/fullchain.pem" ]; then if [ ! -f "/letsencrypt/certs/fullchain.pem" ]; then
echo "Generating new certificate" echo "Generating new certificate"
# shellcheck disable=SC2086 # shellcheck disable=SC2086
certbot certonly --non-interactive --force-renewal --server ${ACMESERVER} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${TLD_REAL} certbot certonly --non-interactive --force-renewal --server ${ACMESERVER} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${TLD_REAL}
# RENEWED_LINEAGE="${LINEAGE}" # RENEWED_LINEAGE="${LINEAGE}"
# export RENEWED_LINEAGE # export RENEWED_LINEAGE
# echo "RENEWED_LINEAGE is ${RENEWED_LINEAGE}" # echo "RENEWED_LINEAGE is ${RENEWED_LINEAGE}"
# force deploy script on initial generation
if [ -f /etc/letsencrypt/renewal-hooks/deploy/01_deploy-certs.sh ]; then if [ -f /etc/letsencrypt/renewal-hooks/deploy/01_deploy-certs.sh ]; then
/usr/bin/with-contenv bash /etc/letsencrypt/renewal-hooks/deploy/01_deploy-certs.sh /usr/bin/with-contenv bash /etc/letsencrypt/renewal-hooks/deploy/01_deploy-certs.sh
fi fi
if [ -f /letsencrypt/fullchain.pem ]; then if [ -f "/letsencrypt/certs/fullchain.pem" ]; then
cd /letsencrypt || exit cd /letsencrypt/certs || exit
else else
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/credentials/cloudflare.ini file." echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/credentials/cloudflare.ini file."
sleep infinity sleep infinity

2
root/etc/cont-init.d/60_renewal-init.sh
View File

@ -1,7 +1,7 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# Check if the cert is expired or expires within a day, if so, renew # Check if the cert is expired or expires within a day, if so, renew
if openssl x509 -in /letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then if openssl x509 -in /letsencrypt/certs/fullchain.pem -noout -checkend 86400 >/dev/null; then
echo "The cert does not expire within the next day." echo "The cert does not expire within the next day."
# if [ ! "${STAGING}" = "true" ]; then # if [ ! "${STAGING}" = "true" ]; then
# echo "Testing renewal..." # echo "Testing renewal..."

2
scripts/buildx.sh
View File

@ -2,7 +2,7 @@
# To tag images, run with `sudo bash ./scripts/buildx.sh --tag {REGISTRY}/{IMAGE}:{TAG}` # To tag images, run with `sudo bash ./scripts/buildx.sh --tag {REGISTRY}/{IMAGE}:{TAG}`
REGISTRY="ahgraber" # REGISTRY="ninerealmlabs"
# TAG=${1:-"test"} # TAG=${1:-"test"}
# define build context # define build context