mirror of
https://github.com/linuxserver/docker-swag.git
synced 2026-03-04 01:13:35 +09:00
Compare commits
6 Commits
2.11.0-ls3
...
renewal-ho
| Author | SHA1 | Date | |
|---|---|---|---|
|
732b6d1bf1 | ||
|
|
0c3bc63349 | ||
|
ed0c949267 | ||
|
|
5027f6f7b3 | ||
|
|
502d10303c | ||
|
|
00afe35e21 |
@@ -131,7 +131,7 @@ RUN \
|
||||
certbot-dns-transip \
|
||||
certbot-dns-vultr \
|
||||
certbot-plugin-gandi \
|
||||
cryptography \
|
||||
cryptography==42.0.7 \
|
||||
future \
|
||||
requests && \
|
||||
echo "**** enable OCSP stapling from base ****" && \
|
||||
|
||||
@@ -131,7 +131,7 @@ RUN \
|
||||
certbot-dns-transip \
|
||||
certbot-dns-vultr \
|
||||
certbot-plugin-gandi \
|
||||
cryptography \
|
||||
cryptography==42.0.7 \
|
||||
future \
|
||||
requests && \
|
||||
echo "**** enable OCSP stapling from base ****" && \
|
||||
|
||||
@@ -400,6 +400,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
|
||||
|
||||
## Versions
|
||||
|
||||
* **30.08.24:** - Fix zerossl cert revocation.
|
||||
* **24.07.14:** - Rebase to Alpine 3.20. Remove deprecated Google Domains certbot plugin. Existing users should update their nginx confs to avoid http2 deprecation warnings.
|
||||
* **01.07.24:** - Fall back to iptables-legacy if iptables doesn't work.
|
||||
* **23.03.24:** - Fix perms on the generated `priv-fullchain-bundle.pem`.
|
||||
|
||||
@@ -8,7 +8,7 @@ alpine-release 3.20.2-r0 apk
|
||||
aom-libs 3.9.1-r0 apk
|
||||
apache2-utils 2.4.62-r0 apk
|
||||
apk-tools 2.14.4-r0 apk
|
||||
apr 1.7.4-r0 apk
|
||||
apr 1.7.5-r0 apk
|
||||
apr-util 1.6.3-r1 apk
|
||||
argon2-libs 20190702-r5 apk
|
||||
attrs 24.2.0 python
|
||||
@@ -21,8 +21,8 @@ azure-mgmt-dns 8.1.0 python
|
||||
backports-tarfile 1.2.0 python
|
||||
bash 5.2.26-r0 apk
|
||||
beautifulsoup4 4.12.3 python
|
||||
boto3 1.35.10 python
|
||||
botocore 1.35.10 python
|
||||
boto3 1.35.14 python
|
||||
botocore 1.35.14 python
|
||||
brotli-libs 1.1.0-r2 apk
|
||||
bs4 0.0.2 python
|
||||
busybox 1.36.1-r29 apk
|
||||
@@ -78,18 +78,18 @@ certbot-dns-transip 0.5.2 python
|
||||
certbot-dns-vultr 1.1.0 python
|
||||
certbot-plugin-gandi 1.5.0 python
|
||||
certifi 2024.8.30 python
|
||||
cffi 1.17.0 python
|
||||
cffi 1.17.1 python
|
||||
charset-normalizer 3.3.2 python
|
||||
cloudflare 2.19.4 python
|
||||
composer 2.7.8 binary
|
||||
composer 2.7.9 binary
|
||||
configargparse 1.7 python
|
||||
configobj 5.0.8 python
|
||||
coreutils 9.5-r1 apk
|
||||
coreutils-env 9.5-r1 apk
|
||||
coreutils-fmt 9.5-r1 apk
|
||||
coreutils-sha512sum 9.5-r1 apk
|
||||
cryptography 43.0.0 python
|
||||
curl 8.9.0-r0 apk
|
||||
cryptography 43.0.1 python
|
||||
curl 8.9.1-r1 apk
|
||||
distro 1.9.0 python
|
||||
dns-lexicon 3.18.0 python
|
||||
dnslib 0.9.25 python
|
||||
@@ -116,7 +116,7 @@ gnupg-utils 2.4.5-r0 apk
|
||||
gnupg-wks-client 2.4.5-r0 apk
|
||||
gnutls 3.8.5-r0 apk
|
||||
google-api-core 2.19.2 python
|
||||
google-api-python-client 2.143.0 python
|
||||
google-api-python-client 2.144.0 python
|
||||
google-auth 2.34.0 python
|
||||
google-auth-httplib2 0.2.0 python
|
||||
googleapis-common-protos 1.65.0 python
