mirror of
https://github.com/linuxserver/docker-swag.git
synced 2024-12-18 04:04:23 -05:00
907dfc8c03
This reverts commit bf21a51e10
.
381 lines
20 KiB
Plaintext
Executable File
381 lines
20 KiB
Plaintext
Executable File
#!/usr/bin/with-contenv bash
|
|
# shellcheck shell=bash
|
|
|
|
# Display variables for troubleshooting
|
|
echo -e "Variables set:\\n\
|
|
PUID=${PUID}\\n\
|
|
PGID=${PGID}\\n\
|
|
TZ=${TZ}\\n\
|
|
URL=${URL}\\n\
|
|
SUBDOMAINS=${SUBDOMAINS}\\n\
|
|
EXTRA_DOMAINS=${EXTRA_DOMAINS}\\n\
|
|
ONLY_SUBDOMAINS=${ONLY_SUBDOMAINS}\\n\
|
|
VALIDATION=${VALIDATION}\\n\
|
|
CERTPROVIDER=${CERTPROVIDER}\\n\
|
|
DNSPLUGIN=${DNSPLUGIN}\\n\
|
|
EMAIL=${EMAIL}\\n\
|
|
STAGING=${STAGING}\\n"
|
|
|
|
# Sanitize variables
|
|
SANED_VARS=(DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER)
|
|
for i in "${SANED_VARS[@]}"; do
|
|
export echo "${i}"="${!i//\"/}"
|
|
export echo "${i}"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
|
|
done
|
|
|
|
# Check for and install requested DNS plugins
|
|
if grep -q "universal-package-install" <<< "${DOCKER_MODS}" && grep -q "certbot-dns" <<< "${INSTALL_PIP_PACKAGES}"; then
|
|
echo "**** Installing requested dns plugins ****"
|
|
/etc/s6-overlay/s6-rc.d/init-mod-universal-package-install-add-package/run
|
|
/etc/s6-overlay/s6-rc.d/init-mods-package-install/run
|
|
fi
|
|
|
|
# check to make sure DNSPLUGIN is selected if dns validation is used
|
|
CERTBOT_DNS_AUTHENTICATORS=$(certbot plugins --authenticators 2>/dev/null | sed -e 's/^Entry point: EntryPoint(name='\''cpanel'\''/Entry point: EntryPoint(name='\''dns-cpanel'\''/' -e '/EntryPoint(name='\''dns-/!d' -e 's/^Entry point: EntryPoint(name='\''dns-\([^ ]*\)'\'',/\1/' | sort)
|
|
if [[ "${VALIDATION}" = "dns" ]] && ! echo "${CERTBOT_DNS_AUTHENTICATORS}" | grep -q "${DNSPLUGIN}"; then
|
|
echo "Please set the DNSPLUGIN variable to one of the following:"
|
|
echo "${CERTBOT_DNS_AUTHENTICATORS}"
|
|
sleep infinity
|
|
fi
|
|
|
|
# set owner of certbot's CONFIG_DIR, WORK_DIR, and LOGS_DIR to abc
|
|
lsiown -R abc:abc \
|
|
/etc/letsencrypt \
|
|
/var/lib/letsencrypt \
|
|
/var/log/letsencrypt
|
|
|
|
# set_ini_value logic:
|
|
# - if the name is not found in the file, append the name=value to the end of the file
|
|
# - if the name is found in the file, replace the value
|
|
# - if the name is found in the file but commented out, uncomment the line and replace the value
|
|
# call set_ini_value with parameters: $1=name $2=value $3=file
|
|
function set_ini_value() {
|
|
name=${1//\//\\/}
|
|
value=${2//\//\\/}
|
|
sed -i \
|
|
-e '/^#\?\(\s*'"${name}"'\s*=\s*\).*/{s//\1'"${value}"'/;:a;n;ba;q}' \
|
|
-e '$a'"${name}"'='"${value}" "${3}"
|
|
}
|
|
|
|
# ensure config files exist and has at least one value set (set_ini_value does not work on empty files)
|
|
touch /config/etc/letsencrypt/cli.ini
|
|
lsiown abc:abc /config/etc/letsencrypt/cli.ini
|
|
grep -qF 'agree-tos' /config/etc/letsencrypt/cli.ini || echo 'agree-tos=true' >>/config/etc/letsencrypt/cli.ini
|
|
|
|
# copy dns default configs
|
|
cp -n /defaults/dns-conf/* /config/dns-conf/ 2> >(grep -v 'cp: not replacing')
|
|
