diff --git a/root/app/le-renew.sh b/root/app/le-renew.sh index dcdb595..7f2137a 100644 --- a/root/app/le-renew.sh +++ b/root/app/le-renew.sh @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash echo "<------------------------------------------------->" echo diff --git a/root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default b/root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default index aada3c5..e87f85c 100644 --- a/root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default +++ b/root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash cd /config/keys/letsencrypt || exit 1 openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: diff --git a/root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx b/root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx index f23a4d9..781831d 100644 --- a/root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx +++ b/root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx @@ -1,13 +1,15 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash +# shellcheck source=/dev/null . /config/.donoteditthisfile.conf -if [ ! "$ORIGVALIDATION" = "dns" ] && [ ! "$ORIGVALIDATION" = "duckdns" ]; then - if ps aux | grep 's6-supervise nginx' | grep -v grep >/dev/null; then +if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then + if pgrep -f "s6-supervise nginx" >/dev/null; then s6-svc -u /run/service/nginx fi else - if ps aux | grep [n]ginx: >/dev/null; then + if pgrep -f "nginx:" >/dev/null; then s6-svc -h /run/service/nginx fi fi diff --git a/root/defaults/etc/letsencrypt/renewal-hooks/pre/10-nginx b/root/defaults/etc/letsencrypt/renewal-hooks/pre/10-nginx index 638121c..cb493ea 100644 --- a/root/defaults/etc/letsencrypt/renewal-hooks/pre/10-nginx +++ b/root/defaults/etc/letsencrypt/renewal-hooks/pre/10-nginx @@ -1,9 +1,11 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash +# shellcheck source=/dev/null . /config/.donoteditthisfile.conf -if [ ! "$ORIGVALIDATION" = "dns" ] && [ ! "$ORIGVALIDATION" = "duckdns" ]; then - if ps aux | grep [n]ginx: >/dev/null; then +if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then + if pgrep -f "nginx:" >/dev/null; then s6-svc -d /run/service/nginx fi fi diff --git a/root/etc/cont-init.d/30-test-run b/root/etc/cont-init.d/30-test-run index d559814..f4b2243 100644 --- a/root/etc/cont-init.d/30-test-run +++ b/root/etc/cont-init.d/30-test-run @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # Echo init finish for test runs if [[ -n "${TEST_RUN}" ]]; then diff --git a/root/etc/cont-init.d/31-require-url b/root/etc/cont-init.d/31-require-url index 4761521..4e936fa 100644 --- a/root/etc/cont-init.d/31-require-url +++ b/root/etc/cont-init.d/31-require-url @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # check to make sure that the required variables are set if [[ -z "${URL}" ]]; then diff --git a/root/etc/cont-init.d/40-folders b/root/etc/cont-init.d/40-folders index a244cca..87cef4e 100644 --- a/root/etc/cont-init.d/40-folders +++ b/root/etc/cont-init.d/40-folders @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # make our folders and links mkdir -p \ diff --git a/root/etc/cont-init.d/41-samples b/root/etc/cont-init.d/41-samples index b80dd41..83054d6 100644 --- a/root/etc/cont-init.d/41-samples +++ b/root/etc/cont-init.d/41-samples @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # samples are removed on init by the nginx base diff --git a/root/etc/cont-init.d/42-fail2ban b/root/etc/cont-init.d/42-fail2ban index 36ed2de..abd14b4 100644 --- a/root/etc/cont-init.d/42-fail2ban +++ b/root/etc/cont-init.d/42-fail2ban @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # copy/update the fail2ban config defaults to/in /config cp -R /defaults/fail2ban/filter.d /config/fail2ban/ diff --git a/root/etc/cont-init.d/43-crontabs b/root/etc/cont-init.d/43-crontabs index 2cc0d27..30065b7 100644 --- a/root/etc/cont-init.d/43-crontabs +++ b/root/etc/cont-init.d/43-crontabs @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # copy crontabs if needed if [[ ! -f /config/crontabs/root ]]; then diff --git a/root/etc/cont-init.d/45-nginx b/root/etc/cont-init.d/45-nginx index 87778b7..e94c92a 100644 --- a/root/etc/cont-init.d/45-nginx +++ b/root/etc/cont-init.d/45-nginx @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # copy default