[DOCKER][BOOTSTRAP] Add option to use a self signed cert

This commit is contained in:
Diogo Cordeiro 2020-05-10 22:33:03 +01:00 committed by Hugo Sales
parent cb7518a750
commit f60e37ba3d
Signed by: someonewithpc
GPG Key ID: 7D0C7EAFC9D835A0
5 changed files with 71 additions and 45 deletions

3
.gitignore vendored
View File

@ -27,3 +27,6 @@ DOCUMENTATION/database/*
docker/certbot
docker/*/*.env
# V2
config.php

View File

@ -1,21 +1,34 @@
#!/bin/sh
read -p "Domain root: " domain_root
read -p "Subdomain (can be empty): " sub_domain
read -p "Email: " email
printf "Domain root: "
read -r domain_root
printf "Subdomain (can be empty): "
read -r sub_domain
printf "Email: "
read -r email
printf "Use certificate signed by Let's Encrypt (Y/n): "
read -r signed
if [ -z $sub_domain ]; then
domain="${domain_root}"
[ "${signed}" = "${signed#[Yy]}" ]
signed=$?
if [ -z "$sub_domain" ]
then
domain="${domain_root}"
else
domain="${sub_domain}.${domain_root}"
domain="${sub_domain}.${domain_root}"
fi
mkdir -p ./docker/bootstrap
cat > ./docker/bootstrap/bootstrap.env <<EOF
#!/bin/sh
email=${email}
domain=${domain}
domain_root=${domain_root}
signed=${signed}
EOF
chmod +x ./docker/bootstrap/bootstrap.env
docker-compose -f docker/bootstrap/bootstrap.yaml up

View File

@ -29,20 +29,20 @@ services:
done &
nginx -g "daemon off;"'
#certbot:
# image: certbot/certbot
# depends_on:
# - nginx
# # Check for certificate renewal every 12h as
# # recomnended by Let's Encryot
# entrypoint: /bin/sh -c 'trap exit TERM;
# while :; do
# certbot renew > /dev/null;
# sleep 12h & wait $${!};
# done'
# volumes:
# - ./docker/certbot/www:/var/www/certbot
# - ./docker/certbot/files:/etc/letsencrypt
certbot:
image: certbot/certbot
depends_on:
- nginx
# Check for certificate renewal every 12h as
# recomnended by Let's Encryot
entrypoint: /bin/sh -c 'trap exit TERM;
while :; do
certbot renew > /dev/null;
sleep 12h & wait $${!};
done'
volumes:
- ./docker/certbot/www:/var/www/certbot
- ./docker/certbot/files:/etc/letsencrypt
php:
build: docker/php

View File

@ -1,6 +1,8 @@
#!/bin/sh
sed -ri "s/%hostname%/$domain/" /etc/nginx/conf.d/challenge.conf
. bootstrap.env
sed -ri "s/%hostname%/${domain}/" /etc/nginx/conf.d/challenge.conf
nginx
@ -10,43 +12,50 @@ lets_path="/etc/letsencrypt"
echo "Starting bootstrap"
if [ ! -e "${lets_path}/live//options-ssl-nginx.conf" ] \
|| [ ! -e "${lets_path}/live/ssl-dhparams.pem" ]; then
if [ ! -e "$lets_path/live//options-ssl-nginx.conf" ] || [ ! -e "$lets_path/live/ssl-dhparams.pem" ]
then
echo "### Downloading recommended TLS parameters ..."
mkdir -p "${lets_path}/live"
echo "### Downloading recommended TLS parameters ..."
mkdir -p "${lets_path}/live/${domain_root}"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > \
"${lets_path}/options-ssl-nginx.conf"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > \
"${lets_path}/ssl-dhparams.pem"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf >"$lets_path/options-ssl-nginx.conf"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem >"$lets_path/ssl-dhparams.pem"
echo "### Creating dummy certificate for ${root_domain} ..."
openssl req -x509 -nodes -newkey rsa:1024 -days 1\
-keyout "${lets_path}/live/privkey.pem" \
-out "${lets_path}/live/fullchain.pem" -subj '/CN=localhost'
if [ ${signed} -eq 0 ]
then
echo "### Creating self signed certificate for ${domain_root} ..."
openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 365 \
-keyout "${lets_path}/live/${domain_root}/privkey.pem" \
-out "${lets_path}/live/${domain_root}/fullchain.pem" -subj "/CN=${domain_root}"
nginx -s reload
else
echo "### Creating dummy certificate for ${domain_root} ..."
openssl req -x509 -nodes -newkey rsa:1024 -days 1 \
-keyout "${lets_path}/live/${domain_root}/privkey.pem" \
-out "${lets_path}/live/${domain_root}/fullchain.pem" -subj '/CN=localhost'
nginx -s reload
rm -Rf "${lets_path}/live/${root_domain}"
rm -Rf "${lets_path}/archive/${root_domain}"
rm -Rf "${lets_path}/renewal/${root_domain}.conf"
rm -Rf "${lets_path}/live/${domain_root}"
rm -Rf "${lets_path}/archive/${domain_root}"
rm -Rf "${lets_path}/renewal/${domain_root}.conf"
echo "### Requesting Let's Encrypt certificate for $root_domain ..."
# Format domain_args with the cartesian product of `root_domain` and `subdomains`
echo "### Requesting Let's Encrypt certificate for ${domain_root} ..."
# Format domain_args with the cartesian product of `domain_root` and `subdomains`
email_arg="--email ${email}"
domain_arg=$([ "${domain_root}" = "${domain}" ] && printf "-d ${domain_root}" || printf "-d ${domain_root} -d ${domain}")
if [ "${domain_root}" = "${domain}" ]; then domain_arg="-d ${domain_root}"; else domain_arg="-d ${domain_root} -d ${domain}"; fi
# Ask Let's Encrypt to create certificates, if challenge passed
certbot certonly --webroot -w /var/www/certbot \
${email_arg} \
certbot certonly --webroot -w "${certbot_path}" \
--email "${email}" \
${domain_arg} \
--non-interactive \
--rsa-key-size ${rsa_key_size} \
--rsa-key-size "${rsa_key_size}" \
--agree-tos \
--force-renewal
fi
else
echo "Certificate related files exists, exiting"
echo "Certificate related files exists, exiting"
fi

View File

@ -7,6 +7,7 @@ services:
- ../certbot/www:/var/www/certbot
- ../certbot/files:/etc/letsencrypt
- ./bootstrap.sh:/bootstrap.sh
- ./bootstrap.env:/bootstrap.env
ports:
- 80:80
env_file: