fossilfranv/nginx_docker-swag
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

it's aliiiiiive!!!

Browse Source
This commit is contained in:
ahgraber 2021-02-15 22:06:37 -05:00
parent a7da3be9ae
commit 2c412c0463
5 changed files with 48 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Dockerfile
View File

@ -51,9 +51,13 @@ RUN pip3 install \
/tmp/* \ /tmp/* \
/root/.cache /root/.cache
RUN mkdir -p \ # RUN mkdir -p \
/etc/letsencrypt/{accounts,live,renewal,renewal-hooks} \ # /etc/letsencrypt/accounts \
/etc/letsencrypt/renewal-hooks/{deploy,post,pre} # /etc/letsencrypt/live \
# /etc/letsencrypt/renewal \
# /etc/letsencrypt/renewal-hooks/deploy \
# /etc/letsencrypt/renewal-hooks/post \
# /etc/letsencrypt/renewal-hooks/pre
RUN mkdir -p \ RUN mkdir -p \
/app \ /app \

46
root/defaults/deploy/01_deploy-certs.sh
View File

@ -10,43 +10,59 @@
echo "Running deploy script ..." echo "Running deploy script ..."
KEYPATH="/letsencrypt" KEYPATH="/letsencrypt"
echo "KEYPATH is ${KEYPATH}"
echo "LINEAGE is ${RENEWED_LINEAGE}"
# clean current KEYPATH contents # Figure out cert path
. /config/.donoteditthisfile.conf
if [ "${ORIGONLY_SUBDOMAINS}" = "true" ] && [ ! "${ORIGSUBDOMAINS}" = "wildcard" ]; then
ORIGDOMAIN="$(echo "${ORIGSUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${ORIGTLD}"
LINEAGE="/etc/letsencrypt/live/${ORIGDOMAIN}"
else
ORIGDOMAIN="${ORIGTLD}"
LINEAGE="/etc/letsencrypt/live/${ORIGTLD}"
fi
RENEWED_LINEAGE=${RENEWED_LINEAGE:-$LINEAGE}
echo "LINEAGE is ${RENEWED_LINEAGE}; KEYPATH is ${KEYPATH}"
# Clean current KEYPATH contents
echo "Clearing expired certs ..."
rm -f ${KEYPATH}/* rm -f ${KEYPATH}/*
# copy certs to keypath dest # Copy certs to keypath dest
echo "Copying current certs ..."
cp -L ${RENEWED_LINEAGE}/* ${KEYPATH} cp -L ${RENEWED_LINEAGE}/* ${KEYPATH}
# for CERTNAME in $(ls ${RENEWED_LINEAGE}); do # for CERTNAME in $(ls ${RENEWED_LINEAGE}); do
# cat crt >> ${KEYPATH}/${CERTNAME} # cat crt >> ${KEYPATH}/${CERTNAME}
# done # done
# convert pems to cert and key # Convert pems to cert and key
echo "Converting to tls.crt and tls.key ..." echo "Converting to tls.crt and tls.key ..."
openssl crl2pkcs7 -nocrl \ openssl crl2pkcs7 -nocrl \
-certfile "${KEYPATH}"/fullchain.pem | openssl pkcs7 -print_certs \ -certfile "${KEYPATH}"/fullchain.pem | openssl pkcs7 -print_certs \
-out "${KEYPATH}"/tls.crt -out "${KEYPATH}"/tls.crt
# openssl x509 -outform der -in fullchain.pem -out tls.crt # openssl x509 -outform der -in fullchain.pem -out tls.crt
# openssl pkey -outform der -in privkey.pem -out tls.key # openssl pkey -outform der -in privkey.pem -out tls.key
openssl rsa \ openssl rsa \
-in "${KEYPATH}"/privkey.pem \ -in "${KEYPATH}"/privkey.pem \
-out "${KEYPATH}"/tls.key -out "${KEYPATH}"/tls.key
# converting to pfx and priv-fullchain-bundle sleep 1
# Convert to pfx and priv-fullchain-bundle
echo "Converting to pfx and priv-fullchain-bundle.pem ..." echo "Converting to pfx and priv-fullchain-bundle.pem ..."
openssl pkcs12 -export \ openssl pkcs12 -export \
-certfile chain.pem \ -certfile "${KEYPATH}"/chain.pem \
-in "${KEYPATH}"/cert.pem -inkey "${KEYPATH}"/privkey.pem \ -in "${KEYPATH}"/cert.pem \
-out "${KEYPATH}"/privkey.pfx \ -inkey "${KEYPATH}"/privkey.pem \
-passout pass: -out "${KEYPATH}"/privkey.pfx \
-passout pass:
sleep 1 sleep 1
cat "${KEYPATH}"/{privkey,fullchain}.pem > "${KEYPATH}"/priv-fullchain-bundle.pem cat "${KEYPATH}"/{privkey,fullchain}.pem > "${KEYPATH}"/priv-fullchain-bundle.pem
sleep 1
# Allow read access to certs # Allow read access to certs
chmod 644 "${KEYPATH}"/*.pem chmod 644 "${KEYPATH}"/*.pem
chmod 644 "${KEYPATH}"/*.pfx chmod 644 "${KEYPATH}"/*.pfx
chmod 644 "${KEYPATH}"/tls.* chmod 644 "${KEYPATH}"/tls.*
echo "Success." echo "Success."

