Compare commits
6 Commits
2.11.0-ls3
...
renewal-ho
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
732b6d1bf1 | ||
|
|
0c3bc63349 | ||
|
|
ed0c949267 | ||
|
|
5027f6f7b3 | ||
|
|
502d10303c | ||
|
|
00afe35e21 |
@@ -131,7 +131,7 @@ RUN \
|
|||||||
certbot-dns-transip \
|
certbot-dns-transip \
|
||||||
certbot-dns-vultr \
|
certbot-dns-vultr \
|
||||||
certbot-plugin-gandi \
|
certbot-plugin-gandi \
|
||||||
cryptography \
|
cryptography==42.0.7 \
|
||||||
future \
|
future \
|
||||||
requests && \
|
requests && \
|
||||||
echo "**** enable OCSP stapling from base ****" && \
|
echo "**** enable OCSP stapling from base ****" && \
|
||||||
|
|||||||
@@ -131,7 +131,7 @@ RUN \
|
|||||||
certbot-dns-transip \
|
certbot-dns-transip \
|
||||||
certbot-dns-vultr \
|
certbot-dns-vultr \
|
||||||
certbot-plugin-gandi \
|
certbot-plugin-gandi \
|
||||||
cryptography \
|
cryptography==42.0.7 \
|
||||||
future \
|
future \
|
||||||
requests && \
|
requests && \
|
||||||
echo "**** enable OCSP stapling from base ****" && \
|
echo "**** enable OCSP stapling from base ****" && \
|
||||||
|
|||||||
@@ -400,6 +400,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
|
|||||||
|
|
||||||
## Versions
|
## Versions
|
||||||
|
|
||||||
|
* **30.08.24:** - Fix zerossl cert revocation.
|
||||||
* **24.07.14:** - Rebase to Alpine 3.20. Remove deprecated Google Domains certbot plugin. Existing users should update their nginx confs to avoid http2 deprecation warnings.
|
* **24.07.14:** - Rebase to Alpine 3.20. Remove deprecated Google Domains certbot plugin. Existing users should update their nginx confs to avoid http2 deprecation warnings.
|
||||||
* **01.07.24:** - Fall back to iptables-legacy if iptables doesn't work.
|
* **01.07.24:** - Fall back to iptables-legacy if iptables doesn't work.
|
||||||
* **23.03.24:** - Fix perms on the generated `priv-fullchain-bundle.pem`.
|
* **23.03.24:** - Fix perms on the generated `priv-fullchain-bundle.pem`.
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ alpine-release 3.20.2-r0 apk
|
|||||||
aom-libs 3.9.1-r0 apk
|
aom-libs 3.9.1-r0 apk
|
||||||
apache2-utils 2.4.62-r0 apk
|
apache2-utils 2.4.62-r0 apk
|
||||||
apk-tools 2.14.4-r0 apk
|
apk-tools 2.14.4-r0 apk
|
||||||
apr 1.7.4-r0 apk
|
apr 1.7.5-r0 apk
|
||||||
apr-util 1.6.3-r1 apk
|
apr-util 1.6.3-r1 apk
|
||||||
argon2-libs 20190702-r5 apk
|
argon2-libs 20190702-r5 apk
|
||||||
attrs 24.2.0 python
|
attrs 24.2.0 python
|
||||||
@@ -21,8 +21,8 @@ azure-mgmt-dns 8.1.0 python
|
|||||||
backports-tarfile 1.2.0 python
|
backports-tarfile 1.2.0 python
|
||||||
bash 5.2.26-r0 apk
|
bash 5.2.26-r0 apk
|
||||||
beautifulsoup4 4.12.3 python
|
beautifulsoup4 4.12.3 python
|
||||||
boto3 1.35.10 python
|
boto3 1.35.14 python
|
||||||
botocore 1.35.10 python
|
botocore 1.35.14 python
|
||||||
brotli-libs 1.1.0-r2 apk
|
brotli-libs 1.1.0-r2 apk
|
||||||
bs4 0.0.2 python
|
bs4 0.0.2 python
|
||||||
busybox 1.36.1-r29 apk
|
busybox 1.36.1-r29 apk
|
||||||
@@ -78,18 +78,18 @@ certbot-dns-transip 0.5.2 python
|
|||||||
certbot-dns-vultr 1.1.0 python
|
certbot-dns-vultr 1.1.0 python
|
||||||
certbot-plugin-gandi 1.5.0 python
|
certbot-plugin-gandi 1.5.0 python
|
||||||
certifi 2024.8.30 python
|
certifi 2024.8.30 python
|
||||||
cffi 1.17.0 python
|
cffi 1.17.1 python
|
||||||
charset-normalizer 3.3.2 python
|
charset-normalizer 3.3.2 python
|
||||||
cloudflare 2.19.4 python
|
cloudflare 2.19.4 python
|
||||||
composer 2.7.8 binary
|
composer 2.7.9 binary
|
||||||
configargparse 1.7 python
|
configargparse 1.7 python
|
||||||
configobj 5.0.8 python
|
configobj 5.0.8 python
|
||||||
coreutils 9.5-r1 apk
|
coreutils 9.5-r1 apk
|
||||||
coreutils-env 9.5-r1 apk
|
coreutils-env 9.5-r1 apk
|
||||||
coreutils-fmt 9.5-r1 apk
|
coreutils-fmt 9.5-r1 apk
|
||||||
coreutils-sha512sum 9.5-r1 apk
|
coreutils-sha512sum 9.5-r1 apk
|
||||||
cryptography 43.0.0 python
|
cryptography 43.0.1 python
|
||||||
curl 8.9.0-r0 apk
|
curl 8.9.1-r1 apk
|
||||||
distro 1.9.0 python
|
distro 1.9.0 python
|
||||||
dns-lexicon 3.18.0 python
|
dns-lexicon 3.18.0 python
|
||||||
dnslib 0.9.25 python
|
dnslib 0.9.25 python
|
||||||
@@ -116,7 +116,7 @@ gnupg-utils 2.4.5-r0 apk
|
|||||||
gnupg-wks-client 2.4.5-r0 apk
|
gnupg-wks-client 2.4.5-r0 apk
|
||||||
gnutls 3.8.5-r0 apk
|
gnutls 3.8.5-r0 apk
|
||||||
google-api-core 2.19.2 python
|
google-api-core 2.19.2 python
|
||||||
google-api-python-client 2.143.0 python
|
google-api-python-client 2.144.0 python
|
||||||
google-auth 2.34.0 python
|
google-auth 2.34.0 python
|
||||||
google-auth-httplib2 0.2.0 python
|
google-auth-httplib2 0.2.0 python
|
||||||
googleapis-common-protos 1.65.0 python
|
googleapis-common-protos 1.65.0 python
|
||||||
@@ -142,19 +142,19 @@ jmespath 1.0.1 python
|
|||||||
josepy 1.14.0 python
|
josepy 1.14.0 python
|
||||||
jq 1.7.1-r0 apk
|
jq 1.7.1-r0 apk
|
||||||
jsonlines 4.0.0 python
|
jsonlines 4.0.0 python
|
||||||
jsonpickle 3.2.2 python
|
jsonpickle 3.3.0 python
|
||||||
libacl 2.3.2-r0 apk
|
libacl 2.3.2-r0 apk
|
||||||
libassuan 2.5.7-r0 apk
|
libassuan 2.5.7-r0 apk
|
||||||
libattr 2.5.2-r0 apk
|
libattr 2.5.2-r0 apk
|
||||||
libavif 1.0.4-r0 apk
|
libavif 1.0.4-r0 apk
|
||||||
libbsd 0.12.2-r0 apk
|
libbsd 0.12.2-r0 apk
|
||||||
libbz2 1.0.8-r6 apk
|
libbz2 1.0.8-r6 apk
|
||||||
libcrypto3 3.3.1-r3 apk
|
libcrypto3 3.3.2-r0 apk
|
||||||
libcurl 8.9.0-r0 apk
|
libcurl 8.9.1-r1 apk
|
||||||
libdav1d 1.4.2-r0 apk
|
libdav1d 1.4.2-r0 apk
|
||||||
libedit 20240517.3.1-r0 apk
|
libedit 20240517.3.1-r0 apk
|
||||||
libevent 2.1.12-r7 apk
|
libevent 2.1.12-r7 apk
|
||||||
libexpat 2.6.2-r0 apk
|
libexpat 2.6.3-r0 apk
|
||||||
libffi 3.4.6-r0 apk
|
libffi 3.4.6-r0 apk
|
||||||
libgcc 13.2.1_git20240309-r0 apk
|
libgcc 13.2.1_git20240309-r0 apk
|
||||||
libgcrypt 1.10.3-r0 apk
|
libgcrypt 1.10.3-r0 apk
|
||||||
@@ -185,7 +185,7 @@ libseccomp 2.5.5-r1 apk
|
|||||||
libsharpyuv 1.3.2-r0 apk
|
libsharpyuv 1.3.2-r0 apk
|
||||||
libsm 1.2.4-r4 apk
|
libsm 1.2.4-r4 apk
|
||||||
libsodium 1.0.19-r0 apk
|
libsodium 1.0.19-r0 apk
|
||||||
libssl3 3.3.1-r3 apk
|
libssl3 3.3.2-r0 apk
|
||||||
libstdc++ 13.2.1_git20240309-r0 apk
|
libstdc++ 13.2.1_git20240309-r0 apk
|
||||||
libtasn1 4.19.0-r2 apk
|
libtasn1 4.19.0-r2 apk
|
||||||
libunistring 1.2-r0 apk
|
libunistring 1.2-r0 apk
|
||||||
@@ -211,7 +211,7 @@ memcached 1.6.27-r0 apk
|
|||||||
mock 5.1.0 python
|
mock 5.1.0 python
|
||||||
more-itertools 10.3.0 python
|
more-itertools 10.3.0 python
|
||||||
mpdecimal 4.0.0-r0 apk
|
mpdecimal 4.0.0-r0 apk
|
||||||
msal 1.30.0 python
|
msal 1.31.0 python
|
||||||
msal-extensions 1.2.0 python
|
msal-extensions 1.2.0 python
|
||||||
musl 1.2.5-r0 apk
|
musl 1.2.5-r0 apk
|
||||||
musl-utils 1.2.5-r0 apk
|
musl-utils 1.2.5-r0 apk
|
||||||
@@ -242,7 +242,7 @@ nginx-mod-stream-geoip2 1.26.2-r0 apk
|
|||||||
nginx-vim 1.26.2-r0 apk
|
nginx-vim 1.26.2-r0 apk
|
||||||
npth 1.6-r4 apk
|
npth 1.6-r4 apk
|
||||||
oniguruma 6.9.9-r0 apk
|
oniguruma 6.9.9-r0 apk
|
||||||
openssl 3.3.1-r3 apk
|
openssl 3.3.2-r0 apk
|
||||||
p11-kit 0.25.3-r0 apk
|
p11-kit 0.25.3-r0 apk
|
||||||
packaging 24.1 python
|
packaging 24.1 python
|
||||||
parsedatetime 2.6 python
|
parsedatetime 2.6 python
|
||||||
@@ -335,7 +335,7 @@ requests-mock 1.12.1 python
|
|||||||
rsa 4.9 python
|
rsa 4.9 python
|
||||||
s3transfer 0.10.2 python
|
s3transfer 0.10.2 python
|
||||||
scanelf 1.3.7-r2 apk
|
scanelf 1.3.7-r2 apk
|
||||||
setuptools 74.0.0 python
|
setuptools 74.1.2 python
|
||||||
shadow 4.15.1-r0 apk
|
shadow 4.15.1-r0 apk
|
||||||
six 1.16.0 python
|
six 1.16.0 python
|
||||||
skalibs 2.14.1.1-r0 apk
|
skalibs 2.14.1.1-r0 apk
|
||||||
|
|||||||
@@ -140,6 +140,7 @@ app_setup_block: |
|
|||||||
|
|
||||||
# changelog
|
# changelog
|
||||||
changelogs:
|
changelogs:
|
||||||
|
- { date: "30.08.24:", desc: "Fix zerossl cert revocation." }
|
||||||
- { date: "24.07.14:", desc: "Rebase to Alpine 3.20. Remove deprecated Google Domains certbot plugin. Existing users should update their nginx confs to avoid http2 deprecation warnings."}
|
- { date: "24.07.14:", desc: "Rebase to Alpine 3.20. Remove deprecated Google Domains certbot plugin. Existing users should update their nginx confs to avoid http2 deprecation warnings."}
|
||||||
- { date: "01.07.24:", desc: "Fall back to iptables-legacy if iptables doesn't work." }
|
- { date: "01.07.24:", desc: "Fall back to iptables-legacy if iptables doesn't work." }
|
||||||
- { date: "23.03.24:", desc: "Fix perms on the generated `priv-fullchain-bundle.pem`." }
|
- { date: "23.03.24:", desc: "Fix perms on the generated `priv-fullchain-bundle.pem`." }
|
||||||
|
|||||||
0
root/app/le-renew.sh
Normal file → Executable file
0
root/app/le-renew.sh
Normal file → Executable file
2
root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default
Normal file → Executable file
2
root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default
Normal file → Executable file
@@ -1,7 +1,9 @@
|
|||||||
#!/usr/bin/with-contenv bash
|
#!/usr/bin/with-contenv bash
|
||||||
# shellcheck shell=bash
|
# shellcheck shell=bash
|
||||||
|
# Notice: This file will be overwritten when updated by lsio. Add your custom scripts into a new file in this folder.
|
||||||
|
|
||||||
cd /config/keys/letsencrypt || exit 1
|
cd /config/keys/letsencrypt || exit 1
|
||||||
|
echo "**** Generating pfx and fullchain bundle certs ****"
|
||||||
openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
|
openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
|
||||||
sleep 1
|
sleep 1
|
||||||
cat {privkey,fullchain}.pem >priv-fullchain-bundle.pem
|
cat {privkey,fullchain}.pem >priv-fullchain-bundle.pem
|
||||||
|
|||||||
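Review bot: Now that this hook is declared to be overwritten on update, any hardening a user applied to it — most obviously replacing the empty `-passout pass:` on the pkcs12 export — will be silently reverted, and the hook still writes `privkey.pfx` and `priv-fullchain-bundle.pem`, both containing the private key, under whatever umask certbot happens to inherit. Setting the umask once is a one-line change that does not depend on any later chown/chmod step: `umask 077` directly after `cd /config/keys/letsencrypt || exit 1`. The empty pfx password is pre-existing, but since the file is now force-maintained by the image it deserves a comment stating that it is intentional and that users who want a password should add their own deploy hook rather than edit this one, as the new notice already implies. The `sleep 1` between the two writes has no stated purpose; a `# why` comment would help the next reader.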
3
root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx
Normal file → Executable file
3
root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx
Normal file → Executable file
@@ -1,15 +1,18 @@
|
|||||||
#!/usr/bin/with-contenv bash
|
#!/usr/bin/with-contenv bash
|
||||||
# shellcheck shell=bash
|
# shellcheck shell=bash
|
||||||
|
# Notice: This file will be overwritten when updated by lsio. Add your custom scripts into a new file in this folder.
|
||||||
|
|
||||||
# shellcheck source=/dev/null
|
# shellcheck source=/dev/null
|
||||||
. /config/.donoteditthisfile.conf
|
. /config/.donoteditthisfile.conf
|
||||||
|
|
||||||
if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then
|
if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then
|
||||||
if pgrep -f "s6-supervise svc-nginx" >/dev/null; then
|
if pgrep -f "s6-supervise svc-nginx" >/dev/null; then
|
||||||
|
echo "**** Starting Nginx ****"
|
||||||
s6-svc -u /run/service/svc-nginx
|
s6-svc -u /run/service/svc-nginx
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
if pgrep -f "nginx:" >/dev/null; then
|
if pgrep -f "nginx:" >/dev/null; then
|
||||||
|
echo "**** Reloading Nginx to load the new cert ****"
|
||||||
s6-svc -h /run/service/svc-nginx
|
s6-svc -h /run/service/svc-nginx
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|||||||
2
root/defaults/etc/letsencrypt/renewal-hooks/pre/10-nginx
Normal file → Executable file
2
root/defaults/etc/letsencrypt/renewal-hooks/pre/10-nginx
Normal file → Executable file
@@ -1,11 +1,13 @@
|
|||||||
#!/usr/bin/with-contenv bash
|
#!/usr/bin/with-contenv bash
|
||||||
# shellcheck shell=bash
|
# shellcheck shell=bash
|
||||||
|
# Notice: This file will be overwritten when updated by lsio. Add your custom scripts into a new file in this folder.
|
||||||
|
|
||||||
# shellcheck source=/dev/null
|
# shellcheck source=/dev/null
|
||||||
. /config/.donoteditthisfile.conf
|
. /config/.donoteditthisfile.conf
|
||||||
|
|
||||||
if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then
|
if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then
|
||||||
if pgrep -f "nginx:" >/dev/null; then
|
if pgrep -f "nginx:" >/dev/null; then
|
||||||
|
echo "**** Stopping Nginx in preparation of cert generation/renewal ****"
|
||||||
s6-svc -d /run/service/svc-nginx
|
s6-svc -d /run/service/svc-nginx
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|||||||
@@ -68,14 +68,9 @@ lsiown -R abc:abc /config/dns-conf
|
|||||||
|
|
||||||
# copy default renewal hooks
|
# copy default renewal hooks
|
||||||
chmod -R +x /defaults/etc/letsencrypt/renewal-hooks
|
chmod -R +x /defaults/etc/letsencrypt/renewal-hooks
|
||||||
cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/ 2> >(grep -v 'cp: not replacing')
|
cp -Rf /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal-hooks/ 2> >(grep -v 'cp: not replacing')
|
||||||
lsiown -R abc:abc /config/etc/letsencrypt/renewal-hooks
|
lsiown -R abc:abc /config/etc/letsencrypt/renewal-hooks
|
||||||
|
|
||||||
# replace nginx service location in renewal hooks
|
|
||||||
find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|/run/service/nginx|/run/service/svc-nginx|g' {} \;
|
|
||||||
find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|/var/run/s6/services/nginx|/run/service/svc-nginx|g' {} \;
|
|
||||||
find /config/etc/letsencrypt/renewal-hooks/ -type f -exec sed -i 's|s6-supervise nginx|s6-supervise svc-nginx|g' {} \;
|
|
||||||
|
|
||||||
# create original config file if it doesn't exist, move non-hidden legacy file to hidden
|
# create original config file if it doesn't exist, move non-hidden legacy file to hidden
|
||||||
if [[ -f "/config/donoteditthisfile.conf" ]]; then
|
if [[ -f "/config/donoteditthisfile.conf" ]]; then
|
||||||
mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
|
mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
|
||||||
@@ -189,24 +184,15 @@ if [[ ! "${URL}" = "${ORIGURL}" ]] ||
|
|||||||
[[ ! "${STAGING}" = "${ORIGSTAGING}" ]] ||
|
[[ ! "${STAGING}" = "${ORIGSTAGING}" ]] ||
|
||||||
[[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]]; then
|
[[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]]; then
|
||||||
echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
|
echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
|
||||||
if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]] && [[ -n "${ORIGEMAIL}" ]]; then
|
if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]]; then
|
||||||
REV_ACMESERVER=("https://acme.zerossl.com/v2/DV90")
|
REV_ACMESERVER=("https://acme.zerossl.com/v2/DV90")
|
||||||
REV_ZEROSSL_EAB_KID=$(awk -F "=" '/eab-kid/ {print $2}' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf" | tr -d ' ')
|
|
||||||
REV_ZEROSSL_EAB_HMAC_KEY=$(awk -F "=" '/eab-hmac-key/ {print $2}' "/config/etc/letsencrypt/renewal/${ORIGDOMAIN}.conf" | tr -d ' ')
|
|
||||||
if [[ -z "${REV_ZEROSSL_EAB_KID}" ]] || [[ -z "${REV_ZEROSSL_EAB_HMAC_KEY}" ]]; then
|
|
||||||
REV_ZEROSSL_EAB_KID=$(awk -F "=" '/eab-kid/ {print $2}' /config/etc/letsencrypt/cli.ini | tr -d ' ')
|
|
||||||
REV_ZEROSSL_EAB_HMAC_KEY=$(awk -F "=" '/eab-hmac-key/ {print $2}' /config/etc/letsencrypt/cli.ini | tr -d ' ')
|
|
||||||
fi
|
|
||||||
if [[ -n "${REV_ZEROSSL_EAB_KID}" ]] && [[ -n "${REV_ZEROSSL_EAB_HMAC_KEY}" ]]; then
|
|
||||||
REV_ACMESERVER+=("--eab-kid" "${REV_ZEROSSL_EAB_KID}" "--eab-hmac-key" "${REV_ZEROSSL_EAB_HMAC_KEY}")
|
|
||||||
fi
|
|
||||||
elif [[ "${ORIGSTAGING}" = "true" ]]; then
|
elif [[ "${ORIGSTAGING}" = "true" ]]; then
|
||||||
REV_ACMESERVER=("https://acme-staging-v02.api.letsencrypt.org/directory")
|
REV_ACMESERVER=("https://acme-staging-v02.api.letsencrypt.org/directory")
|
||||||
else
|
else
|
||||||
REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
|
REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
|
||||||
fi
|
fi
|
||||||
if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
|
if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
|
||||||
certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server "${REV_ACMESERVER[@]}" || true
|
certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --key-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/privkey.pem --server "${REV_ACMESERVER[@]}" || true
|
||||||
else
|
else
|
||||||
certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
|
certbot revoke --non-interactive --cert-name "${ORIGDOMAIN}" --server "${REV_ACMESERVER[@]}" || true
|
||||||
fi
|
fi
|
||||||
|
|||||||