[DOCKER][BOOTSTRAP] Add option to use a self signed cert

.gitignore

@@ -27,3 +27,6 @@ DOCUMENTATION/database/*
 
 docker/certbot
 docker/*/*.env
+
+# V2
+config.php

bin/bootstrap_certificates

@@ -1,10 +1,19 @@
 #!/bin/sh
 
-read -p "Domain root: " domain_root
+printf "Domain root: "
-read -p "Subdomain (can be empty): " sub_domain
+read -r domain_root
-read -p "Email: " email
+printf "Subdomain (can be empty): "
+read -r sub_domain
+printf "Email: "
+read -r email
+printf "Use certificate signed by Let's Encrypt (Y/n): "
+read -r signed
 
-if [ -z $sub_domain ]; then
+[ "${signed}" = "${signed#[Yy]}" ]
+signed=$?
+
+if [ -z "$sub_domain" ]
+then
   domain="${domain_root}"
 else
   domain="${sub_domain}.${domain_root}"
@@ -13,9 +22,13 @@ fi
 mkdir -p ./docker/bootstrap
 
 cat > ./docker/bootstrap/bootstrap.env <<EOF
+#!/bin/sh
 email=${email}
 domain=${domain}
 domain_root=${domain_root}
+signed=${signed}
 EOF
 
+chmod +x ./docker/bootstrap/bootstrap.env
+
 docker-compose -f docker/bootstrap/bootstrap.yaml up

docker-compose.yaml

@@ -29,20 +29,20 @@ services:
                          done &
                          nginx -g "daemon off;"'
 
-  #certbot:
+  certbot:
-  #  image: certbot/certbot
+    image: certbot/certbot
-  #  depends_on:
+    depends_on:
-  #    - nginx
+      - nginx
-  #  # Check for certificate renewal every 12h as
+    # Check for certificate renewal every 12h as
-  #  # recomnended by Let's Encryot
+    # recomnended by Let's Encryot
-  #  entrypoint: /bin/sh -c 'trap exit TERM;
+    entrypoint: /bin/sh -c 'trap exit TERM;
-  #                          while :; do
+                            while :; do
-  #                              certbot renew > /dev/null;
+                                certbot renew > /dev/null;
-  #                              sleep 12h & wait $${!};
+                                sleep 12h & wait $${!};
-  #                          done'
+                            done'
-  #  volumes:
+    volumes:
-  #    - ./docker/certbot/www:/var/www/certbot
+      - ./docker/certbot/www:/var/www/certbot
-  #    - ./docker/certbot/files:/etc/letsencrypt
+      - ./docker/certbot/files:/etc/letsencrypt
 
   php:
     build: docker/php

docker/bootstrap/bootstrap.sh

@@ -1,6 +1,8 @@
 #!/bin/sh
 
-sed -ri "s/%hostname%/$domain/" /etc/nginx/conf.d/challenge.conf
+. bootstrap.env
+
+sed -ri "s/%hostname%/${domain}/" /etc/nginx/conf.d/challenge.conf
 
 nginx
 
@@ -10,42 +12,49 @@ lets_path="/etc/letsencrypt"
 
 echo "Starting bootstrap"
 
-if [ ! -e "${lets_path}/live//options-ssl-nginx.conf" ] \
+if [ ! -e "$lets_path/live//options-ssl-nginx.conf" ] ||  [ ! -e "$lets_path/live/ssl-dhparams.pem" ]
-    || [ ! -e "${lets_path}/live/ssl-dhparams.pem" ]; then
+then
 
   echo "### Downloading recommended TLS parameters ..."
-    mkdir -p "${lets_path}/live"
+  mkdir -p "${lets_path}/live/${domain_root}"
 
-    curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > \
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf >"$lets_path/options-ssl-nginx.conf"
-         "${lets_path}/options-ssl-nginx.conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem >"$lets_path/ssl-dhparams.pem"
-    curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > \
-         "${lets_path}/ssl-dhparams.pem"
 
-    echo "### Creating dummy certificate for ${root_domain} ..."
+  if [ ${signed} -eq 0 ]
-    openssl req -x509 -nodes -newkey rsa:1024 -days 1\
+  then
-            -keyout "${lets_path}/live/privkey.pem" \
+    echo "### Creating self signed certificate for ${domain_root} ..."
-            -out "${lets_path}/live/fullchain.pem" -subj '/CN=localhost'
+    openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 365 \
+      -keyout "${lets_path}/live/${domain_root}/privkey.pem" \
+      -out "${lets_path}/live/${domain_root}/fullchain.pem" -subj "/CN=${domain_root}"
+
+    nginx -s reload
+  else
+    echo "### Creating dummy certificate for ${domain_root} ..."
+    openssl req -x509 -nodes -newkey rsa:1024 -days 1 \
+      -keyout "${lets_path}/live/${domain_root}/privkey.pem" \
+      -out "${lets_path}/live/${domain_root}/fullchain.pem" -subj '/CN=localhost'
 
     nginx -s reload
 
-    rm -Rf "${lets_path}/live/${root_domain}"
+    rm -Rf "${lets_path}/live/${domain_root}"
-    rm -Rf "${lets_path}/archive/${root_domain}"
+    rm -Rf "${lets_path}/archive/${domain_root}"
-    rm -Rf "${lets_path}/renewal/${root_domain}.conf"
+    rm -Rf "${lets_path}/renewal/${domain_root}.conf"
 
-    echo "### Requesting Let's Encrypt certificate for $root_domain ..."
+    echo "### Requesting Let's Encrypt certificate for ${domain_root} ..."
-    # Format domain_args with the cartesian product of `root_domain` and `subdomains`
+    # Format domain_args with the cartesian product of `domain_root` and `subdomains`
 
-    email_arg="--email ${email}"
+    if [ "${domain_root}" = "${domain}" ]; then domain_arg="-d ${domain_root}"; else domain_arg="-d ${domain_root} -d ${domain}"; fi
-    domain_arg=$([ "${domain_root}" = "${domain}" ] && printf "-d ${domain_root}" || printf "-d ${domain_root} -d ${domain}")
 
     # Ask Let's Encrypt to create certificates, if challenge passed
-    certbot certonly --webroot -w /var/www/certbot \
+    certbot certonly --webroot -w "${certbot_path}" \
-            ${email_arg} \
+            --email "${email}" \
             ${domain_arg} \
             --non-interactive \
-            --rsa-key-size ${rsa_key_size} \
+            --rsa-key-size "${rsa_key_size}" \
             --agree-tos \
             --force-renewal
+  fi
 
 else
   echo "Certificate related files exists, exiting"

docker/bootstrap/bootstrap.yaml

@@ -7,6 +7,7 @@ services:
       - ../certbot/www:/var/www/certbot
       - ../certbot/files:/etc/letsencrypt
       - ./bootstrap.sh:/bootstrap.sh
+      - ./bootstrap.env:/bootstrap.env
     ports:
       - 80:80
     env_file: