Infra-Mirrors/docker-swag
1
0
Fork 0
mirror of https://github.com/linuxserver/docker-swag.git synced 2025-02-23 16:09:46 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into certbot-dns-bunny

Browse Source
This commit is contained in:
Eric Nemchik 2023-07-27 09:44:46 -05:00 committed by GitHub
commit cae42496e2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 170 additions and 145 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

181
package_versions.txt
View File

@ -1,33 +1,33 @@
NAME VERSION TYPE NAME VERSION TYPE
ConfigArgParse 1.5.5 python ConfigArgParse 1.7 python
PyJWT 2.7.0 python PyJWT 2.8.0 python
PyYAML 6.0 python PyYAML 6.0.1 python
acme 2.6.0 python acme 2.6.0 python
alpine-baselayout 3.4.3-r1 apk alpine-baselayout 3.4.3-r1 apk
alpine-baselayout-data 3.4.3-r1 apk alpine-baselayout-data 3.4.3-r1 apk
alpine-keys 2.4-r1 apk alpine-keys 2.4-r1 apk
alpine-release 3.18.2-r0 apk alpine-release 3.18.2-r0 apk
aom-libs 3.6.1-r0 apk aom-libs 3.6.1-r0 apk
apache2-utils 2.4.57-r2 apk apache2-utils 2.4.57-r3 apk
apk-tools 2.14.0-r2 apk apk-tools 2.14.0-r2 apk
apr 1.7.4-r0 apk apr 1.7.4-r0 apk
apr-util 1.6.3-r1 apk apr-util 1.6.3-r1 apk
argon2-libs 20190702-r4 apk argon2-libs 20190702-r4 apk
attrs 23.1.0 python attrs 23.1.0 python
azure-common 1.1.28 python azure-common 1.1.28 python
azure-core 1.27.1 python azure-core 1.28.0 python
azure-identity 1.13.0 python azure-identity 1.13.0 python
azure-mgmt-core 1.4.0 python azure-mgmt-core 1.4.0 python
azure-mgmt-dns 8.1.0 python azure-mgmt-dns 8.1.0 python
bash 5.2.15-r5 apk bash 5.2.15-r5 apk
beautifulsoup4 4.12.2 python beautifulsoup4 4.12.2 python
boto3 1.26.165 python boto3 1.28.12 python
botocore 1.29.165 python botocore 1.31.12 python
brotli-libs 1.0.9-r14 apk brotli-libs 1.0.9-r14 apk
bs4 0.0.1 python bs4 0.0.1 python
busybox 1.36.1 binary busybox 1.36.1 binary
busybox 1.36.1-r0 apk busybox 1.36.1-r1 apk
busybox-binsh 1.36.1-r0 apk busybox-binsh 1.36.1-r1 apk
c-client 2007f-r15 apk c-client 2007f-r15 apk
ca-certificates 20230506-r0 apk ca-certificates 20230506-r0 apk
ca-certificates-bundle 20230506-r0 apk ca-certificates-bundle 20230506-r0 apk
@ -49,7 +49,7 @@ certbot-dns-domeneshop 0.2.9 python
certbot-dns-duckdns 1.3 python certbot-dns-duckdns 1.3 python
certbot-dns-dynu 0.0.4 python certbot-dns-dynu 0.0.4 python
certbot-dns-gehirn 2.6.0 python certbot-dns-gehirn 2.6.0 python
certbot-dns-godaddy 0.2.2 python certbot-dns-godaddy 2.6.0 python
certbot-dns-google 2.6.0 python certbot-dns-google 2.6.0 python
certbot-dns-google-domains 0.1.11 python certbot-dns-google-domains 0.1.11 python
certbot-dns-he 1.0.0 python certbot-dns-he 1.0.0 python
@ -72,19 +72,19 @@ certbot-dns-standalone 1.1 python
certbot-dns-transip 0.5.2 python certbot-dns-transip 0.5.2 python
certbot-dns-vultr 1.1.0 python certbot-dns-vultr 1.1.0 python
certbot-plugin-gandi 1.4.3 python certbot-plugin-gandi 1.4.3 python
certifi 2023.5.7 python certifi 2023.7.22 python
cffi 1.15.1 python cffi 1.15.1 python
charset-normalizer 3.1.0 python charset-normalizer 3.2.0 python
cloudflare 2.11.6 python cloudflare 2.11.6 python
