update for cert location
This commit is contained in:
ahgraber
parent
8d1bf4f3e6
commit
05b068873c
@ -84,7 +84,7 @@ The recommended configurations create local folders `/config` and `/letsencrypt`
|
||||
├ `crontabs` - contains root crontab
|
||||
└ `deploy/` - contains deploy scripts for actions following successful Let's Encrypt renewal. If you add scripts, they will be run automatically following successful renewal.
|
||||
|
||||
`letsencrypt/` is populated with Let's Encrypt certificates if the generation/renewal is successful.
|
||||
`letsencrypt/certs` is populated with Let's Encrypt certificates if the generation/renewal is successful.
|
||||
|
||||
|
||||
## Application Setup
|
||||
@ -102,9 +102,8 @@ The recommended configurations create local folders `/config` and `/letsencrypt`
|
||||
|
||||
### Using certs in other containers
|
||||
* This container includes auto-generated pfx and private-fullchain-bundle pem certs that are needed by other apps like Emby and Znc, and tls.crt and tls.key certs that are needed by apps like Keycloak.
|
||||
* To use these certs in other containers, do either of the following:
|
||||
1. *(Easier)* Mount the container's config folder in other containers (ie. `-v /path-to-le-config:/le-ssl`) and in the other containers, use the cert location `/le-ssl/keys/letsencrypt/`
|
||||
2. *(More secure)* Mount the cert folder `/letsencrypt` (ie. `-v /path/to/letsencrypt:/le-ssl`) and in the other containers, use the cert location `/le-ssl/letsencrypt/live/<your.domain.url>/` (This is more secure because the first method shares the entire certbot config folder with other containers, including the www files, whereas the second method only shares the ssl certs)
|
||||
* To use these certs in other containers:
|
||||
1. Mount the cert folder `/letsencrypt/certs` (ie. `-v /path/to/letsencrypt/certs:/container/cert/dir`)
|
||||
* These certs include:
|
||||
1. `cert.pem`, `chain.pem`, `fullchain.pem` and `privkey.pem`, which are generated by Certbot and used by nginx and various other apps
|
||||
2. `privkey.pfx`, a format supported by Microsoft and commonly used by dotnet apps such as Emby Server (no password)
|
||||
|
||||
@ -20,16 +20,19 @@ else
|
||||
fi
|
||||
|
||||
RENEWED_LINEAGE=${RENEWED_LINEAGE:-$LINEAGE}
|
||||
KEYPATH="/letsencrypt"
|
||||
KEYPATH="/letsencrypt/certs"
|
||||
mkdir -p $KEYPATH
|
||||
echo "LINEAGE is ${RENEWED_LINEAGE}; KEYPATH is ${KEYPATH}"
|
||||
|
||||
# Clean current KEYPATH contents
|
||||
echo "Clearing expired certs ..."
|
||||
rm -f ${KEYPATH}/*
|
||||
# echo "Ignore warnings for directories"
|
||||
rm -f ${KEYPATH}/* 2> /dev/null # this will hide errors (like not deleting directories)
|
||||
|
||||
# Copy certs to keypath dest
|
||||
echo "Copying current certs ..."
|
||||
cp -L ${RENEWED_LINEAGE}/* ${KEYPATH}
|
||||
rm ${KEYPATH}/README
|
||||
# for CERTNAME in $(ls ${RENEWED_LINEAGE}); do
|
||||
# cat crt >> ${KEYPATH}/${CERTNAME}
|
||||
# done
|
||||
|
||||
@ -169,19 +169,21 @@ fi
|
||||
echo -e "ORIGTLD=\"${TLD}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGEMAIL=\"${EMAIL}\"" > /config/.donoteditthisfile.conf
|
||||
|
||||
# generating certs if necessary
|
||||
if [ ! -f "/letsencrypt/fullchain.pem" ]; then
|
||||
if [ ! -f "/letsencrypt/certs/fullchain.pem" ]; then
|
||||
echo "Generating new certificate"
|
||||
# shellcheck disable=SC2086
|
||||
certbot certonly --non-interactive --force-renewal --server ${ACMESERVER} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${TLD_REAL}
|
||||
# RENEWED_LINEAGE="${LINEAGE}"
|
||||
# export RENEWED_LINEAGE
|
||||
# echo "RENEWED_LINEAGE is ${RENEWED_LINEAGE}"
|
||||
|
||||
# force deploy script on initial generation
|
||||
if [ -f /etc/letsencrypt/renewal-hooks/deploy/01_deploy-certs.sh ]; then
|
||||
/usr/bin/with-contenv bash /etc/letsencrypt/renewal-hooks/deploy/01_deploy-certs.sh
|
||||
fi
|
||||
|
||||
if [ -f /letsencrypt/fullchain.pem ]; then
|
||||
cd /letsencrypt || exit
|
||||
if [ -f "/letsencrypt/certs/fullchain.pem" ]; then
|
||||
cd /letsencrypt/certs || exit
|
||||
else
|
||||
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/credentials/cloudflare.ini file."
|
||||
sleep infinity
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
#!/usr/bin/with-contenv bash
|
||||
|
||||
# Check if the cert is expired or expires within a day, if so, renew
|
||||
if openssl x509 -in /letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then
|
||||
if openssl x509 -in /letsencrypt/certs/fullchain.pem -noout -checkend 86400 >/dev/null; then
|
||||
echo "The cert does not expire within the next day."
|
||||
# if [ ! "${STAGING}" = "true" ]; then
|
||||
# echo "Testing renewal..."
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
|
||||
# To tag images, run with `sudo bash ./scripts/buildx.sh --tag {REGISTRY}/{IMAGE}:{TAG}`
|
||||
|
||||
REGISTRY="ahgraber"
|
||||
# REGISTRY="ninerealmlabs"
|
||||
# TAG=${1:-"test"}
|
||||
|
||||
# define build context
|
||||
|
||||
Loading…
Reference in New Issue
Block a user