docker-swag/root/etc/s6-overlay/s6-rc.d/init-certbot-config/run

354 lines
18 KiB
Plaintext
Raw Normal View History

2020-08-03 11:00:14 -04:00
#!/usr/bin/with-contenv bash
2022-11-22 15:55:25 -05:00
# shellcheck shell=bash
2020-08-03 11:00:14 -04:00
# Display variables for troubleshooting
echo -e "Variables set:\\n\
PUID=${PUID}\\n\
PGID=${PGID}\\n\
TZ=${TZ}\\n\
URL=${URL}\\n\
SUBDOMAINS=${SUBDOMAINS}\\n\
EXTRA_DOMAINS=${EXTRA_DOMAINS}\\n\
ONLY_SUBDOMAINS=${ONLY_SUBDOMAINS}\\n\
VALIDATION=${VALIDATION}\\n\
CERTPROVIDER=${CERTPROVIDER}\\n\
2020-08-03 11:00:14 -04:00
DNSPLUGIN=${DNSPLUGIN}\\n\
EMAIL=${EMAIL}\\n\
STAGING=${STAGING}\\n"
# Sanitize variables
SANED_VARS=(DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER)
for i in "${SANED_VARS[@]}"; do
2022-11-22 15:55:25 -05:00
export echo "${i}"="${!i//\"/}"
export echo "${i}"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
2020-08-03 11:00:14 -04:00
done
# check to make sure DNSPLUGIN is selected if dns validation is used
2023-02-06 19:26:07 -05:00
if [[ "${VALIDATION}" = "dns" ]] && [[ ! "${DNSPLUGIN}" =~ ^(acmedns|aliyun|azure|cloudflare|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|do|domeneshop|duckdns|dynu|gandi|gehirn|godaddy|google|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|porkbun|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then
echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details."
2021-04-27 15:32:41 -04:00
sleep infinity
fi
2020-08-03 11:00:14 -04:00
# set_ini_value logic:
# - if the name is not found in the file, append the name=value to the end of the file
# - if the name is found in the file, replace the value
# - if the name is found in the file but commented out, uncomment the line and replace the value
# call set_ini_value with parameters: $1=name $2=value $3=file
2023-02-18 11:05:06 -05:00
function set_ini_value() {
name=${1//\//\\/}
value=${2//\//\\/}
sed -i \
-e '/^#\?\(\s*'"${name}"'\s*=\s*\).*/{s//\1'"${value}"'/;:a;n;ba;q}' \
-e '$a'"${name}"'='"${value}" "${3}"
}
# ensure config files exist and has at least one value set (set_ini_value does not work on empty files)
2023-02-18 11:05:06 -05:00
touch /config/etc/letsencrypt/cli.ini
grep -qF 'agree-tos' /config/etc/letsencrypt/cli.ini || echo 'agree-tos=true' >> /config/etc/letsencrypt/cli.ini
2023-02-18 11:05:06 -05:00
# copy dns default configs
cp -n /defaults/dns-conf/* /config/dns-conf/
2023-01-20 23:42:13 -05:00
lsiown -R abc:abc /config/dns-conf
# copy default renewal hooks
chmod -R +x /defaults/etc/letsencrypt/renewal-hooks
cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/
2023-01-20 23:42:13 -05:00
lsiown -R abc:abc /config/etc/letsencrypt/renewal-hooks
# replace nginx service location in renewal hooks
find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|/run/service/nginx|/run/service/svc-nginx|g' {} \;
2023-01-21 15:59:25 -05:00
find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|/var/run/s6/services/nginx|/run/service/svc-nginx|g' {} \;
# create original config file if it doesn't exist, move non-hidden legacy file to hidden
2022-11-29 10:18:56 -05:00
if [[ -f "/config/donoteditthisfile.conf" ]]; then
2021-04-27 15:32:41 -04:00
mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
fi
2022-11-29 10:18:56 -05:00
