[DOCKER][BOOTSTRAP] Add option to use a self signed cert
This commit is contained in:
parent
cb7518a750
commit
f60e37ba3d
5
.gitignore
vendored
5
.gitignore
vendored
@ -26,4 +26,7 @@ DOCUMENTATION/database/*
|
||||
!DOCUMENTATION/database/database.pdf
|
||||
|
||||
docker/certbot
|
||||
docker/*/*.env
|
||||
docker/*/*.env
|
||||
|
||||
# V2
|
||||
config.php
|
@ -1,21 +1,34 @@
|
||||
#!/bin/sh
|
||||
|
||||
read -p "Domain root: " domain_root
|
||||
read -p "Subdomain (can be empty): " sub_domain
|
||||
read -p "Email: " email
|
||||
printf "Domain root: "
|
||||
read -r domain_root
|
||||
printf "Subdomain (can be empty): "
|
||||
read -r sub_domain
|
||||
printf "Email: "
|
||||
read -r email
|
||||
printf "Use certificate signed by Let's Encrypt (Y/n): "
|
||||
read -r signed
|
||||
|
||||
if [ -z $sub_domain ]; then
|
||||
domain="${domain_root}"
|
||||
[ "${signed}" = "${signed#[Yy]}" ]
|
||||
signed=$?
|
||||
|
||||
if [ -z "$sub_domain" ]
|
||||
then
|
||||
domain="${domain_root}"
|
||||
else
|
||||
domain="${sub_domain}.${domain_root}"
|
||||
domain="${sub_domain}.${domain_root}"
|
||||
fi
|
||||
|
||||
mkdir -p ./docker/bootstrap
|
||||
|
||||
cat > ./docker/bootstrap/bootstrap.env <<EOF
|
||||
#!/bin/sh
|
||||
email=${email}
|
||||
domain=${domain}
|
||||
domain_root=${domain_root}
|
||||
signed=${signed}
|
||||
EOF
|
||||
|
||||
chmod +x ./docker/bootstrap/bootstrap.env
|
||||
|
||||
docker-compose -f docker/bootstrap/bootstrap.yaml up
|
||||
|
@ -29,20 +29,20 @@ services:
|
||||
done &
|
||||
nginx -g "daemon off;"'
|
||||
|
||||
#certbot:
|
||||
# image: certbot/certbot
|
||||
# depends_on:
|
||||
# - nginx
|
||||
# # Check for certificate renewal every 12h as
|
||||
# # recomnended by Let's Encryot
|
||||
# entrypoint: /bin/sh -c 'trap exit TERM;
|
||||
# while :; do
|
||||
# certbot renew > /dev/null;
|
||||
# sleep 12h & wait $${!};
|
||||
# done'
|
||||
# volumes:
|
||||
# - ./docker/certbot/www:/var/www/certbot
|
||||
# - ./docker/certbot/files:/etc/letsencrypt
|
||||
certbot:
|
||||
image: certbot/certbot
|
||||
depends_on:
|
||||
- nginx
|
||||
# Check for certificate renewal every 12h as
|
||||
# recomnended by Let's Encryot
|
||||
entrypoint: /bin/sh -c 'trap exit TERM;
|
||||
while :; do
|
||||
certbot renew > /dev/null;
|
||||
sleep 12h & wait $${!};
|
||||
done'
|
||||
volumes:
|
||||
- ./docker/certbot/www:/var/www/certbot
|
||||
- ./docker/certbot/files:/etc/letsencrypt
|
||||
|
||||
php:
|
||||
build: docker/php
|
||||
|
@ -1,6 +1,8 @@
|
||||
#!/bin/sh
|
||||
|
||||
sed -ri "s/%hostname%/$domain/" /etc/nginx/conf.d/challenge.conf
|
||||
. bootstrap.env
|
||||
|
||||
sed -ri "s/%hostname%/${domain}/" /etc/nginx/conf.d/challenge.conf
|
||||
|
||||
nginx
|
||||
|
||||
@ -10,43 +12,50 @@ lets_path="/etc/letsencrypt"
|
||||
|
||||
echo "Starting bootstrap"
|
||||
|
||||
if [ ! -e "${lets_path}/live//options-ssl-nginx.conf" ] \
|
||||
|| [ ! -e "${lets_path}/live/ssl-dhparams.pem" ]; then
|
||||
if [ ! -e "$lets_path/live//options-ssl-nginx.conf" ] || [ ! -e "$lets_path/live/ssl-dhparams.pem" ]
|
||||
then
|
||||
|
||||
echo "### Downloading recommended TLS parameters ..."
