martmaiste / nginx-certbot

Nginx reverse proxy with Let's Encrypt support
9 stars, 8 forks

feature request: automatic certificate request on first start #4

Open sergey-sobolev opened 5 years ago

sergey-sobolev commented 5 years ago

If I understand the logic correctly, after the container starts for the first time, letsencrypt-setup has to be called manually using the command from the readme file (docker exec -ti nginx letsencrypt-setup), which makes automatic deployment more difficult as it requires manual intervention.

Would it be possible to add a check for the certificates and request them on startup if they are missing? (at the moment only renewal checks are done)

I understand the risk of too many certificate requests and a possible block of the domain for a week, so it should be an option passed through the environment.

An option to generate certificates for staging (--staging for certbot), also through the environment, would be helpful too - just to make sure that the deployment works; the staging option could then be removed in the next step.
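As an added example (not code from the nginx-certbot repository and not part of this comment), here is a POSIX sh start-up helper that implements the behaviour requested above: it requests a certificate only when explicitly enabled through an environment variable, does nothing when a certificate for the domain is already present, and switches certbot to the Let's Encrypt staging endpoint when IS_STAGING is non-empty. The certbot flags are real certbot options; the names AUTO_SETUP, LE_DIR, WEBROOT and CERTBOT (which lets the certbot binary be swapped for a test double) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the repository's own scripts.
# Assumed environment: DOMAIN, EMAIL, AUTO_SETUP (opt-in), IS_STAGING, and the
# hypothetical overrides LE_DIR, WEBROOT and CERTBOT.
LE_DIR="${LE_DIR:-/etc/letsencrypt}"
WEBROOT="${WEBROOT:-/etc/letsencrypt/webrootauth}"
CERTBOT="${CERTBOT:-certbot}"

# Succeeds when certbot has already written a live certificate for the domain.
cert_present() {
    [ -f "$LE_DIR/live/$1/fullchain.pem" ]
}

# Decide what to do on start-up and print one word: skip, error or setup.
# Issuance is opt-in (AUTO_SETUP) so a scheduled run cannot hammer the CA.
startup_action() {
    domain="$1"; email="$2"; auto="$3"
    if [ -z "$auto" ]; then echo skip; return 0; fi
    if [ -z "$domain" ] || [ -z "$email" ]; then echo error; return 0; fi
    if cert_present "$domain"; then echo skip; return 0; fi
    echo setup
}

# Build the certbot command line once; only the trailing --staging differs.
request_cert() {
    domain="$1"; email="$2"; staging="$3"
    set -- certonly --webroot --webroot-path "$WEBROOT" \
        -d "$domain" --email "$email" --agree-tos --non-interactive --quiet
    if [ -n "$staging" ]; then
        set -- "$@" --staging
    fi
    "$CERTBOT" "$@"
}

main() {
    case "$(startup_action "${DOMAIN:-}" "${EMAIL:-}" "${AUTO_SETUP:-}")" in
        setup)
            echo "No certificate for $DOMAIN yet, requesting one${IS_STAGING:+ (staging)}"
            if request_cert "$DOMAIN" "$EMAIL" "${IS_STAGING:-}"; then
                echo "Certificate issued, reloading nginx"
                nginx -s reload
            else
                # Do not loop on failure: failed validations count against rate limits.
                echo "certbot failed; fix the deployment and restart to retry" >&2
                return 1
            fi ;;
        error)
            echo "AUTO_SETUP is set but DOMAIN or EMAIL is missing" >&2
            return 1 ;;
        skip)
            echo "Certificate setup skipped (not enabled or already present)" ;;
    esac
}

main
```

Run it as the container entrypoint (or from the start-up script before nginx is launched) with `AUTO_SETUP=1 IS_STAGING=1 DOMAIN=... EMAIL=...` for the first deployment; once the staging run proves that the webroot challenge path is served correctly, remove the staging certificate and start again without IS_STAGING to obtain the production certificate.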

sergey-sobolev commented 5 years ago

here is the proposed patch (the environment variable IS_STAGING, if not empty, signals the scripts to obtain a fake certificate for a configuration check; it should be passed from docker run along with DOMAIN and EMAIL)

diff --git a/letsencrypt-renew b/letsencrypt-renew
index 7a66c09..8339dab 100755
--- a/letsencrypt-renew
+++ b/letsencrypt-renew
@@ -4,9 +4,14 @@
 if [ -z "$DOMAIN" ]; then
  echo "You need to have \$DOMAIN set"
 else
+ echo "Renewing certificate.."
  if [ -f /etc/letsencrypt/live/${DOMAIN}/fullchain.pem ]; then
   certbot renew --post-hook "nginx -s reload" --work-dir /etc/letsencrypt
+  echo "done"
  else
   echo "There is no cert to renew"
+  echo "Setting up new certificate.."
+  /usr/local/bin/letsencrypt-setup
+  echo "done"
  fi
 fi
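Review bot: the new `/usr/local/bin/letsencrypt-setup` call in the `else` branch runs unconditionally whenever letsencrypt-renew finds no certificate, although the issue asked for first-start issuance to be an opt-in option passed through the environment; if this script runs on a schedule and the first issuance fails (for instance because the domain does not yet resolve to the container or the webroot is not served), every run will retry and each failed validation counts against Let's Encrypt's rate limits. Suggest guarding the call, e.g. `if [ -n "$AUTO_SETUP" ]; then /usr/local/bin/letsencrypt-setup; fi`, and printing "done" only on success (`/usr/local/bin/letsencrypt-setup && echo "done" || echo "setup failed"`), since the unconditional `echo "done"` hides a failed run.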
diff --git a/letsencrypt-setup b/letsencrypt-setup
index 6414f79..079e288 100755
--- a/letsencrypt-setup
+++ b/letsencrypt-setup
@@ -4,7 +4,15 @@
 if [ -z "$EMAIL" ] || [ -z "$DOMAIN" ]; then
  echo "You need the \$EMAIL and the \$DOMAIN Variables"
 else
- certbot certonly --webroot --webroot-path /etc/letsencrypt/webrootauth -d $DOMAIN --email $EMAIL --agree-tos --quiet --renew-by-default
+ if [ -z "$IS_STAGING" ]; then
+  echo "Obtaining certificate for production.."
+  certbot certonly --webroot --webroot-path /etc/letsencrypt/webrootauth -d $DOMAIN --email $EMAIL --agree-tos --quiet --renew-by-default
+  echo "done"
+ else 
+  echo "Obtaining certificate for staging.."
+  certbot certonly --webroot --webroot-path /etc/letsencrypt/webrootauth -d $DOMAIN --email $EMAIL --agree-tos --quiet --renew-by-default --staging
+  echo "done"
+ fi
  chmod +x /etc/letsencrypt/archive
  if [ -e "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]; then
   # sed -i "s//${DOMAIN}/g" /etc/nginx/nginx.conf
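Review bot: once the `--staging` branch has run, the staging certificate is written to `/etc/letsencrypt/live/$DOMAIN/fullchain.pem`, so the existence check a few lines below succeeds and the `-f .../fullchain.pem` test in letsencrypt-renew will route later runs to `certbot renew` instead of back into this script; unsetting IS_STAGING afterwards therefore does not obtain a production certificate until the staging lineage is removed (e.g. `certbot delete --cert-name $DOMAIN`), which the README or the script's output should say. The two `certbot certonly` lines also differ only in the trailing `--staging`; computing the flag once avoids the duplicated command drifting, e.g. `STAGING_FLAG=${IS_STAGING:+--staging}` followed by a single `certbot certonly ... $STAGING_FLAG`, and both lines still leave `$DOMAIN` and `$EMAIL` unquoted.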