if [[ ! -f "/config/.donoteditthisfile.conf" ]]; then
2022-11-22 15:55:25 -05:00
echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
2021-04-27 15:32:41 -04:00
echo "Created .donoteditthisfile.conf"
2020-08-03 11:00:14 -04:00
fi
# load original config settings
2022-11-22 15:55:25 -05:00
# shellcheck source=/dev/null
. /config/.donoteditthisfile.conf
2020-08-03 11:00:14 -04:00
2022-12-08 10:22:14 -05:00
# setting ORIGDOMAIN for use in revoke sections
if [[ "${ORIGONLY_SUBDOMAINS}" = "true" ]] && [[ ! "${ORIGSUBDOMAINS}" = "wildcard" ]]; then
ORIGDOMAIN="$(echo "${ORIGSUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
else
ORIGDOMAIN="${ORIGURL}"
fi
# update plugin names in dns conf inis
sed -i 's|^certbot[-_]dns[-_]aliyun:||g' /config/dns-conf/aliyun.ini
sed -i 's|^certbot[-_]dns[-_]cpanel:||g' /config/dns-conf/cpanel.ini
sed -i 's|^dns[-_]cpanel[-_]|cpanel_|g' /config/dns-conf/cpanel.ini
sed -i 's|^directadmin[-_]|dns_directadmin_|g' /config/dns-conf/directadmin.ini
sed -i 's|^certbot[-_]dns[-_]domeneshop:||g' /config/dns-conf/domeneshop.ini
sed -i 's|^certbot[-_]plugin[-_]gandi:dns[-_]|dns_gandi_|g' /config/dns-conf/gandi.ini
sed -i 's|^certbot[-_]dns[-_]inwx:||g' /config/dns-conf/inwx.ini
sed -i 's|^certbot[-_]dns[-_]transip:||g' /config/dns-conf/transip.ini
2022-12-08 10:22:14 -05:00
# update plugin names in renewal conf
if [[ -f "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf" ]] && [[ "${ORIGVALIDATION}" = "dns" ]]; then
if [[ "${ORIGDNSPLUGIN}" =~ ^(aliyun)$ ]]; then
sed -i 's|^authenticator = certbot[-_]dns[-_]aliyun:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
sed -i 's|^certbot[-_]dns[-_]aliyun:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
2022-12-08 10:22:14 -05:00
fi
if [[ "${ORIGDNSPLUGIN}" =~ ^(cpanel)$ ]]; then
sed -i 's|^authenticator = certbot[-_]dns[-_]cpanel:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
sed -i 's|^certbot[-_]dns[-_]cpanel:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
sed -i 's|^authenticator = dns[-_]cpanel|authenticator = cpanel|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
sed -i 's|^dns[-_]cpanel[-_]|cpanel_|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
2022-12-08 10:22:14 -05:00
fi
2022-12-13 09:22:25 -05:00
if [[ "${ORIGDNSPLUGIN}" =~ ^(directadmin)$ ]]; then
sed -i 's|^authenticator = directadmin|authenticator = dns-directadmin|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
sed -i 's|^directadmin[-_]|dns_directadmin_|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
2022-12-13 09:22:25 -05:00
fi
2022-12-08 10:22:14 -05:00
if [[ "${ORIGDNSPLUGIN}" =~ ^(domeneshop)$ ]]; then
sed -i 's|^authenticator = certbot[-_]dns[-_]domeneshop:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
sed -i 's|^certbot[-_]dns[-_]domeneshop:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
2022-12-08 10:22:14 -05:00
fi
2022-12-13 09:27:27 -05:00
if [[ "${ORIGDNSPLUGIN}" =~ ^(gandi)$ ]]; then
sed -i 's|^authenticator = certbot[-_]plugin[-_]gandi:dns|authenticator = dns-gandi|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
sed -i 's|^certbot[-_]plugin[-_]gandi:dns[-_]|dns_gandi_|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
2022-12-13 09:27:27 -05:00
fi
2022-12-08 10:22:14 -05:00
if [[ "${ORIGDNSPLUGIN}" =~ ^(inwx)$ ]]; then
sed -i 's|^authenticator = certbot[-_]dns[-_]inwx:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
sed -i 's|^certbot[-_]dns[-_]inwx:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
2022-12-08 10:22:14 -05:00
fi
if [[ "${ORIGDNSPLUGIN}" =~ ^(transip)$ ]]; then
sed -i 's|^authenticator = certbot[-_]dns[-_]transip:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
sed -i 's|^certbot[-_]dns[-_]transip:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
2022-12-08 10:22:14 -05:00
fi
fi
2020-08-03 11:00:14 -04:00
# set default validation to http
2022-11-29 10:18:56 -05:00
if [[ -z "${VALIDATION}" ]]; then
2021-04-27 15:32:41 -04:00
VALIDATION="http"
echo "VALIDATION parameter not set; setting it to http"
2020-08-03 11:00:14 -04:00
fi
2022-10-06 14:08:20 -04:00
# set duckdns validation to dns
2022-11-29 10:18:56 -05:00
if [[ "${VALIDATION}" = "duckdns" ]]; then
2022-10-06 14:08:20 -04:00
VALIDATION="dns"
DNSPLUGIN="duckdns"
2022-11-29 10:18:56 -05:00
if [[ -n "${DUCKDNSTOKEN}" ]] && ! grep -q "dns_duckdns_token=${DUCKDNSTOKEN}$" /config/dns-conf/duckdns.ini; then
2022-10-06 14:08:20 -04:00
sed -i "s|^dns_duckdns_token=.*|dns_duckdns_token=${DUCKDNSTOKEN}|g" /config/dns-conf/duckdns.ini
fi
fi
2022-11-29 10:18:56 -05:00
if [[ "${VALIDATION}" = "dns" ]] && [[ "${DNSPLUGIN}" = "duckdns" ]]; then
if [[ "${SUBDOMAINS}" = "wildcard" ]]; then
2022-10-06 14:08:20 -04:00
echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
export ONLY_SUBDOMAINS=true
else
echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org"
export SUBDOMAINS=""
fi
export EXTRA_DOMAINS=""
fi
2022-12-08 10:22:14 -05:00
# setting the symlink for key location
rm -rf /config/keys/letsencrypt
if [[ "${ONLY_SUBDOMAINS}" = "true" ]] && [[ ! "${SUBDOMAINS}" = "wildcard" ]]; then
DOMAIN="$(echo "${SUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${URL}"
ln -s ../etc/letsencrypt/live/"${DOMAIN}" /config/keys/letsencrypt
else
ln -s ../etc/letsencrypt/live/"${URL}" /config/keys/letsencrypt
fi
# checking for changes in cert variables, revoking certs if necessary
if [[ ! "${URL}" = "${ORIGURL}" ]] ||
[[ ! "${SUBDOMAINS}" = "${ORIGSUBDOMAINS}" ]] ||
[[ ! "${ONLY_SUBDOMAINS}" = "${ORIGONLY_SUBDOMAINS}" ]] ||
[[ ! "${EXTRA_DOMAINS}" = "${ORIGEXTRA_DOMAINS}" ]] ||
[[ ! "${VALIDATION}" = "${ORIGVALIDATION}" ]] ||
[[ ! "${DNSPLUGIN}" = "${ORIGDNSPLUGIN}" ]] ||
[[ ! "${PROPAGATION}" = "${ORIGPROPAGATION}" ]] ||
[[ ! "${STAGING}" = "${ORIGSTAGING}" ]] ||
[[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]]; then
echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]] && [[ -n "${ORIGEMAIL}" ]]; then
REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${ORIGEMAIL}")
REV_ZEROSSL_EAB_KID=$(echo "${REV_EAB_CREDS}" | jq .eab_kid)
REV_ZEROSSL_EAB_HMAC_KEY=$(echo "${REV_EAB_CREDS}" | js .eab_hmac_key)
2022-12-08 10:22:14 -05:00
if [[ -z "${REV_ZEROSSL_EAB_KID}" ]] || [[ -z "${REV_ZEROSSL_EAB_HMAC_KEY}" ]]; then
echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
sleep infinity
fi
2023-02-18 18:26:34 -05:00
REV_ACMESERVER=("https://acme.zerossl.com/v2/DV90" "--eab-kid" "${REV_ZEROSSL_EAB_KID}" "--eab-hmac-key" "${REV_ZEROSSL_EAB_HMAC_KEY}")
2022-12-08 10:22:14 -05:00
elif [[ "${ORIGSTAGING}" = "true" ]]; then
2023-02-18 18:26:34 -05:00
