@@ -47,10 +47,10 @@ cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal
4747chown -R abc:abc /config/etc/letsencrypt/renewal-hooks
4848
4949# create original config file if it doesn't exist, move non-hidden legacy file to hidden
50- if [ -f "/config/donoteditthisfile.conf" ]; then
50+ if [[ -f "/config/donoteditthisfile.conf" ] ]; then
5151 mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
5252fi
53- if [ ! -f "/config/.donoteditthisfile.conf" ]; then
53+ if [[ ! -f "/config/.donoteditthisfile.conf" ] ]; then
5454 echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
5555 echo "Created .donoteditthisfile.conf"
5656fi
6060. /config/.donoteditthisfile.conf
6161
6262# set default validation to http
63- if [ -z "${VALIDATION}" ]; then
63+ if [[ -z "${VALIDATION}" ] ]; then
6464 VALIDATION="http"
6565 echo "VALIDATION parameter not set; setting it to http"
6666fi
6767
6868# set duckdns validation to dns
69- if [ "${VALIDATION}" = "duckdns" ]; then
69+ if [[ "${VALIDATION}" = "duckdns" ] ]; then
7070 VALIDATION="dns"
7171 DNSPLUGIN="duckdns"
72- if [ -n "${DUCKDNSTOKEN}" ] && ! grep -q "dns_duckdns_token=${DUCKDNSTOKEN}$" /config/dns-conf/duckdns.ini; then
72+ if [[ -n "${DUCKDNSTOKEN}" ] ] && ! grep -q "dns_duckdns_token=${DUCKDNSTOKEN}$" /config/dns-conf/duckdns.ini; then
7373 sed -i "s|^dns_duckdns_token=.*|dns_duckdns_token=${DUCKDNSTOKEN}|g" /config/dns-conf/duckdns.ini
7474 fi
7575fi
76- if [ "${VALIDATION}" = "dns" ] && [ "${DNSPLUGIN}" = "duckdns" ]; then
77- if [ "${SUBDOMAINS}" = "wildcard" ]; then
76+ if [[ "${VALIDATION}" = "dns" ]] && [[ "${DNSPLUGIN}" = "duckdns" ] ]; then
77+ if [[ "${SUBDOMAINS}" = "wildcard" ] ]; then
7878 echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
7979 export ONLY_SUBDOMAINS=true
8080 else
@@ -85,16 +85,16 @@ if [ "${VALIDATION}" = "dns" ] && [ "${DNSPLUGIN}" = "duckdns" ]; then
8585fi
8686
8787# if zerossl is selected or staging is set to true, use the relevant server
88- if [ "${CERTPROVIDER}" = "zerossl" ] && [ "${STAGING}" = "true" ]; then
88+ if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ "${STAGING}" = "true" ] ]; then
8989 echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
9090fi
91- if [ "${CERTPROVIDER}" = "zerossl" ] && [ -n "${EMAIL}" ]; then
91+ if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ] ]; then
9292 echo "ZeroSSL is selected as the cert provider, registering cert with ${EMAIL}"
9393 ACMESERVER="https://acme.zerossl.com/v2/DV90"
94- elif [ "${CERTPROVIDER}" = "zerossl" ] && [ -z "${EMAIL}" ]; then
94+ elif [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -z "${EMAIL}" ] ]; then
9595 echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable"
9696 sleep infinity
97- elif [ "${STAGING}" = "true" ]; then
97+ elif [[ "${STAGING}" = "true" ] ]; then
9898 echo "NOTICE: Staging is active"
9999 echo "Using Let's Encrypt as the cert provider"
100100 ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
@@ -104,10 +104,10 @@ else
104104fi
105105
106106# figuring out url only vs url & subdomains vs subdomains only
107- if [ -n "${SUBDOMAINS}" ]; then
107+ if [[ -n "${SUBDOMAINS}" ] ]; then
108108 echo "SUBDOMAINS entered, processing"
109- if [ "${SUBDOMAINS}" = "wildcard" ]; then
110- if [ "${ONLY_SUBDOMAINS}" = true ]; then
109+ if [[ "${SUBDOMAINS}" = "wildcard" ] ]; then
110+ if [[ "${ONLY_SUBDOMAINS}" = true ] ]; then
111111 export URL_REAL="-d *.${URL}"
112112 echo "Wildcard cert for only the subdomains of ${URL} will be requested"
113113 else
@@ -119,7 +119,7 @@ if [ -n "${SUBDOMAINS}" ]; then
119119 for job in $(echo "${SUBDOMAINS}" | tr "," " "); do
120120 export SUBDOMAINS_REAL="${SUBDOMAINS_REAL} -d ${job}.${URL}"
121121 done
122- if [ "${ONLY_SUBDOMAINS}" = true ]; then
122+ if [[ "${ONLY_SUBDOMAINS}" = true ] ]; then
123123 URL_REAL="${SUBDOMAINS_REAL}"
124124 echo "Only subdomains, no URL in cert"
125125 else
133133fi
134134
135135# add extra domains
136- if [ -n "${EXTRA_DOMAINS}" ]; then
136+ if [[ -n "${EXTRA_DOMAINS}" ] ]; then
137137 echo "EXTRA_DOMAINS entered, processing"
138138 for job in $(echo "${EXTRA_DOMAINS}" | tr "," " "); do
139139 export EXTRA_DOMAINS_REAL="${EXTRA_DOMAINS_REAL} -d ${job}"
@@ -152,34 +152,34 @@ else
152152fi
153153
154154# setting the validation method to use
155- if [ "${VALIDATION}" = "dns" ]; then
156- if [ "${DNSPLUGIN}" = "route53" ]; then
157- if [ -n "${PROPAGATION}" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
155+ if [[ "${VALIDATION}" = "dns" ] ]; then
156+ if [[ "${DNSPLUGIN}" = "route53" ] ]; then
157+ if [[ -n "${PROPAGATION}" ] ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
158158 PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}"
159159 elif [[ "${DNSPLUGIN}" =~ ^(azure|gandi)$ ]]; then
160- if [ -n "${PROPAGATION}" ]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi
160+ if [[ -n "${PROPAGATION}" ] ]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi
161161 PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini"
162162 elif [[ "${DNSPLUGIN}" =~ ^(duckdns)$ ]]; then
163- if [ -n "${PROPAGATION}" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
163+ if [[ -n "${PROPAGATION}" ] ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
164164 PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini --dns-duckdns-no-txt-restore ${PROPAGATIONPARAM}"
165165 elif [[ "${DNSPLUGIN}" =~ ^(google)$ ]]; then
166- if [ -n "${PROPAGATION}" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
166+ if [[ -n "${PROPAGATION}" ] ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
167167 PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}"
168168 elif [[ "${DNSPLUGIN}" =~ ^(acmedns|aliyun|cpanel|desec|dnspod|do|domeneshop|dynu|godaddy|he|hetzner|infomaniak|inwx|ionos|loopia|netcup|njalla|porkbun|transip|vultr)$ ]]; then
169- if [ -n "${PROPAGATION}" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
169+ if [[ -n "${PROPAGATION}" ] ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
170170 PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
171171 elif [[ "${DNSPLUGIN}" =~ ^(standalone)$ ]]; then
172- if [ -n "${PROPAGATION}" ]; then echo "standalone dns plugin does not support setting propagation time"; fi
172+ if [[ -n "${PROPAGATION}" ] ]; then echo "standalone dns plugin does not support setting propagation time"; fi
173173 PREFCHAL="-a dns-${DNSPLUGIN}"
174174 elif [[ "${DNSPLUGIN}" =~ ^(directadmin)$ ]]; then
175- if [ -n "${PROPAGATION}" ]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
175+ if [[ -n "${PROPAGATION}" ] ]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
176176 PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
177177 else
178- if [ -n "${PROPAGATION}" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
178+ if [[ -n "${PROPAGATION}" ] ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
179179 PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
180180 fi
181181 echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
182- elif [ "${VALIDATION}" = "tls-sni" ]; then
182+ elif [[ "${VALIDATION}" = "tls-sni" ] ]; then
183183 PREFCHAL="--standalone --preferred-challenges http"
184184 echo "*****tls-sni validation has been deprecated, attempting http validation instead"
185185else
189189
190190# setting the symlink for key location
191191rm -rf /config/keys/letsencrypt
192- if [ "${ONLY_SUBDOMAINS}" = "true" ] && [ ! "${SUBDOMAINS}" = "wildcard" ]; then
192+ if [[ "${ONLY_SUBDOMAINS}" = "true" ]] && [[ ! "${SUBDOMAINS}" = "wildcard" ] ]; then
193193 DOMAIN="$(echo "${SUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${URL}"
194194 ln -s ../etc/letsencrypt/live/"${DOMAIN}" /config/keys/letsencrypt
195195else
196196 ln -s ../etc/letsencrypt/live/"${URL}" /config/keys/letsencrypt
197197fi
198198
199199# checking for changes in cert variables, revoking certs if necessary
200- if [ ! "${URL}" = "${ORIGURL}" ] || [ ! "${SUBDOMAINS}" = "${ORIGSUBDOMAINS}" ] || [ ! "${ONLY_SUBDOMAINS}" = "${ORIGONLY_SUBDOMAINS}" ] || [ ! "${EXTRA_DOMAINS}" = "${ORIGEXTRA_DOMAINS}" ] || [ ! "${VALIDATION}" = "${ORIGVALIDATION}" ] || [ ! "${DNSPLUGIN}" = "${ORIGDNSPLUGIN}" ] || [ ! "${PROPAGATION}" = "${ORIGPROPAGATION}" ] || [ ! "${STAGING}" = "${ORIGSTAGING}" ] || [ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]; then
200+ if [[ ! "${URL}" = "${ORIGURL}" ]] || [[ ! "${SUBDOMAINS}" = "${ORIGSUBDOMAINS}" ]] || [[ ! "${ONLY_SUBDOMAINS}" = "${ORIGONLY_SUBDOMAINS}" ]] || [[ ! "${EXTRA_DOMAINS}" = "${ORIGEXTRA_DOMAINS}" ]] || [[ ! "${VALIDATION}" = "${ORIGVALIDATION}" ]] || [[ ! "${DNSPLUGIN}" = "${ORIGDNSPLUGIN}" ]] || [[ ! "${PROPAGATION}" = "${ORIGPROPAGATION}" ]] || [[ ! "${STAGING}" = "${ORIGSTAGING}" ]] || [[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ] ]; then
