Initial commit
This commit is contained in:
commit
6236b65a8b
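--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 Philipp Schmieder
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.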
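--- /dev/null
+++ b/data/nginx/app.conf
@@ -0,0 +1,26 @@
+server {
+    listen 80;
+    server_name example.org;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name example.org;
+
+    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    location / {
+        proxy_pass http://example.org;
+    }
+}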
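Review bot: The redirect `return 301 https://$host$request_uri;` in the port-80 server builds its target from `$host`, which nginx takes from the client's Host header whenever one is sent, and since this is the only `listen 80` block it appears to be the default server for that port, so a request carrying a forged Host header is answered with a 301 to an attacker-chosen origin. Use the configured name instead: `return 301 https://$server_name$request_uri;` (or the literal `https://example.org$request_uri`); the ACME-challenge location stays ahead of it as it already does. Separately, `proxy_pass http://example.org;` is resolved once when the config is loaded and is evidently a placeholder; a comment such as `# replace with the upstream app, e.g. http://app:8080 - do not proxy to the public hostname` would keep copies of this template from looping back to themselves.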
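--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,17 @@
+version: '3'
+services:
+  nginx:
+    image: nginx:1.15-alpine
+    volumes:
+      - ./data/nginx:/etc/nginx/conf.d
+      - ./data/certbot/conf:/etc/letsencrypt
+      - ./data/certbot/www:/var/www/certbot
+    ports:
+      - "80:80"
+      - "443:443"
+  certbot:
+    image: certbot/certbot
+    volumes:
+      - ./data/certbot/conf:/etc/letsencrypt
+      - ./data/certbot/www:/var/www/certbot
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"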
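Review bot: The nginx service has no way to pick up renewed certificates: the certbot entrypoint only runs `certbot renew` every 12h with no deploy hook, and the nginx service, which reads `fullchain.pem`/`privkey.pem` when its config is loaded, has no `command` that reloads it, so renewed files on the shared `./data/certbot/conf` volume are not served until someone restarts the container and the certificate in use eventually expires. A periodic reload inside the nginx container fixes this without handing certbot the docker socket: `command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"`. nginx only needs to read the certificate directory and the ACME webroot, so mount them read-only (`- ./data/certbot/conf:/etc/letsencrypt:ro`, `- ./data/certbot/www:/var/www/certbot:ro`) so the internet-facing container cannot alter the private keys or the challenge files. `image: certbot/certbot` carries no tag and therefore floats on `latest`; pin it to a tag or digest the way the nginx image already is.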
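--- /dev/null
+++ b/init-letsencrypt.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+domains=( "example.org" "example.com" )
+rsa_key_size=4096
+data_path="./data/certbot"
+email="" #Adding a valid address is strongly recommended
+staging=0 #Set to 1 if you're just testing your setup to avoid hitting request limits
+
+echo "### Preparing directories in $data_path ..."
+rm -Rf "$data_path"
+mkdir -p "$data_path/www"
+mkdir -p "$data_path/conf/live/$domains"
+
+
+echo "### Creating dummy certificate ..."
+path="/etc/letsencrypt/live/$domains"
+mkdir -p "$path"
+docker-compose run --rm --entrypoint "\
+  openssl req -x509 -nodes -newkey rsa:1024 -days 1\
+    -keyout '$path/privkey.pem' \
+    -out '$path/fullchain.pem' \
+    -subj '/CN=localhost'" certbot
+
+
+echo "### Downloading recommended HTTPS parameters ..."
+curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
+curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
+
+
+echo "### Starting nginx ..."
+docker-compose up -d nginx
+
+
+echo "### Deleting dummy certificate ..."
+sudo rm -Rf "$data_path/conf/live"
+
+echo "### Downloading recommended TLS options ..."
+curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
+curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
+
+
+echo "### Requesting initial certificate ..."
+
+#Join $domains to -d args
+domain_args=""
+for domain in "${domains[@]}"; do
+  domain_args="$domain_args -d $domain"
+done
+
+#Select appropriate email arg
+case "$email" in
+  "") email_arg="--register-unsafely-without-email" ;;
+  *) email_arg="--email $email" ;;
+esac
+
+#Enable staging mode if needed
+if [ $staging != "0" ]; then staging_arg="--staging"; fi
+
+docker-compose run --rm --entrypoint "\
+  certbot certonly --webroot -w /var/www/certbot \
+    $staging_arg \
+    $email_arg \
+    $domain_args \
+    --rsa-key-size $rsa_key_size \
+    --agree-tos \
+    --force-renewal" certbot
+
+docker-compose stop nginx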
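Review bot: The four `curl -s https://raw.githubusercontent.com/certbot/certbot/master/... > "$data_path/conf/..."` lines have no `--fail` and the script never sets `set -e`, so a 404, a 5xx or a dropped connection writes an HTML error page or an empty file into `options-ssl-nginx.conf` and `ssl-dhparams.pem`, which nginx then `include`s and uses as `ssl_dhparam`; they also track the moving `master` branch, so the TLS protocol and cipher policy this deployment serves changes whenever upstream edits those files, with nothing pinning or verifying what was fetched. Add `set -euo pipefail` after the shebang and fetch with `curl -fsS -o "$data_path/conf/options-ssl-nginx.conf" "$url"` from a pinned release tag (or vendor the two files into the repo and review them on update); the second download block under `### Downloading recommended TLS options ...` repeats the first and can be dropped. `rm -Rf "$data_path"` near the top also silently destroys any existing certificates and ACME account data on a rerun, which then costs a fresh issuance against Let's Encrypt's rate limits; prompt before deleting when `$data_path/conf/live` already exists.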