lsiown -R abc:abc /config/dns-conf
|
|
|
|
# copy default renewal hooks
|
|
chmod -R +x /defaults/etc/letsencrypt/renewal-hooks
|
|
cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/ 2> >(grep -v 'cp: not replacing')
|
|
lsiown -R abc:abc /config/etc/letsencrypt/renewal-hooks
|
|
|
|
# replace nginx service location in renewal hooks
|
|
find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|/run/service/nginx|/run/service/svc-nginx|g' {} \;
|
|
find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|/var/run/s6/services/nginx|/run/service/svc-nginx|g' {} \;
|
|
find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|s6-supervise nginx|s6-supervise svc-nginx|g' {} \;
|
|
|
|
# create original config file if it doesn't exist, move non-hidden legacy file to hidden
|
|
if [[ -f "/config/donoteditthisfile.conf" ]]; then
|
|
mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
|
|
fi
|
|
if [[ ! -f "/config/.donoteditthisfile.conf" ]]; then
|
|
echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
|
|
echo "Created .donoteditthisfile.conf"
|
|
fi
|
|
|
|
# load original config settings
|
|
# shellcheck source=/dev/null
|
|
. /config/.donoteditthisfile.conf
|
|
|
|
# setting ORIGDOMAIN for use in revoke sections
|
|
if [[ "${ORIGONLY_SUBDOMAINS}" = "true" ]] && [[ ! "${ORIGSUBDOMAINS}" = "wildcard" ]]; then
|
|
ORIGDOMAIN="$(echo "${ORIGSUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
|
|
else
|
|
ORIGDOMAIN="${ORIGURL}"
|
|
fi
|
|
|
|
# update plugin names in dns conf inis
|
|
sed -i 's|^certbot[-_]dns[-_]aliyun:||g' /config/dns-conf/aliyun.ini
|
|
sed -i 's|^certbot[-_]dns[-_]cpanel:||g' /config/dns-conf/cpanel.ini
|
|
sed -i 's|^dns[-_]cpanel[-_]|cpanel_|g' /config/dns-conf/cpanel.ini
|
|
sed -i 's|^directadmin[-_]|dns_directadmin_|g' /config/dns-conf/directadmin.ini
|
|
sed -i 's|^certbot[-_]dns[-_]domeneshop:||g' /config/dns-conf/domeneshop.ini
|
|
sed -i 's|^certbot[-_]plugin[-_]gandi:dns[-_]|dns_gandi_|g' /config/dns-conf/gandi.ini
|
|
sed -i 's|^certbot[-_]dns[-_]inwx:||g' /config/dns-conf/inwx.ini
|
|
sed -i 's|^certbot[-_]dns[-_]transip:||g' /config/dns-conf/transip.ini
|
|
|
|
# update plugin names in renewal conf
|
|
if [[ -f "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf" ]] && [[ "${ORIGVALIDATION}" = "dns" ]]; then
|
|
if [[ "${ORIGDNSPLUGIN}" =~ ^(aliyun)$ ]]; then
|
|
sed -i 's|^authenticator = certbot[-_]dns[-_]aliyun:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
|
|
sed -i 's|^certbot[-_]dns[-_]aliyun:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
|
|
fi
|
|
if [[ "${ORIGDNSPLUGIN}" =~ ^(cpanel)$ ]]; then
|
|
sed -i 's|^authenticator = certbot[-_]dns[-_]cpanel:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
|
|
sed -i 's|^certbot[-_]dns[-_]cpanel:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
|
|
sed -i 's|^authenticator = dns[-_]cpanel|authenticator = cpanel|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
|
|
sed -i 's|^dns[-_]cpanel[-_]|cpanel_|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
|
|
fi
|
|
if [[ "${ORIGDNSPLUGIN}" =~ ^(directadmin)$ ]]; then
|
|
sed -i 's|^authenticator = directadmin|authenticator = dns-directadmin|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
|
|
sed -i 's|^directadmin[-_]|dns_directadmin_|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
|
|
fi
|
|
if [[ "${ORIGDNSPLUGIN}" =~ ^(domeneshop)$ ]]; then
|
|
sed -i 's|^authenticator = certbot[-_]dns[-_]domeneshop:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
|
|
sed -i 's|^certbot[-_]dns[-_]domeneshop:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
|
|
fi
|
|
if [[ "${ORIGDNSPLUGIN}" =~ ^(gandi)$ ]]; then
|
|
sed -i 's|^authenticator = certbot[-_]plugin[-_]gandi:dns|authenticator = dns-gandi|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
|
|
sed -i 's|^certbot[-_]plugin[-_]gandi:dns[-_]|dns_gandi_|g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
|
|
fi
|
|
if [[ "${ORIGDNSPLUGIN}" =~ ^(inwx)$ ]]; then
|
|
sed -i 's|^authenticator = certbot[-_]dns[-_]inwx:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
|
|
sed -i 's|^certbot[-_]dns[-_]inwx:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
|
|
fi
|
|
if [[ "${ORIGDNSPLUGIN}" =~ ^(transip)$ ]]; then
|
|
sed -i 's|^authenticator = certbot[-_]dns[-_]transip:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
|
|
sed -i 's|^certbot[-_]dns[-_]transip:||g' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf"
|
|
fi
|
|
fi
|
|
|
|
# set default validation to http
|
|
if [[ -z "${VALIDATION}" ]]; then
|
|
VALIDATION="http"
|
|
echo "VALIDATION parameter not set; setting it to http"
|
|
fi
|
|
|
|
# set duckdns validation to dns
|
|
if [[ "${VALIDATION}" = "duckdns" ]]; then
|
|
VALIDATION="dns"
|
|
DNSPLUGIN="duckdns"
|
|
if [[ -n "${DUCKDNSTOKEN}" ]] && ! grep -q "dns_duckdns_token=${DUCKDNSTOKEN}$" /config/dns-conf/duckdns.ini; then
|
|
sed -i "s|^dns_duckdns_token=.*|dns_duckdns_token=${DUCKDNSTOKEN}|g" /config/dns-conf/duckdns.ini
|
|
fi
|
|
fi
|
|
if [[ "${VALIDATION}" = "dns" ]] && [[ "${DNSPLUGIN}" = "duckdns" ]]; then
|
|
if [[ "${SUBDOMAINS}" = "wildcard" ]]; then
|
|
echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
|
|
export ONLY_SUBDOMAINS=true
|
|
else
|
|
echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org"
|
|
export SUBDOMAINS=""
|
|
fi
|
|
export EXTRA_DOMAINS=""
|
|
fi
|
|
|
|
# setting the symlink for key location
|
|
rm -rf /config/keys/letsencrypt
|
|
if [[ "${ONLY_SUBDOMAINS}" = "true" ]] && [[ ! "${SUBDOMAINS}" = "wildcard" ]]; then
|
|
DOMAIN="$(echo "${SUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${URL}"
|
|
ln -s ../etc/letsencrypt/live/"${DOMAIN}" /config/keys/letsencrypt
|
|
else
|
|
ln -s ../etc/letsencrypt/live/"${URL}" /config/keys/letsencrypt
|
|
fi
|
|
|
|
# cleanup unused csr and keys folders
|
|
rm -rf /etc/letsencrypt/csr
|
|
rm -rf /etc/letsencrypt/keys
|
|
|
|
# checking for changes in cert variables, revoking certs if necessary
|
|
if [[ ! "${URL}" = "${ORIGURL}" ]] ||
|
|
[[ ! "${SUBDOMAINS}" = "${ORIGSUBDOMAINS}" ]] ||
|
|
[[ ! "${ONLY_SUBDOMAINS}" = "${ORIGONLY_SUBDOMAINS}" ]] ||
|
|
[[ ! "${EXTRA_DOMAINS}" = "${ORIGEXTRA_DOMAINS}" ]] ||
|
|
[[ ! "${VALIDATION}" = "${ORIGVALIDATION}" ]] ||
|
|
[[ ! "${DNSPLUGIN}" = "${ORIGDNSPLUGIN}" ]] ||
|
|
[[ ! "${PROPAGATION}" = "${ORIGPROPAGATION}" ]] ||
|
|
[[ ! "${STAGING}" = "${ORIGSTAGING}" ]] ||
|
|
[[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]]; then
|
|
echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
|
|
if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]] && [[ -n "${ORIGEMAIL}" ]]; then
|
|
REV_ACMESERVER=("https://acme.zerossl.com/v2/DV90")
|
|
REV_ZEROSSL_EAB_KID=$(awk -F "=" '/eab-kid/ {print $2}' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf" | tr -d ' ')
|
|
REV_ZEROSSL_EAB_HMAC_KEY=$(awk -F "=" '/eab-hmac-key/ {print $2}' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf" | tr -d ' ')
|
|
if [[ -z "${REV_ZEROSSL_EAB_KID}" ]] || [[ -z "${REV_ZEROSSL_EAB_HMAC_KEY}" ]]; then
|
|
REV_ZEROSSL_EAB_KID=$(awk -F "=" '/eab-kid/ {print $2}' /config/etc/letsencrypt/cli.ini | tr -d ' ')
|
|
REV_ZEROSSL_EAB_HMAC_KEY=$(awk -F "=" '/eab-hmac-key/ {print $2}' /config/etc/letsencrypt/cli.ini | tr -d ' ')
|
|
fi
|
|
if [[ -n "${REV_ZEROSSL_EAB_KID}" ]] && [[ -n "${REV_ZEROSSL_EAB_HMAC_KEY}" ]]; then
|
|
REV_ACMESERVER+=("--eab-kid" "${REV_ZEROSSL_EAB_KID}" "--eab-hmac-key" "${REV_ZEROSSL_EAB_HMAC_KEY}")
|
|
fi
|
|
elif [[ "${ORIGSTAGING}" = "true" ]]; then
|
|
REV_ACMESERVER=("https://acme-staging-v02.api.letsencrypt.org/directory")
|
|
else
|
|
REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
|
|
fi
|
|
if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
|
|
certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true
|
|
else
|
|
certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
|
|
fi
|
|
rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
|
|
fi
|
|
|
|
# saving new variables
|
|
echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
|
|
|
|
# Check if the cert is using the old LE root cert, revoke and regen if necessary
|
|
if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "letsencrypt" ]] || [[ "${CERTPROVIDER}" == "" ]]; } && [[ "${STAGING}" != "true" ]] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
|
|
echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
|
|
REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
|
|
if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
|
|
certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true
|
|
else
|
|
certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
|
|
fi
|
|
rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
|
|
fi
|
|
|
|
# if zerossl is selected or staging is set to true, use the relevant server
|
|
if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ "${STAGING}" = "true" ]]; then
|
|
echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
|
|
fi
|
|
if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then
|
|
echo "ZeroSSL is selected as the cert provider, registering cert with ${EMAIL}"
|
|
ACMESERVER="https://acme.zerossl.com/v2/DV90"
|
|
elif [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -z "${EMAIL}" ]]; then
|
|
echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable"
|
|
sleep infinity
|
|
elif [[ "${STAGING}" = "true" ]]; then
|
|
echo "NOTICE: Staging is active"
|
|
echo "Using Let's Encrypt as the cert provider"
|
|
ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