201201 echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
202- if [ "${ORIGONLY_SUBDOMAINS}" = "true" ] && [ ! "${ORIGSUBDOMAINS}" = "wildcard" ]; then
202+ if [[ "${ORIGONLY_SUBDOMAINS}" = "true" ]] && [[ ! "${ORIGSUBDOMAINS}" = "wildcard" ] ]; then
203203 ORIGDOMAIN="$(echo "${ORIGSUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
204204 else
205205 ORIGDOMAIN="${ORIGURL}"
206206 fi
207- if [ "${ORIGCERTPROVIDER}" = "zerossl" ] && [ -n "${ORIGEMAIL}" ]; then
207+ if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]] && [[ -n "${ORIGEMAIL}" ] ]; then
208208 REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${ORIGEMAIL}")
209209 REV_ZEROSSL_EAB_KID=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
210210 REV_ZEROSSL_EAB_HMAC_KEY=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
211- if [ -z "${REV_ZEROSSL_EAB_KID}" ] || [ -z "${REV_ZEROSSL_EAB_HMAC_KEY}" ]; then
211+ if [[ -z "${REV_ZEROSSL_EAB_KID}" ]] || [[ -z "${REV_ZEROSSL_EAB_HMAC_KEY}" ] ]; then
212212 echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
213213 sleep infinity
214214 fi
215215 REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}"
216- elif [ "${ORIGSTAGING}" = "true" ]; then
216+ elif [[ "${ORIGSTAGING}" = "true" ] ]; then
217217 REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
218218 else
219219 REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
228228echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
229229
230230# alter extension for error message
231- if [ "${DNSPLUGIN}" = "google" ]; then
231+ if [[ "${DNSPLUGIN}" = "google" ] ]; then
232232 FILENAME="${DNSPLUGIN}.json"
233233else
234234 FILENAME="${DNSPLUGIN}.ini"
235235fi
236236
237237# Check if the cert is using the old LE root cert, revoke and regen if necessary
238- if [ -f "/config/keys/letsencrypt/chain.pem" ] && { [ "${CERTPROVIDER}" == "letsencrypt" ] || [ "${CERTPROVIDER}" == "" ]; } && [ "${STAGING}" != "true" ] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
238+ if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "letsencrypt" ]] || [[ "${CERTPROVIDER}" == "" ]] ; } && [[ "${STAGING}" != "true" ] ] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
239239 echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
240240 REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
241241 if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
@@ -245,13 +245,13 @@ if [ -f "/config/keys/letsencrypt/chain.pem" ] && { [ "${CERTPROVIDER}" == "lets
245245fi
246246
247247# generating certs if necessary
248- if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
249- if [ "${CERTPROVIDER}" = "zerossl" ] && [ -n "${EMAIL}" ]; then
248+ if [[ ! -f "/config/keys/letsencrypt/fullchain.pem" ] ]; then
249+ if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ] ]; then
250250 echo "Retrieving EAB from ZeroSSL"
251251 EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${EMAIL}")
252252 ZEROSSL_EAB_KID=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
253253 ZEROSSL_EAB_HMAC_KEY=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
254- if [ -z "${ZEROSSL_EAB_KID}" ] || [ -z "${ZEROSSL_EAB_HMAC_KEY}" ]; then
254+ if [[ -z "${ZEROSSL_EAB_KID}" ]] || [[ -z "${ZEROSSL_EAB_HMAC_KEY}" ] ]; then
255255 echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
256256 sleep infinity
257257 fi
@@ -260,8 +260,8 @@ if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
260260 echo "Generating new certificate"
261261 # shellcheck disable=SC2086
262262 certbot certonly --non-interactive --renew-by-default --server ${ACMESERVER} ${ZEROSSL_EAB} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${URL_REAL}
263- if [ ! -d /config/keys/letsencrypt ]; then
264- if [ "${VALIDATION}" = "dns" ]; then
263+ if [[ ! -d /config/keys/letsencrypt ] ]; then
264+ if [[ "${VALIDATION}" = "dns" ] ]; then
265265 echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
266266 else
267267 echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
275275fi
276276
277277# if certbot generated key exists, remove self-signed cert and replace it with symlink to live cert
278- if [ -d /config/keys/letsencrypt ]; then
278+ if [[ -d /config/keys/letsencrypt ] ]; then
279279 rm -rf /config/keys/cert.crt
280280 ln -s ./letsencrypt/fullchain.pem /config/keys/cert.crt
281281 rm -rf /config/keys/cert.key
0 commit comments