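#!/bin/sh
# This script is intended to run inside the bootstrap container. It
# should work outside, but that use case is not tested.
#
# Required environment (expected to come from bootstrap.env — verify
# against the configuration utility):
#   MAIL_DOMAIN  - substituted into the nginx challenge config and used
#                  as a certificate domain
#   WEB_DOMAIN   - used as a certificate domain
#   SIGNED, EMAIL are read later by obtain_certificates.

. bootstrap.env

# Fail early when a domain is missing: an empty MAIL_DOMAIN would silently
# blank out %hostname% in challenge.conf, and an empty domain handed to
# obtain_certificates turns its "rm -Rf ${PREFIX}/live/${DOMAIN}" into a
# wipe of the whole live directory.
: "${MAIL_DOMAIN:?MAIL_DOMAIN must be set (bootstrap.env)}"
: "${WEB_DOMAIN:?WEB_DOMAIN must be set (bootstrap.env)}"

# MAIL_DOMAIN is spliced into a sed expression below; a '/', '&', '\' or
# newline in it would change the expression rather than the replaced text,
# so only hostname characters are accepted.
case "${MAIL_DOMAIN}" in
    *[!A-Za-z0-9.-]*)
        printf 'MAIL_DOMAIN contains characters that are not valid in a hostname: %s\n' "${MAIL_DOMAIN}" >&2
        exit 1
        ;;
esac

# -r (extended regex) is a GNU/busybox sed flag; the expression itself does
# not need it, but it is kept for the container's sed.
sed -ri "s/%hostname%/${MAIL_DOMAIN}/" /etc/nginx/conf.d/challenge.conf

# nginx must be up to serve the ACME webroot challenge later on; if it
# cannot start there is no point continuing.
nginx || {
    echo "nginx failed to start, aborting bootstrap" >&2
    exit 1
}

# TODO Expose these in the configuration utility
RSA_KEY_SIZE=4096
PREFIX="/etc/letsencrypt"
SELF_SIGNED_CERTIFICATE_TTL=365

echo "Starting bootstrap"
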
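#######################################
# Download $1 into $2, writing to a temporary file next to the destination
# and moving it into place only on success, so a failed or partial transfer
# (e.g. an HTML error page) can never satisfy the existence check that
# decides whether certificates are re-provisioned.
# Arguments: $1 - URL, $2 - destination path
# Returns:   0 on success, 1 when the download fails
#######################################
_fetch_tls_asset () {
    _fetch_tmp="$2.tmp.$$"
    if curl -fsS -o "${_fetch_tmp}" "$1"; then
        mv -f -- "${_fetch_tmp}" "$2"
    else
        printf '### Failed to download %s\n' "$1" >&2
        rm -f -- "${_fetch_tmp}"
        return 1
    fi
}

#######################################
# Provision TLS material for one domain under ${PREFIX}/live/<domain>.
#
# Fetches certbot's recommended nginx TLS options and DH parameters into
# ${PREFIX}, then either creates a self-signed certificate (SIGNED=0) or a
# one-day dummy certificate that nginx can load while certbot performs the
# webroot challenge and replaces it with a Let's Encrypt certificate.
#
# Globals:   PREFIX, RSA_KEY_SIZE, SELF_SIGNED_CERTIFICATE_TTL (read; set
#            earlier in this script); SIGNED, EMAIL (read; presumably from
#            bootstrap.env — verify); DOMAIN (written)
# Arguments: $1 - fully qualified domain name; must be non-empty
# Outputs:   progress messages on stdout, errors on stderr
# Returns:   0 when certificates already exist or were created; non-zero
#            when the argument is empty, a download fails, or openssl /
#            certbot fail
#######################################
obtain_certificates () {
    # An empty argument would turn the rm -Rf calls below into
    # "rm -Rf ${PREFIX}/live/" and erase every domain's certificates.
    DOMAIN="${1:?obtain_certificates: domain argument must not be empty}"

    # The DH parameters are written to ${PREFIX}/ssl-dhparams.pem below, so
    # that is the path to test. (Testing ${PREFIX}/live/ssl-dhparams.pem, a
    # path nothing writes, makes this branch unreachable: every bootstrap
    # then deletes the live directory and re-requests with --force-renewal,
    # which runs into Let's Encrypt rate limits.)
    if [ -e "${PREFIX}/live/${DOMAIN}" ] && [ -e "${PREFIX}/ssl-dhparams.pem" ]; then
        echo "Certificate related files exists, exiting"
        return 0
    fi

    echo "### Downloading recommended TLS parameters ..."
    mkdir -p "${PREFIX}/live/${DOMAIN}" || return 1

    # Both files are fetched from an unpinned branch of the certbot
    # repository; a failed download must not leave garbage where nginx
    # expects its TLS options or DH parameters.
    _fetch_tls_asset \
        https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf \
        "${PREFIX}/options-ssl-nginx.conf" || return 1
    _fetch_tls_asset \
        https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem \
        "${PREFIX}/ssl-dhparams.pem" || return 1

    # An unset or non-numeric SIGNED makes this test fail (with an error
    # from [) and falls through to the Let's Encrypt branch; keep SIGNED
    # explicitly set in the configuration.
    if [ "${SIGNED}" -eq 0 ]; then
        echo "### Creating self signed certificate for ${DOMAIN} ..."
        openssl req -x509 -nodes -newkey "rsa:${RSA_KEY_SIZE}" \
                -days "${SELF_SIGNED_CERTIFICATE_TTL}" \
                -keyout "${PREFIX}/live/${DOMAIN}/privkey.pem" \
                -out "${PREFIX}/live/${DOMAIN}/fullchain.pem" \
                -subj "/CN=${DOMAIN}" || return 1
        # NOTE(review): unlike the Let's Encrypt branch, nginx is not
        # reloaded here; presumably a later step picks the files up — confirm.
    else
        # certbot needs a contact address; check it before the existing
        # certificates are deleted so a missing EMAIL cannot leave the
        # domain with no certificate at all.
        : "${EMAIL:?EMAIL must be set to request a Let's Encrypt certificate}"

        echo "### Creating dummy certificate for ${DOMAIN} ..."
        # Throwaway one-day key pair, only so nginx can load a certificate
        # while the ACME challenge is served; it is removed a few lines below.
        openssl req -x509 -nodes -newkey rsa:1024 -days 1 \
                -keyout "${PREFIX}/live/${DOMAIN}/privkey.pem" \
                -out "${PREFIX}/live/${DOMAIN}/fullchain.pem" -subj '/CN=localhost' || return 1

        nginx -s reload

        # Clear any previous state for this domain so certbot starts fresh.
        rm -Rf -- "${PREFIX}/live/${DOMAIN}"
        rm -Rf -- "${PREFIX}/archive/${DOMAIN}"
        rm -Rf -- "${PREFIX}/renewal/${DOMAIN}.conf"

        echo "### Requesting Let's Encrypt certificate for ${DOMAIN} ..."

        # Ask Let's Encrypt to create certificates, if challenge passes
        certbot certonly --webroot -w "/var/www/certbot" \
                --email "${EMAIL}" \
                -d "${DOMAIN}" \
                --non-interactive \
                --rsa-key-size "${RSA_KEY_SIZE}" \
                --agree-tos \
                --force-renewal
    fi
}
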
# Provision certificates for both public hostnames, web first, then mail.
for bootstrap_domain in "${WEB_DOMAIN}" "${MAIL_DOMAIN}"; do
    obtain_certificates "${bootstrap_domain}"
done