116 lines
3.4 KiB
Bash
Executable File
116 lines
3.4 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
if test -z "${NODES}" && test -z "${SINGLE_NODE}"; then
|
|
echo "The env var NODES is empty, if you don't want to synchronize to other servers, set SINGLE_NODE=true" >&2
|
|
exit 1
|
|
fi
|
|
|
|
lock=/tmp/certbot.lck
|
|
updated=/tmp/certbot.updated
|
|
|
|
ensure() {
|
|
test -n "$1" && echo "$1 received, exiting gracefully..."
|
|
|
|
rm -f "${lock}"
|
|
|
|
test -f "${updated}" || exit 0
|
|
|
|
rm -f "${updated}"
|
|
|
|
# Fix permissions, users in group ssl have read access
|
|
find /etc/letsencrypt -type d | xargs -r chmod 2750
|
|
find /etc/letsencrypt -type f | xargs -r chmod 640
|
|
chgrp -R ssl /etc/letsencrypt
|
|
|
|
${SINGLE_NODE:-false} && exit 0
|
|
|
|
# Push certificates to nodes, we use SSH as a secure transport
|
|
# but this means we're synchronizing from container to host which is
|
|
# awkward. A restricted rsync treats / as the remote location for the
|
|
# certificates.
|
|
for NODE in ${NODES}; do
|
|
rsync -avHAXL --delete-after /etc/letsencrypt/live/ ${NODE}/
|
|
done
|
|
}
|
|
|
|
for SIG in TERM QUIT INT HUP; do
|
|
trap "ensure ${SIG}" ${SIG}
|
|
done
|
|
|
|
set -e
|
|
|
|
case $1 in
|
|
# Renew certificates, trust in certbot's algorithms
|
|
renew)
|
|
/usr/bin/certbot renew --quiet --agree-tos || true
|
|
touch "${updated}"
|
|
;;
|
|
bootstrap)
|
|
test -d "/etc/letsencrypt/live/${SUTTY}" && exit 0
|
|
|
|
# Get a single certificate for the whole domain
|
|
/usr/bin/certbot \
|
|
certonly \
|
|
--non-interactive \
|
|
--authenticator "dns-standalone" \
|
|
--email "certbot@${SUTTY}" \
|
|
--agree-tos \
|
|
-d "${SUTTY}" \
|
|
-d "*.${SUTTY}" \
|
|
-d "*.testing.${SUTTY}"
|
|
|
|
touch "${updated}"
|
|
|
|
;;
|
|
prune)
|
|
comm -13 <(realpath /etc/letsencrypt/live/*/*.pem | sort) <(find /etc/letsencrypt/archive/ -name "*.pem" | sort) | xargs rm -v
|
|
touch "${updated}"
|
|
;;
|
|
# Generate certificates
|
|
*)
|
|
# Only one instance can run at a time
|
|
if test -f "${lock}" ; then
|
|
echo "There's a certbotd instance already running, doing nothing..." >&2
|
|
echo "If the problem persists, you may need to remove ${lock} manually." >&2
|
|
exit 1
|
|
fi
|
|
|
|
touch "${lock}"
|
|
|
|
# Save headers here
|
|
headers=/tmp/headers
|
|
# Gets ETag from previous headers
|
|
test -f "${headers}" \
|
|
&& etag="$(grep "^ Etag: " "${headers}" | cut -d : -f 2)"
|
|
|
|
# Get site list from the API and transform to a list. Save headers
|
|
# for next run. Use ETag to avoid running when nothing changed
|
|
wget --user="${HTTP_BASIC_USER}" --password="${HTTP_BASIC_PASSWORD}" \
|
|
--header="If-None-Match:${etag}" -qSO - \
|
|
"https://api.${SUTTY}/v1/sites.json" \
|
|
2>"${headers}" \
|
|
| jq --raw-output .[] \
|
|
| while read domain; do
|
|
# Skip already existing domains
|
|
test -d "/etc/letsencrypt/live/${domain}" && continue
|
|
|
|
# Ignore non local domains
|
|
if ! nslookup "${domain}" 8.8.8.8 | grep -qE "(${SUTTY_ADDRESSES// /|})" ; then
|
|
echo "${domain} is not configured to any Sutty node or DNS records are still cached, ignoring for now"
|
|
continue
|
|
fi
|
|
|
|
# Get the certificate for the domain, the webserver will need
|
|
# access to this directory
|
|
/usr/bin/certbot certonly --email "certbot@${SUTTY}" \
|
|
-n \
|
|
--webroot \
|
|
--agree-tos \
|
|
--webroot-path /var/lib/letsencrypt \
|
|
-d "${domain}"
|
|
touch "${updated}"
|
|
done
|
|
esac
|
|
|
|
ensure
|