containers-certbot/certbotd.sh

#!/bin/sh

if test -z "${NODES}" && test -z "${SINGLE_NODE}"; then
  echo "The env var NODES is empty, if you don't want to synchronize to other servers, set SINGLE_NODE=true" >&2
  exit 1
fi

lock=/tmp/certbot.lck
updated=/tmp/certbot.updated

ensure() {
  test -n "$1" && echo "$1 received, exiting gracefully..."

  rm -f "${lock}"

  test -f "${updated}" || exit 0

  rm -f "${updated}"

  # Fix permissions, users in group ssl have read access
  find /etc/letsencrypt -type d | xargs -r chmod 2750
  find /etc/letsencrypt -type f | xargs -r chmod 640
  chgrp -R ssl /etc/letsencrypt

  ${SINGLE_NODE:-false} && exit 0

  # Push certificates to nodes, we use SSH as a secure transport
  # but this means we're synchronizing from container to host which is
  # awkward.  A restricted rsync treats / as the remote location for the
  # certificates.
  for NODE in ${NODES}; do
    rsync -avHAXL --delete-after /etc/letsencrypt/live/ ${NODE}/
  done
}

for SIG in TERM QUIT INT HUP; do
  trap "ensure ${SIG}" ${SIG}
done

set -e

case $1 in
  # Renew certificates, trust in certbot's algorithms
  renew)
    /usr/bin/certbot renew --quiet --agree-tos || true
    touch "${updated}"
    ;;
  bootstrap)
    test -d "/etc/letsencrypt/live/${SUTTY}" && exit 0

    # Get a single certificate for the whole domain
    /usr/bin/certbot \
      certonly \
      --non-interactive \
      --authenticator "dns-standalone" \
      --email "certbot@${SUTTY}" \
      --agree-tos \
      -d "${SUTTY}" \
      -d "*.${SUTTY}" \
      -d "*.testing.${SUTTY}"

    touch "${updated}"

    ;;
  prune)
    comm -13 <(realpath /etc/letsencrypt/live/*/*.pem | sort) <(find /etc/letsencrypt/archive/ -name "*.pem" | sort) | xargs rm -v
    touch "${updated}"
    ;;
  # Generate certificates
  *)
    # Only one instance can run at a time
    if test -f "${lock}" ; then
      echo "There's a certbotd instance already running, doing nothing..." >&2
      echo "If the problem persists, you may need to remove ${lock} manually." >&2
      exit 1
    fi

    touch "${lock}"

    # Save headers here
    headers=/tmp/headers
    # Gets ETag from previous headers
    test -f "${headers}" \
      && etag="$(grep "^  Etag: " "${headers}" | cut -d : -f 2)"

    # Get site list from the API and transform to a list.  Save headers
    # for next run.  Use ETag to avoid running when nothing changed
    wget --user="${HTTP_BASIC_USER}" --password="${HTTP_BASIC_PASSWORD}" \
         --header="If-None-Match:${etag}" -qSO - \
          "https://api.${SUTTY}/v1/sites.json" \
          2>"${headers}" \
      | jq --raw-output .[] \
      | while read domain; do
          # Skip already existing domains
          test -d "/etc/letsencrypt/live/${domain}" && continue

          # Ignore non local domains
          if ! nslookup "${domain}" 8.8.8.8 | grep -qE "(${SUTTY_ADDRESSES// /|})" ; then
            echo "${domain} is not configured to any Sutty node or DNS records are still cached, ignoring for now"
            continue
          fi

