[DOCKER][BOOTSTRAP] Add option to use a self signed cert

This commit is contained in:
Diogo Cordeiro 2020-05-10 22:33:03 +01:00 committed by Hugo Sales
parent cb7518a750
commit f60e37ba3d
Signed by untrusted user: someonewithpc
GPG Key ID: 7D0C7EAFC9D835A0
5 changed files with 71 additions and 45 deletions

.gitignore vendored

@ -27,3 +27,6 @@ DOCUMENTATION/database/*
docker/certbot docker/certbot
docker/*/*.env docker/*/*.env
# V2
config.php


@ -1,21 +1,34 @@
#!/bin/sh #!/bin/sh
read -p "Domain root: " domain_root printf "Domain root: "
read -p "Subdomain (can be empty): " sub_domain read -r domain_root
read -p "Email: " email printf "Subdomain (can be empty): "
read -r sub_domain
printf "Email: "
read -r email
printf "Use certificate signed by Let's Encrypt (Y/n): "
read -r signed
if [ -z $sub_domain ]; then [ "${signed}" = "${signed#[Yy]}" ]
domain="${domain_root}" signed=$?
if [ -z "$sub_domain" ]
then
domain="${domain_root}"
else else
domain="${sub_domain}.${domain_root}" domain="${sub_domain}.${domain_root}"
fi fi
mkdir -p ./docker/bootstrap mkdir -p ./docker/bootstrap
cat > ./docker/bootstrap/bootstrap.env <<EOF cat > ./docker/bootstrap/bootstrap.env <<EOF
#!/bin/sh
email=${email} email=${email}
domain=${domain} domain=${domain}
domain_root=${domain_root} domain_root=${domain_root}
signed=${signed}
EOF EOF
chmod +x ./docker/bootstrap/bootstrap.env
docker-compose -f docker/bootstrap/bootstrap.yaml up docker-compose -f docker/bootstrap/bootstrap.yaml up
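Review bot: The default answer of the new `Use certificate signed by Let's Encrypt (Y/n)` prompt is the opposite of what the capital Y suggests: an empty answer makes `[ "${signed}" = "${signed#[Yy]}" ]` succeed, so `signed=$?` becomes 0, which bootstrap.sh treats as the self-signed path. Either label the prompt `(y/N)` or make an empty answer count as yes, e.g. `[ -n "${signed}" ] && [ "${signed}" = "${signed#[Yy]}" ]` before the `signed=$?` line. The values are also written unquoted into a heredoc that bootstrap.sh later sources with `.`, so an email or domain containing a space or `$` would be re-parsed as shell syntax; quoting them in the heredoc, e.g. `email='${email}'`, keeps them literal. The `#!/bin/sh` line and `chmod +x` on a file that is only ever sourced add nothing and could be dropped.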


@ -29,20 +29,20 @@ services:
done & done &
nginx -g "daemon off;"' nginx -g "daemon off;"'
#certbot: certbot:
# image: certbot/certbot image: certbot/certbot
# depends_on: depends_on:
# - nginx - nginx
# # Check for certificate renewal every 12h as # Check for certificate renewal every 12h as
# # recomnended by Let's Encryot # recomnended by Let's Encryot
# entrypoint: /bin/sh -c 'trap exit TERM; entrypoint: /bin/sh -c 'trap exit TERM;
# while :; do while :; do
# certbot renew > /dev/null; certbot renew > /dev/null;
# sleep 12h & wait $${!}; sleep 12h & wait $${!};
# done' done'
# volumes: volumes:
# - ./docker/certbot/www:/var/www/certbot - ./docker/certbot/www:/var/www/certbot
# - ./docker/certbot/files:/etc/letsencrypt - ./docker/certbot/files:/etc/letsencrypt
php: php:
build: docker/php build: docker/php
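Review bot: The comment carried over into the now-active certbot service still reads `# recomnended by Let's Encryot`; since every line of the block is touched by this commit anyway, fix it to `# recommended by Let's Encrypt`. The service also has no `restart:` policy, so after a host reboot or a container stop the 12h `certbot renew` loop silently stops running; `restart: unless-stopped` would match the intent of the loop, assuming the other services in this file (outside the hunk) are not already covered by a global policy.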


@ -1,6 +1,8 @@
#!/bin/sh #!/bin/sh
sed -ri "s/%hostname%/$domain/" /etc/nginx/conf.d/challenge.conf . bootstrap.env
sed -ri "s/%hostname%/${domain}/" /etc/nginx/conf.d/challenge.conf
nginx nginx
@ -10,43 +12,50 @@ lets_path="/etc/letsencrypt"
echo "Starting bootstrap" echo "Starting bootstrap"
if [ ! -e "${lets_path}/live//options-ssl-nginx.conf" ] \ if [ ! -e "$lets_path/live//options-ssl-nginx.conf" ] || [ ! -e "$lets_path/live/ssl-dhparams.pem" ]
|| [ ! -e "${lets_path}/live/ssl-dhparams.pem" ]; then then
echo "### Downloading recommended TLS parameters ..." echo "### Downloading recommended TLS parameters ..."
mkdir -p "${lets_path}/live" mkdir -p "${lets_path}/live/${domain_root}"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > \ curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf >"$lets_path/options-ssl-nginx.conf"
"${lets_path}/options-ssl-nginx.conf" curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem >"$lets_path/ssl-dhparams.pem"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > \
"${lets_path}/ssl-dhparams.pem"
echo "### Creating dummy certificate for ${root_domain} ..." if [ ${signed} -eq 0 ]
openssl req -x509 -nodes -newkey rsa:1024 -days 1\ then
-keyout "${lets_path}/live/privkey.pem" \ echo "### Creating self signed certificate for ${domain_root} ..."
-out "${lets_path}/live/fullchain.pem" -subj '/CN=localhost' openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 365 \
-keyout "${lets_path}/live/${domain_root}/privkey.pem" \
-out "${lets_path}/live/${domain_root}/fullchain.pem" -subj "/CN=${domain_root}"
nginx -s reload
else
echo "### Creating dummy certificate for ${domain_root} ..."
openssl req -x509 -nodes -newkey rsa:1024 -days 1 \
-keyout "${lets_path}/live/${domain_root}/privkey.pem" \
-out "${lets_path}/live/${domain_root}/fullchain.pem" -subj '/CN=localhost'
nginx -s reload nginx -s reload
rm -Rf "${lets_path}/live/${root_domain}" rm -Rf "${lets_path}/live/${domain_root}"
rm -Rf "${lets_path}/archive/${root_domain}" rm -Rf "${lets_path}/archive/${domain_root}"
rm -Rf "${lets_path}/renewal/${root_domain}.conf" rm -Rf "${lets_path}/renewal/${domain_root}.conf"
echo "### Requesting Let's Encrypt certificate for $root_domain ..." echo "### Requesting Let's Encrypt certificate for ${domain_root} ..."
# Format domain_args with the cartesian product of `root_domain` and `subdomains` # Format domain_args with the cartesian product of `domain_root` and `subdomains`
email_arg="--email ${email}" if [ "${domain_root}" = "${domain}" ]; then domain_arg="-d ${domain_root}"; else domain_arg="-d ${domain_root} -d ${domain}"; fi
domain_arg=$([ "${domain_root}" = "${domain}" ] && printf "-d ${domain_root}" || printf "-d ${domain_root} -d ${domain}")
# Ask Let's Encrypt to create certificates, if challenge passed # Ask Let's Encrypt to create certificates, if challenge passed
certbot certonly --webroot -w /var/www/certbot \ certbot certonly --webroot -w "${certbot_path}" \
${email_arg} \ --email "${email}" \
${domain_arg} \ ${domain_arg} \
--non-interactive \ --non-interactive \
--rsa-key-size ${rsa_key_size} \ --rsa-key-size "${rsa_key_size}" \
--agree-tos \ --agree-tos \
--force-renewal --force-renewal
fi
else else
echo "Certificate related files exists, exiting" echo "Certificate related files exists, exiting"
fi fi
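Review bot: The self-signed certificate in the new branch is issued for `domain_root` only (`-subj "/CN=${domain_root}"`, no subject alternative name), while the site is served as `${domain}`, which differs from `domain_root` whenever a subdomain was entered, as the `domain_arg` line further down shows; clients connecting to the subdomain will get a hostname mismatch. Issue it for the name actually served, e.g. `-subj "/CN=${domain}"`, and on OpenSSL 1.1.1 or newer add `-addext "subjectAltName=DNS:${domain},DNS:${domain_root}"` so both names validate. The test `if [ ${signed} -eq 0 ]` should quote the expansion, `if [ "${signed}" -eq 0 ]`, so that an env file lacking `signed` (one written before this change) is rejected as a bad value rather than misparsed as `[ -eq 0 ]`. In the first hunk, `. bootstrap.env` with no slash in the name is resolved through PATH by a POSIX sh and may not look in the current directory, whereas the compose file mounts the file at `/bootstrap.env`; `. /bootstrap.env` removes that dependency on the cwd. The definitions of `lets_path`, `rsa_key_size` and `certbot_path` that this hunk relies on are outside it.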


@ -7,6 +7,7 @@ services:
- ../certbot/www:/var/www/certbot - ../certbot/www:/var/www/certbot
- ../certbot/files:/etc/letsencrypt - ../certbot/files:/etc/letsencrypt
- ./bootstrap.sh:/bootstrap.sh - ./bootstrap.sh:/bootstrap.sh
- ./bootstrap.env:/bootstrap.env
ports: ports:
- 80:80 - 80:80
env_file: env_file: