[DOCKER][BOOTSTRAP] Add option to use a self signed cert
parent
cb7518a750
commit
f60e37ba3d
3
.gitignore
3
.gitignore
@ -27,3 +27,6 @@ DOCUMENTATION/database/*
|
|||||||
|
|
||||||
docker/certbot
|
docker/certbot
|
||||||
docker/*/*.env
|
docker/*/*.env
|
||||||
|
|
||||||
|
# V2
|
||||||
|
config.php
|
@ -1,21 +1,34 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
read -p "Domain root: " domain_root
|
printf "Domain root: "
|
||||||
read -p "Subdomain (can be empty): " sub_domain
|
read -r domain_root
|
||||||
read -p "Email: " email
|
printf "Subdomain (can be empty): "
|
||||||
|
read -r sub_domain
|
||||||
|
printf "Email: "
|
||||||
|
read -r email
|
||||||
|
printf "Use certificate signed by Let's Encrypt (Y/n): "
|
||||||
|
read -r signed
|
||||||
|
|
||||||
if [ -z $sub_domain ]; then
|
[ "${signed}" = "${signed#[Yy]}" ]
|
||||||
domain="${domain_root}"
|
signed=$?
|
||||||
|
|
||||||
|
if [ -z "$sub_domain" ]
|
||||||
|
then
|
||||||
|
domain="${domain_root}"
|
||||||
else
|
else
|
||||||
domain="${sub_domain}.${domain_root}"
|
domain="${sub_domain}.${domain_root}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
mkdir -p ./docker/bootstrap
|
mkdir -p ./docker/bootstrap
|
||||||
|
|
||||||
cat > ./docker/bootstrap/bootstrap.env <<EOF
|
cat > ./docker/bootstrap/bootstrap.env <<EOF
|
||||||
|
#!/bin/sh
|
||||||
email=${email}
|
email=${email}
|
||||||
domain=${domain}
|
domain=${domain}
|
||||||
domain_root=${domain_root}
|
domain_root=${domain_root}
|
||||||
|
signed=${signed}
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
chmod +x ./docker/bootstrap/bootstrap.env
|
||||||
|
|
||||||
docker-compose -f docker/bootstrap/bootstrap.yaml up
|
docker-compose -f docker/bootstrap/bootstrap.yaml up
|
||||||
|
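Review bot: The prompt `printf "Use certificate signed by Let's Encrypt (Y/n): "` advertises Y as the default, but the test `[ "${signed}" = "${signed#[Yy]}" ]` yields `signed=0` for an empty answer, and `signed=0` is what bootstrap.sh treats as "self-signed", so pressing Enter selects the opposite of what the prompt suggests. A `case` on the answer makes the default explicit: `case "${signed}" in [Nn]*) signed=0 ;; *) signed=1 ;; esac`. The generated bootstrap.env writes `email=${email}`, `domain=${domain}` and `domain_root=${domain_root}` unquoted and the file is later sourced with `.`, so whitespace or shell metacharacters typed at the prompts are word-split or executed by the sourcing shell; writing `email='${email}'` (and likewise for the others) or validating the inputs before writing the file avoids that. The `chmod +x ./docker/bootstrap/bootstrap.env` is unnecessary for a file that is only sourced, never executed.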
@ -29,20 +29,20 @@ services:
|
|||||||
done &
|
done &
|
||||||
nginx -g "daemon off;"'
|
nginx -g "daemon off;"'
|
||||||
|
|
||||||
#certbot:
|
certbot:
|
||||||
# image: certbot/certbot
|
image: certbot/certbot
|
||||||
# depends_on:
|
depends_on:
|
||||||
# - nginx
|
- nginx
|
||||||
# # Check for certificate renewal every 12h as
|
# Check for certificate renewal every 12h as
|
||||||
# # recomnended by Let's Encryot
|
# recomnended by Let's Encryot
|
||||||
# entrypoint: /bin/sh -c 'trap exit TERM;
|
entrypoint: /bin/sh -c 'trap exit TERM;
|
||||||
# while :; do
|
while :; do
|
||||||
# certbot renew > /dev/null;
|
certbot renew > /dev/null;
|
||||||
# sleep 12h & wait $${!};
|
sleep 12h & wait $${!};
|
||||||
# done'
|
done'
|
||||||
# volumes:
|
volumes:
|
||||||
# - ./docker/certbot/www:/var/www/certbot
|
- ./docker/certbot/www:/var/www/certbot
|
||||||
# - ./docker/certbot/files:/etc/letsencrypt
|
- ./docker/certbot/files:/etc/letsencrypt
|
||||||
|
|
||||||
php:
|
php:
|
||||||
build: docker/php
|
build: docker/php
|
||||||
|
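Review bot: The comment uncommented at `# recomnended by Let's Encryot` carries two typos into live configuration and should read `# recommended by Let's Encrypt`. Since this commit introduces a self-signed option, the certbot renewal loop now also runs for deployments that declined Let's Encrypt; I believe `certbot renew` is a no-op with no renewal lineages, but that should be confirmed, otherwise the service would need to be made conditional. The `certbot renew > /dev/null` keeps only stderr visible in the container logs, so a successful renewal leaves no trace; dropping the redirect would make the 12h cycle auditable.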
@ -1,6 +1,8 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
sed -ri "s/%hostname%/$domain/" /etc/nginx/conf.d/challenge.conf
|
. bootstrap.env
|
||||||
|
|
||||||
|
sed -ri "s/%hostname%/${domain}/" /etc/nginx/conf.d/challenge.conf
|
||||||
|
|
||||||
nginx
|
nginx
|
||||||
|
|
||||||
@ -10,43 +12,50 @@ lets_path="/etc/letsencrypt"
|
|||||||
|
|
||||||
echo "Starting bootstrap"
|
echo "Starting bootstrap"
|
||||||
|
|
||||||
if [ ! -e "${lets_path}/live//options-ssl-nginx.conf" ] \
|
if [ ! -e "$lets_path/live//options-ssl-nginx.conf" ] || [ ! -e "$lets_path/live/ssl-dhparams.pem" ]
|
||||||
|| [ ! -e "${lets_path}/live/ssl-dhparams.pem" ]; then
|
then
|
||||||
|
|
||||||
echo "### Downloading recommended TLS parameters ..."
|
echo "### Downloading recommended TLS parameters ..."
|
||||||
mkdir -p "${lets_path}/live"
|
mkdir -p "${lets_path}/live/${domain_root}"
|
||||||
|
|
||||||
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > \
|
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf >"$lets_path/options-ssl-nginx.conf"
|
||||||
"${lets_path}/options-ssl-nginx.conf"
|
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem >"$lets_path/ssl-dhparams.pem"
|
||||||
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > \
|
|
||||||
"${lets_path}/ssl-dhparams.pem"
|
|
||||||
|
|
||||||
echo "### Creating dummy certificate for ${root_domain} ..."
|
if [ ${signed} -eq 0 ]
|
||||||
openssl req -x509 -nodes -newkey rsa:1024 -days 1\
|
then
|
||||||
-keyout "${lets_path}/live/privkey.pem" \
|
echo "### Creating self signed certificate for ${domain_root} ..."
|
||||||
-out "${lets_path}/live/fullchain.pem" -subj '/CN=localhost'
|
openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 365 \
|
||||||
|
-keyout "${lets_path}/live/${domain_root}/privkey.pem" \
|
||||||
|
-out "${lets_path}/live/${domain_root}/fullchain.pem" -subj "/CN=${domain_root}"
|
||||||
|
|
||||||
|
nginx -s reload
|
||||||
|
else
|
||||||
|
echo "### Creating dummy certificate for ${domain_root} ..."
|
||||||
|
openssl req -x509 -nodes -newkey rsa:1024 -days 1 \
|
||||||
|
-keyout "${lets_path}/live/${domain_root}/privkey.pem" \
|
||||||
|
-out "${lets_path}/live/${domain_root}/fullchain.pem" -subj '/CN=localhost'
|
||||||
|
|
||||||
nginx -s reload
|
nginx -s reload
|
||||||
|
|
||||||
rm -Rf "${lets_path}/live/${root_domain}"
|
rm -Rf "${lets_path}/live/${domain_root}"
|
||||||
rm -Rf "${lets_path}/archive/${root_domain}"
|
rm -Rf "${lets_path}/archive/${domain_root}"
|
||||||
rm -Rf "${lets_path}/renewal/${root_domain}.conf"
|
rm -Rf "${lets_path}/renewal/${domain_root}.conf"
|
||||||
|
|
||||||
echo "### Requesting Let's Encrypt certificate for $root_domain ..."
|
echo "### Requesting Let's Encrypt certificate for ${domain_root} ..."
|
||||||
# Format domain_args with the cartesian product of `root_domain` and `subdomains`
|
# Format domain_args with the cartesian product of `domain_root` and `subdomains`
|
||||||
|
|
||||||
email_arg="--email ${email}"
|
if [ "${domain_root}" = "${domain}" ]; then domain_arg="-d ${domain_root}"; else domain_arg="-d ${domain_root} -d ${domain}"; fi
|
||||||
domain_arg=$([ "${domain_root}" = "${domain}" ] && printf "-d ${domain_root}" || printf "-d ${domain_root} -d ${domain}")
|
|
||||||
|
|
||||||
# Ask Let's Encrypt to create certificates, if challenge passed
|
# Ask Let's Encrypt to create certificates, if challenge passed
|
||||||
certbot certonly --webroot -w /var/www/certbot \
|
certbot certonly --webroot -w "${certbot_path}" \
|
||||||
${email_arg} \
|
--email "${email}" \
|
||||||
${domain_arg} \
|
${domain_arg} \
|
||||||
--non-interactive \
|
--non-interactive \
|
||||||
--rsa-key-size ${rsa_key_size} \
|
--rsa-key-size "${rsa_key_size}" \
|
||||||
--agree-tos \
|
--agree-tos \
|
||||||
--force-renewal
|
--force-renewal
|
||||||
|
fi
|
||||||
|
|
||||||
else
|
else
|
||||||
echo "Certificate related files exists, exiting"
|
echo "Certificate related files exists, exiting"
|
||||||
fi
|
fi
|
||||||
|
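Review bot: The self-signed branch issues the certificate with `-subj "/CN=${domain_root}"` and no subjectAltName, while the nginx vhost is configured for `${domain}` by the sed in the earlier hunk, so when a subdomain was entered the certificate name does not match the served host, and CN-only certificates are rejected by current browsers in any case; `-subj "/CN=${domain}" -addext "subjectAltName=DNS:${domain_root},DNS:${domain}"` covers both names (`-addext` needs OpenSSL 1.1.1+; check the image's version). The test `if [ ${signed} -eq 0 ]` is unquoted, so a bootstrap.env that lacks `signed` (one generated before this commit) makes it a `[` usage error instead of a defined default; `if [ "${signed:-1}" -eq 0 ]` would fall back to the Let's Encrypt path. Separately, the existence check still looks at `$lets_path/live//options-ssl-nginx.conf` while the download writes `$lets_path/options-ssl-nginx.conf`, so the "Certificate related files exists" branch appears unreachable and the TLS parameters are re-fetched on every run. The outer `if` closes inside the hunk, but `lets_path`, `rsa_key_size` and `certbot_path` are defined before it, outside the hunk.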
@ -7,6 +7,7 @@ services:
|
|||||||
- ../certbot/www:/var/www/certbot
|
- ../certbot/www:/var/www/certbot
|
||||||
- ../certbot/files:/etc/letsencrypt
|
- ../certbot/files:/etc/letsencrypt
|
||||||
- ./bootstrap.sh:/bootstrap.sh
|
- ./bootstrap.sh:/bootstrap.sh
|
||||||
|
- ./bootstrap.env:/bootstrap.env
|
||||||
ports:
|
ports:
|
||||||
- 80:80
|
- 80:80
|
||||||
env_file:
|
env_file:
|
||||||
|