there can only be one
This commit is contained in:
parent
6a30aaa5ec
commit
d32a39acfc
1 changed files with 32 additions and 12 deletions
44
certbot.sh
44
certbot.sh
|
@ -1,5 +1,32 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
|
lock=/tmp/certbot.lck
|
||||||
|
|
||||||
|
ensure() {
|
||||||
|
test -n "$1" && echo "$1 received, exiting gracefully..."
|
||||||
|
|
||||||
|
rm -f "${lock}"
|
||||||
|
|
||||||
|
# Fix permissions, users in group ssl have read access
|
||||||
|
find /etc/letsencrypt -type d | xargs -r chmod 2750
|
||||||
|
find /etc/letsencrypt -type f | xargs -r chmod 640
|
||||||
|
chgrp -R ssl /etc/letsencrypt
|
||||||
|
|
||||||
|
# Push certificates to nodes, we use SSH as a secure transport
|
||||||
|
# but this means we're synchronizing from container to host which is
|
||||||
|
# awkward. A restricted rsync treats / as the remote location for the
|
||||||
|
# certificates.
|
||||||
|
for NODE in ${NODES}; do
|
||||||
|
rsync -avHAX --delete-after /etc/letsencrypt/ ${NODE}:/
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
for SIG in TERM QUIT INT HUP ERR; do
|
||||||
|
trap "ensure ${SIG}" ${SIG}
|
||||||
|
done
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
case $1 in
|
case $1 in
|
||||||
# Renew certificates, trust in certbot's algorithms
|
# Renew certificates, trust in certbot's algorithms
|
||||||
renew) /usr/bin/certbot renew --quiet --agree-tos ;;
|
renew) /usr/bin/certbot renew --quiet --agree-tos ;;
|
||||||
|
@ -20,6 +47,10 @@ case $1 in
|
||||||
done ;;
|
done ;;
|
||||||
# Generate certificates
|
# Generate certificates
|
||||||
*)
|
*)
|
||||||
|
# Only one instance can run at a time
|
||||||
|
test -f "${lock}" && exit 0
|
||||||
|
touch "${lock}"
|
||||||
|
|
||||||
# Save headers here
|
# Save headers here
|
||||||
headers=/tmp/headers
|
headers=/tmp/headers
|
||||||
# Gets ETag from previous headers
|
# Gets ETag from previous headers
|
||||||
|
@ -50,15 +81,4 @@ case $1 in
|
||||||
done
|
done
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# Fix permissions, users in group ssl have read access
|
ensure
|
||||||
find /etc/letsencrypt -type d | xargs -r chmod 2750
|
|
||||||
find /etc/letsencrypt -type f | xargs -r chmod 640
|
|
||||||
chgrp -R ssl /etc/letsencrypt
|
|
||||||
|
|
||||||
# Push certificates to nodes, we use SSH as a secure transport
|
|
||||||
# but this means we're synchronizing from container to host which is
|
|
||||||
# awkward. A restricted rsync treats / as the remote location for the
|
|
||||||
# certificates.
|
|
||||||
for NODE in ${NODES}; do
|
|
||||||
rsync -avHAX --delete-after /etc/letsencrypt/ ${NODE}:/
|
|
||||||
done
|
|
||||||
|
|
Loading…
Reference in a new issue