REV_ACMESERVER=("https://acme-staging-v02.api.letsencrypt.org/directory")
2022-12-08 10:22:14 -05:00
else
2023-02-18 18:26:34 -05:00
REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
2022-12-08 10:22:14 -05:00
fi
if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
2023-02-18 11:05:06 -05:00
certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true
2022-12-08 10:22:14 -05:00
fi
rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
fi
# saving new variables
echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
# Check if the cert is using the old LE root cert, revoke and regen if necessary
if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "letsencrypt" ]] || [[ "${CERTPROVIDER}" == "" ]]; } && [[ "${STAGING}" != "true" ]] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
2023-02-18 11:05:06 -05:00
REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
2022-12-08 10:22:14 -05:00
if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
2023-02-18 11:05:06 -05:00
certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true
2022-12-08 10:22:14 -05:00
fi
rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
fi
# if zerossl is selected or staging is set to true, use the relevant server
2022-11-29 10:18:56 -05:00
if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ "${STAGING}" = "true" ]]; then
2021-04-27 15:32:41 -04:00
echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
fi
2022-11-29 10:18:56 -05:00
if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then
2022-11-22 15:55:25 -05:00
echo "ZeroSSL is selected as the cert provider, registering cert with ${EMAIL}"
2021-04-27 15:32:41 -04:00
ACMESERVER="https://acme.zerossl.com/v2/DV90"
2022-11-29 10:18:56 -05:00
elif [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -z "${EMAIL}" ]]; then
2021-04-27 15:32:41 -04:00
echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable"
sleep infinity
2022-11-29 10:18:56 -05:00
elif [[ "${STAGING}" = "true" ]]; then
2021-04-27 15:32:41 -04:00
echo "NOTICE: Staging is active"
echo "Using Let's Encrypt as the cert provider"
ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
2020-08-03 11:00:14 -04:00
else
2021-04-27 15:32:41 -04:00
echo "Using Let's Encrypt as the cert provider"
ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
2020-08-03 11:00:14 -04:00
fi
2023-02-18 11:05:06 -05:00
set_ini_value "server" "${ACMESERVER}" /config/etc/letsencrypt/cli.ini
# figuring out domain only vs domain & subdomains vs subdomains only
DOMAINS_ARRAY=()
if [[ -z "${SUBDOMAINS}" ]] || [[ "${ONLY_SUBDOMAINS}" != true ]]; then
DOMAINS_ARRAY+=("${URL}")
fi
2022-11-29 10:18:56 -05:00
if [[ -n "${SUBDOMAINS}" ]]; then
2020-08-03 11:00:14 -04:00
echo "SUBDOMAINS entered, processing"
SUBDOMAINS_ARRAY=()
2022-11-29 10:18:56 -05:00
if [[ "${SUBDOMAINS}" = "wildcard" ]]; then
SUBDOMAINS_ARRAY+=("*.${URL}")
echo "Wildcard cert for ${URL} will be requested"
2020-08-03 11:00:14 -04:00
else
2022-11-22 15:55:25 -05:00
for job in $(echo "${SUBDOMAINS}" | tr "," " "); do
SUBDOMAINS_ARRAY+=("${job}.${URL}")
2021-04-27 15:32:41 -04:00
done
echo "Sub-domains processed are: $(echo "${SUBDOMAINS_ARRAY[*]}" | tr " " ",")"
2020-08-03 11:00:14 -04:00
fi
DOMAINS_ARRAY+=("${SUBDOMAINS_ARRAY[@]}")
2020-08-03 11:00:14 -04:00
fi
