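#!/bin/bash
# Container entrypoint: create TLS material for every SERVICE_HOST_* entry,
# render one nginx vhost config per proxied service, request ACME
# certificates and finally run nginx in the foreground.
#
# Inspired from:
# https://github.com/Paldom/docker-nginx-letsencrypt-proxy
# https://raw.githubusercontent.com/wmnnd/nginx-certbot/master/init-letsencrypt.sh
#
# Environment:
#   SERVICE_HOST_<NAME>   hostname served for service <NAME> (one per service)
#   SERVICE_PROXY_<NAME>  upstream for <NAME>; without it no nginx config is written
#   SERVICE_SUBJ_<NAME>   subject of the temporary self-signed certificate
#   KEYLENGTH             key type passed to acme.sh --issue -k (e.g. 4096, ec-256); default 4096
#   DRYRUN                non-empty: use the CA's staging environment (--test)
#   SERVER                non-empty: use Let's Encrypt instead of ZeroSSL
#   DHPARAM               DH parameter length; default 1024 - TEST ONLY, use 2048 or more
#   EMAIL                 account e-mail registered with ZeroSSL
#
# Strict mode (set -e) is intentionally not enabled: a failed ACME request must
# not prevent nginx from starting with the self-signed placeholder, which is
# the behaviour the script relies on (the request is retried on next start).

readonly CERT_DIR=/certs
readonly CONF_DIR=/conf
readonly ACME_HOME=/root/.acme.sh
readonly ACME="${ACME_HOME}/acme.sh"
readonly NGINX=/usr/sbin/nginx
readonly OPENSSL=/usr/bin/openssl
readonly TEMPLATE=/tmp/service.conf.template
readonly WEBROOT=/var/www/html/

# Key length/type for the ACME certificate; KEYLENGTH wins when non-empty.
keyLength=${KEYLENGTH:-4096}

# Extra acme.sh arguments, kept as arrays so they expand to nothing when unused.
acme_test=()
if [[ -n "${DRYRUN:-}" ]]; then
  acme_test=(--test)
fi
acme_server=()
if [[ -n "${SERVER:-}" ]]; then
  acme_server=(--server letsencrypt)
fi

# DH parameter length; 1024 is kept as the default for test setups only.
dhParamLength=${DHPARAM:-1024}

#######################################
# Accept only plain DNS names. Hostnames are interpolated into paths below
# CERT_DIR, so anything with a slash, a leading dot or other odd characters
# is refused rather than turned into a path.
# Arguments: $1 - candidate hostname
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_hostname() {
  [[ "$1" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]]
}

#######################################
# List service names (the suffix of SERVICE_HOST_*) whose hostname is valid.
# The pattern is anchored to the variable name, so a *value* that merely
# contains "SERVICE_HOST_" no longer produces a bogus service.
# Outputs:   one service name per line on stdout; rejects on stderr
#######################################
discover_services() {
  local name host_var
  # shellcheck disable=SC2046 -- names are limited to [A-Za-z0-9_] by the sed pattern
  for name in $(env | sed -n 's/^SERVICE_HOST_\([A-Za-z0-9_]*\)=.*/\1/p'); do
    host_var="SERVICE_HOST_${name}"
    if valid_hostname "${!host_var}"; then
      printf '%s\n' "$name"
    else
      printf 'Ignoring %s: "%s" is not a plain hostname\n' "$host_var" "${!host_var}" >&2
    fi
  done
}

#######################################
# Create a temporary self-signed certificate for one service so nginx can
# start before the ACME certificate is available. Skipped when a non-empty
# cert.pem already exists.
# Globals:   reads SERVICE_HOST_$1, SERVICE_SUBJ_$1, CERT_DIR, OPENSSL
# Arguments: $1 - service name
#######################################
generate_self_signed() {
  local service=$1
  local host_var="SERVICE_HOST_${service}"
  local subj_var="SERVICE_SUBJ_${service}"
  local host=${!host_var}
  local dir="${CERT_DIR}/${host}"
  local subj

  if [[ -d "$dir" && -s "${dir}/cert.pem" ]]; then
    return 0
  fi
  echo ""
  echo "Generating a self-signed certificate for ${host}..."
  subj="/C=EU/ST=My State/L=My City/O=My Organization/OU=My Domain/CN=${host}"
  if [[ -n "${!subj_var}" ]]; then
    subj=${!subj_var}
  fi
  mkdir -vp "$dir"
  # 2048 bits instead of 1024: TLS stacks running at OpenSSL security level 2
  # reject 1024-bit RSA keys, which would stop nginx from loading this
  # placeholder until the ACME certificate arrives.
  "$OPENSSL" genrsa -out "${dir}/key.pem" 2048
  "$OPENSSL" req -new -key "${dir}/key.pem" \
    -out "${dir}/cert.csr" \
    -subj "$subj"
  "$OPENSSL" x509 -req -days 365 -in "${dir}/cert.csr" \
    -signkey "${dir}/key.pem" \
    -out "${dir}/cert.pem"
  rm -f -- "${dir}/cert.csr"
  cp -- "${dir}/cert.pem" "${dir}/fullchain.pem"
  echo "Self-signed certificate for ${host} successfully created."
  echo ""
}

#######################################
# Generate CERT_DIR/dhparam.pem once, if it is missing or empty.
# Globals:   reads dhParamLength, CERT_DIR, OPENSSL
#######################################
generate_dhparam() {
  local out="${CERT_DIR}/dhparam.pem"
  if [[ -s "$out" ]]; then
    return 0
  fi
  if [[ "$dhParamLength" =~ ^[0-9]+$ ]] && (( dhParamLength < 2048 )); then
    printf 'Warning: DHPARAM=%s is below 2048 bits; use this for tests only.\n' "$dhParamLength" >&2
  fi
  echo ""
  echo "Generating DH Parameters (length: $dhParamLength)..."
  echo "It can be quite long (several minutes), and no log will be displayed."
  echo "Do not worry, and wait for the generation to be done."
  "$OPENSSL" dhparam -out "$out" "$dhParamLength"
  echo "DH Parameters generated."
  echo ""
}

#######################################
# Render the nginx vhost config for one service from TEMPLATE.
# Services without SERVICE_PROXY_* are skipped.
# Globals:   reads SERVICE_HOST_$1, SERVICE_PROXY_$1, TEMPLATE, CONF_DIR
# Arguments: $1 - service name
#######################################
write_nginx_conf() {
  local service=$1
  local host_var="SERVICE_HOST_${service}"
  local proxy_var="SERVICE_PROXY_${service}"
  local proxy=${!proxy_var}
  local file_name

  if [[ -z "$proxy" ]]; then
    return 0
  fi
  echo "Generating nginx configuration for \"${!host_var}\"."
  file_name="$(printf '%s' "$service" | tr '[:upper:]' '[:lower:]').conf"
  # Only the two named variables are substituted; nginx's own $vars survive.
  DOMAIN=${!host_var} PROXY=$proxy envsubst '$PROXY,$DOMAIN' < "$TEMPLATE" > "${CONF_DIR}/${file_name}"
}

#######################################
# Request, renew or install the ACME certificate for one service.
# The le-ok marker file means "an ACME certificate is installed"; it is
# dropped when the certificate on disk is self-signed or expires within
# 30 days, which forces a new request.
# Globals:   reads SERVICE_HOST_$1, keyLength, acme_test, acme_server,
#            CERT_DIR, ACME_HOME, ACME, OPENSSL, WEBROOT
# Arguments: $1 - service name
#######################################
request_certificate() {
  local service=$1
  local host_var="SERVICE_HOST_${service}"
  local host=${!host_var}
  local dir="${CERT_DIR}/${host}"
  local cert="${dir}/cert.pem"
  local marker="${dir}/le-ok"
  local subject issuer
  local -a ecc=()
  local ecc_suffix=""

  # A certificate whose subject equals its issuer is the self-signed placeholder.
  subject=$("$OPENSSL" x509 -subject -noout -in "$cert")
  issuer=$("$OPENSSL" x509 -issuer -noout -in "$cert")
  subject=${subject#subject=}
  issuer=${issuer#issuer=}
  if [[ -e "$marker" && "$subject" = "$issuer" ]]; then
    rm -f -- "$marker"
  fi

  # Force renewal when less than 30 days of validity remain.
  if [[ -e "$marker" ]]; then
    local end_date end_ts now_ts
    end_date=$("$OPENSSL" x509 -enddate -noout -in "$cert" | cut -d= -f2)
    end_ts=$(date -d "$end_date" +%s)   # GNU date
    now_ts=$(date +%s)
    if (( end_ts < now_ts + 30 * 24 * 60 * 60 )); then
      rm -f -- "$marker"
    fi
  fi

  # acme.sh stores ECC certificates under <host>_ecc and needs --ecc to find them.
  if [[ "$keyLength" == ec* ]]; then
    ecc=(--ecc)
    ecc_suffix="_ecc"
  fi

  if [[ -e "$marker" ]]; then
    mkdir -p "${ACME_HOME}/${host}${ecc_suffix}/"
    cp -- "${dir}/csr/"* "${ACME_HOME}/${host}${ecc_suffix}/"
    "$ACME" "${acme_test[@]}" --log --renew -d "$host" "${ecc[@]}" "${acme_server[@]}"
  fi

  # Replace the self-signed certificate with one from the CA.
  if [[ ! -e "$marker" ]]; then
    echo ""
    echo "Requesting a certificate from Let's Encrypt certificate for ${host}..."
    "$ACME" "${acme_test[@]}" --log --issue -w "$WEBROOT" -d "$host" -k "$keyLength" "${acme_server[@]}"
    "$ACME" "${acme_test[@]}" --log --installcert "${ecc[@]}" -d "$host" \
      --key-file "${dir}/key.pem" \
      --fullchain-file "${dir}/fullchain.pem" \
      --cert-file "${dir}/cert.pem" \
      --reloadcmd '/usr/sbin/nginx -s stop && /bin/sleep 5s && /usr/sbin/nginx'
    # The marker is written even if the request failed; the self-signed check
    # above removes it again on the next start, so the request is retried.
    touch "$marker"
    mkdir -p "${dir}/csr/"
    cp -- "${ACME_HOME}/${host}${ecc_suffix}/"* "${dir}/csr/"
    echo "Let's Encrypt certificate for ${host} installed."
    echo ""
  fi
}

#######################################
# Restrict CERT_DIR to root. A plain `chmod -R 600` also removes the execute
# bit from directories, leaving the tree untraversable for any non-root
# process; directories get 700 and files 600 instead.
# Globals:   reads CERT_DIR
#######################################
lock_down_certs() {
  find "$CERT_DIR" -type d -exec chmod 700 {} +
  find "$CERT_DIR" -type f -exec chmod 600 {} +
}

main() {
  local services service

  services=$(discover_services)

  # Self-signed placeholders first: nginx and the ACME webroot need them.
  for service in $services; do
    generate_self_signed "$service"
  done

  generate_dhparam

  for service in $services; do
    write_nginx_conf "$service"
  done

  # nginx runs in daemon mode while the HTTP-01 challenges are answered.
  "$NGINX"

  if [[ -n "${EMAIL:-}" ]]; then
    "$ACME" --register-account -m "$EMAIL" --server zerossl
  fi

  for service in $services; do
    request_certificate "$service"
  done

  lock_down_certs

  "$NGINX" -s stop
  /bin/sleep 5s
  echo ""
  echo "Restarting Nginx, if no errors appear below, it is ready!"
  echo ""
  exec "$NGINX" -g 'daemon off;'
}

main "$@"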