configobj 5.0.8 python configobj 5.0.8 python
coreutils 9.3-r1 apk coreutils 9.3-r1 apk
cryptography 41.0.1 python cryptography 41.0.2 python
curl 8.1.2-r0 apk curl 8.1.2-r0 apk
dataclasses-json 0.5.9 python dataclasses-json 0.5.13 python
distro 1.8.0 python distro 1.8.0 python
dns-lexicon 3.11.7 python dns-lexicon 3.11.7 python
dnslib 0.9.23 python dnslib 0.9.23 python
dnspython 2.3.0 python dnspython 2.4.1 python
domeneshop 0.4.3 python domeneshop 0.4.3 python
fail2ban 1.0.2 python fail2ban 1.0.2 python
fail2ban 1.0.2-r2 apk fail2ban 1.0.2-r2 apk
@ -97,28 +97,28 @@ gdbm 1.23-r1 apk
git 2.40.1-r0 apk git 2.40.1-r0 apk
git-perl 2.40.1-r0 apk git-perl 2.40.1-r0 apk
gmp 6.2.1-r3 apk gmp 6.2.1-r3 apk
gnupg 2.4.1-r1 apk gnupg 2.4.3-r0 apk
gnupg-dirmngr 2.4.1-r1 apk gnupg-dirmngr 2.4.3-r0 apk
gnupg-gpgconf 2.4.1-r1 apk gnupg-gpgconf 2.4.3-r0 apk
gnupg-keyboxd 2.4.1-r1 apk gnupg-keyboxd 2.4.3-r0 apk
gnupg-utils 2.4.1-r1 apk gnupg-utils 2.4.3-r0 apk
gnupg-wks-client 2.4.1-r1 apk gnupg-wks-client 2.4.3-r0 apk
gnutls 3.8.0-r2 apk gnutls 3.8.0-r2 apk
google-api-core 2.11.1 python google-api-core 2.11.1 python
google-api-python-client 2.91.0 python google-api-python-client 2.95.0 python
google-auth 2.21.0 python google-auth 2.22.0 python
google-auth-httplib2 0.1.0 python google-auth-httplib2 0.1.0 python
googleapis-common-protos 1.59.1 python googleapis-common-protos 1.59.1 python
gpg 2.4.1-r1 apk gpg 2.4.3-r0 apk
gpg-agent 2.4.1-r1 apk gpg-agent 2.4.3-r0 apk
gpg-wks-server 2.4.1-r1 apk gpg-wks-server 2.4.3-r0 apk
gpgsm 2.4.1-r1 apk gpgsm 2.4.3-r0 apk
gpgv 2.4.1-r1 apk gpgv 2.4.3-r0 apk
httplib2 0.22.0 python httplib2 0.22.0 python
icu-data-en 73.2-r1 apk icu-data-en 73.2-r2 apk
icu-libs 73.2-r1 apk icu-libs 73.2-r2 apk
idna 3.4 python idna 3.4 python
importlib-metadata 6.7.0 python importlib-metadata 6.8.0 python
ip6tables 1.8.9-r2 apk ip6tables 1.8.9-r2 apk
iptables 1.8.9-r2 apk iptables 1.8.9-r2 apk
isodate 0.6.1 python isodate 0.6.1 python
@ -134,7 +134,7 @@ libavif 0.11.1-r2 apk
libbsd 0.11.7-r1 apk libbsd 0.11.7-r1 apk
libbz2 1.0.8-r5 apk libbz2 1.0.8-r5 apk
libc-utils 0.7.2-r5 apk libc-utils 0.7.2-r5 apk
libcrypto3 3.1.1-r1 apk libcrypto3 3.1.1-r3 apk
libcurl 8.1.2-r0 apk libcurl 8.1.2-r0 apk
libdav1d 1.2.1-r0 apk libdav1d 1.2.1-r0 apk
libedit 20221030.3.1-r1 apk libedit 20221030.3.1-r1 apk
@ -150,7 +150,7 @@ libidn2 2.3.4-r1 apk
libintl 0.21.1-r7 apk libintl 0.21.1-r7 apk
libjpeg-turbo 2.1.5.1-r3 apk libjpeg-turbo 2.1.5.1-r3 apk
libksba 1.6.4-r0 apk libksba 1.6.4-r0 apk
libldap 2.6.4-r3 apk libldap 2.6.5-r0 apk
libmaxminddb-libs 1.7.1-r1 apk libmaxminddb-libs 1.7.1-r1 apk
libmcrypt 2.5.8-r10 apk libmcrypt 2.5.8-r10 apk
libmd 1.0.4-r2 apk libmd 1.0.4-r2 apk
@ -166,7 +166,7 @@ libsasl 2.1.28-r4 apk
libseccomp 2.5.4-r2 apk libseccomp 2.5.4-r2 apk
libsm 1.2.4-r1 apk libsm 1.2.4-r1 apk
libsodium 1.0.18-r3 apk libsodium 1.0.18-r3 apk
libssl3 3.1.1-r1 apk libssl3 3.1.1-r3 apk
libstdc++ 12.2.1_git20220924-r10 apk libstdc++ 12.2.1_git20220924-r10 apk
libtasn1 4.19.0-r1 apk libtasn1 4.19.0-r1 apk
libunistring 1.1-r1 apk libunistring 1.1-r1 apk
@ -185,15 +185,14 @@ libzip 1.9.2-r2 apk
linux-pam 1.5.2-r10 apk linux-pam 1.5.2-r10 apk
logrotate 3.21.0-r1 apk logrotate 3.21.0-r1 apk
loopialib 0.2.0 python loopialib 0.2.0 python
lxml 4.9.2 python lxml 4.9.3 python
lz4-libs 1.9.4-r4 apk lz4-libs 1.9.4-r4 apk
marshmallow 3.19.0 python marshmallow 3.20.1 python
marshmallow-enum 1.5.1 python
memcached 1.6.21 binary memcached 1.6.21 binary
memcached 1.6.21-r0 apk memcached 1.6.21-r0 apk
mock 5.0.2 python mock 5.1.0 python
mpdecimal 2.5.1-r2 apk mpdecimal 2.5.1-r2 apk
msal 1.22.0 python msal 1.23.0 python
msal-extensions 1.0.0 python msal-extensions 1.0.0 python
musl 1.2.4-r0 apk musl 1.2.4-r0 apk
musl-utils 1.2.4-r0 apk musl-utils 1.2.4-r0 apk
@ -224,7 +223,7 @@ nginx-mod-stream-geoip2 1.24.0-r6 apk
nginx-vim 1.24.0-r6 apk nginx-vim 1.24.0-r6 apk
npth 1.6-r4 apk npth 1.6-r4 apk
oniguruma 6.9.8-r1 apk oniguruma 6.9.8-r1 apk
openssl 3.1.1-r1 apk openssl 3.1.1-r3 apk
p11-kit 0.24.1-r2 apk p11-kit 0.24.1-r2 apk
packaging 23.1 python packaging 23.1 python
parsedatetime 2.6 python parsedatetime 2.6 python
@ -233,64 +232,64 @@ pcre2 10.42-r1 apk
perl 5.36.1-r2 apk perl 5.36.1-r2 apk
perl-error 0.17029-r1 apk perl-error 0.17029-r1 apk
perl-git 2.40.1-r0 apk perl-git 2.40.1-r0 apk
php-cli 8.2.7 binary php-cli 8.2.8 binary
php-fpm 8.2.7 binary php-fpm 8.2.8 binary
php82 8.2.7-r0 apk php82 8.2.8-r0 apk
php82-bcmath 8.2.7-r0 apk php82-bcmath 8.2.8-r0 apk
php82-bz2 8.2.7-r0 apk php82-bz2 8.2.8-r0 apk
php82-common 8.2.7-r0 apk php82-common 8.2.8-r0 apk
php82-ctype 8.2.7-r0 apk php82-ctype 8.2.8-r0 apk
php82-curl 8.2.7-r0 apk php82-curl 8.2.8-r0 apk
php82-dom 8.2.7-r0 apk php82-dom 8.2.8-r0 apk
php82-exif 8.2.7-r0 apk php82-exif 8.2.8-r0 apk
php82-fileinfo 8.2.7-r0 apk php82-fileinfo 8.2.8-r0 apk
php82-fpm 8.2.7-r0 apk php82-fpm 8.2.8-r0 apk
php82-ftp 8.2.7-r0 apk php82-ftp 8.2.8-r0 apk
php82-gd 8.2.7-r0 apk php82-gd 8.2.8-r0 apk
php82-gmp 8.2.7-r0 apk php82-gmp 8.2.8-r0 apk
php82-iconv 8.2.7-r0 apk php82-iconv 8.2.8-r0 apk
php82-imap 8.2.7-r0 apk php82-imap 8.2.8-r0 apk
php82-intl 8.2.7-r0 apk php82-intl 8.2.8-r0 apk
php82-ldap 8.2.7-r0 apk php82-ldap 8.2.8-r0 apk
php82-mbstring 8.2.7-r0 apk php82-mbstring 8.2.8-r0 apk
php82-mysqli 8.2.7-r0 apk php82-mysqli 8.2.8-r0 apk
php82-mysqlnd 8.2.7-r0 apk php82-mysqlnd 8.2.8-r0 apk
php82-opcache 8.2.7-r0 apk php82-opcache 8.2.8-r0 apk
php82-openssl 8.2.7-r0 apk php82-openssl 8.2.8-r0 apk
php82-pdo 8.2.7-r0 apk php82-pdo 8.2.8-r0 apk
php82-pdo_mysql 8.2.7-r0 apk php82-pdo_mysql 8.2.8-r0 apk
php82-pdo_odbc 8.2.7-r0 apk php82-pdo_odbc 8.2.8-r0 apk
php82-pdo_pgsql 8.2.7-r0 apk php82-pdo_pgsql 8.2.8-r0 apk
php82-pdo_sqlite 8.2.7-r0 apk php82-pdo_sqlite 8.2.8-r0 apk
php82-pear 8.2.7-r0 apk php82-pear 8.2.8-r0 apk
php82-pecl-apcu 5.1.22-r0 apk php82-pecl-apcu 5.1.22-r0 apk
php82-pecl-igbinary 3.2.14-r0 apk php82-pecl-igbinary 3.2.14-r0 apk
php82-pecl-mcrypt 1.0.6-r0 apk php82-pecl-mcrypt 1.0.6-r0 apk
php82-pecl-memcached 3.2.0-r1 apk php82-pecl-memcached 3.2.0-r1 apk
php82-pecl-msgpack 2.2.0-r0 apk php82-pecl-msgpack 2.2.0-r0 apk
php82-pecl-redis 5.3.7-r2 apk php82-pecl-redis 5.3.7-r2 apk
php82-pgsql 8.2.7-r0 apk php82-pgsql 8.2.8-r0 apk
php82-phar 8.2.7-r0 apk php82-phar 8.2.8-r0 apk
php82-posix 8.2.7-r0 apk php82-posix 8.2.8-r0 apk
php82-session 8.2.7-r0 apk php82-session 8.2.8-r0 apk
php82-simplexml 8.2.7-r0 apk php82-simplexml 8.2.8-r0 apk
php82-soap 8.2.7-r0 apk php82-soap 8.2.8-r0 apk
php82-sockets 8.2.7-r0 apk php82-sockets 8.2.8-r0 apk
php82-sodium 8.2.7-r0 apk php82-sodium 8.2.8-r0 apk
php82-sqlite3 8.2.7-r0 apk php82-sqlite3 8.2.8-r0 apk
php82-tokenizer 8.2.7-r0 apk php82-tokenizer 8.2.8-r0 apk
php82-xml 8.2.7-r0 apk php82-xml 8.2.8-r0 apk
php82-xmlreader 8.2.7-r0 apk php82-xmlreader 8.2.8-r0 apk
php82-xmlwriter 8.2.7-r0 apk php82-xmlwriter 8.2.8-r0 apk
php82-xsl 8.2.7-r0 apk php82-xsl 8.2.8-r0 apk
php82-zip 8.2.7-r0 apk php82-zip 8.2.8-r0 apk
pinentry 1.2.1-r1 apk pinentry 1.2.1-r1 apk
pip 23.1.2 python pip 23.2.1 python
pkb-client 1.2 python pkb-client 1.2 python
popt 1.19-r2 apk popt 1.19-r2 apk
portalocker 2.7.0 python portalocker 2.7.0 python
procps-ng 4.0.3-r1 apk procps-ng 4.0.3-r1 apk
protobuf 4.23.3 python protobuf 4.23.4 python
publicsuffixlist 0.9.4 python publicsuffixlist 0.9.4 python
pyOpenSSL 23.2.0 python pyOpenSSL 23.2.0 python
pyRFC3339 1.1 python pyRFC3339 1.1 python
@ -321,20 +320,20 @@ six 1.16.0 python
skalibs 2.13.1.1-r1 apk skalibs 2.13.1.1-r1 apk
soupsieve 2.4.1 python soupsieve 2.4.1 python
sqlite-libs 3.41.2-r2 apk sqlite-libs 3.41.2-r2 apk
ssl_client 1.36.1-r0 apk ssl_client 1.36.1-r1 apk
tiff 4.5.1-r0 apk tiff 4.5.1-r0 apk
tldextract 3.4.4 python tldextract 3.4.4 python
typing-inspect 0.9.0 python typing-inspect 0.9.0 python
typing_extensions 4.7.0 python typing_extensions 4.7.1 python
tzdata 2023c-r1 apk tzdata 2023c-r1 apk
unixodbc 2.3.11-r2 apk unixodbc 2.3.11-r2 apk
uritemplate 4.1.1 python uritemplate 4.1.1 python
urllib3 1.26.16 python urllib3 1.26.16 python
utmps-libs 0.1.2.1-r1 apk utmps-libs 0.1.2.1-r1 apk
wheel 0.40.0 python wheel 0.41.0 python
whois 5.5.17-r0 apk whois 5.5.17-r0 apk
xz-libs 5.4.3-r0 apk xz-libs 5.4.3-r0 apk
zipp 3.15.0 python zipp 3.16.2 python
zlib 1.2.13-r1 apk zlib 1.2.13-r1 apk
zope.interface 6.0 python zope.interface 6.0 python
zstd-libs 1.5.5-r4 apk zstd-libs 1.5.5-r4 apk

132
root/etc/s6-overlay/s6-rc.d/init-certbot-config/run
View File

@ -29,6 +29,23 @@ if [[ "${VALIDATION}" = "dns" ]] && [[ ! "${DNSPLUGIN}" =~ ^(acmedns|aliyun|azur
sleep infinity sleep infinity
fi fi
# set_ini_value logic:
# - if the name is not found in the file, append the name=value to the end of the file
# - if the name is found in the file, replace the value
# - if the name is found in the file but commented out, uncomment the line and replace the value
# call set_ini_value with parameters: $1=name $2=value $3=file
function set_ini_value() {
name=${1//\//\\/}
value=${2//\//\\/}
sed -i \
-e '/^#\?\(\s*'"${name}"'\s*=\s*\).*/{s//\1'"${value}"'/;:a;n;ba;q}' \
-e '$a'"${name}"'='"${value}" "${3}"
}
# ensure config files exist and has at least one value set (set_ini_value does not work on empty files)
touch /config/etc/letsencrypt/cli.ini
grep -qF 'agree-tos' /config/etc/letsencrypt/cli.ini || echo 'agree-tos=true' >>/config/etc/letsencrypt/cli.ini
# copy dns default configs # copy dns default configs
cp -n /defaults/dns-conf/* /config/dns-conf/ 2> >(grep -v 'cp: not replacing') cp -n /defaults/dns-conf/* /config/dns-conf/ 2> >(grep -v 'cp: not replacing')
lsiown -R abc:abc /config/dns-conf lsiown -R abc:abc /config/dns-conf
@ -157,21 +174,25 @@ if [[ ! "${URL}" = "${ORIGURL}" ]] ||
[[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]]; then [[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]]; then
echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created" echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]] && [[ -n "${ORIGEMAIL}" ]]; then if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]] && [[ -n "${ORIGEMAIL}" ]]; then
REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${ORIGEMAIL}") REV_ACMESERVER=("https://acme.zerossl.com/v2/DV90")
REV_ZEROSSL_EAB_KID=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") REV_ZEROSSL_EAB_KID=$(awk -F "=" '/eab-kid/ {print $2}' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf" | tr -d ' ')
REV_ZEROSSL_EAB_HMAC_KEY=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") REV_ZEROSSL_EAB_HMAC_KEY=$(awk -F "=" '/eab-hmac-key/ {print $2}' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf" | tr -d ' ')
if [[ -z "${REV_ZEROSSL_EAB_KID}" ]] || [[ -z "${REV_ZEROSSL_EAB_HMAC_KEY}" ]]; then if [[ -z "${REV_ZEROSSL_EAB_KID}" ]] || [[ -z "${REV_ZEROSSL_EAB_HMAC_KEY}" ]]; then
echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." REV_ZEROSSL_EAB_KID=$(awk -F "=" '/eab-kid/ {print $2}' /config/etc/letsencrypt/cli.ini | tr -d ' ')
sleep infinity REV_ZEROSSL_EAB_HMAC_KEY=$(awk -F "=" '/eab-hmac-key/ {print $2}' /config/etc/letsencrypt/cli.ini | tr -d ' ')
fi
if [[ -n "${REV_ZEROSSL_EAB_KID}" ]] && [[ -n "${REV_ZEROSSL_EAB_HMAC_KEY}" ]]; then
REV_ACMESERVER+=("--eab-kid" "${REV_ZEROSSL_EAB_KID}" "--eab-hmac-key" "${REV_ZEROSSL_EAB_HMAC_KEY}")
fi fi
REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}"
elif [[ "${ORIGSTAGING}" = "true" ]]; then elif [[ "${ORIGSTAGING}" = "true" ]]; then
REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" REV_ACMESERVER=("https://acme-staging-v02.api.letsencrypt.org/directory")
else else
REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
fi fi
if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER} || true certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true
else
certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
fi fi
rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal} rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
fi fi
@ -182,9 +203,11 @@ echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS
# Check if the cert is using the old LE root cert, revoke and regen if necessary # Check if the cert is using the old LE root cert, revoke and regen if necessary
if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "letsencrypt" ]] || [[ "${CERTPROVIDER}" == "" ]]; } && [[ "${STAGING}" != "true" ]] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "letsencrypt" ]] || [[ "${CERTPROVIDER}" == "" ]]; } && [[ "${STAGING}" != "true" ]] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking." echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER} || true certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true
