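--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,22 +1,44 @@
 #!/bin/bash
 set -ex
-LETSENCRYPT_DOMAIN=${LETSENCRYPT_DOMAIN:-"none"}
+
+LETSENCRYPT_DOMAIN=${LETSENCRYPT_DOMAIN:-}
 LETSENCRYPT_EMAIL=${LETSENCRYPT_EMAIL:-"example@local"}
+NGINX_SSL_CERT=${NGINX_SSL_CERT:-}
+NGINX_SSL_KEY=${NGINX_SSL_KEY:-}
 NGINX_SSL_PORT=${NGINX_SSL_PORT:-443}
+NGINX_CONF="/etc/nginx/http.d/default.conf"
 
-# If no domain is provided, skip certbot execution and configuration
-if [ "${LETSENCRYPT_DOMAIN}-x" == "none-x" ]; then
- exit 0
-fi
+remove_ssl_config() {
+ sed -i -E "/ssl_certificate /,/^$/d" "${NGINX_CONF}"
+ sed -i -E "/ssl_certificate_key /,/^$/d" "${NGINX_CONF}"
+}
 
 # Request a certificate
 # this also updates the nginx config file with new SSL entries
-certbot -n --nginx --agree-tos --email ${LETSENCRYPT_EMAIL} -d ${LETSENCRYPT_DOMAIN} --https-port ${NGINX_SSL_PORT}
-# Add cron job file
-cat <<EOF >/etc/crontabs/root
+if [[ -n "${LETSENCRYPT_DOMAIN}" ]]; then
+ echo "Generating SSL certificate using certbot for ${LETSENCRYPT_DOMAIN} with automatic renewal."
+ certbot -n --nginx --agree-tos --email "${LETSENCRYPT_EMAIL}" -d "${LETSENCRYPT_DOMAIN}" --https-port "${NGINX_SSL_PORT}"
+ # Add cron job file
+ cat <<EOF >/etc/crontabs/root
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 
-0 */12 * * * certbot -q renew --nginx --https-port ${NGINX_SSL_PORT}
+0 */12 * * * certbot -q renew --nginx --https-port "${NGINX_SSL_PORT}"
 EOF
-# start cron daemon
-supervisorctl start cron
+ # start cron daemon
+ supervisorctl start cron
+# Update the nginx config file with the provided SSL entries
+elif [[ -n "${NGINX_SSL_CERT}" && -n "${NGINX_SSL_KEY}" ]]; then
+ echo "Configuring the provided SSL certificate at ${NGINX_SSL_CERT}"
+ remove_ssl_config
+ sed -i -E "s|listen [0-9]{1,5} (default_server\|ssl http2);|listen ${NGINX_SSL_PORT} ssl http2;|" "${NGINX_CONF}"
+ sed -i -E "s|listen \[::\]:[0-9]{1,5} (default_server\|ssl http2);|listen \[::\]:${NGINX_SSL_PORT} ssl http2;\n\n ssl_certificate ${NGINX_SSL_CERT};\n ssl_certificate_key ${NGINX_SSL_KEY};|" "${NGINX_CONF}"
+# If the nginx port is provided but no other settings are, update the port
+elif [[ "${NGINX_SSL_PORT}" != 443 ]]; then
+ echo "Setting nginx listen port."
+ remove_ssl_config
+ sed -i -E "s|listen [0-9]{1,5} (default_server\|ssl http2);|listen ${NGINX_SSL_PORT} default_server;|" "${NGINX_CONF}"
+ sed -i -E "s|listen \[::\]:[0-9]{1,5} (default_server\|ssl http2);|listen \[::\]:${NGINX_SSL_PORT} default_server;|" "${NGINX_CONF}"
+else
+ echo "No certificates or Letsencrypt domain was provided. Exiting."
+ exit 0
+fi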
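Review bot: The `elif [[ -n "${NGINX_SSL_CERT}" && -n "${NGINX_SSL_KEY}" ]]` branch writes the two paths and the port straight into the nginx config without checking them, so an unreadable cert path or a non-numeric port is only discovered when nginx fails to start, and because these values are spliced into a `|`-delimited sed expression, a value containing `|`, `&` or a backslash changes the sed command rather than being inserted literally. Validate before `remove_ssl_config`: `[[ -r "${NGINX_SSL_CERT}" && -r "${NGINX_SSL_KEY}" ]] || { echo "NGINX_SSL_CERT/NGINX_SSL_KEY must be readable files" >&2; exit 1; }` and, above the whole if-chain since all three branches use it, `[[ "${NGINX_SSL_PORT}" =~ ^[0-9]{1,5}$ ]] || { echo "NGINX_SSL_PORT must be a port number" >&2; exit 1; }`. Separately, `remove_ssl_config` deletes from the `ssl_certificate` line through the next blank line; since the replacement on new line 34 inserts those directives with no trailing blank line, a re-run of this script on an already-patched config may remove whatever directives follow them — worth confirming against the shipped default.conf or ending the inserted block with `\n` so the range is self-delimiting.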