|
||||
mkdir -p "${lets_path}/live"
|
||||
echo "### Downloading recommended TLS parameters ..."
|
||||
mkdir -p "${lets_path}/live/${domain_root}"
|
||||
|
||||
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > \
|
||||
"${lets_path}/options-ssl-nginx.conf"
|
||||
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > \
|
||||
"${lets_path}/ssl-dhparams.pem"
|
||||
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf >"$lets_path/options-ssl-nginx.conf"
|
||||
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem >"$lets_path/ssl-dhparams.pem"
|
||||
|
||||
echo "### Creating dummy certificate for ${root_domain} ..."
|
||||
openssl req -x509 -nodes -newkey rsa:1024 -days 1\
|
||||
-keyout "${lets_path}/live/privkey.pem" \
|
||||
-out "${lets_path}/live/fullchain.pem" -subj '/CN=localhost'
|
||||
if [ ${signed} -eq 0 ]
|
||||
then
|
||||
echo "### Creating self signed certificate for ${domain_root} ..."
|
||||
openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 365 \
|
||||
-keyout "${lets_path}/live/${domain_root}/privkey.pem" \
|
||||
-out "${lets_path}/live/${domain_root}/fullchain.pem" -subj "/CN=${domain_root}"
|
||||
|
||||
nginx -s reload
|
||||
else
|
||||
echo "### Creating dummy certificate for ${domain_root} ..."
|
||||
openssl req -x509 -nodes -newkey rsa:1024 -days 1 \
|
||||
-keyout "${lets_path}/live/${domain_root}/privkey.pem" \
|
||||
-out "${lets_path}/live/${domain_root}/fullchain.pem" -subj '/CN=localhost'
|
||||
|
||||
nginx -s reload
|
||||
|
||||
rm -Rf "${lets_path}/live/${root_domain}"
|
||||
rm -Rf "${lets_path}/archive/${root_domain}"
|
||||
rm -Rf "${lets_path}/renewal/${root_domain}.conf"
|
||||
rm -Rf "${lets_path}/live/${domain_root}"
|
||||
rm -Rf "${lets_path}/archive/${domain_root}"
|
||||
rm -Rf "${lets_path}/renewal/${domain_root}.conf"
|
||||
|
||||
echo "### Requesting Let's Encrypt certificate for $root_domain ..."
|
||||
# Format domain_args with the cartesian product of `root_domain` and `subdomains`
|
||||
echo "### Requesting Let's Encrypt certificate for ${domain_root} ..."
|
||||
# Format domain_args with the cartesian product of `domain_root` and `subdomains`
|
||||
|
||||
email_arg="--email ${email}"
|
||||
domain_arg=$([ "${domain_root}" = "${domain}" ] && printf "-d ${domain_root}" || printf "-d ${domain_root} -d ${domain}")
|
||||
if [ "${domain_root}" = "${domain}" ]; then domain_arg="-d ${domain_root}"; else domain_arg="-d ${domain_root} -d ${domain}"; fi
|
||||
|
||||
# Ask Let's Encrypt to create certificates, if challenge passed
|
||||
certbot certonly --webroot -w /var/www/certbot \
|
||||
${email_arg} \
|
||||
certbot certonly --webroot -w "${certbot_path}" \
|
||||
--email "${email}" \
|
||||
${domain_arg} \
|
||||
--non-interactive \
|
||||
--rsa-key-size ${rsa_key_size} \
|
||||
--rsa-key-size "${rsa_key_size}" \
|
||||
--agree-tos \
|
||||
--force-renewal
|
||||
fi
|
||||
|
||||
else
|
||||
echo "Certificate related files exists, exiting"
|
||||
echo "Certificate related files exists, exiting"
|
||||
fi
|
||||
|
@ -7,6 +7,7 @@ services:
|
||||
- ../certbot/www:/var/www/certbot
|
||||
- ../certbot/files:/etc/letsencrypt
|
||||
- ./bootstrap.sh:/bootstrap.sh
|
||||
- ./bootstrap.env:/bootstrap.env
|
||||
ports:
|
||||
- 80:80
|
||||
env_file:
|
||||
|
Loading…
Reference in New Issue
Block a user