From 78bae9dd491e293c24f5aae88100a33284497ec8 Mon Sep 17 00:00:00 2001
From: Feilner
Date: Mon, 15 Feb 2021 19:02:26 +0100
Subject: [PATCH] use certbot file hooks instead of command line hooks

---
 README.md | 1 +
 root/app/le-renew.sh | 20 ++-----------------
 root/defaults/renewal-hooks/deploy/10-default | 9 +++++++++
 root/defaults/renewal-hooks/post/10-nginx | 13 ++++++++++++
 root/defaults/renewal-hooks/pre/10-nginx | 9 +++++++++
 root/etc/cont-init.d/50-config | 11 ++++++----
 6 files changed, 41 insertions(+), 22 deletions(-)
 create mode 100644 root/defaults/renewal-hooks/deploy/10-default
 create mode 100644 root/defaults/renewal-hooks/post/10-nginx
 create mode 100644 root/defaults/renewal-hooks/pre/10-nginx

diff --git a/README.md b/README.md
index a62e2c7..afbc03e 100644
--- a/README.md
+++ b/README.md
@@ -207,6 +207,7 @@ In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as bel
 * If you need a dynamic dns provider, you can use the free provider duckdns.org where the `URL` will be `yoursubdomain.duckdns.org` and the `SUBDOMAINS` can be `www,ftp,cloud` with http validation, or `wildcard` with dns validation.
 * After setup, navigate to `https://yourdomain.url` to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at `/config/nginx/site-confs/default`).
 * Certs are checked nightly and if expiration is within 30 days, renewal is attempted. If your cert is about to expire in less than 30 days, check the logs under `/config/log/letsencrypt` to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
+* It's possible to extend default renewal-hooks `/etc/letsencrypt/renewal-hooks/*` they are executed in sorted order.
 ### Security and password protection
 * The container detects changes to url and subdomains, revokes existing certs and generates new ones during start.
 * The container provides a pre-generated 4096-bit dhparams.pem (rotated weekly via [Jenkins job](https://ci.linuxserver.io/blue/organizations/jenkins/Xtras-Builders-Etc%2Fdhparams-uploader/activity)) for new instances, however you may generate your own by running `docker exec swag openssl dhparam -out /config/nginx/dhparams.pem 4096` WARNING: This takes a very long time
diff --git a/root/app/le-renew.sh b/root/app/le-renew.sh
index 5c638a5..65ef525 100644
--- a/root/app/le-renew.sh
+++ b/root/app/le-renew.sh
@@ -7,21 +7,5 @@ echo echo "<------------------------------------------------->" echo "cronjob running on "$(date) echo "Running certbot renew" -if [ "$ORIGVALIDATION" = "dns" ] || [ "$ORIGVALIDATION" = "duckdns" ]; then - certbot -n renew \ - --post-hook "if ps aux | grep [n]ginx: > /dev/null; then s6-svc -h /var/run/s6/services/nginx; fi; \ - cd /config/keys/letsencrypt && \ - openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && \ - sleep 1 && \ - cat privkey.pem fullchain.pem > priv-fullchain-bundle.pem && \ - chown -R abc:abc /config/etc/letsencrypt" -else - certbot -n renew \ - --pre-hook "if ps aux | grep [n]ginx: > /dev/null; then s6-svc -d /var/run/s6/services/nginx; fi" \ - --post-hook "if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi; \ - cd /config/keys/letsencrypt && \ - openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && \ - sleep 1 && \ - cat privkey.pem fullchain.pem > priv-fullchain-bundle.pem && \ - chown -R abc:abc /config/etc/letsencrypt" -fi +certbot -n renew + diff --git a/root/defaults/renewal-hooks/deploy/10-default b/root/defaults/renewal-hooks/deploy/10-default new file mode 100644 index 0000000..e445084 --- /dev/null +++ b/root/defaults/renewal-hooks/deploy/10-default @@ -0,0 +1,9 @@ +#!/usr/bin/with-contenv bash + +. /config/.donoteditthisfile.conf + +cd /config/keys/letsencrypt +openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: +sleep 1 +cat privkey.pem fullchain.pem > priv-fullchain-bundle.pem +chown -R abc:abc /config/etc/letsencrypt diff --git a/root/defaults/renewal-hooks/post/10-nginx b/root/defaults/renewal-hooks/post/10-nginx new file mode 100644 index 0000000..0d27997 --- /dev/null +++ b/root/defaults/renewal-hooks/post/10-nginx 
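Review bot: `certbot -n renew` now carries the whole pre/post/deploy behaviour implicitly, and the script neither documents that nor reacts to a non-zero exit, so a failing hook or a failed renewal is only visible in certbot's own log. I would add a comment above the call, `# pre/post/deploy steps live in /etc/letsencrypt/renewal-hooks/{pre,post,deploy}`, and surface failure in the cron output: `certbot -n renew || echo "certbot renew failed; see /config/log/letsencrypt" >&2`. The trailing `+` adds an empty last line that can be dropped. The script header (shebang and any `set` options) is outside the hunk, so whether a non-zero status is caught there cannot be seen here.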
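Review bot: `cd /config/keys/letsencrypt` is unchecked and the hook has no `set -e`, so if that directory is missing the `openssl`, `cat` and redirection run in whatever directory certbot invoked the hook from and the hook still reports success; `cd /config/keys/letsencrypt || exit 1` (or `set -e` after the shebang) closes that. The PFX is exported with an empty password (`-passout pass:`) and neither it nor `priv-fullchain-bundle.pem` gets an explicit mode, so readability of the private key copies depends on the umask certbot runs with; if they are meant for `abc` only, `chmod 600 privkey.pfx priv-fullchain-bundle.pem` right after writing them pins that down. `. /config/.donoteditthisfile.conf` is sourced but no variable from it is used in this file, and the `sleep 1` between the export and the bundle deserves a why-comment.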
@@ -0,0 +1,13 @@ +#!/usr/bin/with-contenv bash + +. /config/.donoteditthisfile.conf + +if [ "$ORIGVALIDATION" = "dns" ] || [ "$ORIGVALIDATION" = "duckdns" ]; then + if ps aux | grep [n]ginx: > /dev/null; then + s6-svc -h /var/run/s6/services/nginx + fi +else + if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then + s6-svc -u /var/run/s6/services/nginx + fi +fi diff --git a/root/defaults/renewal-hooks/pre/10-nginx b/root/defaults/renewal-hooks/pre/10-nginx new file mode 100644 index 0000000..656fd5f --- /dev/null +++ b/root/defaults/renewal-hooks/pre/10-nginx @@ -0,0 +1,9 @@ +#!/usr/bin/with-contenv bash + +. /config/.donoteditthisfile.conf + +if [ ! "$ORIGVALIDATION" = "dns" ] && [ ! "$ORIGVALIDATION" = "duckdns" ]; then + if ps aux | grep [n]ginx: > /dev/null; then + s6-svc -d /var/run/s6/services/nginx + fi +fi diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config index bb78177..e76f0ac 100644 --- a/root/etc/cont-init.d/50-config +++ b/root/etc/cont-init.d/50-config @@ -35,7 +35,7 @@ done # make our folders and links mkdir -p \ - /config/{log/letsencrypt,log/fail2ban,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db} \ + /config/{log/letsencrypt,log/fail2ban,etc/letsencrypt/renewal-hooks,fail2ban,crontabs,dns-conf,geoip2db} \ /var/run/fail2ban rm -rf /etc/letsencrypt ln -s /config/etc/letsencrypt /etc/letsencrypt @@ -81,6 +81,11 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local [[ ! -f /config/www/502.html ]] && cp /defaults/502.html /config/www/502.html +# copy default renewal hooks +chmod -R +x /defaults/renewal-hooks +cp -nR /defaults/renewal-hooks/* /etc/letsencrypt/renewal-hooks/ +chown -R abc:abc /config/renewal-hooks + # remove lua bits from nginx.conf if not done before if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then echo "Removing lua specific info from nginx.conf" 
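Review bot: The grep patterns in both `if ps aux |` tests are unquoted, so `[n]ginx:` is subject to pathname expansion in whatever directory certbot runs the hook from; quoting them is enough: `if ps aux | grep '[n]ginx:' > /dev/null; then` and `if ps aux | grep '[s]6-supervise nginx' > /dev/null; then` (the bracket trick also makes the `grep -v grep` unnecessary). The same unquoted pattern is in `pre/10-nginx`. A why-comment on the two branches would help the next reader, e.g. above `else`: `# http validation: the pre hook stopped nginx, so bring the service back up instead of reloading it`. If `/config/.donoteditthisfile.conf` cannot be sourced, `$ORIGVALIDATION` is empty and the http branch is taken, which looks like the intended safe default but is worth stating in a comment.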
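Review bot: `chown -R abc:abc /config/renewal-hooks` points at a path nothing in this patch creates; the hooks are copied into `/etc/letsencrypt/renewal-hooks/`, which per the `ln -s` context above resolves to `/config/etc/letsencrypt/renewal-hooks`, the directory the first `50-config` hunk's `mkdir -p` now adds. As written the chown most likely fails with an error in the init log and the copied hooks keep root ownership; the intended line is presumably `chown -R abc:abc /config/etc/letsencrypt/renewal-hooks`. Since these files are executed by certbot, whether they should be writable by `abc` at all deserves a deliberate comment next to the chown — the deploy hook's `chown -R abc:abc /config/etc/letsencrypt` already makes the whole tree `abc`-owned after the first renewal, so the decision should be recorded in one place. `cp -n` keeps user-modified copies, which matches the README note, but it also means updated default hooks in a newer image never reach an existing `/config`; a comment saying so saves the next maintainer a surprise.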
@@ -314,9 +319,7 @@ if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
 fi
 sleep infinity
 fi
- openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
- sleep 1
- cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
+ run-parts /etc/letsencrypt/renewal-hooks/deploy/
 echo "New certificate generated; starting nginx"
 else
 echo "Certificate exists; parameters unchanged; starting nginx"
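Review bot: `run-parts /etc/letsencrypt/renewal-hooks/deploy/` invokes the deploy hooks outside certbot, so they run without the `RENEWED_LINEAGE`/`RENEWED_DOMAINS` environment certbot provides on renewal, and a hook that fails does not stop the script because run-parts' status is not checked (unless the file runs under `set -e`, which is outside the hunk). The shipped `10-default` does not read those variables, but the README now invites users to add their own hooks, so a comment here such as `# first issuance: run deploy hooks directly; certbot's RENEWED_* variables are not set on this path` would document the difference. The enclosing `if` block starts and ends outside the hunk.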