init_letsencrypt.sh
#!/bin/bash
# Bootstrap Let's Encrypt certificates for an nginx + certbot docker compose
# stack: create a throw-away certificate so nginx can start, then replace it
# with a real one issued via the webroot challenge and reload nginx.
# The script stops at the first failing command. -u is deliberately not set:
# several optional variables stay unset and are read later with empty
# semantics.
set -e

# ---- defaults; each can be overridden from the command line ----
# Domains to request the certificate for (-d / --domain). The shipped value
# sits on the reserved example.com zone and is a placeholder.
domains=(licms.example.com)
# Host directory where certbot's /etc/letsencrypt tree is kept (--data-path).
data_path="$HOME/data/certbot"
# Contact address for the Let's Encrypt account (-m / --email); placeholder.
email="your@email.com"
# 1 selects the Let's Encrypt staging environment (--staging), 0 production.
staging=0
# Size in bits of the RSA key certbot generates; not overridable from the CLI.
readonly rsa_key_size=4096
#######################################
# Print the usage line and the option list.
# Globals:   none (reads $0 for the script name)
# Arguments: none
# Outputs:   help text on stdout
# Returns:   0
#######################################
print_help() {
  local script_name
  script_name=$(basename "$0")
  # Unquoted delimiter on purpose: $script_name must expand.
  cat <<EOF
Usage: $script_name [-d DOMAIN] [--staging] [-f COMPOSE_FILE] [--data-path PATH]

You can either modify $script_name directly or use the following options to adjust its behavior.

Options:
-h, --help: Print this help.
-d, --domain DOMAIN: Request certificates for the given DOMAIN. Can be used multiple times (e.g. -d example.com -d www.example.com).
-f, --file PATH: If given, use specified docker compose configuration file.
-m, --email EMAIL: If given, use EMAIL to register Let's Encrypt account
--staging: Use Let's Encrypt in Staging Mode
--data-path: Set path for storing certificate data
EOF
}
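#######################################
# Abort with a usage error when an option that needs a value has none.
# Arguments: $1 - option as typed, $2 - number of remaining arguments
# Outputs:   error on stderr
# Returns:   exits 1 when the value is missing, returns 0 otherwise
#######################################
require_value() {
  if [[ $2 -lt 2 ]]; then
    printf 'Error: option %s requires a value.\n' "$1" >&2
    exit 1
  fi
}

#######################################
# Parse the command line into the configuration globals.
# The first -d/--domain replaces the configured default domain list and later
# ones accumulate. (The previous check compared against "example.com", which
# never matched the shipped "licms.example.com" default, so -d silently
# appended to the placeholder.) An unknown argument is now a failure rather
# than a silent exit 0.
# Globals:   domains, staging, compose_file, email, data_path (written)
# Arguments: the script's "$@"
# Outputs:   help on stdout for -h, diagnostics on stderr
# Returns:   exits 0 after -h, exits 1 on a bad or unknown argument
#######################################
parse_args() {
  local domains_from_args=0
  while [[ $# -gt 0 ]]; do
    case "$1" in
      -h | --help)
        print_help
        exit 0
        ;;
      -d | --domain)
        require_value "$1" $#
        if (( ! domains_from_args )); then
          # Drop whatever is configured in the script on the first -d.
          domains=()
          domains_from_args=1
        fi
        domains+=("$2")
        shift 2
        ;;
      --staging)
        staging=1
        shift
        ;;
      -f | --file)
        require_value "$1" $#
        compose_file="$2"
        shift 2
        ;;
      -m | --email)
        # An empty value is accepted: it selects registration without email.
        require_value "$1" $#
        email="$2"
        shift 2
        ;;
      --data-path)
        require_value "$1" $#
        data_path="$2"
        shift 2
        ;;
      *)
        printf 'Unknown argument: %s\n' "$1" >&2
        exit 1
        ;;
    esac
  done
}
parse_args "$@"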
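#######################################
# Refuse to run with placeholder configuration. The original test only
# recognised "example.com", so the shipped "licms.example.com" default slipped
# through and was sent to Let's Encrypt, as was the placeholder contact
# address. Any name under the reserved example.com zone is rejected; an empty
# email is allowed and means "register without an address".
# Globals:   domains, email (read)
# Arguments: none
# Outputs:   error on stderr
# Returns:   0 when the configuration is usable, exits 1 otherwise
#######################################
check_config() {
  if [[ ${#domains[@]} -eq 0 || -z "${domains[0]}" ]]; then
    printf 'Error: You must specify at least one domain.\n' >&2
    exit 1
  fi
  local domain
  for domain in "${domains[@]}"; do
    case "$domain" in
      example.com | *.example.com)
        printf 'Error: %s is a placeholder domain; pass real domains with -d.\n' "$domain" >&2
        exit 1
        ;;
    esac
  done
  if [[ "$email" == "your@email.com" ]]; then
    printf 'Error: replace the placeholder email in the script or pass -m EMAIL (use -m "" to register without one).\n' >&2
    exit 1
  fi
}
check_config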
# Forward an explicit compose file to every docker compose call below.
# Kept as a single string because the callers expand ${compose_file_arg}
# unquoted and rely on word-splitting, so a compose file path containing
# whitespace is not supported by this script.
compose_file_arg=${compose_file:+-f $compose_file}
# Ask before clobbering an existing certificate tree; anything other than
# y/Y aborts. Note that $domains expands to the first domain only.
if [[ -d "$data_path" ]]; then
  read -rp "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  case "$decision" in
    y | Y) ;;
    *) exit ;;
  esac
fi
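#######################################
# Download one file over HTTPS into a temporary file and rename it into place
# only when curl succeeded. Plain `curl -s` exits 0 on an HTTP error and
# writes the error page into the target; since the existence check below
# never re-downloads, nginx would then be left with a broken config forever.
# With -f the failure is reported and, under set -e, aborts the script.
# Arguments: $1 - https URL, $2 - destination path (its directory must exist)
# Outputs:   error on stderr
# Returns:   0 on success, 1 on failure
#######################################
fetch_tls_param() {
  local url=$1 target=$2 tmp
  tmp=$(mktemp "$target.XXXXXX") || return 1
  # --proto '=https' refuses any downgrade to plain http.
  if curl --proto '=https' --tlsv1.2 -fsS -- "$url" >"$tmp"; then
    mv -f -- "$tmp" "$target"
  else
    rm -f -- "$tmp"
    printf 'Error: failed to download %s\n' "$url" >&2
    return 1
  fi
}

# Fetch the recommended nginx TLS settings and DH parameters once.
# NOTE(review): these track certbot's master branch; pinning a release tag
# and checking a known digest would make this step reproducible.
if [[ ! -e "$data_path/conf/options-ssl-nginx.conf" || ! -e "$data_path/conf/ssl-dhparams.pem" ]]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  fetch_tls_param https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf "$data_path/conf/options-ssl-nginx.conf"
  fetch_tls_param https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem "$data_path/conf/ssl-dhparams.pem"
  echo
fi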
# Issue a one-day self-signed certificate under the same "all" lineage the
# real certificate will use, so nginx has key material to load on first start.
# $domains expands to the first domain only.
printf '%s\n' "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/all"
mkdir -p "$data_path/conf/live/all"
# The whole command is passed as one --entrypoint string and split into words
# by docker compose; the paths are single-quoted inside that string.
dummy_cert_cmd="openssl req -x509 -nodes -newkey rsa -days 1 \
-keyout '$path/privkey.pem' \
-out '$path/fullchain.pem' \
-subj '/CN=localhost'"
docker compose ${compose_file_arg} run --rm --entrypoint "$dummy_cert_cmd" certbot
printf '\n'
# Bring the stack up; nginx can now bind with the dummy certificate in place.
printf '%s\n' "### Starting docker compose ..."
docker compose ${compose_file_arg} up --force-recreate --no-deps -d
printf '\n'
# Remove the dummy lineage inside the certbot container before requesting the
# real certificate. $domains expands to the first domain only.
printf '%s\n' "### Deleting dummy certificate for $domains ..."
cleanup_cmd="rm -Rf /etc/letsencrypt/live/all && \
rm -Rf /etc/letsencrypt/archive/all && \
rm -Rf /etc/letsencrypt/renewal/all.conf"
docker compose ${compose_file_arg} run --rm --entrypoint "$cleanup_cmd" certbot
printf '\n'
# $domains expands to the first domain only.
printf '%s\n' "### Requesting Let's Encrypt certificate for $domains ..."

# The certbot flags are assembled as plain strings because the full command is
# handed to docker compose as a single --entrypoint value and word-split there.
domain_args=""
for domain in "${domains[@]}"; do
  domain_args+=" -d $domain"
done

# An empty email registers the account without a contact address.
if [[ -z "$email" ]]; then
  email_arg="--register-unsafely-without-email"
else
  email_arg="--email $email"
fi

# --staging keeps test runs away from the production rate limits.
staging_arg=""
if [[ "$staging" != "0" ]]; then
  staging_arg="--staging"
fi

# --force-renewal re-issues on every run of this script.
docker compose ${compose_file_arg} run --rm --entrypoint "\
certbot certonly --webroot -w /var/www/certbot \
${staging_arg} \
${email_arg} \
${domain_args} \
--cert-name all \
--rsa-key-size ${rsa_key_size} \
--agree-tos \
--force-renewal" certbot
printf '\n'
# Make the running nginx pick up the freshly issued certificate.
printf '%s\n' "### Reloading nginx ..."
docker compose ${compose_file_arg} exec nginx nginx -s reload