|
|
else
|
|
echo "Using Let's Encrypt as the cert provider"
|
|
ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
|
|
fi
|
|
|
|
set_ini_value "server" "${ACMESERVER}" /config/etc/letsencrypt/cli.ini
|
|
|
|
# figuring out domain only vs domain & subdomains vs subdomains only
|
|
DOMAINS_ARRAY=()
|
|
if [[ -z "${SUBDOMAINS}" ]] || [[ "${ONLY_SUBDOMAINS}" != true ]]; then
|
|
DOMAINS_ARRAY+=("${URL}")
|
|
fi
|
|
if [[ -n "${SUBDOMAINS}" ]]; then
|
|
echo "SUBDOMAINS entered, processing"
|
|
SUBDOMAINS_ARRAY=()
|
|
if [[ "${SUBDOMAINS}" = "wildcard" ]]; then
|
|
SUBDOMAINS_ARRAY+=("*.${URL}")
|
|
echo "Wildcard cert for ${URL} will be requested"
|
|
else
|
|
for job in $(echo "${SUBDOMAINS}" | tr "," " "); do
|
|
SUBDOMAINS_ARRAY+=("${job}.${URL}")
|
|
done
|
|
echo "Sub-domains processed are: $(echo "${SUBDOMAINS_ARRAY[*]}" | tr " " ",")"
|
|
fi
|
|
DOMAINS_ARRAY+=("${SUBDOMAINS_ARRAY[@]}")
|
|
fi
|
|
|
|
# add extra domains
|
|
if [[ -n "${EXTRA_DOMAINS}" ]]; then
|
|
echo "EXTRA_DOMAINS entered, processing"
|
|
EXTRA_DOMAINS_ARRAY=()
|
|
for job in $(echo "${EXTRA_DOMAINS}" | tr "," " "); do
|
|
EXTRA_DOMAINS_ARRAY+=("${job}")
|
|
done
|
|
echo "Extra domains processed are: $(echo "${EXTRA_DOMAINS_ARRAY[*]}" | tr " " ",")"
|
|
DOMAINS_ARRAY+=("${EXTRA_DOMAINS_ARRAY[@]}")
|
|
fi
|
|
|
|
# setting domains in cli.ini
|
|
set_ini_value "domains" "$(echo "${DOMAINS_ARRAY[*]}" | tr " " ",")" /config/etc/letsencrypt/cli.ini
|
|
|
|
# figuring out whether to use e-mail and which
|
|
if [[ ${EMAIL} == *@* ]]; then
|
|
echo "E-mail address entered: ${EMAIL}"
|
|
set_ini_value "email" "${EMAIL}" /config/etc/letsencrypt/cli.ini
|
|
set_ini_value "no-eff-email" "true" /config/etc/letsencrypt/cli.ini
|
|
set_ini_value "register-unsafely-without-email" "false" /config/etc/letsencrypt/cli.ini
|
|
else
|
|
echo "No e-mail address entered or address invalid"
|
|
set_ini_value "register-unsafely-without-email" "true" /config/etc/letsencrypt/cli.ini
|
|
fi
|
|
|
|
# alter extension for error message
|
|
if [[ "${DNSPLUGIN}" = "google" ]]; then
|
|
DNSCREDENTIALFILE="/config/dns-conf/${DNSPLUGIN}.json"
|
|
else
|
|
DNSCREDENTIALFILE="/config/dns-conf/${DNSPLUGIN}.ini"
|
|
fi
|
|
|
|
# setting the validation method to use
|
|
if [[ "${VALIDATION}" = "dns" ]]; then
|
|
set_ini_value "preferred-challenges" "dns" /config/etc/letsencrypt/cli.ini
|
|
set_ini_value "authenticator" "dns-${DNSPLUGIN}" /config/etc/letsencrypt/cli.ini
|
|
set_ini_value "dns-${DNSPLUGIN}-credentials" "${DNSCREDENTIALFILE}" /config/etc/letsencrypt/cli.ini
|
|
if [[ -n "${PROPAGATION}" ]]; then set_ini_value "dns-${DNSPLUGIN}-propagation-seconds" "${PROPAGATION}" /config/etc/letsencrypt/cli.ini; fi
|
|
|
|
# plugins that don't support setting credentials file
|
|
if [[ "${DNSPLUGIN}" =~ ^(route53|standalone)$ ]]; then
|
|
sed -i "/^dns-${DNSPLUGIN}-credentials\b/d" /config/etc/letsencrypt/cli.ini
|
|
fi
|
|
# plugins that don't support setting propagation
|
|
if [[ "${DNSPLUGIN}" =~ ^(azure|gandi|route53|standalone)$ ]]; then
|
|
if [[ -n "${PROPAGATION}" ]]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi
|
