2019-09-10 23:17:04 +00:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
2022-03-08 17:40:02 +00:00
|
|
|
lock=/tmp/certbot.lck
|
|
|
|
|
|
|
|
|
|
ensure() {
|
|
|
|
|
test -n "$1" && echo "$1 received, exiting gracefully..."
|
|
|
|
|
|
|
|
|
|
rm -f "${lock}"
|
|
|
|
|
|
|
|
|
|
# Fix permissions, users in group ssl have read access
|
|
|
|
|
find /etc/letsencrypt -type d | xargs -r chmod 2750
|
|
|
|
|
find /etc/letsencrypt -type f | xargs -r chmod 640
|
|
|
|
|
chgrp -R ssl /etc/letsencrypt
|
|
|
|
|
|
|
|
|
|
# Push certificates to nodes, we use SSH as a secure transport
|
|
|
|
|
# but this means we're synchronizing from container to host which is
|
|
|
|
|
# awkward. A restricted rsync treats / as the remote location for the
|
|
|
|
|
# certificates.
|
|
|
|
|
for NODE in ${NODES}; do
|
|
|
|
|
rsync -avHAX --delete-after /etc/letsencrypt/ ${NODE}:/
|
|
|
|
|
done
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for SIG in TERM QUIT INT HUP ERR; do
|
|
|
|
|
trap "ensure ${SIG}" ${SIG}
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
set -e
|
|
|
|
|
|
2019-09-10 23:17:04 +00:00
|
|
|
case $1 in
|
|
|
|
|
# Renew certificates, trust in certbot's algorithms
|
2019-10-11 15:55:05 +00:00
|
|
|
renew) /usr/bin/certbot renew --quiet --agree-tos ;;
|
2019-09-10 23:17:04 +00:00
|
|
|
bootstrap)
|
2019-09-13 21:33:46 +00:00
|
|
|
for site in ${SUTTY} api.${SUTTY}; do
|
|
|
|
|
test -d "/etc/letsencrypt/live/${site}" && exit 0
|
2019-09-10 23:17:04 +00:00
|
|
|
|
2019-09-13 21:33:46 +00:00
|
|
|
# Get the certificate for the domain, the webserver will need
|
|
|
|
|
# access to this directory
|
|
|
|
|
/usr/bin/certbot certonly --email "certbot@${SUTTY}" \
|
|
|
|
|
--webroot \
|
|
|
|
|
--agree-tos \
|
|
|
|
|
--webroot-path /var/lib/letsencrypt \
|
|
|
|
|
-d "${site}"
|
2019-10-07 18:57:11 +00:00
|
|
|
|
|
|
|
|
cd /etc/letsencrypt/live
|
|
|
|
|
ln -s ${SUTTY} default
|
2019-09-13 21:33:46 +00:00
|
|
|
done ;;
|
2019-09-10 23:17:04 +00:00
|
|
|
# Generate certificates
|
|
|
|
|
*)
|
2022-03-08 17:40:02 +00:00
|
|
|
# Only one instance can run at a time
|
|
|
|
|
test -f "${lock}" && exit 0
|
|
|
|
|
touch "${lock}"
|
|
|
|
|
|
2019-09-10 23:17:04 +00:00
|
|
|
# Save headers here
|
|
|
|
|
headers=/tmp/headers
|
|
|
|
|
# Gets ETag from previous headers
|
|
|
|
|
test -f "${headers}" \
|
|
|
|
|
&& etag="$(grep "^ Etag: " "${headers}" | cut -d : -f 2)"
|
|
|
|
|
|
|
|
|
|
# Get site list from the API and transform to a list. Save headers
|
|
|
|
|
# for next run. Use ETag to avoid running when nothing changed
|
|
|
|
|
wget --user="${HTTP_BASIC_USER}" --password="${HTTP_BASIC_PASSWORD}" \
|
|
|
|
|
--header="If-None-Match:${etag}" -qSO - \
|
|
|
|
|
"https://api.${SUTTY}/v1/sites.json" \
|
|
|
|
|
2>"${headers}" \
|
|
|
|
|
| jq --raw-output .[] \
|
2021-08-09 01:18:24 +00:00
|
|
|
| while read domain; do
|
|
|
|
|
# Skip already existing domains
|
|
|
|
|
test -d "/etc/letsencrypt/live/${domain}" && continue
|
2019-09-10 23:17:04 +00:00
|
|
|
|
2021-08-09 01:18:24 +00:00
|
|
|
# Ignore non local domains
|
|
|
|
|
nslookup "${domain}" 8.8.8.8 | grep -q "${SUTTY_ADDRESS}" || continue
|
2019-09-10 23:17:04 +00:00
|
|
|
|
2021-08-09 01:18:24 +00:00
|
|
|
# Get the certificate for the domain, the webserver will need
|
|
|
|
|
# access to this directory
|
|
|
|
|
/usr/bin/certbot certonly --email "certbot@${SUTTY}" \
|
|
|
|
|
--webroot \
|
|
|
|
|
--agree-tos \
|
|
|
|
|
--webroot-path /var/lib/letsencrypt \
|
|
|
|
|
-d "${domain}"
|
2019-09-10 23:17:04 +00:00
|
|
|
done
|
|
|
|
|
esac
|
2020-09-07 21:06:50 +00:00
|
|
|
|
2022-03-08 17:40:02 +00:00
|
|
|
ensure
|
