kchristensen / udm-le

Let's Encrypt support for Ubiquiti UniFi OS
MIT License
572 stars 79 forks

[FEATURE] Generate any number of certificates #43

Closed Ulrar closed 1 year ago

Ulrar commented 2 years ago

Hi,

I've just moved my haproxy instance directly onto my UDM Pro, using udm-utilities. For now I've copy-pasted my certificates directory manually, but I wonder if there's a way to use udm-le to handle renewing them automatically?

Basically, in addition to generating and installing a certificate for the UDM, it would also need to generate some .pem files in a given directory, and ideally run podman restart haproxy afterwards.

Thanks

kchristensen commented 2 years ago

Out of the box there's no built in way to do it, but you could hack on the udm-le.sh script to cp the certificates it generates to the place(s) you need and run a restart similar to how we restart unifi-os after a deploy.
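
As an added example (not udm-le's own code, and not the patch posted later in this thread), here is a POSIX sh take on the "cp the certificates and restart" suggestion above that also covers the failure case a renew script hits in practice: it refuses to write a bundle when lego left no usable certificate or key behind, creates the bundle mode 0600 (it contains the private key) and swaps it in atomically, and reports whether anything changed so haproxy is only restarted when a bundle actually moved. The `certificates/<domain>.crt` / `.key` layout is lego's; the function names, the "main,san main2" list format and the fixture contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not udm-le's code. Assumes lego's output layout
# (<lego_dir>/certificates/<domain>.crt and <domain>.key); everything else
# (function names, list format, fixture data) is an assumption of this example.

# deploy_haproxy_pem LEGO_DIR HAPROXY_DIR DOMAIN
#   prints "changed"   and returns 0 when a new bundle was installed
#   prints "unchanged" and returns 0 when the installed bundle already matches
#   returns 1 and leaves the old bundle alone when cert or key is missing/empty
deploy_haproxy_pem() {
    lego_dir=$1 haproxy_dir=$2 domain=$3
    crt="$lego_dir/certificates/$domain.crt"
    key="$lego_dir/certificates/$domain.key"
    dst="$haproxy_dir/$domain.pem"

    # A failed lego run must never turn into a broken bundle for haproxy.
    if [ ! -s "$crt" ] || [ ! -s "$key" ]; then
        echo "deploy_haproxy_pem: no usable cert/key for $domain, keeping old bundle" >&2
        return 1
    fi

    # Build in a temp file beside the destination. The bundle carries the
    # private key, so it is created 0600; the subshell keeps the caller's umask.
    tmp="$dst.tmp.$$"
    ( umask 077 && cat "$crt" "$key" > "$tmp" ) || { rm -f "$tmp"; return 1; }

    if [ -f "$dst" ] && cmp -s "$tmp" "$dst"; then
        rm -f "$tmp"
        echo unchanged
        return 0
    fi
    mv -f "$tmp" "$dst"   # rename is atomic on the same filesystem
    echo changed
}

# deploy_haproxy_certs LEGO_DIR HAPROXY_DIR "main1,san1 main2"
#   Certs are space separated, names within one cert comma separated, and the
#   first name is the one lego uses for the file name. Prints the number of
#   bundles that changed; returns 1 if any cert could not be deployed.
deploy_haproxy_certs() {
    lego_dir=$1 haproxy_dir=$2 certs=$3
    changed=0 failed=0
    for cert in $certs; do
        main=${cert%%,*}
        case "$(deploy_haproxy_pem "$lego_dir" "$haproxy_dir" "$main")" in
            changed)   changed=$((changed + 1)) ;;
            unchanged) ;;
            *)         failed=$((failed + 1)) ;;
        esac
    done
    echo "$changed"
    [ "$failed" -eq 0 ]
}

# make_fixture DIR: constructed stand-in for lego's output directory. The PEM
# bodies are placeholders, not real key material; b.example.com gets an empty
# key to simulate a lego run that failed part way.
make_fixture() {
    mkdir -p "$1/lego/certificates" "$1/haproxy"
    printf -- '-----BEGIN CERTIFICATE-----\nfake-cert-a\n-----END CERTIFICATE-----\n' > "$1/lego/certificates/a.example.com.crt"
    printf -- '-----BEGIN PRIVATE KEY-----\nfake-key-a\n-----END PRIVATE KEY-----\n' > "$1/lego/certificates/a.example.com.key"
    printf -- '-----BEGIN CERTIFICATE-----\nfake-cert-b\n-----END CERTIFICATE-----\n' > "$1/lego/certificates/b.example.com.crt"
    : > "$1/lego/certificates/b.example.com.key"
}
```

In a renew path this would be used as `n=$(deploy_haproxy_certs "$UDM_LE_PATH" "$HAPROXY_PATH" "$HAPROXY_CERTS") && [ "$n" -gt 0 ] && podman restart haproxy`, so haproxy is bounced only when a bundle really changed and never after a deploy that failed.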

Ulrar commented 2 years ago

Hey,

So it's not my best work, especially since any failure generates an invalid file and makes haproxy crash, but it'll do for now:

# diff /mnt/data/udm-le/udm-le.sh old.sh
--- /mnt/data/udm-le/udm-le.sh
+++ old.sh
@@ -7,8 +7,7 @@

 # Setup variables for later
 DOCKER_VOLUMES="-v ${UDM_LE_PATH}/lego/:/.lego/"
-LEGO_DEF_ARGS="--dns ${DNS_PROVIDER} --email ${CERT_EMAIL} --key-type rsa2048"
-LEGO_ARGS="${LEGO_DEF_ARGS}"
+LEGO_ARGS="--dns ${DNS_PROVIDER} --email ${CERT_EMAIL} --key-type rsa2048"
 NEW_CERT=""

 add_captive() {
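Review bot: the diff is reversed. It was produced as `diff /mnt/data/udm-le/udm-le.sh old.sh`, so the `---` side is the modified script and the `+++` side is the original: the two `-` lines in this hunk (`LEGO_DEF_ARGS=...` and `LEGO_ARGS="${LEGO_DEF_ARGS}"`) are the code being added and the `+` line is what is being removed. Regenerate it as `diff -u old.sh /mnt/data/udm-le/udm-le.sh` before anyone tries to feed it to `patch`, and state in the comment that `LEGO_DEF_ARGS` exists so that per-cert runs can start from a clean base without the `-d` flags of the main certificate.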
@@ -33,26 +32,6 @@
        fi
 }

-haproxy_certs() {
-       for CERT in ${HAPROXY_CERTS}
-       do
-               LEGO_ARGS="${LEGO_DEF_ARGS}"
-               MAIN=""
-               for DOMAIN in $(echo $CERT | tr "," "\n")
-               do
-                       LEGO_ARGS="${LEGO_ARGS} -d ${DOMAIN}"
-                       if [ -z "${MAIN}" ]
-                       then
-                               MAIN=$DOMAIN
-                       fi
-               done
-               ${PODMAN_CMD} ${LEGO_ARGS} $1
-               cat ${UDM_LE_PATH}/lego/certificates/${MAIN}.crt >  ${HAPROXY_PATH}/${MAIN}.pem
-               cat ${UDM_LE_PATH}/lego/certificates/${MAIN}.key >> ${HAPROXY_PATH}/${MAIN}.pem
-       done
-       podman restart haproxy
-}
-
 # Support alternative DNS resolvers
 if [ "${DNS_RESOLVERS}" != "" ]; then
        LEGO_ARGS="${LEGO_ARGS} --dns.resolvers ${DNS_RESOLVERS}"
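Review bot: in `haproxy_certs` the two `cat` lines run regardless of whether `${PODMAN_CMD} ${LEGO_ARGS} $1` on the line before them succeeded, so a failed or rate-limited lego run still rewrites `${HAPROXY_PATH}/${MAIN}.pem` (possibly from a missing or empty file) and then `podman restart haproxy` loads it; that is the crash described in the comment. Chain them (`${PODMAN_CMD} ${LEGO_ARGS} $1 && cat ... > "$tmp" && mv "$tmp" ...`) and check `-s` on the `.crt` and `.key` first, so a bad run leaves the previous bundle untouched. Two smaller points: the bundle contains the private key but is written with the default umask, so `chmod 600` it (or set `umask 077` before the `cat`); and `LEGO_ARGS="${LEGO_DEF_ARGS}"` discards the `--dns.resolvers` that the `DNS_RESOLVERS` block right below appends only to `LEGO_ARGS`, so the haproxy certs will be issued without the alternative resolvers.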
@@ -100,11 +79,11 @@
        fi

        echo 'Attempting initial certificate generation'
-       ${PODMAN_CMD} ${LEGO_ARGS} --accept-tos run && deploy_cert && haproxy_certs "--accept-tos run" && add_captive && unifi-os restart &>/dev/null
+       ${PODMAN_CMD} ${LEGO_ARGS} --accept-tos run && deploy_cert && add_captive && unifi-os restart &>/dev/null
        ;;
 renew)
        echo 'Attempting certificate renewal'
-       ${PODMAN_CMD} ${LEGO_ARGS} renew --days 60 && deploy_cert && haproxy_certs "renew --days 60"
+       ${PODMAN_CMD} ${LEGO_ARGS} renew --days 60 && deploy_cert
        if [ "${NEW_CERT}" = "yes" ]; then
                add_captive && unifi-os restart &>/dev/null
        fi
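Review bot: in the `renew)` branch `haproxy_certs "renew --days 60"` always ends in `podman restart haproxy`, so haproxy is bounced on every renewal run even when lego renewed nothing, while the `unifi-os restart` two lines below is correctly gated on `NEW_CERT = yes`; have `haproxy_certs` report whether any bundle actually changed and restart only then. In the `run)` chain the exit status of `haproxy_certs` is that of `podman restart haproxy`, not of the lego runs inside its loop, so a failed issuance does not stop `add_captive && unifi-os restart`. Passing `"--accept-tos run"` / `"renew --days 60"` as a single argument and expanding it unquoted as `$1` relies on word splitting; it works here but will break for any argument containing spaces, so pass the words as separate arguments and use `"$@"`.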

As long as nothing fails this does the trick perfectly, might try to make it a bit cleaner later. Thanks

kchristensen commented 1 year ago

I'm going to close this out -- I don't feel that it really falls within the scope of what I think udm-le is for. If you'd like more certificates for use elsewhere on your network, just use lego to generate as many as you want elsewhere as there's effectively no limit to how many you can make.