|
sed -i "/^dns-${DNSPLUGIN}-propagation-seconds\b/d" /config/etc/letsencrypt/cli.ini
|
|
fi
|
|
# plugins that use old parameter naming convention
|
|
if [[ "${DNSPLUGIN}" =~ ^(cpanel)$ ]]; then
|
|
sed -i "/^dns-${DNSPLUGIN}-credentials\b/d" /config/etc/letsencrypt/cli.ini
|
|
sed -i "/^dns-${DNSPLUGIN}-propagation-seconds\b/d" /config/etc/letsencrypt/cli.ini
|
|
set_ini_value "authenticator" "${DNSPLUGIN}" /config/etc/letsencrypt/cli.ini
|
|
set_ini_value "${DNSPLUGIN}-credentials" "${DNSCREDENTIALFILE}" /config/etc/letsencrypt/cli.ini
|
|
if [[ -n "${PROPAGATION}" ]]; then set_ini_value "${DNSPLUGIN}-propagation-seconds" "${PROPAGATION}" /config/etc/letsencrypt/cli.ini; fi
|
|
fi
|
|
# don't restore txt records when using DuckDNS plugin
|
|
if [[ "${DNSPLUGIN}" =~ ^(duckdns)$ ]]; then
|
|
set_ini_value "dns-${DNSPLUGIN}-no-txt-restore" "true" /config/etc/letsencrypt/cli.ini
|
|
fi
|
|
|
|
echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
|
|
elif [[ "${VALIDATION}" = "tls-sni" ]]; then
|
|
set_ini_value "preferred-challenges" "http" /config/etc/letsencrypt/cli.ini
|
|
set_ini_value "authenticator" "standalone" /config/etc/letsencrypt/cli.ini
|
|
echo "*****tls-sni validation has been deprecated, attempting http validation instead"
|
|
else
|
|
set_ini_value "preferred-challenges" "http" /config/etc/letsencrypt/cli.ini
|
|
set_ini_value "authenticator" "standalone" /config/etc/letsencrypt/cli.ini
|
|
echo "http validation is selected"
|
|
fi
|
|
|
|
# generating certs if necessary
|
|
if [[ ! -f "/config/keys/letsencrypt/fullchain.pem" ]]; then
|
|
if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then
|
|
echo "Retrieving EAB from ZeroSSL"
|
|
EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${EMAIL}")
|
|
ZEROSSL_EAB_KID=$(echo "${EAB_CREDS}" | jq .eab_kid)
|
|
ZEROSSL_EAB_HMAC_KEY=$(echo "${EAB_CREDS}" | jq .eab_hmac_key)
|
|
if [[ -z "${ZEROSSL_EAB_KID}" ]] || [[ -z "${ZEROSSL_EAB_HMAC_KEY}" ]]; then
|
|
echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
|
|
sleep infinity
|
|
fi
|
|
set_ini_value "eab-kid" "${ZEROSSL_EAB_KID}" /config/etc/letsencrypt/cli.ini
|
|
set_ini_value "eab-hmac-key" "${ZEROSSL_EAB_HMAC_KEY}" /config/etc/letsencrypt/cli.ini
|
|
fi
|
|
echo "Generating new certificate"
|
|
certbot certonly --non-interactive --renew-by-default
|
|
if [[ ! -d /config/keys/letsencrypt ]]; then
|
|
if [[ "${VALIDATION}" = "dns" ]]; then
|
|
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the ${DNSCREDENTIALFILE} file."
|
|
else
|
|
echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
|
|
fi
|
|
sleep infinity
|
|
fi
|
|
run-parts /config/etc/letsencrypt/renewal-hooks/deploy/
|
|
echo "New certificate generated; starting nginx"
|
|
else
|
|
echo "Certificate exists; parameters unchanged; starting nginx"
|
|
fi
|
|
|
|
# if certbot generated key exists, remove self-signed cert and replace it with symlink to live cert
|
|
if [[ -d /config/keys/letsencrypt ]]; then
|
|
rm -rf /config/keys/cert.crt
|
|
ln -s ./letsencrypt/fullchain.pem /config/keys/cert.crt
|
|
rm -rf /config/keys/cert.key
|
|
ln -s ./letsencrypt/privkey.pem /config/keys/cert.key
|
|
fi
|