config files if they don't exist if [[ ! -f /config/nginx/proxy.conf ]]; then diff --git a/root/etc/cont-init.d/50-certbot b/root/etc/cont-init.d/50-certbot index b36310e..395a6d8 100644 --- a/root/etc/cont-init.d/50-certbot +++ b/root/etc/cont-init.d/50-certbot @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # Display variables for troubleshooting echo -e "Variables set:\\n\ @@ -18,12 +19,12 @@ STAGING=${STAGING}\\n" # Sanitize variables SANED_VARS=(DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER) for i in "${SANED_VARS[@]}"; do - export echo "$i"="${!i//\"/}" - export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')" + export echo "${i}"="${!i//\"/}" + export echo "${i}"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')" done # check to make sure DNSPLUGIN is selected if dns validation is used -if [[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(acmedns|aliyun|azure|cloudflare|cloudxns|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|do|domeneshop|duckdns|dynu|gandi|gehirn|godaddy|google|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|porkbun|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then +if [[ "${VALIDATION}" = "dns" ]] && [[ ! "${DNSPLUGIN}" =~ ^(acmedns|aliyun|azure|cloudflare|cloudxns|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|do|domeneshop|duckdns|dynu|gandi|gehirn|godaddy|google|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|porkbun|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details." sleep infinity fi @@ -46,34 +47,34 @@ cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal chown -R abc:abc /config/etc/letsencrypt/renewal-hooks # create original config file if it doesn't exist, move non-hidden legacy file to hidden -if [ -f "/config/donoteditthisfile.conf" ]; then +if [[ -f "/config/donoteditthisfile.conf" ]]; then mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf fi -if [ ! -f "/config/.donoteditthisfile.conf" ]; then - echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" >/config/.donoteditthisfile.conf +if [[ ! -f "/config/.donoteditthisfile.conf" ]]; then + echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf echo "Created .donoteditthisfile.conf" fi # load original config settings -# shellcheck disable=SC1091 +# shellcheck source=/dev/null . /config/.donoteditthisfile.conf # set default validation to http -if [ -z "$VALIDATION" ]; then +if [[ -z "${VALIDATION}" ]]; then VALIDATION="http" echo "VALIDATION parameter not set; setting it to http" fi # set duckdns validation to dns -if [ "$VALIDATION" = "duckdns" ]; then +if [[ "${VALIDATION}" = "duckdns" ]]; then VALIDATION="dns" DNSPLUGIN="duckdns" - if [ -n "$DUCKDNSTOKEN" ] && ! grep -q "dns_duckdns_token=${DUCKDNSTOKEN}$" /config/dns-conf/duckdns.ini;then + if [[ -n "${DUCKDNSTOKEN}" ]] && ! grep -q "dns_duckdns_token=${DUCKDNSTOKEN}$" /config/dns-conf/duckdns.ini; then sed -i "s|^dns_duckdns_token=.*|dns_duckdns_token=${DUCKDNSTOKEN}|g" /config/dns-conf/duckdns.ini fi fi -if [ "$VALIDATION" = "dns" ] && [ "$DNSPLUGIN" = "duckdns" ]; then - if [ "$SUBDOMAINS" = "wildcard" ]; then +if [[ "${VALIDATION}" = "dns" ]] && [[ "${DNSPLUGIN}" = "duckdns" ]]; then + if [[ "${SUBDOMAINS}" = "wildcard" ]]; then echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org" export ONLY_SUBDOMAINS=true else @@ -84,16 +85,16 @@ if [ "$VALIDATION" = "dns" ] && [ "$DNSPLUGIN" = "duckdns" ]; then fi # if zerossl is selected or staging is set to true, use the relevant server -if [ "$CERTPROVIDER" = "zerossl" ] && [ "$STAGING" = "true" ]; then +if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ "${STAGING}" = "true" ]]; then echo "ZeroSSL does not support staging mode, ignoring STAGING variable" fi -if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then - echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL" +if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then + echo "ZeroSSL is selected as the cert provider, registering cert with ${EMAIL}" ACMESERVER="https://acme.zerossl.com/v2/DV90" -elif [ "$CERTPROVIDER" = "zerossl" ] && [ -z "$EMAIL" ]; then +elif [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -z "${EMAIL}" ]]; then echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable" sleep infinity -elif [ "$STAGING" = "true" ]; then +elif [[ "${STAGING}" = "true" ]]; then echo "NOTICE: Staging is active" echo "Using Let's Encrypt as the cert provider" ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" @@ -103,46 +104,46 @@ else fi # figuring out url only vs url & subdomains vs subdomains only -if [ -n "$SUBDOMAINS" ]; then +if [[ -n "${SUBDOMAINS}" ]]; then echo "SUBDOMAINS entered, processing" - if [ "$SUBDOMAINS" = "wildcard" ]; then - if [ "$ONLY_SUBDOMAINS" = true ]; then + if [[ "${SUBDOMAINS}" = "wildcard" ]]; then + if [[ "${ONLY_SUBDOMAINS}" = true ]]; then export URL_REAL="-d *.