          # Get the certificate for the domain, the webserver will need
          # access to this directory
          /usr/bin/certbot certonly --email "certbot@${SUTTY}" \
                                    -n \
                                    --webroot \
                                    --agree-tos \
                                    --webroot-path /var/lib/letsencrypt \
                                    -d "${domain}"
          touch "${updated}"
        done
esac

ensure
certbot 2019-09-10 23:17:04 +00:00			`#!/bin/sh`

run normally if SINGLE_NODE is set 2022-09-10 21:04:08 +00:00			`if test -z "${NODES}" && test -z "${SINGLE_NODE}"; then`
fail if NODES is empty 2022-03-19 13:02:18 +00:00			`echo "The env var NODES is empty, if you don't want to synchronize to other servers, set SINGLE_NODE=true" >&2`
			`exit 1`
			`fi`

there can only be one 2022-03-08 17:40:02 +00:00			`lock=/tmp/certbot.lck`
use a lock file to keep track of updates 2022-09-10 19:27:59 +00:00			`updated=/tmp/certbot.updated`
there can only be one 2022-03-08 17:40:02 +00:00
			`ensure() {`
			`test -n "$1" && echo "$1 received, exiting gracefully..."`

			`rm -f "${lock}"`

use a lock file to keep track of updates 2022-09-10 19:27:59 +00:00			`test -f "${updated}" \|\| exit 0`

			`rm -f "${updated}"`
fix permissions only when something changed since certbot doesn't do any pruning, fixing permissions all the time is an IO issue 2022-08-01 20:54:30 +00:00
there can only be one 2022-03-08 17:40:02 +00:00			`# Fix permissions, users in group ssl have read access`
			`find /etc/letsencrypt -type d \| xargs -r chmod 2750`
			`find /etc/letsencrypt -type f \| xargs -r chmod 640`
			`chgrp -R ssl /etc/letsencrypt`

fail if NODES is empty 2022-03-19 13:02:18 +00:00			`${SINGLE_NODE:-false} && exit 0`

there can only be one 2022-03-08 17:40:02 +00:00			`# Push certificates to nodes, we use SSH as a secure transport`
			`# but this means we're synchronizing from container to host which is`
			`# awkward. A restricted rsync treats / as the remote location for the`
			`# certificates.`
			`for NODE in ${NODES}; do`
BREAKING CHANGE: make nodes into full rsync urls 2023-04-22 17:53:33 +00:00			`rsync -avHAXL --delete-after /etc/letsencrypt/live/ ${NODE}/`
there can only be one 2022-03-08 17:40:02 +00:00			`done`
			`}`

ash complains about trap in ERR 2022-03-19 12:56:54 +00:00			`for SIG in TERM QUIT INT HUP; do`
there can only be one 2022-03-08 17:40:02 +00:00			`trap "ensure ${SIG}" ${SIG}`
			`done`

			`set -e`

certbot 2019-09-10 23:17:04 +00:00			`case $1 in`
			`# Renew certificates, trust in certbot's algorithms`
format 2022-03-15 21:55:31 +00:00			`renew)`
fix: don't fail if renewal fails it leaves the lock in place 2023-03-15 21:46:01 +00:00			`/usr/bin/certbot renew --quiet --agree-tos \|\| true`
use a lock file to keep track of updates 2022-09-10 19:27:59 +00:00			`touch "${updated}"`
format 2022-03-15 21:55:31 +00:00			`;;`
certbot 2019-09-10 23:17:04 +00:00			`bootstrap)`
BREAKING CHANGE: get a wildcard for the main domain sutty/sutty#13159 2023-04-20 18:20:26 +00:00			`test -d "/etc/letsencrypt/live/${SUTTY}" && exit 0`

