|
|
|
@@ -16,30 +16,39 @@ EMAIL=${EMAIL}\\n\
|
|
|
|
|
STAGING=${STAGING}\\n"
|
|
|
|
|
|
|
|
|
|
# Sanitize variables
|
|
|
|
|
SANED_VARS=( DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER )
|
|
|
|
|
for i in "${SANED_VARS[@]}"
|
|
|
|
|
do
|
|
|
|
|
SANED_VARS=(DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER)
|
|
|
|
|
for i in "${SANED_VARS[@]}"; do
|
|
|
|
|
export echo "$i"="${!i//\"/}"
|
|
|
|
|
export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
# copy dns default configs
|
|
|
|
|
cp -n /defaults/dns-conf/* /config/dns-conf/
|
|
|
|
|
chown -R abc:abc /config/dns-conf
|
|
|
|
|
|
|
|
|
|
# check to make sure DNSPLUGIN is selected if dns validation is used
|
|
|
|
|
if [[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(acmedns|aliyun|azure|cloudflare|cloudxns|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|do|domeneshop|dynu|gandi|gehirn|godaddy|google|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|porkbun|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then
|
|
|
|
|
echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details."
|
|
|
|
|
sleep infinity
|
|
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# copy dns default configs
|
|
|
|
|
cp -n /defaults/dns-conf/* /config/dns-conf/
|
|
|
|
|
chown -R abc:abc /config/dns-conf
|
|
|
|
|
|
|
|
|
|
# update plugin names in dns conf inis
|
|
|
|
|
sed -i 's|^certbot_dns_aliyun:||g' /config/dns-conf/aliyun.ini
|
|
|
|
|
sed -i 's|^certbot_dns_domeneshop:||g' /config/dns-conf/domeneshop.ini
|
|
|
|
|
sed -i 's|^certbot_dns_inwx:||g' /config/dns-conf/inwx.ini
|
|
|
|
|
sed -i 's|^certbot_dns_transip:||g' /config/dns-conf/transip.ini
|
|
|
|
|
|
|
|
|
|
# copy default renewal hooks
|
|
|
|
|
chmod -R +x /defaults/etc/letsencrypt/renewal-hooks
|
|
|
|
|
cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/
|
|
|
|
|
chown -R abc:abc /config/etc/letsencrypt/renewal-hooks
|
|
|
|
|
|
|
|
|
|
# create original config file if it doesn't exist, move non-hidden legacy file to hidden
|
|
|
|
|
if [ -f "/config/donoteditthisfile.conf" ]; then
|
|
|
|
|
mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
|
|
|
|
|
fi
|
|
|
|
|
if [ ! -f "/config/.donoteditthisfile.conf" ]; then
|
|
|
|
|
echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" > /config/.donoteditthisfile.conf
|
|
|
|
|
echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" >/config/.donoteditthisfile.conf
|
|
|
|
|
echo "Created .donoteditthisfile.conf"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
@@ -120,40 +129,34 @@ else
|
|
|
|
|
EMAILPARAM="--register-unsafely-without-email"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# update plugin names in dns conf inis
|
|
|
|
|
sed -i 's|^certbot_dns_aliyun:||g' /config/dns-conf/aliyun.ini
|
|
|
|
|
sed -i 's|^certbot_dns_domeneshop:||g' /config/dns-conf/domeneshop.ini
|
|
|
|
|
sed -i 's|^certbot_dns_inwx:||g' /config/dns-conf/inwx.ini
|
|
|
|
|
sed -i 's|^certbot_dns_transip:||g' /config/dns-conf/transip.ini
|
|
|
|
|
|
|
|
|
|
# setting the validation method to use
|
|
|
|
|
if [ "$VALIDATION" = "dns" ]; then
|
|
|
|
|
if [ "$DNSPLUGIN" = "route53" ]; then
|
|
|
|
|
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
|
|
|
|
if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
|
|
|
|
PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}"
|
|
|
|
|
elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then
|
|
|
|
|
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
|
|
|
|
if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
|
|
|
|
PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
|
|
|
|
|
elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then
|
|
|
|
|
if [ -n "$PROPAGATION" ];then echo "Gandi dns plugin does not support setting propagation time"; fi
|
|
|
|
|
if [ -n "$PROPAGATION" ]; then echo "Gandi dns plugin does not support setting propagation time"; fi
|
|
|
|
|
PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini"
|
|
|
|
|
elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then
|
|
|
|
|
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
|
|
|
|
if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
|
|
|
|
PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}"
|
|
|
|
|
elif [[ "$DNSPLUGIN" =~ ^(aliyun|desec|dnspod|do|domeneshop|dynu|godaddy|he|hetzner|infomaniak|inwx|ionos|loopia|netcup|njalla|porkbun|transip|vultr)$ ]]; then
|
|
|
|
|
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
|
|
|
|
if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
|
|
|
|
PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
|
|
|
|
|
elif [[ "$DNSPLUGIN" =~ ^(standalone)$ ]]; then
