Sutty/containers-certbot
5
0
Fork 0
Code Issues 3 Pull requests Projects Releases Packages 1 Wiki Activity

feat: prune uneeded certificates

Browse source
This commit is contained in:
f 2024-12-28 17:09:07 -03:00
parent f6b6fe87b4
commit 0f15423d4f
No known key found for this signature in database
2 changed files with 32 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Dockerfile
View file

@ -5,7 +5,7 @@ LABEL org.opencontainers.image.authors="f@sutty.nl"
RUN addgroup -S -g 777 ssl RUN addgroup -S -g 777 ssl
RUN install -dm 2700 -o root -g root /root/.ssh RUN install -dm 2700 -o root -g root /root/.ssh
RUN apk add --no-cache certbot jq wget openssh-client rsync certbot-dns-standalone RUN apk add --no-cache certbot jq wget openssh-client rsync certbot-dns-standalone gnutls-utils
COPY ./monit.conf /etc/monit.d/certbot.conf COPY ./monit.conf /etc/monit.d/certbot.conf
COPY ./certbotd.sh /usr/local/bin/certbotd COPY ./certbotd.sh /usr/local/bin/certbotd

31
certbotd.sh
View file

@ -8,6 +8,10 @@ not_ok() {
echo "not ok - $@" >&2 echo "not ok - $@" >&2
} }
remove_certificate() {
rm -rf "/etc/letsencrypt/renewal/${1}.conf" "/etc/letsencrypt/live/${1}" "/etc/letsencrypt/archive/${1}"
}
if test -z "${NODES}" && test -z "${SINGLE_NODE}"; then if test -z "${NODES}" && test -z "${SINGLE_NODE}"; then
not_ok "The env var NODES is empty, if you don't want to synchronize to other servers, set SINGLE_NODE=true" not_ok "The env var NODES is empty, if you don't want to synchronize to other servers, set SINGLE_NODE=true"
exit 1 exit 1
@ -15,6 +19,7 @@ fi
lock=/tmp/certbot.lck lock=/tmp/certbot.lck
updated=/tmp/certbot.updated updated=/tmp/certbot.updated
domains=/tmp/domains
ensure() { ensure() {
test -n "$1" && ok "$1 received, exiting gracefully..." test -n "$1" && ok "$1 received, exiting gracefully..."
@ -75,7 +80,32 @@ case $1 in
;; ;;
prune) prune)
# Prune certificates that are not needed anymore
if test -s "${domains}"; then
grep "^authenticator\s*=\s*webroot$" -m 1 -r /etc/letsencrypt/renewal -l | while read renewal; do
cert="`grep "^cert\s*=" -m 1 "${renewal}" | cut -d = -f 2 | tr -d " "`"
dir="${renewal##*/}"
dir="${dir%.conf}"
# If the certificate exists and is non-empty
if test -s "${cert}"; then
domain="`certtool -i < "${cert}" | grep Subject: | cut -d = -f 2 | tr -d " "`"
if grep -q "^${subject}$" "${domains}"; then
echo "ok - ${domain} certificate correctly set"
else
not_ok "${domain} certificate is not needed anymore, removing"
remove_certificate "${domain}"
fi
else
not_ok "${domain} certificate doesn't exist, removing"
remove_certificate "${domain}"
fi
done
fi
comm -13 <(realpath /etc/letsencrypt/live/*/*.pem | sort) <(find /etc/letsencrypt/archive/ -name "*.pem" | sort) | xargs rm -v comm -13 <(realpath /etc/letsencrypt/live/*/*.pem | sort) <(find /etc/letsencrypt/archive/ -name "*.pem" | sort) | xargs rm -v
touch "${updated}" touch "${updated}"
;; ;;
# Generate certificates # Generate certificates
@ -102,6 +132,7 @@ case $1 in
"https://api.${SUTTY}/v1/sites.json" \ "https://api.${SUTTY}/v1/sites.json" \
2>"${headers}" \ 2>"${headers}" \
| jq --raw-output .[] \ | jq --raw-output .[] \
| tee "${domains}" \
| while read domain; do | while read domain; do
if test -z "${domain}"; then if test -z "${domain}"; then
not_ok "domain is empty" not_ok "domain is empty"