17
root/etc/cont-init.d/50_lets-encrypt.sh
View File

@ -59,7 +59,8 @@ ln -s /config/crontabs /etc/crontabs
chmod +x /config/deploy/* chmod +x /config/deploy/*
# Link /config/deploy # Link /config/deploy
echo "Linking /config/deploy -> /etc/letsencrypt/renewal-hooks/deploy ..." echo "Linking /config/deploy -> /etc/letsencrypt/renewal-hooks/deploy ..."
ln -s /config/deploy /etc/letsencrypt/renewal-hooks/deploy mkdir -p /etc/letsencrypt/renewal-hooks
ln -s /config/deploy /etc/letsencrypt/renewal-hooks
# chown -R abc:abc /config # chown -R abc:abc /config
# chown -R abc:abc /letsencrypt # chown -R abc:abc /letsencrypt
@ -134,10 +135,10 @@ echo "${VALIDATION:="DNS"} validation via ${DNSPLUGIN} plugin is selected"
# rm -rf /letsencrypt/keys # rm -rf /letsencrypt/keys
if [ "${ONLY_SUBDOMAINS}" = "true" ] && [ ! "${SUBDOMAINS}" = "wildcard" ] ; then if [ "${ONLY_SUBDOMAINS}" = "true" ] && [ ! "${SUBDOMAINS}" = "wildcard" ] ; then
DOMAIN="$(echo "${SUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${TLD}" DOMAIN="$(echo "${SUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${TLD}"
LINEAGE="../etc/letsencrypt/live/${DOMAIN}" LINEAGE="/etc/letsencrypt/live/${DOMAIN}"
# ln -s /letsencrypt/live/"${DOMAIN}" /letsencrypt/keys # ln -s /letsencrypt/live/"${DOMAIN}" /letsencrypt/keys
else else
LINEAGE="../etc/letsencrypt/live/${TLD}" LINEAGE="/etc/letsencrypt/live/${TLD}"
# ln -s /letsencrypt/live/"${TLD}" /letsencrypt/keys # ln -s /letsencrypt/live/"${TLD}" /letsencrypt/keys
fi fi
# # [[ ! -d "${LE_LOC}" ]] && \ # # [[ ! -d "${LE_LOC}" ]] && \
@ -171,10 +172,12 @@ if [ ! -f "/letsencrypt/fullchain.pem" ]; then
echo "Generating new certificate" echo "Generating new certificate"
# shellcheck disable=SC2086 # shellcheck disable=SC2086
certbot certonly --non-interactive --force-renewal --server ${ACMESERVER} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${TLD_REAL} certbot certonly --non-interactive --force-renewal --server ${ACMESERVER} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${TLD_REAL}
RENEWED_LINEAGE="/etc/letsencrypt/live/${LINEAGE}" # RENEWED_LINEAGE="${LINEAGE}"
echo $(printenv) # export RENEWED_LINEAGE
echo "RENEWED_LINEAGE is ${RENEWED_LINEAGE}" # echo "RENEWED_LINEAGE is ${RENEWED_LINEAGE}"
/usr/bin/with-contenv bash /etc/letsencrypt/renewal-hooks/deploy/01-deploy_certs.sh if [ -f /etc/letsencrypt/renewal-hooks/deploy/01_deploy-certs.sh ]; then
/usr/bin/with-contenv bash /etc/letsencrypt/renewal-hooks/deploy/01_deploy-certs.sh
fi
if [ -f /letsencrypt/fullchain.pem ]; then if [ -f /letsencrypt/fullchain.pem ]; then
cd /letsencrypt || exit cd /letsencrypt || exit

30
scripts/backups/deploy-convert-certs.sh
View File

@ -1,30 +0,0 @@
#!/bin/bash
# convert to fullchain.pem and privkey.pem to tls.crt and tls.key
# Identify key path
. /config/.donoteditthisfile.conf
if [ "${ORIGONLY_SUBDOMAINS}" = "true" ] && [ ! "${ORIGSUBDOMAINS}" = "wildcard" ]; then
ORIGDOMAIN="$(echo "${ORIGSUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${ORIGTLD}"
ORIGKEYPATH="/etc/letsencrypt/live/"${ORIGDOMAIN}""
else
ORIGKEYPATH="/etc/letsencrypt/live/"${ORIGTLD}""
fi
# convert pems to cert and key
echo "Converting to tls.crt and tls.key ..."
if [ ! -f "${ORIGKEYPATH}/fullchain.pem" ] || [ ! -f "${ORIGKEYPATH}/privkey.pem" ]; then
echo "Error: fullchain.pem or privkey.pem not found in ${ORIGKEYPATH}"
sleep infinity
else
openssl crl2pkcs7 -nocrl \
-certfile "${ORIGKEYPATH}"/fullchain.pem | openssl pkcs7 -print_certs \
-out "${ORIGKEYPATH}"/tls.crt
# openssl x509 -outform der -in fullchain.pem -out tls.crt
# openssl pkey -outform der -in privkey.pem -out tls.key
openssl rsa \
-in "${ORIGKEYPATH}"/privkey.pem \
-out "${ORIGKEYPATH}"/tls.key
# allow read all for tls.crt and tls.key
chmod 644 "${ORIGKEYPATH}"/tls.*
fi

9
scripts/backups/root
View File

@ -1,9 +0,0 @@
# do daily/weekly/monthly maintenance
# min hour day month weekday command
*/15 * * * * run-parts /etc/periodic/15min
0 * * * * run-parts /etc/periodic/hourly
0 2 * * * run-parts /etc/periodic/daily
0 3 * * 6 run-parts /etc/periodic/weekly
0 5 1 * * run-parts /etc/periodic/monthly
# renew letsencrypt certs
8 2 * * * /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1