From f60e37ba3d40eb2131b034be375d41b77f4b0d72 Mon Sep 17 00:00:00 2001
From: Diogo Cordeiro
Date: Sun, 10 May 2020 22:33:03 +0100
Subject: [PATCH] [DOCKER][BOOTSTRAP] Add option to use a self signed cert
---
 .gitignore | 5 ++-
 bin/bootstrap_certificates | 25 +++++++++++----
 docker-compose.yaml | 28 ++++++++--------
 docker/bootstrap/bootstrap.sh | 57 +++++++++++++++++++--------------
 docker/bootstrap/bootstrap.yaml | 1 +
 5 files changed, 71 insertions(+), 45 deletions(-)
diff --git a/.gitignore b/.gitignore
index c133c6d125..fc0682a8df 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,4 +26,7 @@
 DOCUMENTATION/database/*
 !DOCUMENTATION/database/database.pdf
 docker/certbot
-docker/*/*.env
\ No newline at end of file
+docker/*/*.env
+
+# V2
+config.php
\ No newline at end of file
diff --git a/bin/bootstrap_certificates b/bin/bootstrap_certificates
index d699b772b6..30dd538061 100755
--- a/bin/bootstrap_certificates
+++ b/bin/bootstrap_certificates
@@ -1,21 +1,34 @@
 #!/bin/sh
-read -p "Domain root: " domain_root
-read -p "Subdomain (can be empty): " sub_domain
-read -p "Email: " email
+printf "Domain root: "
+read -r domain_root
+printf "Subdomain (can be empty): "
+read -r sub_domain
+printf "Email: "
+read -r email
+printf "Use certificate signed by Let's Encrypt (Y/n): "
+read -r signed
-if [ -z $sub_domain ]; then
- domain="${domain_root}"
+[ "${signed}" = "${signed#[Yy]}" ]
+signed=$?
+
+if [ -z "$sub_domain" ]
+then
+ domain="${domain_root}"
 else
- domain="${sub_domain}.${domain_root}"
+ domain="${sub_domain}.${domain_root}"
 fi
 mkdir -p ./docker/bootstrap
 cat > ./docker/bootstrap/bootstrap.env < /dev/null;
- # sleep 12h & wait $${!};
- # done'
- # volumes:
- # - ./docker/certbot/www:/var/www/certbot
- # - ./docker/certbot/files:/etc/letsencrypt
+ certbot:
+ image: certbot/certbot
+ depends_on:
+ - nginx
+ # Check for certificate renewal every 12h as
+ # recomnended by Let's Encryot
+ entrypoint: /bin/sh -c 'trap exit TERM;
+ while :; do
+ certbot renew > /dev/null;
+ sleep 12h & wait $${!};
+ done'
+ volumes:
+ - ./docker/certbot/www:/var/www/certbot
+ - ./docker/certbot/files:/etc/letsencrypt
 php:
 build: docker/php
diff --git a/docker/bootstrap/bootstrap.sh b/docker/bootstrap/bootstrap.sh
index 4957dbd47c..cc4653f7ac 100755
--- a/docker/bootstrap/bootstrap.sh
+++ b/docker/bootstrap/bootstrap.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
-sed -ri "s/%hostname%/$domain/" /etc/nginx/conf.d/challenge.conf
+. bootstrap.env
+
+sed -ri "s/%hostname%/${domain}/" /etc/nginx/conf.d/challenge.conf
 nginx
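Review bot: The `[ "${signed}" = "${signed#[Yy]}" ]` / `signed=$?` pair makes an empty answer select the self-signed path, although the prompt advertises `(Y/n)`, i.e. Let's Encrypt as the default: pressing Enter leaves `signed` empty, the comparison succeeds, `signed` becomes 0, and the `[ ${signed} -eq 0 ]` branch in bootstrap.sh issues a self-signed certificate. Storing the test's exit status also inverts the meaning of the variable name (0 means "not signed"), which the reader has to work out from the other file. Treating only an explicit "no" as the opt-out is clearer and matches the prompt: `case "${signed}" in [Nn]*) signed=0 ;; *) signed=1 ;; esac`. The heredoc that writes bootstrap.env is not legible in this copy of the patch, so its quoting could not be checked; since bootstrap.sh loads the file with `.`, the three interactive answers are evaluated as shell, and each assignment should be written single-quoted (e.g. `domain_root='...'`) so that a stray `$`, `;` or backtick in an answer cannot be executed.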
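Review bot: `. bootstrap.env` names the file without a slash, and for such a name POSIX `.` searches `$PATH` rather than the working directory, with some `/bin/sh` implementations not falling back to `.`, so whether `domain` is loaded at all depends on where the container's shell starts. bootstrap.yaml mounts the file at `/bootstrap.env` next to `/bootstrap.sh`, so sourcing the absolute path is what the script should do: `. /bootstrap.env`. The loaded `domain` is then interpolated unquoted into the sed program on the following line, where a `/` or `&` would alter the substitution; using a different delimiter, `sed -ri "s|%hostname%|${domain}|" /etc/nginx/conf.d/challenge.conf`, or validating `domain` against a hostname pattern before use, closes that. The rest of the script, including the `set`-less error handling after `nginx` starts, lies outside this hunk.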
@@ -10,43 +12,50 @@ lets_path="/etc/letsencrypt"
 echo "Starting bootstrap"
-if [ ! -e "${lets_path}/live//options-ssl-nginx.conf" ] \
- || [ ! -e "${lets_path}/live/ssl-dhparams.pem" ]; then
+if [ ! -e "$lets_path/live//options-ssl-nginx.conf" ] || [ ! -e "$lets_path/live/ssl-dhparams.pem" ]
+then
- echo "### Downloading recommended TLS parameters ..."
- mkdir -p "${lets_path}/live"
+ echo "### Downloading recommended TLS parameters ..."
+ mkdir -p "${lets_path}/live/${domain_root}"
- curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > \
- "${lets_path}/options-ssl-nginx.conf"
- curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > \
- "${lets_path}/ssl-dhparams.pem"
+ curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf >"$lets_path/options-ssl-nginx.conf"
+ curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem >"$lets_path/ssl-dhparams.pem"
- echo "### Creating dummy certificate for ${root_domain} ..."
- openssl req -x509 -nodes -newkey rsa:1024 -days 1\
- -keyout "${lets_path}/live/privkey.pem" \
- -out "${lets_path}/live/fullchain.pem" -subj '/CN=localhost'
+ if [ ${signed} -eq 0 ]
+ then
+ echo "### Creating self signed certificate for ${domain_root} ..."
+ openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 365 \
+ -keyout "${lets_path}/live/${domain_root}/privkey.pem" \
+ -out "${lets_path}/live/${domain_root}/fullchain.pem" -subj "/CN=${domain_root}"
+
+ nginx -s reload
+ else
+ echo "### Creating dummy certificate for ${domain_root} ..."
+ openssl req -x509 -nodes -newkey rsa:1024 -days 1 \
+ -keyout "${lets_path}/live/${domain_root}/privkey.pem" \
+ -out "${lets_path}/live/${domain_root}/fullchain.pem" -subj '/CN=localhost'
 nginx -s reload
- rm -Rf "${lets_path}/live/${root_domain}"
- rm -Rf "${lets_path}/archive/${root_domain}"
- rm -Rf "${lets_path}/renewal/${root_domain}.conf"
+ rm -Rf "${lets_path}/live/${domain_root}"
+ rm -Rf "${lets_path}/archive/${domain_root}"
+ rm -Rf "${lets_path}/renewal/${domain_root}.conf"
- echo "### Requesting Let's Encrypt certificate for $root_domain ..."
- # Format domain_args with the cartesian product of `root_domain` and `subdomains`
+ echo "### Requesting Let's Encrypt certificate for ${domain_root} ..."
+ # Format domain_args with the cartesian product of `domain_root` and `subdomains`
- email_arg="--email ${email}"
- domain_arg=$([ "${domain_root}" = "${domain}" ] && printf "-d ${domain_root}" || printf "-d ${domain_root} -d ${domain}")
+ if [ "${domain_root}" = "${domain}" ]; then domain_arg="-d ${domain_root}"; else domain_arg="-d ${domain_root} -d ${domain}"; fi
 # Ask Let's Encrypt to create certificates, if challenge passed
- certbot certonly --webroot -w /var/www/certbot \
- ${email_arg} \
+ certbot certonly --webroot -w "${certbot_path}" \
+ --email "${email}" \
 ${domain_arg} \
 --non-interactive \
- --rsa-key-size ${rsa_key_size} \
+ --rsa-key-size "${rsa_key_size}" \
 --agree-tos \
 --force-renewal
+ fi
 else
- echo "Certificate related files exists, exiting"
+ echo "Certificate related files exists, exiting"
 fi
diff --git a/docker/bootstrap/bootstrap.yaml b/docker/bootstrap/bootstrap.yaml
index 0b84a908fb..468bc3b52a 100644
--- a/docker/bootstrap/bootstrap.yaml
+++ b/docker/bootstrap/bootstrap.yaml
@@ -7,6 +7,7 @@ services:
 - ../certbot/www:/var/www/certbot
 - ../certbot/files:/etc/letsencrypt
 - ./bootstrap.sh:/bootstrap.sh
+ - ./bootstrap.env:/bootstrap.env
 ports:
 - 80:80
 env_file:
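Review bot: The rewritten guard at the top of this hunk tests `$lets_path/live//options-ssl-nginx.conf` and `$lets_path/live/ssl-dhparams.pem`, but the two curl lines a few lines later write those files to `$lets_path/options-ssl-nginx.conf` and `$lets_path/ssl-dhparams.pem`, so the "already bootstrapped" branch at the bottom can never be taken and every container start re-downloads the parameters and, on the Let's Encrypt path, runs `certbot ... --force-renewal` again, which is charged against the issuance rate limit; the check should be `if [ ! -e "$lets_path/options-ssl-nginx.conf" ] || [ ! -e "$lets_path/ssl-dhparams.pem" ]`. In the new self-signed branch the certificate carries only `-subj "/CN=${domain_root}"`, while a deployment that entered a subdomain is served as `${domain}`; current clients match the host against subjectAltName rather than CN, so neither name is accepted and the request should add `-addext "subjectAltName=DNS:${domain_root},DNS:${domain}"` (OpenSSL 1.1.1 or later). Both `curl -s` downloads lack `-f`, so an HTTP error page would be saved as the nginx TLS configuration and fed to the server on reload; `curl -sf` with a check of its exit status avoids that. `[ ${signed} -eq 0 ]` is unquoted and becomes a syntax error if an older bootstrap.env without that variable is mounted, so `"${signed:-1}"` or an explicit presence check would be safer.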