[DOKER][MAIL][BOOTSTRAP] Make bootstrap generate separate certificates for the web root and the mail server
		| @@ -1,56 +1,62 @@ | ||||
| #!/bin/sh | ||||
|  | ||||
| # This script is intended to run inside the bootstrap container. It | ||||
| # should work outside, but that use case is not tested. | ||||
|  | ||||
| . bootstrap.env | ||||
|  | ||||
| sed -ri "s/%hostname%/${DOMAIN}/" /etc/nginx/conf.d/challenge.conf | ||||
|  | ||||
| nginx | ||||
|  | ||||
| rsa_key_size=4096 | ||||
| certbot_path="/var/www/certbot" | ||||
| lets_path="/etc/letsencrypt" | ||||
| # TODO Expose these in the configuration utility | ||||
| RSA_KEY_SIZE=4096 | ||||
| PREFIX="/etc/letsencrypt" | ||||
| SELF_SIGNED_CERTIFICATE_TTL=365 | ||||
|  | ||||
| echo "Starting bootstrap" | ||||
|  | ||||
| if [ ! -e "${lets_path}/live/${DOMAIN}/options-ssl-nginx.conf" ] ||  [ ! -e "$lets_path/live/ssl-dhparams.pem" ];then | ||||
|     echo "### Downloading recommended TLS parameters ..." | ||||
|     mkdir -p "${lets_path}/live/${DOMAIN}" | ||||
| obtain_certificates () { | ||||
|     DOMAIN="$1" | ||||
|     if [ ! -e "${PREFIX}/live/${DOMAIN}" ] ||  [ ! -e "${PREFIX}/live/ssl-dhparams.pem" ];then | ||||
|         echo "### Downloading recommended TLS parameters ..." | ||||
|         mkdir -p "${PREFIX}/live/${DOMAIN}" | ||||
|  | ||||
|     curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf >"$lets_path/options-ssl-nginx.conf" | ||||
|     curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem >"$lets_path/ssl-dhparams.pem" | ||||
|         curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "${PREFIX}/options-ssl-nginx.conf" | ||||
|         curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem >"${PREFIX}/ssl-dhparams.pem" | ||||
|  | ||||
|     if [ ${SIGNED} -eq 0 ]; then | ||||
|         echo "### Creating self signed certificate for ${DOMAIN} ..." | ||||
|         openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 365 \ | ||||
|                 -keyout "${lets_path}/live/${DOMAIN}/privkey.pem" \ | ||||
|                 -out "${lets_path}/live/${DOMAIN}/fullchain.pem" -subj "/CN=${DOMAIN}" | ||||
|         if [ ${SIGNED} -eq 0 ]; then | ||||
|             echo "### Creating self signed certificate for ${DOMAIN} ..." | ||||
|             openssl req -x509 -nodes -newkey "rsa:${RSA_KEY_SIZE}" -days "${SELF_SIGNED_CERTIFICATE_TTL}" \ | ||||
|                     -keyout "${PREFIX}/live/${DOMAIN}/privkey.pem" \ | ||||
|                     -out "${PREFIX}/live/${DOMAIN}/fullchain.pem" -subj "/CN=${DOMAIN}" | ||||
|         else | ||||
|             echo "### Creating dummy certificate for ${DOMAIN} ..." | ||||
|             openssl req -x509 -nodes -newkey rsa:1024 -days 1 \ | ||||
|                     -keyout "${PREFIX}/live/${DOMAIN}/privkey.pem" \ | ||||
|                     -out "${PREFIX}/live/${DOMAIN}/fullchain.pem" -subj '/CN=localhost' | ||||
|  | ||||
|             nginx -s reload | ||||
|  | ||||
|             rm -Rf "${PREFIX}/live/${DOMAIN}" | ||||
|             rm -Rf "${PREFIX}/archive/${DOMAIN}" | ||||
|             rm -Rf "${PREFIX}/renewal/${DOMAIN}.conf" | ||||
|  | ||||
|             echo "### Requesting Let's Encrypt certificate for ${DOMAIN} ..." | ||||
|  | ||||
|             # Ask Let's Encrypt to create certificates, if challenge passes | ||||
|             certbot certonly --webroot -w "/var/www/certbot" \ | ||||
|                     --email "${EMAIL}" \ | ||||
|                     -d "${DOMAIN}" \ | ||||
|                     --non-interactive \ | ||||
|                     --rsa-key-size "${RSA_KEY_SIZE}" \ | ||||
|                     --agree-tos \ | ||||
|                     --force-renewal | ||||
|         fi | ||||
|     else | ||||
|         echo "### Creating dummy certificate for ${DOMAIN} ..." | ||||
|         openssl req -x509 -nodes -newkey rsa:1024 -days 1 \ | ||||
|                 -keyout "${lets_path}/live/${DOMAIN}/privkey.pem" \ | ||||
|                 -out "${lets_path}/live/${DOMAIN}/fullchain.pem" -subj '/CN=localhost' | ||||
|  | ||||
|         nginx -s reload | ||||
|  | ||||
|         rm -Rf "${lets_path}/live/${DOMAIN}" | ||||
|         rm -Rf "${lets_path}/archive/${DOMAIN}" | ||||
|         rm -Rf "${lets_path}/renewal/${DOMAIN}.conf" | ||||
|  | ||||
|         echo "### Requesting Let's Encrypt certificate for ${DOMAIN} ..." | ||||
|         # Format domain_args with the cartesian product of `domain_root` and `subdomains` | ||||
|  | ||||
|         # if [ "${DOMAIN_ROOT}" = "${DOMAIN}" ]; then domain_arg="-d ${DOMAIN_ROOT}"; else domain_arg="-d ${DOMAIN_ROOT} -d ${DOMAIN}"; fi | ||||
|         # ${domain_arg} \ | ||||
|  | ||||
|         # Ask Let's Encrypt to create certificates, if challenge passed | ||||
|         certbot certonly --webroot -w "${certbot_path}" \ | ||||
|                 --email "${EMAIL}" \ | ||||
|                 -d "${DOMAIN}" \ | ||||
|                 --non-interactive \ | ||||
|                 --rsa-key-size "${rsa_key_size}" \ | ||||
|                 --agree-tos \ | ||||
|                 --force-renewal | ||||
|         echo "Certificate related files exists, exiting" | ||||
|     fi | ||||
| else | ||||
|     echo "Certificate related files exists, exiting" | ||||
| fi | ||||
| } | ||||
|  | ||||
| obtain_certificates "${WEB_DOMAIN}" | ||||
| obtain_certificates "${MAIL_DOMAIN}" | ||||
|   | ||||
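Review bot: The three `rm -Rf "${PREFIX}/live/${DOMAIN}"` / `archive` / `renewal` lines in the `else` branch of `obtain_certificates` use `DOMAIN="$1"` without checking it, so the new call `obtain_certificates "${MAIL_DOMAIN}"` against a bootstrap.env that does not define `MAIL_DOMAIN` expands to `rm -Rf /etc/letsencrypt/live/` and `rm -Rf /etc/letsencrypt/archive/`, wiping every certificate on the host; add a guard as the first line of the function, `[ -n "$1" ] || { echo "obtain_certificates: empty domain argument" >&2; return 1; }`, and write the destructive paths as `"${PREFIX}/live/${DOMAIN:?}"` so an empty value aborts under plain sh. The "already exists" short-circuit does not work as intended because the condition tests `${PREFIX}/live/ssl-dhparams.pem` while the download writes to `${PREFIX}/ssl-dhparams.pem`, so the `||` is always true and every bootstrap run re-creates the dummy cert and calls certbot with `--force-renewal`, which will exhaust Let's Encrypt's duplicate-certificate rate limit; the check should read `[ ! -e "${PREFIX}/ssl-dhparams.pem" ]`. The two `curl -s` fetches pull the nginx TLS options and dhparams from the unpinned `master` branch with no `-f`, so an HTTP error page would be silently written into the file nginx loads as TLS configuration; use `curl -fsS` (and ideally pin a release tag) and fail the bootstrap if either download does not succeed. Note also that the `sed` on line 11 substitutes a single `%hostname%` into challenge.conf; if that file's `server_name` is only that host, the http-01 challenge for `MAIL_DOMAIN` presumably depends on nginx's default-server handling — worth confirming before relying on the second call.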