else
certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
fi fi
rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal} rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
fi fi
@ -208,52 +231,51 @@ else
ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
fi fi
# figuring out url only vs url & subdomains vs subdomains only set_ini_value "server" "${ACMESERVER}" /config/etc/letsencrypt/cli.ini
# figuring out domain only vs domain & subdomains vs subdomains only
DOMAINS_ARRAY=()
if [[ -z "${SUBDOMAINS}" ]] || [[ "${ONLY_SUBDOMAINS}" != true ]]; then
DOMAINS_ARRAY+=("${URL}")
fi
if [[ -n "${SUBDOMAINS}" ]]; then if [[ -n "${SUBDOMAINS}" ]]; then
echo "SUBDOMAINS entered, processing" echo "SUBDOMAINS entered, processing"
SUBDOMAINS_ARRAY=()
if [[ "${SUBDOMAINS}" = "wildcard" ]]; then if [[ "${SUBDOMAINS}" = "wildcard" ]]; then
if [[ "${ONLY_SUBDOMAINS}" = true ]]; then SUBDOMAINS_ARRAY+=("*.${URL}")
export URL_REAL="-d *.${URL}"
echo "Wildcard cert for only the subdomains of ${URL} will be requested"
else
export URL_REAL="-d *.${URL} -d ${URL}"
echo "Wildcard cert for ${URL} will be requested" echo "Wildcard cert for ${URL} will be requested"
fi
else else
echo "SUBDOMAINS entered, processing"
for job in $(echo "${SUBDOMAINS}" | tr "," " "); do for job in $(echo "${SUBDOMAINS}" | tr "," " "); do
export SUBDOMAINS_REAL="${SUBDOMAINS_REAL} -d ${job}.${URL}" SUBDOMAINS_ARRAY+=("${job}.${URL}")
done done
if [[ "${ONLY_SUBDOMAINS}" = true ]]; then echo "Sub-domains processed are: $(echo "${SUBDOMAINS_ARRAY[*]}" | tr " " ",")"
URL_REAL="${SUBDOMAINS_REAL}"
echo "Only subdomains, no URL in cert"
else
URL_REAL="-d ${URL}${SUBDOMAINS_REAL}"
fi fi
echo "Sub-domains processed are: ${SUBDOMAINS_REAL}" DOMAINS_ARRAY+=("${SUBDOMAINS_ARRAY[@]}")
fi
else
echo "No subdomains defined"
URL_REAL="-d ${URL}"
fi fi
# add extra domains # add extra domains
if [[ -n "${EXTRA_DOMAINS}" ]]; then if [[ -n "${EXTRA_DOMAINS}" ]]; then
echo "EXTRA_DOMAINS entered, processing" echo "EXTRA_DOMAINS entered, processing"
EXTRA_DOMAINS_ARRAY=()
for job in $(echo "${EXTRA_DOMAINS}" | tr "," " "); do for job in $(echo "${EXTRA_DOMAINS}" | tr "," " "); do
export EXTRA_DOMAINS_REAL="${EXTRA_DOMAINS_REAL} -d ${job}" EXTRA_DOMAINS_ARRAY+=("${job}")
done done
echo "Extra domains processed are: ${EXTRA_DOMAINS_REAL}" echo "Extra domains processed are: $(echo "${EXTRA_DOMAINS_ARRAY[*]}" | tr " " ",")"
URL_REAL="${URL_REAL} ${EXTRA_DOMAINS_REAL}" DOMAINS_ARRAY+=("${EXTRA_DOMAINS_ARRAY[@]}")
fi fi
# setting domains in cli.ini
set_ini_value "domains" "$(echo "${DOMAINS_ARRAY[*]}" | tr " " ",")" /config/etc/letsencrypt/cli.ini
# figuring out whether to use e-mail and which # figuring out whether to use e-mail and which
if [[ ${EMAIL} == *@* ]]; then if [[ ${EMAIL} == *@* ]]; then