|
|
|
|
|
if [ -n "$PROPAGATION" ];then echo "standalone dns plugin does not support setting propagation time"; fi
|
|
|
|
|
if [ -n "$PROPAGATION" ]; then echo "standalone dns plugin does not support setting propagation time"; fi
|
|
|
|
|
PREFCHAL="-a dns-${DNSPLUGIN}"
|
|
|
|
|
elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then
|
|
|
|
|
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
|
|
|
|
if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
|
|
|
|
PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
|
|
|
|
|
elif [[ "$DNSPLUGIN" =~ ^(azure)$ ]]; then
|
|
|
|
|
if [ -n "$PROPAGATION" ];then echo "Azure dns plugin does not support setting propagation time"; fi
|
|
|
|
|
if [ -n "$PROPAGATION" ]; then echo "Azure dns plugin does not support setting propagation time"; fi
|
|
|
|
|
PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini"
|
|
|
|
|
else
|
|
|
|
|
if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
|
|
|
|
if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
|
|
|
|
|
PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
|
|
|
|
|
fi
|
|
|
|
|
echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
|
|
|
|
@@ -178,7 +181,7 @@ fi
|
|
|
|
|
|
|
|
|
|
# setting the symlink for key location
|
|
|
|
|
rm -rf /config/keys/letsencrypt
|
|
|
|
|
if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ] ; then
|
|
|
|
|
if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ]; then
|
|
|
|
|
DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}"
|
|
|
|
|
ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt
|
|
|
|
|
else
|
|
|
|
@@ -214,12 +217,11 @@ if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "
|
|
|
|
|
if [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]]; then
|
|
|
|
|
certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
|
|
|
|
|
fi
|
|
|
|
|
rm -rf /config/etc/letsencrypt
|
|
|
|
|
mkdir -p /config/etc/letsencrypt
|
|
|
|
|
rm -rf /config/etc/letsencrypt/{archive,live,renewal}
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# saving new variables
|
|
|
|
|
echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" > /config/.donoteditthisfile.conf
|
|
|
|
|
echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" >/config/.donoteditthisfile.conf
|
|
|
|
|
|
|
|
|
|
# alter extension for error message
|
|
|
|
|
if [ "$DNSPLUGIN" = "google" ]; then
|
|
|
|
@@ -229,12 +231,11 @@ else
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# Check if the cert is using the old LE root cert, revoke and regen if necessary
|
|
|
|
|
if [ -f "/config/keys/letsencrypt/chain.pem" ] && ([ "${CERTPROVIDER}" == "letsencrypt" ] || [ "${CERTPROVIDER}" == "" ]) && [ "${STAGING}" != "true" ] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
|
|
|
|
|
if [ -f "/config/keys/letsencrypt/chain.pem" ] && { [ "${CERTPROVIDER}" == "letsencrypt" ] || [ "${CERTPROVIDER}" == "" ]; } && [ "${STAGING}" != "true" ] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
|
|
|
|
|
echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
|
|
|
|
|
REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
|
|
|
|
|
certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
|
|
|
|
|
rm -rf /config/etc/letsencrypt
|
|
|
|
|
mkdir -p /config/etc/letsencrypt
|
|
|
|
|
rm -rf /config/etc/letsencrypt/{archive,live,renewal}
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# generating certs if necessary
|
|
|
|
@@ -252,10 +253,8 @@ if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
|
|
|
|
|
fi
|
|
|
|
|
echo "Generating new certificate"
|
|
|
|
|
# shellcheck disable=SC2086
|
|
|
|
|
certbot certonly --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL
|
|
|
|
|
if [ -d /config/keys/letsencrypt ]; then
|
|
|
|
|
cd /config/keys/letsencrypt || exit
|
|
|
|
|
else
|
|
|
|
|
certbot certonly --non-interactive --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL
|
|
|
|
|
if [ ! -d /config/keys/letsencrypt ]; then
|
|
|
|
|
if [ "$VALIDATION" = "dns" ]; then
|
|
|
|
|
echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
|
|
|
|
|
elif [ "$VALIDATION" = "duckdns" ]; then
|
|
|
|
@@ -265,9 +264,7 @@ if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
|
|
|
|
|
fi
|
|
|
|
|
sleep infinity
|
|
|
|
|
fi
|
|
|
|
|
openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
|
|
|
|
|
sleep 1
|
|
|
|
|
cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
|
|
|
|
|
run-parts /config/etc/letsencrypt/renewal-hooks/deploy/
|
|
|
|
|
echo "New certificate generated; starting nginx"
|
|
|
|
|
else
|
|
|
|
|
echo "Certificate exists; parameters unchanged; starting nginx"
|
|
|
|
|