|
||||
@@ -142,19 +142,19 @@ jmespath 1.0.1 python
|
||||
josepy 1.14.0 python
|
||||
jq 1.7.1-r0 apk
|
||||
jsonlines 4.0.0 python
|
||||
jsonpickle 3.2.2 python
|
||||
jsonpickle 3.3.0 python
|
||||
libacl 2.3.2-r0 apk
|
||||
libassuan 2.5.7-r0 apk
|
||||
libattr 2.5.2-r0 apk
|
||||
libavif 1.0.4-r0 apk
|
||||
libbsd 0.12.2-r0 apk
|
||||
libbz2 1.0.8-r6 apk
|
||||
libcrypto3 3.3.1-r3 apk
|
||||
libcurl 8.9.0-r0 apk
|
||||
libcrypto3 3.3.2-r0 apk
|
||||
libcurl 8.9.1-r1 apk
|
||||
libdav1d 1.4.2-r0 apk
|
||||
libedit 20240517.3.1-r0 apk
|
||||
libevent 2.1.12-r7 apk
|
||||
libexpat 2.6.2-r0 apk
|
||||
libexpat 2.6.3-r0 apk
|
||||
libffi 3.4.6-r0 apk
|
||||
libgcc 13.2.1_git20240309-r0 apk
|
||||
libgcrypt 1.10.3-r0 apk
|
||||
@@ -185,7 +185,7 @@ libseccomp 2.5.5-r1 apk
|
||||
libsharpyuv 1.3.2-r0 apk
|
||||
libsm 1.2.4-r4 apk
|
||||
libsodium 1.0.19-r0 apk
|
||||
libssl3 3.3.1-r3 apk
|
||||
libssl3 3.3.2-r0 apk
|
||||
libstdc++ 13.2.1_git20240309-r0 apk
|
||||
libtasn1 4.19.0-r2 apk
|
||||
libunistring 1.2-r0 apk
|
||||
@@ -211,7 +211,7 @@ memcached 1.6.27-r0 apk
|
||||
mock 5.1.0 python
|
||||
more-itertools 10.3.0 python
|
||||
mpdecimal 4.0.0-r0 apk
|
||||
msal 1.30.0 python
|
||||
msal 1.31.0 python
|
||||
msal-extensions 1.2.0 python
|
||||
musl 1.2.5-r0 apk
|
||||
musl-utils 1.2.5-r0 apk
|
||||
@@ -242,7 +242,7 @@ nginx-mod-stream-geoip2 1.26.2-r0 apk
|
||||
nginx-vim 1.26.2-r0 apk
|
||||
npth 1.6-r4 apk
|
||||
oniguruma 6.9.9-r0 apk
|
||||
openssl 3.3.1-r3 apk
|
||||
openssl 3.3.2-r0 apk
|
||||
p11-kit 0.25.3-r0 apk
|
||||
packaging 24.1 python
|
||||
parsedatetime 2.6 python
|
||||
@@ -335,7 +335,7 @@ requests-mock 1.12.1 python
|
||||
rsa 4.9 python
|
||||
s3transfer 0.10.2 python
|
||||
scanelf 1.3.7-r2 apk
|
||||
setuptools 74.0.0 python
|
||||
setuptools 74.1.2 python
|
||||
shadow 4.15.1-r0 apk
|
||||
six 1.16.0 python
|
||||
skalibs 2.14.1.1-r0 apk
|
||||
|
||||
@@ -140,6 +140,7 @@ app_setup_block: |
|
||||
|
||||
# changelog
|
||||
changelogs:
|
||||
- { date: "30.08.24:", desc: "Fix zerossl cert revocation." }
|
||||
- { date: "24.07.14:", desc: "Rebase to Alpine 3.20. Remove deprecated Google Domains certbot plugin. Existing users should update their nginx confs to avoid http2 deprecation warnings."}
|
||||
- { date: "01.07.24:", desc: "Fall back to iptables-legacy if iptables doesn't work." }
|
||||
- { date: "23.03.24:", desc: "Fix perms on the generated `priv-fullchain-bundle.pem`." }
|
||||
|
||||
0
root/app/le-renew.sh
Normal file → Executable file
0
root/app/le-renew.sh
Normal file → Executable file
2
root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default
Normal file → Executable file
2
root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default
Normal file → Executable file
@@ -1,7 +1,9 @@
|
||||
#!/usr/bin/with-contenv bash
|
||||
# shellcheck shell=bash
|
||||
# Notice: This file will be overwritten when updated by lsio. Add your custom scripts into a new file in this folder.
|
||||
|
||||
cd /config/keys/letsencrypt || exit 1
|
||||
echo "**** Generating pfx and fullchain bundle certs ****"
