Open sergey-sobolev opened 5 years ago
Here is the proposed patch (the environment variable IS_STAGING, if not empty, will signal the scripts to obtain a fake certificate for a configuration check; it shall be passed from docker run along with DOMAIN and EMAIL):
diff --git a/letsencrypt-renew b/letsencrypt-renew index 7a66c09..8339dab 100755 --- a/letsencrypt-renew +++ b/letsencrypt-renew @@ -4,9 +4,14 @@ if [ -z "$DOMAIN" ]; then echo "You need to have \$DOMAIN set" else + echo "Renewing certificate.." if [ -f /etc/letsencrypt/live/${DOMAIN}/fullchain.pem ]; then certbot renew --post-hook "nginx -s reload" --work-dir /etc/letsencrypt + echo "done" else echo "There is no cert to renew" + echo "Setting up new certificate.." + /usr/local/bin/letsencrypt-setup + echo "done" fi fi diff --git a/letsencrypt-setup b/letsencrypt-setup index 6414f79..079e288 100755 --- a/letsencrypt-setup +++ b/letsencrypt-setup @@ -4,7 +4,15 @@ if [ -z "$EMAIL" ] || [ -z "$DOMAIN" ]; then echo "You need the \$EMAIL and the \$DOMAIN Variables" else - certbot certonly --webroot --webroot-path /etc/letsencrypt/webrootauth -d $DOMAIN --email $EMAIL --agree-tos --quiet --renew-by-default + if [ -z "$IS_STAGING" ]; then + echo "Obtaining certificate for production.." + certbot certonly --webroot --webroot-path /etc/letsencrypt/webrootauth -d $DOMAIN --email $EMAIL --agree-tos --quiet --renew-by-default + echo "done" + else + echo "Obtaining certificate for staging.." + certbot certonly --webroot --webroot-path /etc/letsencrypt/webrootauth -d $DOMAIN --email $EMAIL --agree-tos --quiet --renew-by-default --staging + echo "done" + fi chmod +x /etc/letsencrypt/archive if [ -e "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]; then # sed -i "s//${DOMAIN}/g" /etc/nginx/nginx.conf
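Review bot: in the letsencrypt-renew hunk, the new `else` branch calls `/usr/local/bin/letsencrypt-setup` unconditionally whenever `fullchain.pem` is absent, while the issue text itself says this should be gated by an environment option: a renew job that runs repeatedly (cron or a container restart loop) would re-request a certificate on every pass and run into the Let's Encrypt issuance rate limit, so wrap the call in an opt-in check such as `if [ -n "$AUTO_SETUP" ]; then /usr/local/bin/letsencrypt-setup; fi`. The two `echo "done"` lines are also printed regardless of the exit status of `certbot renew` and of the setup script, so a failed renewal or issuance is logged as success; use `certbot renew ... && echo "done" || echo "renewal failed" >&2` (or test `$?`) so the log and the exit status reflect what actually happened.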
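Review bot: in the letsencrypt-setup hunk, the production and staging branches duplicate the entire certbot command line and differ only in the trailing `--staging`, so every future flag change has to be made twice; build the optional flag once, e.g. `STAGING_FLAG=${IS_STAGING:+--staging}`, and keep a single `certbot certonly ... --renew-by-default $STAGING_FLAG`. As in the other file, `echo "done"` follows certbot without checking its exit status, and the unchanged `chmod` and `if [ -e .../fullchain.pem ]` lines run either way, so a failed issuance still prints "done"; checking the status is what would make the staging dry run the issue asks for a reliable signal that the deployment works. `$DOMAIN` and `$EMAIL` are still unquoted on the rewritten lines; quoting them costs nothing now that the command is being touched.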
If I understand the logic correctly, after the container starts for the first time, letsencrypt-setup has to be called manually using the command from the readme file (docker exec -ti nginx letsencrypt-setup), which makes automatic deployment more difficult as it requires manual intervention.
Would it be possible to add a check of the certificates on startup and request them if they are missing? (At the moment only renewal checks are done.)
I understand the risk of too many certificate requests and a possible block of the domain for a week, so it should be an option passed through the environment.
It would also be helpful to have an option to generate certificates for staging (--staging for certbot), again through the environment, just to make sure that the deployment works; the staging option could then be removed in the next step.
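The startup check the issue asks for, with the opt-in environment gate and the staging switch, as an added example written for this thread; it is not code from the project or from sergey-sobolev. DOMAIN, EMAIL and IS_STAGING follow the patch above; AUTO_SETUP, CERT_ROOT, RUN_STARTUP_HOOK and the helper function names are assumptions made for this example. Decision logic is kept separate from the certbot invocation so the rate-limit-sensitive part (actually requesting a certificate) happens only when a certificate is missing and the operator has opted in, and a certbot failure is reported as a failure instead of "done".

```shell
#!/bin/sh
# Added example (not the project's scripts): an idempotent startup hook for
# the nginx container. It requests a certificate only when none exists AND
# the operator has opted in via AUTO_SETUP (assumed name), so a restart loop
# cannot burn through the Let's Encrypt issuance rate limit. IS_STAGING, as
# in the proposed patch, switches certbot to the staging environment.

# Build the certbot argument list once; --staging is appended only when the
# third argument (IS_STAGING) is non-empty, so both paths share one command.
build_certbot_args() {
    _domain=$1; _email=$2; _staging=$3
    _args="certonly --webroot --webroot-path /etc/letsencrypt/webrootauth -d $_domain --email $_email --agree-tos --quiet --renew-by-default"
    if [ -n "$_staging" ]; then
        _args="$_args --staging"
    fi
    printf '%s' "$_args"
}

# Return 0 (true) when no certificate for the domain exists under the given
# letsencrypt directory (CERT_ROOT, assumed; /etc/letsencrypt in production).
cert_missing() {
    _root=$1; _domain=$2
    [ ! -f "$_root/live/$_domain/fullchain.pem" ]
}

# Decide what the hook should do, without running anything. Prints one of:
# skip-missing-vars, skip-present, skip-opt-out, request.
startup_decision() {
    _root=$1; _domain=$2; _email=$3; _auto=$4
    if [ -z "$_domain" ] || [ -z "$_email" ]; then
        printf 'skip-missing-vars'
    elif ! cert_missing "$_root" "$_domain"; then
        printf 'skip-present'
    elif [ -z "$_auto" ]; then
        printf 'skip-opt-out'
    else
        printf 'request'
    fi
}

# Entry point. Only the "request" outcome talks to the ACME server, and a
# non-zero certbot exit aborts the hook instead of printing "done".
startup_hook() {
    _decision=$(startup_decision "${CERT_ROOT:-/etc/letsencrypt}" "$DOMAIN" "$EMAIL" "$AUTO_SETUP")
    case "$_decision" in
        request)
            echo "No certificate for $DOMAIN, requesting one${IS_STAGING:+ (staging)}.."
            # word splitting of the built argument string is intended here
            if certbot $(build_certbot_args "$DOMAIN" "$EMAIL" "$IS_STAGING"); then
                echo "done"
            else
                echo "certbot failed, not reloading nginx" >&2
                exit 1
            fi
            ;;
        skip-missing-vars)
            echo "You need the \$EMAIL and the \$DOMAIN variables" >&2
            exit 1
            ;;
        skip-present)
            echo "Certificate for $DOMAIN already present, nothing to do"
            ;;
        skip-opt-out)
            echo "No certificate for $DOMAIN and AUTO_SETUP is unset; run letsencrypt-setup manually"
            ;;
    esac
}

# Guard so that sourcing this file (e.g. for testing) never contacts certbot;
# run it as RUN_STARTUP_HOOK=1 sh startup-hook.sh from the container entrypoint.
if [ "${RUN_STARTUP_HOOK:-}" = 1 ]; then
    startup_hook
fi
```

Usage: call it once from the container entrypoint before starting nginx with `AUTO_SETUP=1 DOMAIN=... EMAIL=... RUN_STARTUP_HOOK=1`, add `IS_STAGING=1` for the first deployment to confirm the webroot challenge path works, then drop IS_STAGING and delete the staging certificate directory so the next start requests a production one. The renew job keeps calling `certbot renew` as before; it never needs to call setup, because a missing certificate is handled at startup and only when explicitly enabled.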