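#!/usr/bin/with-contenv bash
#
# Certificate / config init for the container.
#  - sanitizes and validates the certbot-related environment variables
#  - lays out /config (fail2ban, dns-conf, crontabs, nginx helper configs)
#  - obtains a certificate with certbot on first start, and revokes and
#    re-issues it when the parameters recorded in
#    /config/.donoteditthisfile.conf differ from the current ones
# Fatal configuration errors print a message and `sleep infinity` so the
# container stays up for inspection instead of restart-looping.

#######################################
# Copy a default file into place unless the destination already exists,
# so files the user edited in /config are never overwritten.
# Arguments: $1 - source path, $2 - destination path
#######################################
copy_default_if_missing() {
  local src=$1 dst=$2
  if [[ ! -f "$dst" ]]; then
    cp "$src" "$dst"
  fi
}

#######################################
# Print the first entry of a comma-separated subdomain list.
# Arguments: $1 - comma-separated list (e.g. "www,mail")
# Outputs:   the first entry on stdout (empty when the list is empty)
#######################################
first_subdomain() {
  printf '%s' "$1" | tr ',' ' ' | awk '{print $1}'
}

#######################################
# Fetch ZeroSSL External Account Binding credentials for an account e-mail.
# Arguments: $1 - account e-mail address
# Outputs:   "<eab_kid> <eab_hmac_key>" on stdout; nothing when the request
#            or the JSON lookup failed (python's traceback still goes to
#            stderr so the cause is visible in the container log)
#######################################
zerossl_eab() {
  local creds
  # --data-urlencode: an address may contain '+' or other characters that a
  # raw --data body would mangle
  creds=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data-urlencode "email=$1")
  printf '%s' "$creds" | python3 -c "import sys, json; d = json.load(sys.stdin); print(d['eab_kid'], d['eab_hmac_key'])"
}

#######################################
# Revoke the certificate at $1 (skipped when the file is absent) and wipe
# /config/etc/letsencrypt so a fresh certificate is issued further down.
# Arguments: $1 - path to the fullchain.pem to revoke
#            $2.. - certbot --server value, followed by any extra ACME
#                   options (e.g. the ZeroSSL EAB flags)
#######################################
revoke_and_wipe() {
  local cert_path=$1
  shift
  if [[ -f "$cert_path" ]]; then
    certbot revoke --non-interactive --cert-path "$cert_path" --server "$@"
  fi
  rm -rf /config/etc/letsencrypt
  mkdir -p /config/etc/letsencrypt
}

#######################################
# Record the cert parameters used for this run; the next start compares
# against them to decide whether the certificate must be re-issued.
# Globals:   URL SUBDOMAINS ONLY_SUBDOMAINS EXTRA_DOMAINS VALIDATION DNSPLUGIN
#            PROPAGATION STAGING DUCKDNSTOKEN CERTPROVIDER EMAIL (read)
# Outputs:   overwrites /config/.donoteditthisfile.conf
#######################################
save_orig_params() {
  echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" > /config/.donoteditthisfile.conf
}

# Display variables for troubleshooting (DUCKDNSTOKEN is not part of this list)
echo -e "Variables set:\\n\
PUID=${PUID}\\n\
PGID=${PGID}\\n\
TZ=${TZ}\\n\
URL=${URL}\\n\
SUBDOMAINS=${SUBDOMAINS}\\n\
EXTRA_DOMAINS=${EXTRA_DOMAINS}\\n\
ONLY_SUBDOMAINS=${ONLY_SUBDOMAINS}\\n\
VALIDATION=${VALIDATION}\\n\
CERTPROVIDER=${CERTPROVIDER}\\n\
DNSPLUGIN=${DNSPLUGIN}\\n\
EMAIL=${EMAIL}\\n\
STAGING=${STAGING}\\n"

# Echo init finish for test runs
if [[ -n "${TEST_RUN}" ]]; then
  echo '[services.d] done.'
fi

# Sanitize variables: strip double quotes and lowercase, then re-export the
# cleaned value so certbot and the generated configs see it.
SANED_VARS=( DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER )
for i in "${SANED_VARS[@]}"; do
  # the expanded word is NAME=value; the previous form also exported a stray
  # variable literally named "echo"
  export "$i"="${!i//\"/}"
  export "$i"="$(printf '%s' "${!i}" | tr '[:upper:]' '[:lower:]')"
done

# check to make sure that the required variables are set
if [[ -z "$URL" ]]; then
  echo "Please pass your URL as an environment variable in your docker run command. See docker info for more details."
  sleep infinity
fi

# make our folders and links (/config/nginx, /config/www, /config/log/nginx
# and /config/keys are used below and normally already exist from the base
# image's init; -p keeps this a no-op in that case)
mkdir -p \
  /config/{log/letsencrypt,log/fail2ban,log/nginx,etc/letsencrypt,fail2ban,crontabs,dns-conf,geoip2db,keys,nginx,www} \
  /var/run/fail2ban
rm -rf /etc/letsencrypt
ln -s /config/etc/letsencrypt /etc/letsencrypt

# copy dns default configs (-n: never overwrite credentials the user entered)
cp -n /defaults/dns-conf/* /config/dns-conf/
chown -R abc:abc /config/dns-conf
# these ini files hold DNS API credentials: owner-only, matching what the
# end of this script applies to /defaults/dns-conf
chmod 700 /config/dns-conf
chmod 600 /config/dns-conf/*

# copy reverse proxy configs
cp -R /defaults/proxy-confs /config/nginx/

# copy/update the fail2ban config defaults to/in /config
cp -R /defaults/fail2ban/filter.d /config/fail2ban/
cp -R /defaults/fail2ban/action.d /config/fail2ban/
# if jail.local is missing in /config, copy default
copy_default_if_missing /defaults/jail.local /config/fail2ban/jail.local
# Replace fail2ban config with user config
for d in /etc/fail2ban/filter.d /etc/fail2ban/action.d; do
  if [[ -d "$d" ]]; then
    rm -rf "$d"
  fi
done
cp -R /config/fail2ban/filter.d /etc/fail2ban/
cp -R /config/fail2ban/action.d /etc/fail2ban/
cp /defaults/fail2ban/fail2ban.local /etc/fail2ban/
cp /config/fail2ban/jail.local /etc/fail2ban/jail.local

# copy crontab and proxy defaults if needed
copy_default_if_missing /etc/crontabs/root /config/crontabs/root
copy_default_if_missing /defaults/proxy.conf /config/nginx/proxy.conf
copy_default_if_missing /defaults/ssl.conf /config/nginx/ssl.conf
copy_default_if_missing /defaults/ldap.conf /config/nginx/ldap.conf
copy_default_if_missing /defaults/authelia-server.conf /config/nginx/authelia-server.conf
copy_default_if_missing /defaults/authelia-location.conf /config/nginx/authelia-location.conf
copy_default_if_missing /defaults/502.html /config/www/502.html

# Set resolver, ignore ipv6 addresses
if ! grep -q 'resolver' /config/nginx/resolver.conf; then
  RESOLVERRAW=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf)
  for i in ${RESOLVERRAW}; do
    # an entry with more than two colons is treated as ipv6 and skipped
    colons=${i//[^:]/}
    if (( ${#colons} <= 2 )); then
      RESOLVER="${RESOLVER} ${i}"
    fi
  done
  if [[ -z "${RESOLVER}" ]]; then
    RESOLVER="127.0.0.11"
  fi
  echo "Setting resolver to ${RESOLVER}"
  echo -e "# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.\n\nresolver ${RESOLVER} valid=30s;" > /config/nginx/resolver.conf
fi

# Set worker_processes
if ! grep -q 'worker_processes' /config/nginx/worker_processes.conf; then
  WORKER_PROCESSES=$(nproc)
  echo "Setting worker_processes to ${WORKER_PROCESSES}"
  echo -e "# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically.\n\nworker_processes ${WORKER_PROCESSES};" > /config/nginx/worker_processes.conf
fi

# remove lua bits from nginx.conf if not done before
if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
  echo "Removing lua specific info from nginx.conf"
  sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf
fi

# patch authelia-server.conf for CVE-2021-32637 (idempotent: the marker line
# is only inserted when absent, so user-edited copies get patched once)
if ! grep -q 'if ($request_uri ~' /config/nginx/authelia-server.conf; then
  sed -i '/internal;/a \ \ \ \ if ($request_uri ~ [^a-zA-Z0-9_+-=\\!@$%&*?~.:#'\''\\;\\(\\)\\[\\]]) { return 401; }' /config/nginx/authelia-server.conf
fi

# copy pre-generated dhparams or generate if needed
copy_default_if_missing /defaults/dhparams.pem /config/nginx/dhparams.pem
if ! grep -q 'PARAMETERS' "/config/nginx/dhparams.pem"; then
  # download into a temp file and swap it in only when it looks like a DH
  # parameter file, so a failed or partial download never replaces the file
  # nginx loads
  DHTMP=$(mktemp /config/nginx/dhparams.XXXXXX)
  if curl -fsSL -o "$DHTMP" "https://ssl-config.mozilla.org/ffdhe4096.txt" && grep -q 'PARAMETERS' "$DHTMP"; then
    chmod 644 "$DHTMP"
    mv "$DHTMP" /config/nginx/dhparams.pem
  else
    rm -f "$DHTMP"
    echo "Unable to download dhparams from ssl-config.mozilla.org; keeping the existing /config/nginx/dhparams.pem"
  fi
fi

# check to make sure DNSPLUGIN is selected if dns validation is used
if [[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(aliyun|azure|cloudflare|cloudxns|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|domeneshop|dynu|gandi|gehirn|google|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then
  echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details."
  sleep infinity
fi

# import user crontabs
rm /etc/crontabs/*
cp /config/crontabs/* /etc/crontabs/

# create original config file if it doesn't exist, move non-hidden legacy file to hidden
if [[ -f "/config/donoteditthisfile.conf" ]]; then
  mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
fi
if [[ ! -f "/config/.donoteditthisfile.conf" ]]; then
  save_orig_params
  echo "Created .donoteditthisfile.conf"
fi

# load original config settings (defines the ORIG* variables compared below)
# shellcheck disable=SC1091
. /config/.donoteditthisfile.conf

# set default validation to http
if [[ -z "$VALIDATION" ]]; then
  VALIDATION="http"
  echo "VALIDATION parameter not set; setting it to http"
fi

# if zerossl is selected or staging is set to true, use the relevant server
if [[ "$CERTPROVIDER" = "zerossl" && "$STAGING" = "true" ]]; then
  echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
fi
if [[ "$CERTPROVIDER" = "zerossl" && -n "$EMAIL" ]]; then
  echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL"
  ACMESERVER="https://acme.zerossl.com/v2/DV90"
elif [[ "$CERTPROVIDER" = "zerossl" && -z "$EMAIL" ]]; then
  echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable"
  sleep infinity
elif [[ "$STAGING" = "true" ]]; then
  echo "NOTICE: Staging is active"
  echo "Using Let's Encrypt as the cert provider"
  ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
else
  echo "Using Let's Encrypt as the cert provider"
  ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
fi

# figuring out url only vs url & subdomains vs subdomains only
if [[ -n "$SUBDOMAINS" ]]; then
  echo "SUBDOMAINS entered, processing"
  if [[ "$SUBDOMAINS" = "wildcard" ]]; then
    if [[ "$ONLY_SUBDOMAINS" = "true" ]]; then
      export URL_REAL="-d *.${URL}"
      echo "Wildcard cert for only the subdomains of $URL will be requested"
    else
      export URL_REAL="-d *.${URL} -d ${URL}"
      echo "Wildcard cert for $URL will be requested"
    fi
  else
    echo "SUBDOMAINS entered, processing"
    # comma list -> one word per subdomain (word-splitting is intended)
    # shellcheck disable=SC2086
    for job in ${SUBDOMAINS//,/ }; do
      export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}"
    done
    if [[ "$ONLY_SUBDOMAINS" = "true" ]]; then
      URL_REAL="$SUBDOMAINS_REAL"
      echo "Only subdomains, no URL in cert"
    else
      URL_REAL="-d ${URL}${SUBDOMAINS_REAL}"
    fi
    echo "Sub-domains processed are: $SUBDOMAINS_REAL"
  fi
else
  echo "No subdomains defined"
  URL_REAL="-d $URL"
fi

# add extra domains
if [[ -n "$EXTRA_DOMAINS" ]]; then
  echo "EXTRA_DOMAINS entered, processing"
  # shellcheck disable=SC2086
  for job in ${EXTRA_DOMAINS//,/ }; do
    export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}"
  done
  echo "Extra domains processed are: $EXTRA_DOMAINS_REAL"
  URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL"
fi

# figuring out whether to use e-mail and which
if [[ $EMAIL == *@* ]]; then
  echo "E-mail address entered: ${EMAIL}"
  EMAILPARAM="-m ${EMAIL} --no-eff-email"
else
  echo "No e-mail address entered or address invalid"
  EMAILPARAM="--register-unsafely-without-email"
fi

# update plugin names in dns conf inis
sed -i 's|^certbot_dns_aliyun:||g' /config/dns-conf/aliyun.ini
sed -i 's|^certbot_dns_domeneshop:||g' /config/dns-conf/domeneshop.ini
sed -i 's|^certbot_dns_inwx:||g' /config/dns-conf/inwx.ini
sed -i 's|^certbot_dns_transip:||g' /config/dns-conf/transip.ini

# setting the validation method to use; PREFCHAL is a space-joined option
# string that is word-split on the certbot command line below
if [[ "$VALIDATION" = "dns" ]]; then
  if [[ "$DNSPLUGIN" = "route53" ]]; then
    if [[ -n "$PROPAGATION" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
    PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}"
  elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then
    if [[ -n "$PROPAGATION" ]]; then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
    PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
  elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then
    if [[ -n "$PROPAGATION" ]]; then echo "Gandi dns plugin does not support setting propagation time"; fi
    PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini"
  elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then
    if [[ -n "$PROPAGATION" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
    PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}"
  elif [[ "$DNSPLUGIN" =~ ^(aliyun|desec|dnspod|domeneshop|dynu|he|hetzner|infomaniak|inwx|ionos|loopia|netcup|njalla|transip|vultr)$ ]]; then
    if [[ -n "$PROPAGATION" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
    PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
  elif [[ "$DNSPLUGIN" =~ ^(standalone)$ ]]; then
    if [[ -n "$PROPAGATION" ]]; then echo "standalone dns plugin does not support setting propagation time"; fi
    PREFCHAL="-a dns-${DNSPLUGIN}"
  elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then
    if [[ -n "$PROPAGATION" ]]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
    PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
  elif [[ "$DNSPLUGIN" =~ ^(azure)$ ]]; then
    if [[ -n "$PROPAGATION" ]]; then echo "Azure dns plugin does not support setting propagation time"; fi
    PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini"
  else
    if [[ -n "$PROPAGATION" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
    PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
  fi
  echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
elif [[ "$VALIDATION" = "tls-sni" ]]; then
  PREFCHAL="--non-interactive --standalone --preferred-challenges http"
  echo "*****tls-sni validation has been deprecated, attempting http validation instead"
elif [[ "$VALIDATION" = "duckdns" ]]; then
  PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt"
  chmod +x /app/duckdns-txt
  echo "duckdns validation is selected"
  if [[ "$SUBDOMAINS" = "wildcard" ]]; then
    echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
    export URL_REAL="-d *.${URL}"
  else
    echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org"
    export URL_REAL="-d ${URL}"
  fi
else
  PREFCHAL="--non-interactive --standalone --preferred-challenges http"
  echo "http validation is selected"
fi

# setting the symlink for key location (/config/keys/letsencrypt points at
# the certbot live directory for this run's parameters)
rm -rf /config/keys/letsencrypt
if [[ "$ONLY_SUBDOMAINS" = "true" && ! "$SUBDOMAINS" = "wildcard" ]]; then
  DOMAIN="$(first_subdomain "$SUBDOMAINS").${URL}"
  ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt
else
  ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt
fi

# checking for changes in cert variables, revoking certs if necessary
if [[ "$URL" != "$ORIGURL" || "$SUBDOMAINS" != "$ORIGSUBDOMAINS" || "$ONLY_SUBDOMAINS" != "$ORIGONLY_SUBDOMAINS" || "$EXTRA_DOMAINS" != "$ORIGEXTRA_DOMAINS" || "$VALIDATION" != "$ORIGVALIDATION" || "$DNSPLUGIN" != "$ORIGDNSPLUGIN" || "$PROPAGATION" != "$ORIGPROPAGATION" || "$STAGING" != "$ORIGSTAGING" || "$DUCKDNSTOKEN" != "$ORIGDUCKDNSTOKEN" || "$CERTPROVIDER" != "$ORIGCERTPROVIDER" ]]; then
  echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
  # the old certificate lives under the name derived from the previous parameters
  if [[ "$ORIGONLY_SUBDOMAINS" = "true" && ! "$ORIGSUBDOMAINS" = "wildcard" ]]; then
    ORIGDOMAIN="$(first_subdomain "$ORIGSUBDOMAINS").${ORIGURL}"
  else
    ORIGDOMAIN="$ORIGURL"
  fi
  # revocation has to go to the server that issued the old certificate;
  # the EAB flags are kept as separate array elements so they are never
  # word-split
  if [[ "$ORIGCERTPROVIDER" = "zerossl" && -n "$ORIGEMAIL" ]]; then
    read -r REV_ZEROSSL_EAB_KID REV_ZEROSSL_EAB_HMAC_KEY <<< "$(zerossl_eab "$ORIGEMAIL")"
    if [[ -z "$REV_ZEROSSL_EAB_KID" || -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]]; then
      echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
      sleep infinity
    fi
    REV_SERVER_ARGS=("https://acme.zerossl.com/v2/DV90" --eab-kid "${REV_ZEROSSL_EAB_KID}" --eab-hmac-key "${REV_ZEROSSL_EAB_HMAC_KEY}")
  elif [[ "$ORIGSTAGING" = "true" ]]; then
    REV_SERVER_ARGS=("https://acme-staging-v02.api.letsencrypt.org/directory")
  else
    REV_SERVER_ARGS=("https://acme-v02.api.letsencrypt.org/directory")
  fi
  revoke_and_wipe /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem "${REV_SERVER_ARGS[@]}"
fi

# saving new variables
save_orig_params

# alter extension for error message
if [[ "$DNSPLUGIN" = "google" ]]; then
  FILENAME="$DNSPLUGIN.json"
else
  FILENAME="$DNSPLUGIN.ini"
fi

# Check if the cert is using the old LE root cert, revoke and regen if necessary.
# The cert is addressed through the /config/keys/letsencrypt symlink created
# above: ORIGDOMAIN is only set inside the parameter-change branch, so using it
# here pointed at live//fullchain.pem whenever the parameters were unchanged.
if [[ -f "/config/keys/letsencrypt/chain.pem" ]] \
  && [[ "${CERTPROVIDER}" == "letsencrypt" || "${CERTPROVIDER}" == "" ]] \
  && [[ "${STAGING}" != "true" ]] \
  && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
  echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
  revoke_and_wipe /config/keys/letsencrypt/fullchain.pem "https://acme-v02.api.letsencrypt.org/directory"
fi

# generating certs if necessary
if [[ ! -f "/config/keys/letsencrypt/fullchain.pem" ]]; then
  if [[ "$CERTPROVIDER" = "zerossl" && -n "$EMAIL" ]]; then
    echo "Retrieving EAB from ZeroSSL"
    read -r ZEROSSL_EAB_KID ZEROSSL_EAB_HMAC_KEY <<< "$(zerossl_eab "$EMAIL")"
    if [[ -z "$ZEROSSL_EAB_KID" || -z "$ZEROSSL_EAB_HMAC_KEY" ]]; then
      echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
      sleep infinity
    fi
    ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}"
  fi
  echo "Generating new certificate"
  # ACMESERVER, ZEROSSL_EAB, PREFCHAL, EMAILPARAM and URL_REAL are
  # space-joined option strings built above and are meant to word-split here
  # shellcheck disable=SC2086
  certbot certonly --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL
  if [[ -d /config/keys/letsencrypt ]]; then
    cd /config/keys/letsencrypt || exit
  else
    if [[ "$VALIDATION" = "dns" ]]; then
      echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
    elif [[ "$VALIDATION" = "duckdns" ]]; then
      echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct."
    else
      echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
    fi
    sleep infinity
  fi
  # PKCS#12 bundle exported without a password (-passout pass:), plus a
  # key+chain PEM bundle, both inside the live directory cd'd into above
  openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
  sleep 1
  cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
  echo "New certificate generated; starting nginx"
else
  echo "Certificate exists; parameters unchanged; starting nginx"
fi

# create GeoIP2 folder symlink
if [[ -d /var/lib/libmaxminddb && ! -L /var/lib/libmaxminddb ]]; then
  rm -rf /var/lib/libmaxminddb
fi
if [[ ! -d /var/lib/libmaxminddb ]]; then
  ln -s /config/geoip2db /var/lib/libmaxminddb
fi

# logfiles needed by fail2ban
for f in /config/log/nginx/error.log /config/log/nginx/access.log /config/log/nginx/unauthorized.log; do
  if [[ ! -f "$f" ]]; then
    touch "$f"
  fi
done

# permissions
chown -R abc:abc /config
chmod -R 0644 /etc/logrotate.d
chmod -R +r /config/log
chmod +x /app/le-renew.sh
# the bundled default credential templates are owner-only as well
chmod 700 /defaults/dns-conf
chmod 600 /defaults/dns-conf/*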