|
||||
openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
|
||||
sleep 1
|
||||
cat {privkey,fullchain}.pem >priv-fullchain-bundle.pem
|
||||
|
||||
3
root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx
Normal file → Executable file
3
root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx
Normal file → Executable file
@@ -1,15 +1,18 @@
|
||||
#!/usr/bin/with-contenv bash
|
||||
# shellcheck shell=bash
|
||||
# Notice: This file will be overwritten when updated by lsio. Add your custom scripts into a new file in this folder.
|
||||
|
||||
# shellcheck source=/dev/null
|
||||
. /config/.donoteditthisfile.conf
|
||||
|
||||
if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then
|
||||
if pgrep -f "s6-supervise svc-nginx" >/dev/null; then
|
||||
echo "**** Starting Nginx ****"
|
||||
s6-svc -u /run/service/svc-nginx
|
||||
fi
|
||||
else
|
||||
if pgrep -f "nginx:" >/dev/null; then
|
||||
echo "**** Reloading Nginx to load the new cert ****"
|
||||
s6-svc -h /run/service/svc-nginx
|
||||
fi
|
||||
fi
|
||||
|
||||
2
root/defaults/etc/letsencrypt/renewal-hooks/pre/10-nginx
Normal file → Executable file
2
root/defaults/etc/letsencrypt/renewal-hooks/pre/10-nginx
Normal file → Executable file
@@ -1,11 +1,13 @@
|
||||
#!/usr/bin/with-contenv bash
|
||||
# shellcheck shell=bash
|
||||
# Notice: This file will be overwritten when updated by lsio. Add your custom scripts into a new file in this folder.
|
||||
|
||||
# shellcheck source=/dev/null
|
||||
. /config/.donoteditthisfile.conf
|
||||
|
||||
if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then
|
||||
if pgrep -f "nginx:" >/dev/null; then
|
||||
echo "**** Stopping Nginx in preparation of cert generation/renewal ****"
|
||||
s6-svc -d /run/service/svc-nginx
|
||||
fi
|
||||
fi
|
||||
|
||||
@@ -68,14 +68,9 @@ lsiown -R abc:abc /config/dns-conf
|
||||
|
||||
# copy default renewal hooks
|
||||
chmod -R +x /defaults/etc/letsencrypt/renewal-hooks
|
||||
cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/ 2> >(grep -v 'cp: not replacing')
|
||||
cp -Rf /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/ 2> >(grep -v 'cp: not replacing')
|
||||
lsiown -R abc:abc /config/etc/letsencrypt/renewal-hooks
|
||||
|
||||
# replace nginx service location in renewal hooks
|
||||
find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|/run/service/nginx|/run/service/svc-nginx|g' {} \;
|
||||
find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|/var/run/s6/services/nginx|/run/service/svc-nginx|g' {} \;
|
||||
find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|s6-supervise nginx|s6-supervise svc-nginx|g' {} \;
|
||||
|
||||
# create original config file if it doesn't exist, move non-hidden legacy file to hidden
|
||||
if [[ -f "/config/donoteditthisfile.conf" ]]; then
|
||||
mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
|
||||
@@ -189,24 +184,15 @@ if [[ ! "${URL}" = "${ORIGURL}" ]] ||
|
||||
[[ ! "${STAGING}" = "${ORIGSTAGING}" ]] ||
|
||||
[[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]]; then
|
||||
echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
|
||||
if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]] && [[ -n "${ORIGEMAIL}" ]]; then
|
||||
if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]]; then
|
||||
REV_ACMESERVER=("https://acme.zerossl.com/v2/DV90")
|
||||
REV_ZEROSSL_EAB_KID=$(awk -F "=" '/eab-kid/ {print $2}' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf" | tr -d ' ')
|
||||
REV_ZEROSSL_EAB_HMAC_KEY=$(awk -F "=" '/eab-hmac-key/ {print $2}' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf" | tr -d ' ')
|
||||
if [[ -z "${REV_ZEROSSL_EAB_KID}" ]] || [[ -z "${REV_ZEROSSL_EAB_HMAC_KEY}" ]]; then
|
||||
REV_ZEROSSL_EAB_KID=$(awk -F "=" '/eab-kid/ {print $2}' /config/etc/letsencrypt/cli.ini | tr -d ' ')
|
||||
REV_ZEROSSL_EAB_HMAC_KEY=$(awk -F "=" '/eab-hmac-key/ {print $2}' /config/etc/letsencrypt/cli.ini | tr -d ' ')
|
||||
fi
|
||||
if [[ -n "${REV_ZEROSSL_EAB_KID}" ]] && [[ -n "${REV_ZEROSSL_EAB_HMAC_KEY}" ]]; then
|
||||
REV_ACMESERVER+=("--eab-kid" "${REV_ZEROSSL_EAB_KID}" "--eab-hmac-key" "${REV_ZEROSSL_EAB_HMAC_KEY}")
|
||||
fi
|
||||
elif [[ "${ORIGSTAGING}" = "true" ]]; then
|
||||
REV_ACMESERVER=("https://acme-staging-v02.api.letsencrypt.org/directory")
|
||||
else
|
||||
REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
|
||||
fi
|
||||
if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
|
||||
certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true
|
||||
certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --key-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/privkey.pem --server "${REV_ACMESERVER[@]}" || true
|
||||
else
|
||||
certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
|
||||
fi
|
||||
|
||||
Reference in New Issue
Block a user