From 73af7708a031cd9818765e0978b8f4c597b1997b Mon Sep 17 00:00:00 2001 From: Yaroslav Date: Wed, 28 Nov 2018 18:04:05 +0400 Subject: [PATCH 01/31] Code formatting --- .gitignore | 1 + init-letsencrypt.sh | 35 +++++++++++------------------------ 2 files changed, 12 insertions(+), 24 deletions(-) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..68f5d13 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +/data/certbot diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh index 330c38f..0504433 100644 --- a/init-letsencrypt.sh +++ b/init-letsencrypt.sh @@ -1,10 +1,10 @@ #!/bin/bash -domains=( "example.org" "example.com" ) +domains=( "example.com" "example.org" ) rsa_key_size=4096 data_path="./data/certbot" -email="" #Adding a valid address is strongly recommended -staging=0 #Set to 1 if you're just testing your setup to avoid hitting request limits +email="" # Adding a valid address is strongly recommended +staging=0 # Set to 1 if you're just testing your setup to avoid hitting request limits echo "### Preparing directories in $data_path ..." rm -Rf "$data_path" 
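Review bot: Reordering `domains=( "example.com" "example.org" )` is not purely cosmetic, because later lines use the array as a scalar (`mkdir -p "$data_path/conf/live/$domains"` and `path="/etc/letsencrypt/live/$domains"` in the next hunk), which expands to the first element only, so the placeholder lineage directory silently moves from `example.org` to `example.com`; if the nginx config still points at `live/example.org/`, nginx will not find the certificate it expects. A comment at the declaration, `# The first entry names the certificate lineage under /etc/letsencrypt/live/`, would make that dependency visible. Separately, the script runs under a bare `#!/bin/bash` with no `set -euo pipefail`, so a failing `rm -Rf` or docker-compose step does not stop the run; adding it under the shebang is cheap and catches the silent failures below.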
@@ -15,14 +15,11 @@ mkdir -p "$data_path/conf/live/$domains" echo "### Creating dummy certificate ..." path="/etc/letsencrypt/live/$domains" mkdir -p "$path" -docker-compose run --rm --entrypoint "\ - openssl req -x509 -nodes -newkey rsa:1024 -days 1\ - -keyout '$path/privkey.pem' \ - -out '$path/fullchain.pem' \ - -subj '/CN=localhost'" certbot +docker-compose run --rm --entrypoint "openssl req -x509 -nodes -newkey rsa:4096 \ + -days 10 -keyout '$path/privkey.pem' -out '$path/fullchain.pem' -subj '/CN=localhost'" certbot -echo "### Downloading recommended HTTPS parameters ..." +echo "### Downloading recommended TLS parameters ..." curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf" curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem" 
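Review bot: The rewritten placeholder command hard-codes `-newkey rsa:4096` although the file already defines `rsa_key_size=4096` for the real certificate, so the two can drift apart unnoticed; the throwaway key only has to let nginx start and is deleted a few lines later, so a large key merely slows the run down. Either reuse the variable or document the intent above the command, `# Throwaway self-signed cert so nginx can start; deleted once the real one is issued`. The `$path` value is also spliced into the `--entrypoint` string inside single quotes, so a domain containing whitespace or a quote would break the generated command; since `domains` is operator-edited at the top of this file that is a configuration hazard rather than an injection path, but it should be stated next to the variable.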
@@ -34,35 +31,25 @@ docker-compose up -d nginx echo "### Deleting dummy certificate ..." sudo rm -Rf "$data_path/conf/live" -echo "### Downloading recommended TLS options ..." -curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf" -curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem" - echo "### Requesting initial certificate ..." -#Join $domains to -d args +# Join $domains to -d args domain_args="" for domain in "${domains[@]}"; do domain_args="$domain_args -d $domain" done -#Select appropriate email arg +# Select appropriate email arg case "$email" in "") email_arg="--register-unsafely-without-email" ;; *) email_arg="--email $email" ;; esac -#Enable staging mode if needed +# Enable staging mode if needed if [ $staging != "0" ]; then staging_arg="--staging"; fi -docker-compose run --rm --entrypoint "\ - certbot certonly --webroot -w /var/www/certbot \ - $staging_arg \ - $email_arg \ - $domain_args \ - --rsa-key-size $rsa_key_size \ - --agree-tos \ - --force-renewal" certbot +docker-compose run --rm --entrypoint "certbot certonly --webroot -w /var/www/certbot $staging_arg $email_arg \ + $domain_args --rsa-key-size $rsa_key_size --agree-tos --force-renewal" certbot docker-compose stop nginx From 1504f3f899c6694030e7b3fc09a2589c9ab9f2f7 Mon Sep 17 00:00:00 2001 From: Yaroslav Date: Wed, 28 Nov 2018 20:01:49 +0400 Subject: [PATCH 02/31] A lot of changes Now you can simply add new domain to the certbot.sh and rerun script, other domains' certificates won't be touched You can now choose what to delete or not delete And other which is needed to be d --- certbot.sh | 69 +++++++++++++++++++++++++++++++++++++++++++++ init-letsencrypt.sh | 55 ------------------------------------ 2 files changed, 69 insertions(+), 55 deletions(-) create mode 100644 certbot.sh delete mode 100644 init-letsencrypt.sh 
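Review bot: The reformatted certbot invocation still assembles the whole command as one string that docker-compose re-splits on whitespace, so `$email_arg` (`--email $email`) and `$domain_args` are interpolated unquoted; an email or domain value containing spaces or quote characters is split into extra arguments or breaks the command. Because `email` and `domains` come from the operator-edited header of this file rather than from external input, the risk is misconfiguration, but that constraint belongs next to those variables, e.g. `# No spaces or quotes: values are interpolated into a shell command string below`. The unquoted `[ $staging != "0" ]` in the same hunk has the same shape and errors out with an empty `staging`; `[ "$staging" != "0" ]` fixes it.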
diff --git a/certbot.sh b/certbot.sh new file mode 100644 index 0000000..e365c84 --- /dev/null +++ b/certbot.sh 
@@ -0,0 +1,69 @@ +#!/bin/bash + +domains=(example.com example.org) +rsa_key_size=4096 +data_path="./data/certbot" +email="" # Adding a valid address is strongly recommended +staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits + +echo "### Preparing directories in $data_path ..." +if [ -d "$data_path" ]; then + read -p "There is already folder with certbot data, do you want to remove it? (WARNING: removing folder will remove all data which is stored in the $data_path) (Y/n) " decision + case $decision in + [Y]* ) rm -rf "$data_path";; + [n]* ) ;; + * ) echo "Please choose the right variant (Y/n).";; + esac +fi +mkdir -p "$data_path/www" +mkdir -p "$data_path/conf" + + +if [ ! -f "$data_path/conf/options-ssl-nginx.conf" && "$data_path/conf/ssl-dhparams.pem"]; then + echo "### Downloading recommended TLS parameters ..." + curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf" + curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem" +fi + + +for domain in "${domains[@]}"; do + if [ -d "$data_path/conf/live/$domain" ]; then + path="/etc/letsencrypt/live/$domain" + + read -p "There is already folder with $domain domain data, do you want to remove it? (WARNING: removing folder will remove all certbot data for this domain) (Y/n) " decision + case $decision in + [Y]* ) rm -rf "$data_path/conf/live/$domain" && mkdir -p "$data_path/conf/live/$domain" \ + && docker-compose run --rm --entrypoint "openssl req -x509 -nodes -newkey rsa:4096 \ + -days 10 -keyout '$path/privkey.pem' -out '$path/fullchain.pem' -subj '/CN=localhost'" certbot;; + [n]* ) domains=(${domains[@]/$domain});; + * ) echo "Please choose the right variant (Y/n).";; + esac + else + mkdir -p "$data_path/conf/live/$domain" + fi +done + + +echo "### Starting nginx ..." 
+docker-compose up -d nginx + + +# Select appropriate email arg +case "$email" in + "") email_arg="--register-unsafely-without-email" ;; + *) email_arg="--email $email" ;; +esac + +# Enable staging mode if needed +if [ $staging != "0" ]; then staging_arg="--staging"; fi + +for domain in "${domains[@]}"; do + echo "### Deleting dummy certificate of $domain domain..." + rm -rf "$data_path/conf/live/$domain" + + echo "### Requesting Let's Encrypt certificate for $domain domain ..." + docker-compose run --rm --entrypoint "certbot certonly --webroot -w /var/www/certbot -d $domain \ + $staging_arg $email_arg --rsa-key-size $rsa_key_size --agree-tos --force-renewal" certbot +done + +docker-compose stop nginx diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh deleted file mode 100644 index 0504433..0000000 --- a/init-letsencrypt.sh +++ /dev/null 
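Review bot: Both downloads in the new file are `curl -s URL > file` with no `-f`/`--fail`, so an HTTP error or network failure leaves an empty or HTML-filled `options-ssl-nginx.conf` / `ssl-dhparams.pem` under `$data_path/conf`, which nginx will then try to load as its TLS configuration; use `curl -fsS URL -o FILE || exit 1` for each, and consider pinning the upstream ref instead of `master`, since the TLS parameters are fetched from a moving branch. The same two lines survive unchanged into PATCH 03, 07 and 24. Separately, `[n]* ) domains=(${domains[@]/$domain});;` drops the declined domain by pattern substitution on every element while the loop is still iterating over that array: `$domain` acts as an unquoted glob, a domain that is a suffix of another (`example.com` vs `www.example.com`) leaves `www.` behind, and the result is word-split; `unset 'domains[i]'` by index, or collecting the kept domains into a new array, avoids all three. The `* )` arm only prints `Please choose the right variant (Y/n).` and then continues, so an unexpected answer is treated as "keep".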
@@ -1,55 +0,0 @@ -#!/bin/bash - -domains=( "example.com" "example.org" ) -rsa_key_size=4096 -data_path="./data/certbot" -email="" # Adding a valid address is strongly recommended -staging=0 # Set to 1 if you're just testing your setup to avoid hitting request limits - -echo "### Preparing directories in $data_path ..." -rm -Rf "$data_path" -mkdir -p "$data_path/www" -mkdir -p "$data_path/conf/live/$domains" - - -echo "### Creating dummy certificate ..." -path="/etc/letsencrypt/live/$domains" -mkdir -p "$path" -docker-compose run --rm --entrypoint "openssl req -x509 -nodes -newkey rsa:4096 \ - -days 10 -keyout '$path/privkey.pem' -out '$path/fullchain.pem' -subj '/CN=localhost'" certbot - - -echo "### Downloading recommended TLS parameters ..." -curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf" -curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem" - - -echo "### Starting nginx ..." -docker-compose up -d nginx - - -echo "### Deleting dummy certificate ..." -sudo rm -Rf "$data_path/conf/live" - - -echo "### Requesting initial certificate ..." - -# Join $domains to -d args -domain_args="" -for domain in "${domains[@]}"; do - domain_args="$domain_args -d $domain" -done - -# Select appropriate email arg -case "$email" in - "") email_arg="--register-unsafely-without-email" ;; - *) email_arg="--email $email" ;; -esac - -# Enable staging mode if needed -if [ $staging != "0" ]; then staging_arg="--staging"; fi - -docker-compose run --rm --entrypoint "certbot certonly --webroot -w /var/www/certbot $staging_arg $email_arg \ - $domain_args --rsa-key-size $rsa_key_size --agree-tos --force-renewal" certbot - -docker-compose stop nginx From a703ce0d43243645288d4244b3c38fd70775df94 Mon Sep 17 00:00:00 2001 
From: Yaroslav Date: Wed, 28 Nov 2018 20:11:05 +0400 Subject: [PATCH 03/31] Fixes are on the way --- certbot.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/certbot.sh b/certbot.sh index e365c84..7d3366c 100644 --- a/certbot.sh +++ b/certbot.sh @@ -19,7 +19,7 @@ mkdir -p "$data_path/www" mkdir -p "$data_path/conf" -if [ ! -f "$data_path/conf/options-ssl-nginx.conf" && "$data_path/conf/ssl-dhparams.pem"]; then +if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] && [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then echo "### Downloading recommended TLS parameters ..." curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf" curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem" @@ -58,7 +58,7 @@ esac if [ $staging != "0" ]; then staging_arg="--staging"; fi for domain in "${domains[@]}"; do - echo "### Deleting dummy certificate of $domain domain..." + echo "### Deleting dummy certificate for $domain domain ..." rm -rf "$data_path/conf/live/$domain" echo "### Requesting Let's Encrypt certificate for $domain domain ..." From d894c1f38b942d1ee9c466b8f50685f135901ce3 Mon Sep 17 00:00:00 2001 From: Yaroslav Date: Wed, 28 Nov 2018 20:33:55 +0400 Subject: [PATCH 04/31] Fixed issue with self-signed certs --- certbot.sh | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/certbot.sh b/certbot.sh index 7d3366c..1e829ce 100644 --- a/certbot.sh +++ b/certbot.sh 
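Review bot: The corrected condition `[ ! -e A ] && [ ! -e B ]` downloads only when both files are missing, so if just one of `options-ssl-nginx.conf` or `ssl-dhparams.pem` is absent (for example after an interrupted earlier download) nothing is fetched and nginx later fails on the missing file; the intent reads as "download if either is missing", which is `||`. One line: `if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then`.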
@@ -32,9 +32,7 @@ for domain in "${domains[@]}"; do read -p "There is already folder with $domain domain data, do you want to remove it? (WARNING: removing folder will remove all certbot data for this domain) (Y/n) " decision case $decision in - [Y]* ) rm -rf "$data_path/conf/live/$domain" && mkdir -p "$data_path/conf/live/$domain" \ - && docker-compose run --rm --entrypoint "openssl req -x509 -nodes -newkey rsa:4096 \ - -days 10 -keyout '$path/privkey.pem' -out '$path/fullchain.pem' -subj '/CN=localhost'" certbot;; + [Y]* ) rm -rf "$data_path/conf/live/$domain" && mkdir -p "$data_path/conf/live/$domain";; [n]* ) domains=(${domains[@]/$domain});; * ) echo "Please choose the right variant (Y/n).";; esac @@ -58,6 +56,13 @@ esac if [ $staging != "0" ]; then staging_arg="--staging"; fi for domain in "${domains[@]}"; do + echo "### Creating dummy certificate for $domain domain..." + + path="/etc/letsencrypt/live/$domain" + mkdir -p "$path" + docker-compose run --rm --entrypoint "openssl req -x509 -nodes -newkey rsa:4096 \ + -days 10 -keyout '$path/privkey.pem' -out '$path/fullchain.pem' -subj '/CN=localhost'" certbot + echo "### Deleting dummy certificate for $domain domain ..." rm -rf "$data_path/conf/live/$domain" From 092f47b5676c61ba55b1e6d239d4e6552e7c975f Mon Sep 17 00:00:00 2001 From: Yaroslav Date: Wed, 28 Nov 2018 20:35:59 +0400 Subject: [PATCH 05/31] Some changes --- certbot.sh | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/certbot.sh b/certbot.sh index 1e829ce..57e6a51 100644 --- a/certbot.sh +++ b/certbot.sh @@ -28,8 +28,6 @@ fi for domain in "${domains[@]}"; do if [ -d "$data_path/conf/live/$domain" ]; then - path="/etc/letsencrypt/live/$domain" - read -p "There is already folder with $domain domain data, do you want to remove it? (WARNING: removing folder will remove all certbot data for this domain) (Y/n) " decision case $decision in [Y]* ) rm -rf "$data_path/conf/live/$domain" && mkdir -p "$data_path/conf/live/$domain";; 
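Review bot: In the second hunk of PATCH 04, `mkdir -p "$path"` runs on the host with `path="/etc/letsencrypt/live/$domain"`, which is the container-side path: it creates a stray directory under the host's `/etc/letsencrypt` (and needs root to do so) instead of the bind-mounted `$data_path/conf/live/$domain` that the openssl call inside the container actually writes into. The host-visible equivalent is `mkdir -p "$data_path/conf/live/$domain"`, which the earlier prompt loop already creates, so the line can go. As far as the surrounding lines show, this loop also runs after `docker-compose up -d nginx` has already been issued, so on a first run nginx is started before any placeholder certificate exists.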
@@ -42,10 +40,6 @@ for domain in "${domains[@]}"; do done -echo "### Starting nginx ..." -docker-compose up -d nginx - - # Select appropriate email arg case "$email" in "") email_arg="--register-unsafely-without-email" ;; @@ -63,6 +57,9 @@ for domain in "${domains[@]}"; do docker-compose run --rm --entrypoint "openssl req -x509 -nodes -newkey rsa:4096 \ -days 10 -keyout '$path/privkey.pem' -out '$path/fullchain.pem' -subj '/CN=localhost'" certbot + echo "### Starting nginx ..." + docker-compose up -d nginx + echo "### Deleting dummy certificate for $domain domain ..." rm -rf "$data_path/conf/live/$domain" From 6e3f21d4b09b4a901ef8f7e1cd5f8cd3d52951b6 Mon Sep 17 00:00:00 2001 From: Yaroslav Date: Wed, 28 Nov 2018 20:43:17 +0400 Subject: [PATCH 06/31] Final fixes are on the way --- certbot.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/certbot.sh b/certbot.sh index 57e6a51..e18ca0f 100644 --- a/certbot.sh +++ b/certbot.sh @@ -53,7 +53,6 @@ for domain in "${domains[@]}"; do echo "### Creating dummy certificate for $domain domain..." path="/etc/letsencrypt/live/$domain" - mkdir -p "$path" docker-compose run --rm --entrypoint "openssl req -x509 -nodes -newkey rsa:4096 \ -days 10 -keyout '$path/privkey.pem' -out '$path/fullchain.pem' -subj '/CN=localhost'" certbot @@ -67,5 +66,3 @@ for domain in "${domains[@]}"; do docker-compose run --rm --entrypoint "certbot certonly --webroot -w /var/www/certbot -d $domain \ $staging_arg $email_arg --rsa-key-size $rsa_key_size --agree-tos --force-renewal" certbot done - -docker-compose stop nginx From 71470dc0f90c1fed18fbb8c7a3ca1f5698ade07f Mon Sep 17 00:00:00 2001 From: unimariJo Citorijawa <18367979+unimariJo@users.noreply.github.com> Date: Wed, 28 Nov 2018 19:59:46 +0300 Subject: [PATCH 07/31] Code formatting --- certbot.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/certbot.sh b/certbot.sh index e18ca0f..12912ab 100644 --- a/certbot.sh +++ b/certbot.sh 
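Review bot: Moving `docker-compose up -d nginx` into the per-domain loop (second hunk of PATCH 05) starts nginx during the first iteration, when only the first domain has a placeholder certificate; if the nginx config references certificate files for the other domains, the container fails to start, and on later iterations `up -d` is a no-op against an already-running container so the newly generated placeholders are never picked up. Generate the placeholders for every domain first and start nginx once afterwards; the loop that deletes them and requests real certificates can stay per-domain.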
@@ -10,17 +10,16 @@ echo "### Preparing directories in $data_path ..." if [ -d "$data_path" ]; then read -p "There is already folder with certbot data, do you want to remove it? (WARNING: removing folder will remove all data which is stored in the $data_path) (Y/n) " decision case $decision in - [Y]* ) rm -rf "$data_path";; + [Y]* ) rm -rf "$data_path" && mkdir -p "$data_path";; [n]* ) ;; * ) echo "Please choose the right variant (Y/n).";; esac fi -mkdir -p "$data_path/www" -mkdir -p "$data_path/conf" if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] && [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then echo "### Downloading recommended TLS parameters ..." + mkdir -p "$data_path/conf" curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf" curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem" fi @@ -63,6 +62,7 @@ for domain in "${domains[@]}"; do rm -rf "$data_path/conf/live/$domain" echo "### Requesting Let's Encrypt certificate for $domain domain ..." + mkdir -p "$data_path/www" docker-compose run --rm --entrypoint "certbot certonly --webroot -w /var/www/certbot -d $domain \ $staging_arg $email_arg --rsa-key-size $rsa_key_size --agree-tos --force-renewal" certbot done From d3485b19bb233ea3cf64442b8f0e3bb1e1105bce Mon Sep 17 00:00:00 2001 From: Yaroslav Date: Thu, 29 Nov 2018 18:37:17 +0400 Subject: [PATCH 08/31] Firstly: generate dummy self-signed certs for ALL domains and only then start nginx --- certbot.sh | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/certbot.sh b/certbot.sh index e18ca0f..3bd0705 100644 --- a/certbot.sh +++ b/certbot.sh 
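Review bot: `mkdir -p "$data_path/conf"` now lives inside the download conditional, so the directory is only created on the path where a TLS parameter file is missing; this happens to work because the later `mkdir -p "$data_path/conf/live/$domain"` creates it anyway, but the coupling is easy to break and deserves a comment, e.g. `# conf/ is also created by the per-domain mkdir below`. The new `[Y]* ) rm -rf "$data_path" && mkdir -p "$data_path";;` arm deletes a path taken from a variable with no empty-value guard; `rm -rf "${data_path:?}"` costs nothing and protects against a future edit that leaves `data_path` unset.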
@@ -40,6 +40,17 @@ for domain in "${domains[@]}"; do done +for domain in "${domains[@]}"; do + echo "### Creating dummy certificate for $domain domain..." + + path="/etc/letsencrypt/live/$domain" + docker-compose run --rm --entrypoint "openssl req -x509 -nodes -newkey rsa:4096 \ + -days 10 -keyout '$path/privkey.pem' -out '$path/fullchain.pem' -subj '/CN=localhost'" certbot +done + +echo "### Starting nginx ..." +docker-compose up -d nginx + # Select appropriate email arg case "$email" in "") email_arg="--register-unsafely-without-email" ;; @@ -50,15 +61,6 @@ esac if [ $staging != "0" ]; then staging_arg="--staging"; fi for domain in "${domains[@]}"; do - echo "### Creating dummy certificate for $domain domain..." - - path="/etc/letsencrypt/live/$domain" - docker-compose run --rm --entrypoint "openssl req -x509 -nodes -newkey rsa:4096 \ - -days 10 -keyout '$path/privkey.pem' -out '$path/fullchain.pem' -subj '/CN=localhost'" certbot - - echo "### Starting nginx ..." - docker-compose up -d nginx - echo "### Deleting dummy certificate for $domain domain ..." rm -rf "$data_path/conf/live/$domain" From 18fb999c2954563bacd1c720cfd04a90e215e114 Mon Sep 17 00:00:00 2001 From: Yaroslav Date: Thu, 29 Nov 2018 18:41:19 +0400 Subject: [PATCH 09/31] Reload nginx after getting new LetsEncrypt certificate --- certbot.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/certbot.sh b/certbot.sh index 537c0c6..7cb7f38 100644 --- a/certbot.sh +++ b/certbot.sh @@ -67,4 +67,5 @@ for domain in "${domains[@]}"; do mkdir -p "$data_path/www" docker-compose run --rm --entrypoint "certbot certonly --webroot -w /var/www/certbot -d $domain \ $staging_arg $email_arg --rsa-key-size $rsa_key_size --agree-tos --force-renewal" certbot + docker-compose exec nginx "/bin/sh -c 'nginx -s reload'" done From 04786e797e39dc808496678f8d2bf20491221237 Mon Sep 17 00:00:00 2001 
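Review bot: In PATCH 09, `docker-compose exec nginx "/bin/sh -c 'nginx -s reload'"` passes the whole quoted string as a single argument, so docker tries to execute a binary literally named `/bin/sh -c 'nginx -s reload'` inside the container and the reload never happens; the words must be separate arguments, `docker-compose exec nginx nginx -s reload`. Because the script has no `set -e`, the failing exec also goes unnoticed, which is a reason to append `|| exit 1` once the command is fixed.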
From: Yaroslav Date: Thu, 29 Nov 2018 18:50:04 +0400 Subject: [PATCH 10/31] Oops.. Fixed the docker-compose command --- certbot.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/certbot.sh b/certbot.sh index 7cb7f38..f80370d 100644 --- a/certbot.sh +++ b/certbot.sh @@ -67,5 +67,5 @@ for domain in "${domains[@]}"; do mkdir -p "$data_path/www" docker-compose run --rm --entrypoint "certbot certonly --webroot -w /var/www/certbot -d $domain \ $staging_arg $email_arg --rsa-key-size $rsa_key_size --agree-tos --force-renewal" certbot - docker-compose exec nginx "/bin/sh -c 'nginx -s reload'" + docker-compose exec nginx nginx -s reload done From 2c9169d95ec3959219ed0467c950c944c12c2cfb Mon Sep 17 00:00:00 2001 From: Yaroslav Date: Thu, 29 Nov 2018 18:56:59 +0400 Subject: [PATCH 11/31] Executing nginx reload only after everything --- certbot.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/certbot.sh b/certbot.sh index f80370d..f711a95 100644 --- a/certbot.sh +++ b/certbot.sh @@ -67,5 +67,6 @@ for domain in "${domains[@]}"; do mkdir -p "$data_path/www" docker-compose run --rm --entrypoint "certbot certonly --webroot -w /var/www/certbot -d $domain \ $staging_arg $email_arg --rsa-key-size $rsa_key_size --agree-tos --force-renewal" certbot - docker-compose exec nginx nginx -s reload done + +docker-compose exec nginx nginx -s reload From be72750afaaf6323943f1cd868dec1dd7f58d4a7 Mon Sep 17 00:00:00 2001 From: Yaroslav Date: Thu, 29 Nov 2018 19:12:31 +0400 Subject: [PATCH 12/31] Small change --- certbot.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/certbot.sh b/certbot.sh index f711a95..04456b2 100644 --- a/certbot.sh +++ b/certbot.sh @@ -48,7 +48,8 @@ for domain in "${domains[@]}"; do done echo "### Starting nginx ..." -docker-compose up -d nginx +# Restarting for case if nginx container is already started +docker-compose start nginx && docker-compose restart nginx # Select appropriate email arg case "$email" in 
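Review bot: In PATCH 11 the final `docker-compose exec nginx nginx -s reload` runs regardless of whether the certbot requests in the loop succeeded, and earlier in that loop (outside this hunk) each domain's placeholder has already been removed with `rm -rf "$data_path/conf/live/$domain"` before the request is made; a failed issuance therefore leaves no certificate on disk, the reload fails its config test, and nginx keeps serving the dummy certificate from memory with no error surfaced by the script. Checking the certbot exit status inside the loop, `... --force-renewal" certbot || exit 1`, makes the failure visible before the reload. The single-certificate rewrite in PATCH 26 has the same gap.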
From 2a0b0c5bf210ca2881c5933e0fe8756427945344 Mon Sep 17 00:00:00 2001 From: Yaroslav Date: Thu, 29 Nov 2018 19:15:33 +0400 Subject: [PATCH 13/31] Fixed the issue with up -d --- certbot.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/certbot.sh b/certbot.sh index 04456b2..a6540a1 100644 --- a/certbot.sh +++ b/certbot.sh @@ -49,7 +49,7 @@ done echo "### Starting nginx ..." # Restarting for case if nginx container is already started -docker-compose start nginx && docker-compose restart nginx +docker-compose up -d nginx && docker-compose restart nginx # Select appropriate email arg case "$email" in From 38c07f2fcb1aaa8f3db1f626a2bd89f598ff63c5 Mon Sep 17 00:00:00 2001 From: Yaroslav Date: Thu, 29 Nov 2018 20:30:39 +0400 Subject: [PATCH 14/31] Switched back to 1024 RSA & renamed certbot.sh -> init-letsencrypt.sh It is useless to use RSA 4096 self-signed certificate because it will be removed --- certbot.sh => init-letsencrypt.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename certbot.sh => init-letsencrypt.sh (95%) diff --git a/certbot.sh b/init-letsencrypt.sh similarity index 95% rename from certbot.sh rename to init-letsencrypt.sh index a6540a1..30cf9ae 100644 --- a/certbot.sh +++ b/init-letsencrypt.sh @@ -43,8 +43,8 @@ for domain in "${domains[@]}"; do echo "### Creating dummy certificate for $domain domain..." path="/etc/letsencrypt/live/$domain" - docker-compose run --rm --entrypoint "openssl req -x509 -nodes -newkey rsa:4096 \ - -days 10 -keyout '$path/privkey.pem' -out '$path/fullchain.pem' -subj '/CN=localhost'" certbot + docker-compose run --rm --entrypoint "openssl req -x509 -nodes -newkey rsa:1024 \ + -days 1 -keyout '$path/privkey.pem' -out '$path/fullchain.pem' -subj '/CN=localhost'" certbot done echo "### Starting nginx ..." From a85799cfa75acc259be5b08310b76aa0d4fe15f5 Mon Sep 17 00:00:00 2001 
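Review bot: PATCH 14 switches the placeholder back to `rsa:1024` and `-days 1` without saying in the code why it deliberately uses weaker parameters than `rsa_key_size`; the rationale lives only in the commit message, so the next reader is likely to "fix" it again. A comment above the command, `# Throwaway self-signed cert, only needed so nginx can start; it is deleted and replaced below`, closes that loop. Some OpenSSL builds reject 1024-bit keys at stricter default security levels, which is worth remembering if the certbot image changes; nothing on this page shows which OpenSSL that image ships.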
From: Yaroslav Date: Tue, 18 Dec 2018 00:01:41 +0400 Subject: [PATCH 15/31] Add error when init-letsencrypt.sh runs doesn't run as root --- init-letsencrypt.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh index 30cf9ae..6cbb67f 100644 --- a/init-letsencrypt.sh +++ b/init-letsencrypt.sh @@ -6,6 +6,11 @@ data_path="./data/certbot" email="" # Adding a valid address is strongly recommended staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits +if [ "$EUID" -ne 0 ]; then + echo "Please run init-letsencrypt.sh as root." && exit +fi + + echo "### Preparing directories in $data_path ..." if [ -d "$data_path" ]; then read -p "There is already folder with certbot data, do you want to remove it? (WARNING: removing folder will remove all data which is stored in the $data_path) (Y/n) " decision From c6959851b5ef0dfc5208bf4e5b5468a54a61a9c3 Mon Sep 17 00:00:00 2001 From: Yaroslav Date: Tue, 18 Dec 2018 12:54:17 +0400 Subject: [PATCH 16/31] Add restart policy to containers --- docker-compose.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docker-compose.yml b/docker-compose.yml index ed189d2..8ca4618 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,6 +2,7 @@ version: '3' services: nginx: image: nginx:1.15-alpine + restart: unless-stopped volumes: - ./data/nginx:/etc/nginx/conf.d - ./data/certbot/conf:/etc/letsencrypt @@ -12,6 +13,7 @@ services: command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'" certbot: image: certbot/certbot + restart: unless-stopped volumes: - ./data/certbot/conf:/etc/letsencrypt - ./data/certbot/www:/var/www/certbot From 026ec403df62c4ffb5e0c14e00dd9b53f8eee98f Mon Sep 17 00:00:00 2001 
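Review bot: `echo "Please run init-letsencrypt.sh as root." && exit` aborts with status 0 and prints the diagnostic to stdout, so a wrapper or CI job cannot distinguish the refusal from a successful run; write `echo "Please run init-letsencrypt.sh as root." >&2; exit 1`. Using `$EUID` is fine under the `#!/bin/bash` shebang but is not POSIX, so this check ties the script to bash.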
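Review bot: `restart: unless-stopped` is added to the certbot service whose command or entrypoint is outside this hunk; if that service runs certbot as a one-shot process rather than a long-lived loop, the policy makes Docker restart it continuously after every exit. Worth confirming against the service definition and recording the intent next to the policy, e.g. `# keeps the renewal loop alive across reboots`.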
From: unimariJo Citorijawa Date: Sun, 23 Dec 2018 00:10:02 +0400 Subject: [PATCH 17/31] Add some nginx headers Thanks @robsalasco! I added this headers because saw your fork and thought that it will be pretty good to have these headers by default. --- data/nginx/app.conf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/data/nginx/app.conf b/data/nginx/app.conf index cd90438..f51fcd4 100644 --- a/data/nginx/app.conf +++ b/data/nginx/app.conf @@ -21,6 +21,9 @@ server { ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; location / { - proxy_pass http://example.org; + proxy_pass http://example.org; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } From efad3c0524bb990dc359f78ebd203042ea26c863 Mon Sep 17 00:00:00 2001 From: Yaroslav Date: Sun, 23 Dec 2018 14:34:10 +0400 Subject: [PATCH 18/31] Improved nginx security by default --- data/nginx/app.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/data/nginx/app.conf b/data/nginx/app.conf index f51fcd4..52dc0e7 100644 --- a/data/nginx/app.conf +++ b/data/nginx/app.conf @@ -1,6 +1,7 @@ server { listen 80; server_name example.org; + server_tokens off; location /.well-known/acme-challenge/ { root /var/www/certbot; @@ -14,6 +15,7 @@ server { server { listen 443 ssl; server_name example.org; + server_tokens off; ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; From d5dd11613ec0d569a1ce245e9b829e34ebc0e89f Mon Sep 17 00:00:00 2001 From: Yaroslav Date: Sun, 23 Dec 2018 14:36:58 +0400 Subject: [PATCH 19/31] Add whitespace to docker-compose LOL --- docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-compose.yml b/docker-compose.yml index 8ca4618..9615cc1 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,4 +1,5 @@ version: '3' + services: nginx: image: nginx:1.15-alpine 
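Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends the client address to whatever `X-Forwarded-For` the client already sent, so the upstream must take the last entry (or this edge must strip the incoming header) if it uses the value for access decisions or logging; likewise `proxy_set_header Host $http_host;` forwards the client-supplied Host verbatim, which is empty for HTTP/1.0 requests, whereas `$host` falls back to the server name. Both are acceptable for a template but deserve a comment, e.g. `# X-Forwarded-For is client-controlled up to the last hop; upstream must not trust earlier entries`.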
From cd61ed525548bf9f75fcd36b083b32f9b12b987c Mon Sep 17 00:00:00 2001 From: Yaroslav Date: Sun, 23 Dec 2018 14:47:29 +0400 Subject: [PATCH 20/31] Root privileges are now optional --- init-letsencrypt.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh index 6cbb67f..106aaf6 100644 --- a/init-letsencrypt.sh +++ b/init-letsencrypt.sh @@ -7,7 +7,12 @@ email="" # Adding a valid address is strongly recommended staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits if [ "$EUID" -ne 0 ]; then - echo "Please run init-letsencrypt.sh as root." && exit + read -p "You executed this script without root privileges, do you want to continue? (WARNING: script won't be able to delete generated Let's Encrypt TLS certificates) (Y/n) " decision + case $decision in + [Y]* ) ;; + [n]* ) exit;; + * ) echo "Please choose the right variant (Y/n).";; + esac fi From 4bba9042d7982f2ac5cfee54632c762724cce2dc Mon Sep 17 00:00:00 2001 From: Yaroslav Date: Sun, 23 Dec 2018 14:50:09 +0400 Subject: [PATCH 21/31] Fix grammar --- init-letsencrypt.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh index 106aaf6..9073664 100644 --- a/init-letsencrypt.sh +++ b/init-letsencrypt.sh @@ -7,7 +7,7 @@ email="" # Adding a valid address is strongly recommended staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits if [ "$EUID" -ne 0 ]; then - read -p "You executed this script without root privileges, do you want to continue? (WARNING: script won't be able to delete generated Let's Encrypt TLS certificates) (Y/n) " decision + read -p "You ran this script without root privileges, do you want to continue? (WARNING: script won't be able to delete generated by Let's Encrypt TLS certificates) (Y/n) " decision case $decision in [Y]* ) ;; [n]* ) exit;; From 4de77dc45da119114aaa469590029a6c75743232 Mon Sep 17 00:00:00 2001 
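Review bot: In the new non-root prompt, the `* )` arm prints `Please choose the right variant (Y/n).` and then falls out of the `case`, so any answer other than something starting with `Y` or `n` (including just pressing Enter, which the `(Y/n)` convention suggests is the default) continues as if the user had accepted; `[n]* ) exit;;` also exits with status 0. Treat anything but an explicit yes as abort, `* ) echo "Please choose the right variant (Y/n)." >&2; exit 1;;`, or loop until a valid answer arrives. The data-directory prompt further down has the same fall-through.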
From: Philipp Date: Tue, 1 Jan 2019 21:58:57 +0100 Subject: [PATCH 22/31] Change default domains to example.com/www.example.com This should make it clearer that init-letsencrypt creates *one* certificate for all domains --- init-letsencrypt.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh index 9073664..79869cf 100644 --- a/init-letsencrypt.sh +++ b/init-letsencrypt.sh @@ -1,6 +1,6 @@ #!/bin/bash -domains=(example.com example.org) +domains=(example.com www.example.com) rsa_key_size=4096 data_path="./data/certbot" email="" # Adding a valid address is strongly recommended From b76f6f7feb5a9e0270ebe6306d2c5a522d5f9889 Mon Sep 17 00:00:00 2001 From: Philipp Date: Tue, 1 Jan 2019 22:05:43 +0100 Subject: [PATCH 23/31] Ask for confirmation to replace existing data only once --- init-letsencrypt.sh | 21 ++++----------------- 1 file changed, 4 insertions(+), 17 deletions(-) diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh index 79869cf..4729015 100644 --- a/init-letsencrypt.sh +++ b/init-letsencrypt.sh 
@@ -6,24 +6,11 @@ data_path="./data/certbot" email="" # Adding a valid address is strongly recommended staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits -if [ "$EUID" -ne 0 ]; then - read -p "You ran this script without root privileges, do you want to continue? (WARNING: script won't be able to delete generated by Let's Encrypt TLS certificates) (Y/n) " decision - case $decision in - [Y]* ) ;; - [n]* ) exit;; - * ) echo "Please choose the right variant (Y/n).";; - esac -fi - - -echo "### Preparing directories in $data_path ..." if [ -d "$data_path" ]; then - read -p "There is already folder with certbot data, do you want to remove it? (WARNING: removing folder will remove all data which is stored in the $data_path) (Y/n) " decision - case $decision in - [Y]* ) rm -rf "$data_path" && mkdir -p "$data_path";; - [n]* ) ;; - * ) echo "Please choose the right variant (Y/n).";; - esac + read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision + if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then + exit + fi fi From 341ae11626258e8c4cec79f0f594ab399b63dabc Mon Sep 17 00:00:00 2001 From: Philipp Date: Tue, 1 Jan 2019 22:06:23 +0100 Subject: [PATCH 24/31] Use || operator to check if *either* TLS parameter file is missing --- init-letsencrypt.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh index 4729015..e59f65f 100644 --- a/init-letsencrypt.sh +++ b/init-letsencrypt.sh 
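Review bot: The new confirmation tests `-d "$data_path"`, the whole data directory, while the message says `Existing data found for $domains`; the directory also exists after a run that only fetched the TLS parameter files or was interrupted before issuance, so the prompt fires when there is no certificate to replace. Testing the lineage the script is about to delete, `if [ -d "$data_path/conf/live/$domains" ]; then`, matches the wording. This hunk also drops the root check entirely; with no `set -e`, a later host-side `rm` of root-owned files would fail silently, so the unprivileged deletion path needs confirming (PATCH 26 moves the deletion into the container).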
@@ -14,7 +14,7 @@ if [ -d "$data_path" ]; then fi -if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] && [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then +if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then echo "### Downloading recommended TLS parameters ..." mkdir -p "$data_path/conf" curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf" From 07f113d3d8375b73d313d940002f99273b6f1173 Mon Sep 17 00:00:00 2001 From: Philipp Date: Tue, 1 Jan 2019 22:07:00 +0100 Subject: [PATCH 25/31] Add newline for output clarity --- init-letsencrypt.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh index e59f65f..0e2ad52 100644 --- a/init-letsencrypt.sh +++ b/init-letsencrypt.sh @@ -19,6 +19,7 @@ if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ mkdir -p "$data_path/conf" curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf" curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem" + echo fi From 94c73dbf3f1b819feff469595c05eb8d3d3a93d9 Mon Sep 17 00:00:00 2001 From: Philipp Date: Tue, 1 Jan 2019 22:10:24 +0100 Subject: [PATCH 26/31] Request only one certificate for all domains --- init-letsencrypt.sh | 58 +++++++++++++++++++++++---------------------- 1 file changed, 30 insertions(+), 28 deletions(-) diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh index 0e2ad52..463edc9 100644 --- a/init-letsencrypt.sh +++ b/init-letsencrypt.sh 
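Review bot: With `||` the block now re-downloads both files whenever either is missing, so an operator-customized `options-ssl-nginx.conf` is overwritten if only `ssl-dhparams.pem` has gone missing; fetching each file under its own `[ ! -e ... ]` test keeps the two independent. The downloads themselves remain `curl -s ... > file` without `-f`, see the note on PATCH 02.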
@@ -22,32 +22,34 @@ if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ echo fi - -for domain in "${domains[@]}"; do - if [ -d "$data_path/conf/live/$domain" ]; then - read -p "There is already folder with $domain domain data, do you want to remove it? (WARNING: removing folder will remove all certbot data for this domain) (Y/n) " decision - case $decision in - [Y]* ) rm -rf "$data_path/conf/live/$domain" && mkdir -p "$data_path/conf/live/$domain";; - [n]* ) domains=(${domains[@]/$domain});; - * ) echo "Please choose the right variant (Y/n).";; - esac - else - mkdir -p "$data_path/conf/live/$domain" - fi -done +echo "### Creating dummy certificate for $domains ..." +path="/etc/letsencrypt/live/$domains" +mkdir -p "$data_path/conf/live/$domains" +docker-compose run --rm --entrypoint "\ + openssl req -x509 -nodes -newkey rsa:1024 -days 1\ + -keyout '$path/privkey.pem' \ + -out '$path/fullchain.pem' \ + -subj '/CN=localhost'" certbot +echo -for domain in "${domains[@]}"; do - echo "### Creating dummy certificate for $domain domain..." - path="/etc/letsencrypt/live/$domain" - docker-compose run --rm --entrypoint "openssl req -x509 -nodes -newkey rsa:1024 \ - -days 1 -keyout '$path/privkey.pem' -out '$path/fullchain.pem' -subj '/CN=localhost'" certbot -done +echo "### Deleting dummy certificate for $domains ..." +docker-compose run --rm --entrypoint "\ + rm -Rf /etc/letsencrypt/live/$domains && \ + rm -Rf /etc/letsencrypt/archive/$domains && \ + rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot +echo + echo "### Starting nginx ..." # Restarting for case if nginx container is already started docker-compose up -d nginx && docker-compose restart nginx +echo "### Requesting Let's Encrypt certificate for $domains ..." +#Join $domains to -d args +domain_args="" +for domain in "${domains[@]}"; do + domain_args="$domain_args -d $domain" # Select appropriate email arg case "$email" in 
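Review bot: The dummy-certificate cleanup interpolates `$domains` unguarded into three `rm -Rf` paths executed inside the certbot container; if `domains` is left empty (it is a user-edited placeholder at the top of the script) the paths collapse to `/etc/letsencrypt/live/`, `/etc/letsencrypt/archive/` and `/etc/letsencrypt/renewal/.conf`, and the first two remove every certificate stored in the volume. Expanding with `${domains[0]:?}` aborts the host shell before docker-compose runs: `rm -Rf /etc/letsencrypt/live/${domains[0]:?} && \`, and the same on the archive and renewal lines. `${domains[0]}` also documents that only the first domain names the lineage, which `$domains` does implicitly. The `for domain` loop that opens at the end of this hunk continues past it.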
@@ -58,14 +60,14 @@ esac # Enable staging mode if needed if [ $staging != "0" ]; then staging_arg="--staging"; fi -for domain in "${domains[@]}"; do - echo "### Deleting dummy certificate for $domain domain ..." - rm -rf "$data_path/conf/live/$domain" - - echo "### Requesting Let's Encrypt certificate for $domain domain ..." - mkdir -p "$data_path/www" - docker-compose run --rm --entrypoint "certbot certonly --webroot -w /var/www/certbot -d $domain \ - $staging_arg $email_arg --rsa-key-size $rsa_key_size --agree-tos --force-renewal" certbot -done +docker-compose run --rm --entrypoint "\ + certbot certonly --webroot -w /var/www/certbot \ + $staging_arg \ + $email_arg \ + $domain_args \ + --rsa-key-size $rsa_key_size \ + --agree-tos \ + --force-renewal" certbot +echo docker-compose exec nginx nginx -s reload From 5be706be5f7209c43546547f9e4ec22fe19ad75f Mon Sep 17 00:00:00 2001 From: Philipp Date: Tue, 1 Jan 2019 22:12:12 +0100 Subject: [PATCH 27/31] Use --force-recreate to restart nginx --- init-letsencrypt.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh index 463edc9..6460a03 100644 --- a/init-letsencrypt.sh +++ b/init-letsencrypt.sh @@ -33,6 +33,9 @@ docker-compose run --rm --entrypoint "\ echo +echo "### Starting nginx ..." +docker-compose up --force-recreate -d nginx +echo echo "### Deleting dummy certificate for $domains ..." docker-compose run --rm --entrypoint "\ @@ -42,9 +45,6 @@ docker-compose run --rm --entrypoint "\ echo -echo "### Starting nginx ..." -# Restarting for case if nginx container is already started -docker-compose up -d nginx && docker-compose restart nginx echo "### Requesting Let's Encrypt certificate for $domains ..." #Join $domains to -d args domain_args="" From 4fcc3a3565297bcf8468f54867e514bb6b27c796 Mon Sep 17 00:00:00 2001 
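Review bot: The exit status of the `certbot certonly` run is never checked and the script has no `set -e`, so when issuance fails (HTTP-01 challenge unreachable, rate limit reached) the script goes on to reload nginx with the dummy certificate already deleted and still exits 0; make the failure stop the script with `--force-renewal" certbot || exit 1`. `--force-renewal` appears redundant here, since the lineage for `$domains` is removed earlier in the same patch, and it guarantees that every re-run against production counts toward the Let's Encrypt duplicate-certificate limit; with `staging=0` as the default that deserves either a comment or dropping the flag.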
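Review bot: Moving the nginx start ahead of the dummy-certificate deletion creates an ordering dependency that nothing in the code states: nginx must load the dummy cert before its files are removed, and must be listening before the HTTP-01 challenge is requested, otherwise the later `certbot certonly` fails. A comment on the `docker-compose up` line such as `# nginx must be running (with the dummy cert loaded) before the ACME HTTP-01 challenge below` would make that explicit. The status of `docker-compose up --force-recreate -d nginx` is not checked either, so a failed container start is only noticed when the challenge fails.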
From: Philipp Date: Tue, 1 Jan 2019 22:12:42 +0100 Subject: [PATCH 28/31] Add reloading echo --- init-letsencrypt.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh index 6460a03..7755dec 100644 --- a/init-letsencrypt.sh +++ b/init-letsencrypt.sh @@ -70,4 +70,5 @@ docker-compose run --rm --entrypoint "\ --force-renewal" certbot echo +echo "### Reloading nginx ..." docker-compose exec nginx nginx -s reload From f321682f1f9ffe5303ad3586b8e0ee4f06d8a13c Mon Sep 17 00:00:00 2001 From: Philipp Date: Tue, 1 Jan 2019 22:30:57 +0100 Subject: [PATCH 29/31] Add missing done after domain_args for loop --- init-letsencrypt.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh index 7755dec..0f15e68 100644 --- a/init-letsencrypt.sh +++ b/init-letsencrypt.sh @@ -50,6 +50,7 @@ echo "### Requesting Let's Encrypt certificate for $domains ..." domain_args="" for domain in "${domains[@]}"; do domain_args="$domain_args -d $domain" +done # Select appropriate email arg case "$email" in From 3ce9a291b96136cf7ccc9351593c95c453587b33 Mon Sep 17 00:00:00 2001 From: Philipp Date: Tue, 1 Jan 2019 22:40:20 +0100 Subject: [PATCH 30/31] Add purpose of this script to README --- README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index fdf9b1b..909086f 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,13 @@ # Boilerplate for nginx with Let’s Encrypt on docker-compose -This repository is accompanied by a [step-by-step guide](https://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71). +> This repository is accompanied by a [step-by-step guide on how to +set up nginx and Let’s Encrypt with Docker](https://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71). + +`init-letsencrypt.sh` fetches ensures renewal of a Let’s Encrypt +certificate for one or multiple domains in a docker-compose setup with +nginx. +This is useful when you need to set up nginx as a reverse proxy for an +application. ## Installation 1. [Install docker-compose](https://docs.docker.com/compose/install/#install-compose) From a939c9f5de1f4b30d327104e09fe9197968f2563 Mon Sep 17 00:00:00 2001 From: Philipp Date: Tue, 1 Jan 2019 22:42:32 +0100 Subject: [PATCH 31/31] Improve punctuation and grammar in README --- README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 909086f..9beaffc 100644 --- a/README.md +++ b/README.md 
@@ -3,14 +3,14 @@ > This repository is accompanied by a [step-by-step guide on how to set up nginx and Let’s Encrypt with Docker](https://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71). -`init-letsencrypt.sh` fetches ensures renewal of a Let’s Encrypt -certificate for one or multiple domains in a docker-compose setup with -nginx. +`init-letsencrypt.sh` fetches and ensures the renewal of a Let’s +Encrypt certificate for one or multiple domains in a docker-compose +setup with nginx. This is useful when you need to set up nginx as a reverse proxy for an application. ## Installation -1. [Install docker-compose](https://docs.docker.com/compose/install/#install-compose) +1. [Install docker-compose](https://docs.docker.com/compose/install/#install-compose). 2. Clone this repository: `git clone https://github.com/wmnnd/nginx-certbot.git .` @@ -18,13 +18,13 @@ application. - Add domains and email addresses to init-letsencrypt.sh - Replace all occurrences of example.org with primary domain (the first one you added to init-letsencrypt.sh) in data/nginx/app.conf -4. Run init the script +4. Run init the script: ``` chmod +x ./init-letsencrypt.sh -sudo ./init-letsencrypt.sh +./init-letsencrypt.sh ``` -5. Run server +5. Run server: `docker-compose up` ## Got questions?