			`# Get a single certificate for the whole domain`
			`/usr/bin/certbot \`
BREAKING CHANGE: standalone dns server 2023-12-20 14:21:18 +00:00			`certonly \`
			`--non-interactive \`
			`--authenticator "dns-standalone" \`
BREAKING CHANGE: get a wildcard for the main domain sutty/sutty#13159 2023-04-20 18:20:26 +00:00			`--email "certbot@${SUTTY}" \`
			`--agree-tos \`
			`-d "${SUTTY}" \`
feat: add *.testing.sutty.nl to certificate 2023-04-22 18:01:59 +00:00			`-d "*.${SUTTY}" \`
			`-d "*.testing.${SUTTY}"`
BREAKING CHANGE: get a wildcard for the main domain sutty/sutty#13159 2023-04-20 18:20:26 +00:00
			`touch "${updated}"`
fix permissions only when something changed since certbot doesn't do any pruning, fixing permissions all the time is an IO issue 2022-08-01 20:54:30 +00:00
prune old keys and certificates 2022-09-10 19:53:29 +00:00			`;;`
			`prune)`
			`comm -13 <(realpath /etc/letsencrypt/live//.pem \| sort) <(find /etc/letsencrypt/archive/ -name "*.pem" \| sort) \| xargs rm -v`
			`touch "${updated}"`
fix permissions only when something changed since certbot doesn't do any pruning, fixing permissions all the time is an IO issue 2022-08-01 20:54:30 +00:00			`;;`
certbot 2019-09-10 23:17:04 +00:00			`# Generate certificates`
			`*)`
there can only be one 2022-03-08 17:40:02 +00:00			`# Only one instance can run at a time`
a remaining lock is an error 2022-03-19 13:00:10 +00:00			`if test -f "${lock}" ; then`
			`echo "There's a certbotd instance already running, doing nothing..." >&2`
			`echo "If the problem persists, you may need to remove ${lock} manually." >&2`
			`exit 1`
			`fi`

there can only be one 2022-03-08 17:40:02 +00:00			`touch "${lock}"`

certbot 2019-09-10 23:17:04 +00:00			`# Save headers here`
			`headers=/tmp/headers`
			`# Gets ETag from previous headers`
			`test -f "${headers}" \`
			`&& etag="$(grep "^ Etag: " "${headers}" \| cut -d : -f 2)"`

			`# Get site list from the API and transform to a list. Save headers`
			`# for next run. Use ETag to avoid running when nothing changed`
			`wget --user="${HTTP_BASIC_USER}" --password="${HTTP_BASIC_PASSWORD}" \`
			`--header="If-None-Match:${etag}" -qSO - \`
			`"https://api.${SUTTY}/v1/sites.json" \`
			`2>"${headers}" \`
			`\| jq --raw-output .[] \`
sutty sends domains, no need to do conversion https://0xacab.org/sutty/sutty/-/merge_requests/50 2021-08-09 01:18:24 +00:00			`\| while read domain; do`
			`# Skip already existing domains`
			`test -d "/etc/letsencrypt/live/${domain}" && continue`
certbot 2019-09-10 23:17:04 +00:00
sutty sends domains, no need to do conversion https://0xacab.org/sutty/sutty/-/merge_requests/50 2021-08-09 01:18:24 +00:00			`# Ignore non local domains`
fix: look for ip everywhere 2023-04-24 16:35:07 +00:00			`if ! nslookup "${domain}" 8.8.8.8 \| grep -qE "(${SUTTY_ADDRESSES// /\|})" ; then`
fix: log when domains are being ignored 2023-04-22 18:09:28 +00:00			`echo "${domain} is not configured to any Sutty node or DNS records are still cached, ignoring for now"`
			`continue`
			`fi`
certbot 2019-09-10 23:17:04 +00:00
sutty sends domains, no need to do conversion https://0xacab.org/sutty/sutty/-/merge_requests/50 2021-08-09 01:18:24 +00:00			`# Get the certificate for the domain, the webserver will need`
			`# access to this directory`
			`/usr/bin/certbot certonly --email "certbot@${SUTTY}" \`
don't stop for asking questions 2022-03-19 13:03:06 +00:00			`-n \`
sutty sends domains, no need to do conversion https://0xacab.org/sutty/sutty/-/merge_requests/50 2021-08-09 01:18:24 +00:00			`--webroot \`
			`--agree-tos \`
			`--webroot-path /var/lib/letsencrypt \`
			`-d "${domain}"`
use a lock file to keep track of updates 2022-09-10 19:27:59 +00:00			`touch "${updated}"`
certbot 2019-09-10 23:17:04 +00:00			`done`
			`esac`
push certificates and skip non-local domains 2020-09-07 21:06:50 +00:00
there can only be one 2022-03-08 17:40:02 +00:00			`ensure`