echo "E-mail address entered: ${EMAIL}" echo "E-mail address entered: ${EMAIL}"
EMAILPARAM="-m ${EMAIL} --no-eff-email" set_ini_value "email" "${EMAIL}" /config/etc/letsencrypt/cli.ini
set_ini_value "no-eff-email" "true" /config/etc/letsencrypt/cli.ini
set_ini_value "register-unsafely-without-email" "false" /config/etc/letsencrypt/cli.ini
else else
echo "No e-mail address entered or address invalid" echo "No e-mail address entered or address invalid"
EMAILPARAM="--register-unsafely-without-email" set_ini_value "register-unsafely-without-email" "true" /config/etc/letsencrypt/cli.ini
fi fi
# alter extension for error message # alter extension for error message
@ -265,37 +287,41 @@ fi
# setting the validation method to use # setting the validation method to use
if [[ "${VALIDATION}" = "dns" ]]; then if [[ "${VALIDATION}" = "dns" ]]; then
AUTHENTICATORPARAM="--authenticator dns-${DNSPLUGIN}" set_ini_value "preferred-challenges" "dns" /config/etc/letsencrypt/cli.ini
DNSCREDENTIALSPARAM="--dns-${DNSPLUGIN}-credentials ${DNSCREDENTIALFILE}" set_ini_value "authenticator" "dns-${DNSPLUGIN}" /config/etc/letsencrypt/cli.ini
if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi set_ini_value "dns-${DNSPLUGIN}-credentials" "${DNSCREDENTIALFILE}" /config/etc/letsencrypt/cli.ini
if [[ -n "${PROPAGATION}" ]]; then set_ini_value "dns-${DNSPLUGIN}-propagation-seconds" "${PROPAGATION}" /config/etc/letsencrypt/cli.ini; fi
# plugins that don't support setting credentials file # plugins that don't support setting credentials file
if [[ "${DNSPLUGIN}" =~ ^(route53|standalone)$ ]]; then if [[ "${DNSPLUGIN}" =~ ^(route53|standalone)$ ]]; then
DNSCREDENTIALSPARAM="" sed "/^dns-${DNSPLUGIN}-credentials /d" /config/etc/letsencrypt/cli.ini
fi fi
# plugins that don't support setting propagation # plugins that don't support setting propagation
if [[ "${DNSPLUGIN}" =~ ^(azure|gandi|route53|standalone)$ ]]; then if [[ "${DNSPLUGIN}" =~ ^(azure|gandi|route53|standalone)$ ]]; then
if [[ -n "${PROPAGATION}" ]]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi if [[ -n "${PROPAGATION}" ]]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi
PROPAGATIONPARAM="" sed "/^dns-${DNSPLUGIN}-propagation-seconds /d" /config/etc/letsencrypt/cli.ini
fi fi
# plugins that use old parameter naming convention # plugins that use old parameter naming convention
if [[ "${DNSPLUGIN}" =~ ^(cpanel)$ ]]; then if [[ "${DNSPLUGIN}" =~ ^(cpanel|directadmin)$ ]]; then
AUTHENTICATORPARAM="--authenticator ${DNSPLUGIN}" sed "/^dns-${DNSPLUGIN}-credentials /d" /config/etc/letsencrypt/cli.ini
DNSCREDENTIALSPARAM="--${DNSPLUGIN}-credentials ${DNSCREDENTIALFILE}" sed "/^dns-${DNSPLUGIN}-propagation-seconds /d" /config/etc/letsencrypt/cli.ini
if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi set_ini_value "authenticator" "${DNSPLUGIN}" /config/etc/letsencrypt/cli.ini
set_ini_value "${DNSPLUGIN}-credentials" "${DNSCREDENTIALFILE}" /config/etc/letsencrypt/cli.ini
if [[ -n "${PROPAGATION}" ]]; then set_ini_value "${DNSPLUGIN}-propagation-seconds" "${PROPAGATION}" /config/etc/letsencrypt/cli.ini; fi