${URL}" - echo "Wildcard cert for only the subdomains of $URL will be requested" + echo "Wildcard cert for only the subdomains of ${URL} will be requested" else export URL_REAL="-d *.${URL} -d ${URL}" - echo "Wildcard cert for $URL will be requested" + echo "Wildcard cert for ${URL} will be requested" fi else echo "SUBDOMAINS entered, processing" - for job in $(echo "$SUBDOMAINS" | tr "," " "); do - export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}" + for job in $(echo "${SUBDOMAINS}" | tr "," " "); do + export SUBDOMAINS_REAL="${SUBDOMAINS_REAL} -d ${job}.${URL}" done - if [ "$ONLY_SUBDOMAINS" = true ]; then - URL_REAL="$SUBDOMAINS_REAL" + if [[ "${ONLY_SUBDOMAINS}" = true ]]; then + URL_REAL="${SUBDOMAINS_REAL}" echo "Only subdomains, no URL in cert" else URL_REAL="-d ${URL}${SUBDOMAINS_REAL}" fi - echo "Sub-domains processed are: $SUBDOMAINS_REAL" + echo "Sub-domains processed are: ${SUBDOMAINS_REAL}" fi else echo "No subdomains defined" - URL_REAL="-d $URL" + URL_REAL="-d ${URL}" fi # add extra domains -if [ -n "$EXTRA_DOMAINS" ]; then +if [[ -n "${EXTRA_DOMAINS}" ]]; then echo "EXTRA_DOMAINS entered, processing" - for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do - export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}" + for job in $(echo "${EXTRA_DOMAINS}" | tr "," " "); do + export EXTRA_DOMAINS_REAL="${EXTRA_DOMAINS_REAL} -d ${job}" done - echo "Extra domains processed are: $EXTRA_DOMAINS_REAL" - URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL" + echo "Extra domains processed are: ${EXTRA_DOMAINS_REAL}" + URL_REAL="${URL_REAL} ${EXTRA_DOMAINS_REAL}" fi # figuring out whether to use e-mail and which -if [[ $EMAIL == *@* ]]; then +if [[ ${EMAIL} == *@* ]]; then echo "E-mail address entered: ${EMAIL}" EMAILPARAM="-m ${EMAIL} --no-eff-email" else @@ -151,34 +152,34 @@ else fi # setting the validation method to use -if [ "$VALIDATION" = "dns" ]; then - if [ "$DNSPLUGIN" = "route53" ]; then - if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi +if [[ "${VALIDATION}" = "dns" ]]; then + if [[ "${DNSPLUGIN}" = "route53" ]]; then + if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(azure|gandi)$ ]]; then - if [ -n "$PROPAGATION" ]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi + elif [[ "${DNSPLUGIN}" =~ ^(azure|gandi)$ ]]; then + if [[ -n "${PROPAGATION}" ]]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini" - elif [[ "$DNSPLUGIN" =~ ^(duckdns)$ ]]; then - if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + elif [[ "${DNSPLUGIN}" =~ ^(duckdns)$ ]]; then + if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini --dns-duckdns-no-txt-restore ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then - if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + elif [[ "${DNSPLUGIN}" =~ ^(google)$ ]]; then + if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(acmedns|aliyun|cpanel|desec|dnspod|do|domeneshop|dynu|godaddy|he|hetzner|infomaniak|inwx|ionos|loopia|netcup|njalla|porkbun|transip|vultr)$ ]]; then - if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + elif [[ "${DNSPLUGIN}" =~ ^(acmedns|aliyun|cpanel|desec|dnspod|do|domeneshop|dynu|godaddy|he|hetzner|infomaniak|inwx|ionos|loopia|netcup|njalla|porkbun|transip|vultr)$ ]]; then + if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(standalone)$ ]]; then - if [ -n "$PROPAGATION" ]; then echo "standalone dns plugin does not support setting propagation time"; fi + elif [[ "${DNSPLUGIN}" =~ ^(standalone)$ ]]; then + if [[ -n "${PROPAGATION}" ]]; then echo "standalone dns plugin does not support setting propagation time"; fi PREFCHAL="-a dns-${DNSPLUGIN}" - elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then - if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + elif [[ "${DNSPLUGIN}" =~ ^(directadmin)$ ]]; then + if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" else - if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi + if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" fi echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected" -elif [ "$VALIDATION" = "tls-sni" ]; then +elif [[ "${VALIDATION}" = "tls-sni" ]]; then PREFCHAL="--standalone --preferred-challenges http" echo "*****tls-sni validation has been deprecated, attempting http validation instead" else @@ -188,69 +189,69 @@ fi # setting the symlink for key location rm -rf /config/keys/letsencrypt -if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ]; then - DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}" - ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt +if [[ "${ONLY_SUBDOMAINS}" = "true" ]] && [[ ! "${SUBDOMAINS}" = "wildcard" ]]; then + DOMAIN="$(echo "${SUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${URL}" + ln -s ../etc/letsencrypt/live/"${DOMAIN}" /config/keys/letsencrypt else - ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt + ln -s ../etc/letsencrypt/live/"${URL}" /config/keys/letsencrypt fi # checking for changes in cert variables, revoking certs if necessary -if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ] || [ ! "$VALIDATION" = "$ORIGVALIDATION" ] || [ ! "$DNSPLUGIN" = "$ORIGDNSPLUGIN" ] || [ ! "$PROPAGATION" = "$ORIGPROPAGATION" ] || [ ! "$STAGING" = "$ORIGSTAGING" ] || [ ! "$CERTPROVIDER" = "$ORIGCERTPROVIDER" ]; then +if [[ ! "${URL}" = "${ORIGURL}" ]] || [[ ! "${SUBDOMAINS}" = "${ORIGSUBDOMAINS}" ]] || [[ ! "${ONLY_SUBDOMAINS}" = "${ORIGONLY_SUBDOMAINS}" ]] || [[ ! "${EXTRA_DOMAINS}" = "${ORIGEXTRA_DOMAINS}" ]] || [[ ! "${VALIDATION}" = "${ORIGVALIDATION}" ]] || [[ ! "${DNSPLUGIN}" = "${ORIGDNSPLUGIN}" ]] || [[ ! "${PROPAGATION}" = "${ORIGPROPAGATION}" ]] || [[ ! "${STAGING}" = "${ORIGSTAGING}" ]] || [[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]]; then echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created" - if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! "$ORIGSUBDOMAINS" = "wildcard" ]; then - ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}" + if [[ "${ORIGONLY_SUBDOMAINS}" = "true" ]] && [[ ! "${ORIGSUBDOMAINS}" = "wildcard" ]]; then + ORIGDOMAIN="$(echo "${ORIGSUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${ORIGURL}" else - ORIGDOMAIN="$ORIGURL" + ORIGDOMAIN="${ORIGURL}" fi - if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then - REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL") - REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") - REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") - if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then + if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]] && [[ -n "${ORIGEMAIL}" ]]; then + REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${ORIGEMAIL}") + REV_ZEROSSL_EAB_KID=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") + REV_ZEROSSL_EAB_HMAC_KEY=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") + if [[ -z "${REV_ZEROSSL_EAB_KID}" ]] || [[ -z "${REV_ZEROSSL_EAB_HMAC_KEY}" ]]; then echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." sleep infinity fi REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}" - elif [ "$ORIGSTAGING" = "true" ]; then + elif [[ "${ORIGSTAGING}" = "true" ]]; then REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory" else REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" fi - if [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]]; then - certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER + if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then + certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER} fi rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal} fi # saving new variables -echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" >/config/.donoteditthisfile.conf +echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf # alter extension for error message -if [ "$DNSPLUGIN" = "google" ]; then - FILENAME="$DNSPLUGIN.json" +if [[ "${DNSPLUGIN}" = "google" ]]; then + FILENAME="${DNSPLUGIN}.json" else - FILENAME="$DNSPLUGIN.ini" + FILENAME="${DNSPLUGIN}.ini" fi # Check if the cert is using the old LE root cert, revoke and regen if necessary -if [ -f "/config/keys/letsencrypt/chain.pem" ] && { [ "${CERTPROVIDER}" == "letsencrypt" ] || [ "${CERTPROVIDER}" == "" ]; } && [ "${STAGING}" != "true" ] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then +if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "letsencrypt" ]] || [[ "${CERTPROVIDER}" == "" ]]; } && [[ "${STAGING}" != "true" ]] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking." REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory" - if [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]]; then - certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER + if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then + certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER} fi rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal} fi # generating certs if necessary -if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then - if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then +if [[ ! -f "/config/keys/letsencrypt/fullchain.pem" ]]; then + if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then echo "Retrieving EAB from ZeroSSL" - EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL") - ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") - ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") - if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then + EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${EMAIL}") + ZEROSSL_EAB_KID=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])") + ZEROSSL_EAB_HMAC_KEY=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])") + if [[ -z "${ZEROSSL_EAB_KID}" ]] || [[ -z "${ZEROSSL_EAB_HMAC_KEY}" ]]; then echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping." sleep infinity fi @@ -258,9 +259,9 @@ if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then fi echo "Generating new certificate" # shellcheck disable=SC2086 - certbot certonly --non-interactive --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL - if [ ! -d /config/keys/letsencrypt ]; then - if [ "$VALIDATION" = "dns" ]; then + certbot certonly --non-interactive --renew-by-default --server ${ACMESERVER} ${ZEROSSL_EAB} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${URL_REAL} + if [[ ! -d /config/keys/letsencrypt ]]; then + if [[ "${VALIDATION}" = "dns" ]]; then echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file." else echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container" @@ -274,7 +275,7 @@ else fi # if certbot generated key exists, remove self-signed cert and replace it with symlink to live cert -if [ -d /config/keys/letsencrypt ]; then +if [[ -d /config/keys/letsencrypt ]]; then rm -rf /config/keys/cert.crt ln -s ./letsencrypt/fullchain.pem /config/keys/cert.crt rm -rf /config/keys/cert.key diff --git a/root/etc/cont-init.d/55-permissions b/root/etc/cont-init.d/55-permissions index 6808b20..4c50bd8 100644 --- a/root/etc/cont-init.d/55-permissions +++ b/root/etc/cont-init.d/55-permissions @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # permissions chown -R abc:abc \ diff --git a/root/etc/cont-init.d/60-renew b/root/etc/cont-init.d/60-renew index 0bc3daa..b402a0b 100644 --- a/root/etc/cont-init.d/60-renew +++ b/root/etc/cont-init.d/60-renew @@ -1,7 +1,8 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash # Check if the cert is expired or expires within a day, if so, renew -if openssl x509 -in /config/keys/letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then +if openssl x509 -in /config/keys/letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then echo "The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am)." else echo "The cert is either expired or it expires within the next day. Attempting to renew. This could take up to 10 minutes." diff --git a/root/etc/cont-init.d/70-outdated b/root/etc/cont-init.d/70-outdated index 04e0335..42f3ad1 100644 --- a/root/etc/cont-init.d/70-outdated +++ b/root/etc/cont-init.d/70-outdated @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash if [[ -f /config/nginx/geoip2.conf ]]; then echo "/config/nginx/geoip2.conf exists. diff --git a/root/etc/services.d/fail2ban/run b/root/etc/services.d/fail2ban/run index 6f7f3af..a06f3d0 100644 --- a/root/etc/services.d/fail2ban/run +++ b/root/etc/services.d/fail2ban/run @@ -1,4 +1,5 @@ #!/usr/bin/with-contenv bash +# shellcheck shell=bash exec \ fail2ban-client -x -f start