首頁 探索 說明
註冊 登入
cere
/
home
1
0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
目錄樹: c3aa1d3047
分支列表 標籤列表
home
/
ngp_le
/
app
/
letsencrypt_service

letsencrypt_service 4.6 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135 
  1. #!/bin/bash
    2. 

  2. 

  3. DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
    4. 

  4. 

  5. seconds_to_wait=3600
    6. 

  6. ACME_CA_URI="${ACME_CA_URI:-https://acme-v01.api.letsencrypt.org/directory}"
    7. 

  7. 

  8. source /app/functions.sh
    9. 

  9. 

  10. create_link() {
    11. 

  11.     local readonly target=${1?missing target argument}
    12. 

  12.     local readonly source=${2?missing source argument}
    13. 

  13.     [[ -f "$target" ]] && return 1
    14. 

  14.     ln -sf "$source" "$target"
    15. 

  15. }
    16. 

  16. 

  17. create_links() {
    18. 

  18.     local readonly base_domain=${1?missing base_domain argument}
    19. 

  19.     local readonly domain=${2?missing base_domain argument}
    20. 

  20. 

  21.     if [[ ! -f "/etc/nginx/certs/$base_domain"/fullchain.pem || \
    22. 

  22.           ! -f "/etc/nginx/certs/$base_domain"/key.pem ]]; then
    23. 

  23.         return 1
    24. 

  24.     fi
    25. 

  25.     local return_code=1
    26. 

  26.     create_link "/etc/nginx/certs/$domain".crt "./$base_domain"/fullchain.pem
    27. 

  27.     return_code=$(( $return_code & $? ))
    28. 

  28.     create_link "/etc/nginx/certs/$domain".key "./$base_domain"/key.pem
    29. 

  29.     return_code=$(( $return_code & $? ))
    30. 

  30.     if [[ -f "/etc/nginx/certs/dhparam.pem" ]]; then
    31. 

  31.         create_link "/etc/nginx/certs/$domain".dhparam.pem ./dhparam.pem
    32. 

  32.         return_code=$(( $return_code & $? ))
    33. 

  33.     fi
    34. 

  34.     return $return_code
    35. 

  35. }
    36. 

  36. 

  37. update_certs() {
    38. 

  38.     [[ ! -f "$DIR"/letsencrypt_service_data ]] && return
    39. 

  39. 

  40.     # Load relevant container settings
    41. 

  41.     unset LETSENCRYPT_CONTAINERS
    42. 

  42.     source "$DIR"/letsencrypt_service_data
    43. 

  43. 

  44.     reload_nginx='false'
    45. 

  45.     for cid in "${LETSENCRYPT_CONTAINERS[@]}"; do
    46. 

  46.         # Derive host and email variable names
    47. 

  47.         host_varname="LETSENCRYPT_${cid}_HOST"
    48. 

  48.         # Array variable indirection hack: http://stackoverflow.com/a/25880676/350221
    49. 

  49.         hosts_array=$host_varname[@]
    50. 

  50.         email_varname="LETSENCRYPT_${cid}_EMAIL"
    51. 

  51. 

  52.         test_certificate_varname="LETSENCRYPT_${cid}_TEST"
    53. 

  53.         create_test_certificate=false
    54. 

  54.         if [[ $(lc "${!test_certificate_varname:-}") == true ]]; then
    55. 

  55.             create_test_certificate=true
    56. 

  56.         fi
    57. 

  57. 

  58.         params_d_str=""
    59. 

  59.         [[ $DEBUG == true ]] && params_d_str+=" -v"
    60. 

  60. 

  61.         hosts_array_expanded=("${!hosts_array}")
    62. 

  62.         # First domain will be our base domain
    63. 

  63.         base_domain="${hosts_array_expanded[0]}"
    64. 

  64. 

  65.         if [[ "$create_test_certificate" == true ]]; then
    66. 

  66.             # Use staging acme end point
    67. 