fi fi
# don't restore txt records when using DuckDNS plugin # don't restore txt records when using DuckDNS plugin
if [[ "${DNSPLUGIN}" =~ ^(duckdns)$ ]]; then if [[ "${DNSPLUGIN}" =~ ^(duckdns)$ ]]; then
AUTHENTICATORPARAM="${AUTHENTICATORPARAM} --dns-${DNSPLUGIN}-no-txt-restore" set_ini_value "dns-${DNSPLUGIN}-no-txt-restore" "true" /config/etc/letsencrypt/cli.ini
fi fi
PREFCHAL="${AUTHENTICATORPARAM} ${DNSCREDENTIALSPARAM} ${PROPAGATIONPARAM}"
echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected" echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
elif [[ "${VALIDATION}" = "tls-sni" ]]; then elif [[ "${VALIDATION}" = "tls-sni" ]]; then
PREFCHAL="--standalone --preferred-challenges http" set_ini_value "preferred-challenges" "http" /config/etc/letsencrypt/cli.ini
set_ini_value "authenticator" "standalone" /config/etc/letsencrypt/cli.ini
echo "*****tls-sni validation has been deprecated, attempting http validation instead" echo "*****tls-sni validation has been deprecated, attempting http validation instead"
else else
PREFCHAL="--standalone --preferred-challenges http" set_ini_value "preferred-challenges" "http" /config/etc/letsencrypt/cli.ini
set_ini_value "authenticator" "standalone" /config/etc/letsencrypt/cli.ini
echo "http validation is selected" echo "http validation is selected"
fi fi
@ -304,17 +330,17 @@ if [[ ! -f "/config/keys/letsencrypt/fullchain.pem" ]]; then
if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then
echo "Retrieving EAB from ZeroSSL" echo "Retrieving EAB from ZeroSSL"
EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${EMAIL}") EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${EMAIL}")
ZEROSSL_EAB_KID=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") ZEROSSL_EAB_KID=$(echo "${EAB_CREDS}" | jq .eab_kid)
ZEROSSL_EAB_HMAC_KEY=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") ZEROSSL_EAB_HMAC_KEY=$(echo "${EAB_CREDS}" | jq .eab_hmac_key)
if [[ -z "${ZEROSSL_EAB_KID}" ]] || [[ -z "${ZEROSSL_EAB_HMAC_KEY}" ]]; then if [[ -z "${ZEROSSL_EAB_KID}" ]] || [[ -z "${ZEROSSL_EAB_HMAC_KEY}" ]]; then
echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
sleep infinity sleep infinity
fi fi
ZEROSSL_EAB="--eab-kid ${ZEROSSL_EAB_KID} --eab-hmac-key ${ZEROSSL_EAB_HMAC_KEY}" set_ini_value "eab-kid" "${ZEROSSL_EAB_KID}" /config/etc/letsencrypt/cli.ini
set_ini_value "eab-hmac-key" "${ZEROSSL_EAB_HMAC_KEY}" /config/etc/letsencrypt/cli.ini
fi fi
echo "Generating new certificate" echo "Generating new certificate"
# shellcheck disable=SC2086 certbot certonly --non-interactive --renew-by-default
certbot certonly --non-interactive --renew-by-default --server ${ACMESERVER} ${ZEROSSL_EAB} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${URL_REAL}
if [[ ! -d /config/keys/letsencrypt ]]; then if [[ ! -d /config/keys/letsencrypt ]]; then
if [[ "${VALIDATION}" = "dns" ]]; then if [[ "${VALIDATION}" = "dns" ]]; then
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the ${DNSCREDENTIALFILE} file." echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the ${DNSCREDENTIALFILE} file."