# add extra domains
2022-11-29 10:18:56 -05:00
if [[ -n "${EXTRA_DOMAINS}" ]]; then
2021-04-27 15:32:41 -04:00
echo "EXTRA_DOMAINS entered, processing"
EXTRA_DOMAINS_ARRAY=()
2022-11-22 15:55:25 -05:00
for job in $(echo "${EXTRA_DOMAINS}" | tr "," " "); do
EXTRA_DOMAINS_ARRAY+=("${job}")
2021-04-27 15:32:41 -04:00
done
echo "Extra domains processed are: $(echo "${EXTRA_DOMAINS_ARRAY[*]}" | tr " " ",")"
DOMAINS_ARRAY+=("${EXTRA_DOMAINS_ARRAY[@]}")
2020-08-03 11:00:14 -04:00
fi
# setting domains in cli.ini
set_ini_value "domains" "$(echo "${DOMAINS_ARRAY[*]}" | tr " " ",")" /config/etc/letsencrypt/cli.ini
2020-08-03 11:00:14 -04:00
# figuring out whether to use e-mail and which
2022-11-22 15:55:25 -05:00
if [[ ${EMAIL} == *@* ]]; then
2021-04-27 15:32:41 -04:00
echo "E-mail address entered: ${EMAIL}"
2023-02-18 11:05:06 -05:00
set_ini_value "email" "${EMAIL}" /config/etc/letsencrypt/cli.ini
set_ini_value "no-eff-email" "true" /config/etc/letsencrypt/cli.ini
set_ini_value "register-unsafely-without-email" "false" /config/etc/letsencrypt/cli.ini
2020-08-03 11:00:14 -04:00
else
2021-04-27 15:32:41 -04:00
echo "No e-mail address entered or address invalid"
2023-02-18 11:05:06 -05:00
set_ini_value "register-unsafely-without-email" "true" /config/etc/letsencrypt/cli.ini
2020-08-03 11:00:14 -04:00
fi
2022-12-08 10:22:14 -05:00
# alter extension for error message
if [[ "${DNSPLUGIN}" = "google" ]]; then
DNSCREDENTIALFILE="/config/dns-conf/${DNSPLUGIN}.json"
else
DNSCREDENTIALFILE="/config/dns-conf/${DNSPLUGIN}.ini"
fi
2020-08-03 11:00:14 -04:00
# setting the validation method to use
2022-11-29 10:18:56 -05:00
if [[ "${VALIDATION}" = "dns" ]]; then
2023-02-18 11:05:06 -05:00
set_ini_value "preferred-challenges" "dns" /config/etc/letsencrypt/cli.ini
set_ini_value "authenticator" "dns-${DNSPLUGIN}" /config/etc/letsencrypt/cli.ini
set_ini_value "dns-${DNSPLUGIN}-credentials" "${DNSCREDENTIALFILE}" /config/etc/letsencrypt/cli.ini
if [[ -n "${PROPAGATION}" ]]; then set_ini_value "dns-${DNSPLUGIN}-propagation-seconds" "${PROPAGATION}" /config/etc/letsencrypt/cli.ini; fi
2022-12-08 10:22:14 -05:00
# plugins that don't support setting credentials file
if [[ "${DNSPLUGIN}" =~ ^(route53|standalone)$ ]]; then
2023-02-18 11:05:06 -05:00
sed "/^dns-${DNSPLUGIN}-credentials /d" /config/etc/letsencrypt/cli.ini
2022-12-08 10:22:14 -05:00
fi
2022-12-08 10:42:08 -05:00
# plugins that don't support setting propagation
2022-12-08 10:22:14 -05:00
if [[ "${DNSPLUGIN}" =~ ^(azure|gandi|standalone)$ ]]; then
2022-11-29 10:18:56 -05:00
if [[ -n "${PROPAGATION}" ]]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi
2023-02-18 11:05:06 -05:00
sed "/^dns-${DNSPLUGIN}-propagation-seconds /d" /config/etc/letsencrypt/cli.ini
2022-12-08 10:22:14 -05:00
fi
# plugins that use old parameter naming convention
2023-02-18 11:05:06 -05:00
if [[ "${DNSPLUGIN}" =~ ^(cpanel|directadmin)$ ]]; then
sed "/^dns-${DNSPLUGIN}-credentials /d" /config/etc/letsencrypt/cli.ini
sed "/^dns-${DNSPLUGIN}-propagation-seconds /d" /config/etc/letsencrypt/cli.ini
set_ini_value "authenticator" "${DNSPLUGIN}" /config/etc/letsencrypt/cli.ini
set_ini_value "${DNSPLUGIN}-credentials" "${DNSCREDENTIALFILE}" /config/etc/letsencrypt/cli.ini