  67.             acme_ca_uri="https://acme-staging.api.letsencrypt.org/directory"
    68. 

  68.             if [[ ! -f /etc/nginx/certs/.${base_domain}.test ]]; then
    69. 

  69.                 # Remove old certificates
    70. 

  70.                 rm -rf /etc/nginx/certs/${base_domain}
    71. 

  71.                 for domain in "${!hosts_array}"; do
    72. 

  72.                     rm -f /etc/nginx/certs/$domain.{crt,key,dhparam.pem}
    73. 

  73.                 done
    74. 

  74.                 touch /etc/nginx/certs/.${base_domain}.test
    75. 

  75.             fi
    76. 

  76.         else
    77. 

  77.             acme_ca_uri="$ACME_CA_URI"
    78. 

  78.             if [[ -f /etc/nginx/certs/.${base_domain}.test ]]; then
    79. 

  79.                 # Remove old test certificates
    80. 

  80.                 rm -rf /etc/nginx/certs/${base_domain}
    81. 

  81.                 for domain in "${!hosts_array}"; do
    82. 

  82.                     rm -f /etc/nginx/certs/$domain.{crt,key,dhparam.pem}
    83. 

  83.                 done
    84. 

  84.                 rm -f /etc/nginx/certs/.${base_domain}.test
    85. 

  85.             fi
    86. 

  86.         fi
    87. 

  87. 

  88.         # Create directory for the first domain
    89. 

  89.         mkdir -p /etc/nginx/certs/$base_domain
    90. 

  90.         cd /etc/nginx/certs/$base_domain
    91. 

  91. 

  92.         for domain in "${!hosts_array}"; do
    93. 

  93.             # Add all the domains to certificate
    94. 

  94.             params_d_str+=" -d $domain"
    95. 

  95.             # Add location configuration for the domain
    96. 

  96.             add_location_configuration "$domain" || reload_nginx
    97. 

  97.         done
    98. 

  98. 

  99.         echo "Creating/renewal $base_domain certificates... (${hosts_array_expanded[*]})"
    100. 

  100.         /usr/bin/simp_le \
    101. 

  101.             -f account_key.json -f key.pem -f fullchain.pem -f cert.pem \
    102. 

  102.             --tos_sha256 6373439b9f29d67a5cd4d18cbc7f264809342dbf21cb2ba2fc7588df987a6221 \
    103. 

  103.             $params_d_str \
    104. 

  104.             --email "${!email_varname}" \
    105. 

  105.             --server=$acme_ca_uri \
    106. 

  106.             --default_root /usr/share/nginx/html/
    107. 

  107. 

  108.         simp_le_return=$?
    109. 

  109. 

  110.         for altnames in ${hosts_array_expanded[@]:1}; do
    111. 

  111.             # Remove old CN domain that now are altnames
    112. 

  112.             rm -rf /etc/nginx/certs/$altnames
    113. 

  113.         done
    114. 

  114. 

  115.         for domain in "${!hosts_array}"; do
    116. 

  116.             create_links $base_domain $domain && reload_nginx='true'
    117. 

  117.             [[ $simp_le_return -eq 0 ]] && reload_nginx='true'
    118. 

  118.         done
    119. 

  119.     done
    120. 

  120. 

  121.     [[ "$reload_nginx" == 'true' ]] && reload_nginx
    122. 

  122. }
    123. 

  123. 

  124. pid=
    125. 

  125. # Service Loop: When this script exits, start it again.
    126. 

  126. trap '[[ $pid ]] && kill $pid; exec $0' EXIT
    127. 

  127. trap 'trap - EXIT' INT TERM
    128. 

  128. 

  129. update_certs
    130. 

  130. 

  131. # Wait some amount of time
    132. 

  132. echo "Sleep for ${seconds_to_wait}s"
    133. 

  133. sleep $seconds_to_wait & pid=$!
    134. 

  134. wait
    135. 

  135. pid=
    136.