From 50b88fb0b4a06606d686bea6a2d5f08b214cd702 Mon Sep 17 00:00:00 2001
From: ahgraber
Date: Sun, 14 Mar 2021 13:25:20 -0400
Subject: [PATCH] simplify/clarify nfs mounting

---
 Dockerfile | 5 +++--
 README.md | 12 ++++++------
 root/defaults/deploy/01_deploy-certs.sh | 6 ++++--
 root/etc/cont-init.d/50_lets-encrypt.sh | 14 ++++++++------
 root/etc/cont-init.d/60_renewal-init.sh | 2 +-
 5 files changed, 22 insertions(+), 17 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index b64ceca..968dc97 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,6 +21,7 @@ RUN apt-get update \
 gcc \
 libssl-dev \
 libffi-dev \
+ nano \
 openssl \
 python3 \
 python3-pip \
@@ -60,8 +61,8 @@ RUN mkdir -p \
 /defaults \
 /letsencrypt
-VOLUME /config
-VOLUME /letsencrypt
+# VOLUME /config
+# VOLUME /letsencrypt
 # # create initial user
 # RUN groupmod -g 1000 users && \
diff --git a/README.md b/README.md
index 52d2ea8..f3547fe 100644
--- a/README.md
+++ b/README.md
@@ -79,12 +79,12 @@ Will set the environment variable `PASSWORD` based on the contents of the `/run/
 ## Volumes
 The recommended configurations create local folders `/config` and `/letsencrypt`.
-`config/`
- ├ `credentials/` - contains `cloudflare.ini`. Edit with your own credentials.
- ├ `crontabs` - contains root crontab
- └ `deploy/` - contains deploy scripts for actions following successful Let's Encrypt renewal. If you add scripts, they will be run automatically following successful renewal.
+`/config/`
+ ├ `../credentials/` - contains `cloudflare.ini`. Edit with your own credentials.
+ ├ `../crontabs/` - contains root crontab
+ └ `../deploy/` - contains deploy scripts for actions following successful Let's Encrypt renewal. If you add scripts, they will be run automatically following successful renewal.
-`letsencrypt/certs` is populated with Let's Encrypt certificates if the generation/renewal is successful.
+`/letsencrypt/` is populated with Let's Encrypt certificates if the generation/renewal is successful.
 
 ## Application Setup
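Review bot: `nano` is added to the package list of the `RUN apt-get` step, but no script in this patch uses an interactive editor, so it only grows the image and the tooling available to anyone who obtains a shell in the container. If it is a debugging convenience, keep it out of the production image (or confine it to a separate build stage), and if it stays, say why on a comment line of its own inside the continuation, e.g. `# nano: interactive editor for troubleshooting only, not used at runtime` placed above the `nano \` line (a trailing comment after the backslash would break the continuation). The `RUN` instruction starts and ends outside the hunk.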
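Review bot: The two `VOLUME` lines are commented out rather than deleted, leaving dead directives in the Dockerfile, and nothing in the image now records that `/config` and `/letsencrypt` are meant to live outside the container. Without a bind or NFS mount on `/letsencrypt`, the deployed certificates and private keys land in the container's writable layer and vanish on recreate, after which the `@@ -162` hunk of `50_lets-encrypt.sh` in this same patch sees no `/letsencrypt/fullchain.pem` and runs `certbot certonly --force-renewal` again. Remove the lines and state the requirement instead: `# /config and /letsencrypt must be provided by the operator as bind or NFS mounts (see README, Volumes)`.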
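Review bot: The new tree entries are written as `../credentials/`, `../crontabs/` and `../deploy/` beneath `/config/`, but `..` denotes the parent directory, so `/config/../credentials/` reads as `/credentials/`, which is not where the scripts look (`/config/deploy/` and `/config/credentials/cloudflare.ini` appear in the other hunks of this patch). Write the children as plain names, `credentials/`, `crontabs/` and `deploy/`, or as full paths such as `/config/credentials/`. The `/letsencrypt/` sentence should also say the folder receives the private keys, not only the certificates, since the README's own list in the next hunk names `privkey.pem` and a passwordless `privkey.pfx`.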
@@ -103,7 +103,7 @@ The recommended configurations create local folders `/config` and `/letsencrypt`
 ### Using certs in other containers
 * This container includes auto-generated pfx and private-fullchain-bundle pem certs that are needed by other apps like Emby and Znc, and tls.crt and tls.key certs that are needed by apps like Keycloak.
 * To use these certs in other containers:
- 1. Mount the cert folder `/letsencrypt/certs` (ie. `-v /path/to/letsencrypt/certs:/container/cert/dir`)
+ 1. Mount the cert folder `/letsencrypt` (ie. `-v /path/to/letsencrypt:/container/cert/dir`)
 * These certs include:
 1. `cert.pem`, `chain.pem`, `fullchain.pem` and `privkey.pem`, which are generated by Certbot and used by nginx and various other apps
 2. `privkey.pfx`, a format supported by Microsoft and commonly used by dotnet apps such as Emby Server (no password)
diff --git a/root/defaults/deploy/01_deploy-certs.sh b/root/defaults/deploy/01_deploy-certs.sh
index 34a3e89..0d92aa8 100644
--- a/root/defaults/deploy/01_deploy-certs.sh
+++ b/root/defaults/deploy/01_deploy-certs.sh
@@ -20,14 +20,16 @@ else
 fi
 RENEWED_LINEAGE=${RENEWED_LINEAGE:-$LINEAGE}
-KEYPATH="/letsencrypt/certs"
+KEYPATH="/letsencrypt"
 mkdir -p $KEYPATH
 echo "LINEAGE is ${RENEWED_LINEAGE}; KEYPATH is ${KEYPATH}"
 # Clean current KEYPATH contents
 echo "Clearing expired certs ..."
 # echo "Ignore warnings for directories"
-rm -f ${KEYPATH}/* 2> /dev/null # this will hide errors (like not deleting directories)
+rm -f ${KEYPATH}/*.pem
+rm -f ${KEYPATH}/*.pfx
+rm -f ${KEYPATH}/tls.*
 # Copy certs to keypath dest
 echo "Copying current certs ..."
diff --git a/root/etc/cont-init.d/50_lets-encrypt.sh b/root/etc/cont-init.d/50_lets-encrypt.sh
index c1bdbea..599846d 100644
--- a/root/etc/cont-init.d/50_lets-encrypt.sh
+++ b/root/etc/cont-init.d/50_lets-encrypt.sh
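Review bot: The mount example `-v /path/to/letsencrypt:/container/cert/dir` now hands the whole `/letsencrypt` folder to other containers, and the list right below says that folder holds `privkey.pem` and a passwordless `privkey.pfx`. Consumers only read these files, so the example should mount read-only, `-v /path/to/letsencrypt:/container/cert/dir:ro`, so that a misbehaving or compromised consumer cannot replace or delete the key material that every other container trusts. A short sentence stating that the folder contains private keys and should be shared only with containers that need them would fit at the same place.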
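Review bot: With `KEYPATH` now the mount root `/letsencrypt`, the three `rm -f` lines delete every `*.pem`, `*.pfx` and `tls.*` file in that directory, including anything unrelated an operator keeps in the shared mount, whereas the old `/letsencrypt/certs/*` only emptied a folder this script owned. Restrict the cleanup to the names the script deploys (the README hunk in this patch lists `cert.pem`, `chain.pem`, `fullchain.pem`, `privkey.pem`, `privkey.pfx`, `tls.crt` and `tls.key`), for example `rm -f -- "${KEYPATH}"/{cert,chain,fullchain,privkey}.pem "${KEYPATH}"/privkey.pfx "${KEYPATH}"/tls.{crt,key}`, and quote `"${KEYPATH}"` in `mkdir -p` as well. The leftover `# echo "Ignore warnings for directories"` refers to the removed `2> /dev/null` form and should go. If `/letsencrypt` is an NFS export, as the commit title suggests, it is worth confirming in the copy step (outside this hunk) that the copied key files end up with a restrictive mode on the export.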
@@ -54,7 +54,7 @@ ln -s /config/crontabs /etc/crontabs
 # Copy deploy hook defaults if needed
 # [[ -z "$(ls -A /letsencrypt/renewal-hooks/deploy)" ]] && \
 [[ ! -f /config/deploy/01_deploy-certs.sh ]] && \
- echo "Copying deploy hooks..." && \
+ echo "Copying default deploy hooks..." && \
 cp -n /defaults/deploy/01_deploy-certs.sh /config/deploy/
 chmod +x /config/deploy/*
 # Link /config/deploy
@@ -162,14 +162,16 @@ if [ "${ORIGSTAGING}" = "true" ]; then
 # [[ -f /etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path /etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER}
 [[ -f "${LINEAGE}"/fullchain.pem ]] && certbot revoke --non-interactive --cert-path "${LINEAGE}"/fullchain.pem --server ${REV_ACMESERVER}
 rm -rf /etc/letsencrypt
- mkdir -p /etc/letsencrypt
+ # mkdir -p /etc/letsencrypt # redundant
+ mkdir -p /etc/letsencrypt/renewal-hooks
+ ln -s /config/deploy /etc/letsencrypt/renewal-hooks
 fi
 # Save new variables
 echo -e "ORIGTLD=\"${TLD}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGEMAIL=\"${EMAIL}\"" > /config/.donoteditthisfile.conf
 # generating certs if necessary
-if [ ! -f "/letsencrypt/certs/fullchain.pem" ]; then
+if [ ! -f "/letsencrypt/fullchain.pem" ]; then
 echo "Generating new certificate"
 # shellcheck disable=SC2086
 certbot certonly --non-interactive --force-renewal --server ${ACMESERVER} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${TLD_REAL}
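Review bot: The generation check `if [ ! -f "/letsencrypt/fullchain.pem" ]; then` keys on the copy the deploy hook places in the mount, not on certbot's own lineage, so a start with `/letsencrypt` empty, not yet mounted, or just cleaned by the deploy script runs `certbot certonly --force-renewal` against the ACME server even when a usable lineage is still present, and a few such restarts can run into Let's Encrypt's issuance limits. The same copy-based test recurs in the `@@ -177` hunk (`if [ -f "/letsencrypt/fullchain.pem" ]`) and in the `openssl x509 -checkend` line of `60_renewal-init.sh`. Test the lineage the revoke line above already uses, `if [ ! -f "${LINEAGE}"/fullchain.pem ]; then`, and let the deploy hook repopulate the mount. The new `ln -s /config/deploy /etc/letsencrypt/renewal-hooks` is only safe because `rm -rf /etc/letsencrypt` precedes it; `ln -sn` would keep it from nesting a second link inside an existing `deploy` entry should that ordering change. The `if [ ! -f ... ]` block continues past the end of the hunk.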
@@ -177,13 +179,13 @@ if [ ! -f "/letsencrypt/certs/fullchain.pem" ]; then
 # export RENEWED_LINEAGE
 # echo "RENEWED_LINEAGE is ${RENEWED_LINEAGE}"
- # force deploy script on initial generation
+ # explicitly run deploy script on initial generation
 if [ -f /etc/letsencrypt/renewal-hooks/deploy/01_deploy-certs.sh ]; then
 /usr/bin/with-contenv bash /etc/letsencrypt/renewal-hooks/deploy/01_deploy-certs.sh
 fi
- if [ -f "/letsencrypt/certs/fullchain.pem" ]; then
- cd /letsencrypt/certs || exit
+ if [ -f "/letsencrypt/fullchain.pem" ]; then
+ cd /letsencrypt || exit
 else
 echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/credentials/cloudflare.ini file."
 sleep infinity
diff --git a/root/etc/cont-init.d/60_renewal-init.sh b/root/etc/cont-init.d/60_renewal-init.sh
index 159d9a2..a28d347 100644
--- a/root/etc/cont-init.d/60_renewal-init.sh
+++ b/root/etc/cont-init.d/60_renewal-init.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/with-contenv bash
 # Check if the cert is expired or expires within a day, if so, renew
-if openssl x509 -in /letsencrypt/certs/fullchain.pem -noout -checkend 86400 >/dev/null; then
+if openssl x509 -in /letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then
 echo "The cert does not expire within the next day."
 # if [ ! "${STAGING}" = "true" ]; then
 # echo "Testing renewal..."