if [[ -n "${PROPAGATION}" ]]; then set_ini_value "${DNSPLUGIN}-propagation-seconds" "${PROPAGATION}" /config/etc/letsencrypt/cli.ini; fi
2021-04-27 15:32:41 -04:00
fi
2022-12-08 10:22:14 -05:00
# don't restore txt records when using DuckDNS plugin
if [[ "${DNSPLUGIN}" =~ ^(duckdns)$ ]]; then
2023-02-18 11:05:06 -05:00
set_ini_value "dns-${DNSPLUGIN}-no-txt-restore" "true" /config/etc/letsencrypt/cli.ini
2022-12-08 10:22:14 -05:00
fi
2021-04-27 15:32:41 -04:00
echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
2022-11-29 10:18:56 -05:00
elif [[ "${VALIDATION}" = "tls-sni" ]]; then
2023-02-18 11:05:06 -05:00
set_ini_value "preferred-challenges" "http" /config/etc/letsencrypt/cli.ini
set_ini_value "authenticator" "standalone" /config/etc/letsencrypt/cli.ini
2021-04-27 15:32:41 -04:00
echo "*****tls-sni validation has been deprecated, attempting http validation instead"
2020-08-03 11:00:14 -04:00
else
2023-02-18 11:05:06 -05:00
set_ini_value "preferred-challenges" "http" /config/etc/letsencrypt/cli.ini
set_ini_value "authenticator" "standalone" /config/etc/letsencrypt/cli.ini
2021-04-27 15:32:41 -04:00
echo "http validation is selected"
2020-08-03 11:00:14 -04:00
fi
# generating certs if necessary
2022-11-29 10:18:56 -05:00
if [[ ! -f "/config/keys/letsencrypt/fullchain.pem" ]]; then
if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then
2021-04-27 15:32:41 -04:00
echo "Retrieving EAB from ZeroSSL"
2022-11-22 15:55:25 -05:00
EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${EMAIL}")
ZEROSSL_EAB_KID=$(echo "${EAB_CREDS}" | jq .eab_kid)
ZEROSSL_EAB_HMAC_KEY=$(echo "${EAB_CREDS}" | jq .eab_hmac_key)
2022-11-29 10:18:56 -05:00
if [[ -z "${ZEROSSL_EAB_KID}" ]] || [[ -z "${ZEROSSL_EAB_HMAC_KEY}" ]]; then
2021-05-14 16:22:32 -04:00
echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
sleep infinity
2021-04-27 15:32:41 -04:00
fi
2023-02-18 11:05:06 -05:00
set_ini_value "eab-kid" "${ZEROSSL_EAB_KID}" /config/etc/letsencrypt/cli.ini
set_ini_value "eab-hmac-key" "${ZEROSSL_EAB_HMAC_KEY}" /config/etc/letsencrypt/cli.ini
2021-01-20 08:43:55 -05:00
fi
2021-04-27 15:32:41 -04:00
echo "Generating new certificate"
2023-02-18 11:05:06 -05:00
certbot certonly --non-interactive --renew-by-default
2022-11-29 10:18:56 -05:00
if [[ ! -d /config/keys/letsencrypt ]]; then
if [[ "${VALIDATION}" = "dns" ]]; then
2022-12-08 10:22:14 -05:00
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the ${DNSCREDENTIALFILE} file."
2021-04-27 15:32:41 -04:00
else
2021-05-14 16:22:32 -04:00
echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
2021-04-27 15:32:41 -04:00
fi
sleep infinity
2020-08-03 11:00:14 -04:00
fi
run-parts /config/etc/letsencrypt/renewal-hooks/deploy/
2021-04-27 15:32:41 -04:00
echo "New certificate generated; starting nginx"
2020-08-03 11:00:14 -04:00
else
2021-04-27 15:32:41 -04:00
echo "Certificate exists; parameters unchanged; starting nginx"
2020-08-03 11:00:14 -04:00
fi
2022-11-23 09:39:22 -05:00
# if certbot generated key exists, remove self-signed cert and replace it with symlink to live cert
2022-11-29 10:18:56 -05:00
if [[ -d /config/keys/letsencrypt ]]; then
2022-11-23 09:39:22 -05:00
rm -rf /config/keys/cert.crt
ln -s ./letsencrypt/fullchain.pem /config/keys/cert.crt
rm -rf /config/keys/cert.key
ln -s ./letsencrypt/privkey.pem /config/keys/cert.key
fi