Skip to content

Commit

Permalink
Implements custom ACME servers
Browse files Browse the repository at this point in the history 
Code mostly taken from: tashian@564e0d8

Co-authored-by: Carl Tashian <[email protected]>
  • Loading branch information
@andrewmzhang @tashian @bokolob
2 people authored and bokolob committed Jan 31, 2024
1 parent ec6fca9 commit 2314a03
Show file tree
Hide file tree
Showing 3 changed files with 27 additions and 3 deletions.
6 changes: 6 additions & 0 deletions readme-vars.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,8 @@ opt_param_env_vars:
- { env_var: "SUBDOMAINS", env_value: "www,", desc: "Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this *exactly* to `wildcard` (wildcard cert is available via `dns` validation only)" }
- { env_var: "CERTPROVIDER", env_value: "", desc: "Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt." }
- { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `bunny`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `dreamhost`, `duckdns`, `freedns`, `gandi`, `gehirn`, `glesys`, `godaddy`, `google`, `google-domains`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `namecheap`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." }
- { env_var: "ACMESERVER", env_value: "", desc: "The URL of a custom ACME server to use." }
- { env_var: "ACMECABUNDLE", env_value: "", desc: "A base64-encoded PEM file containing a CA bundle to trust, for use with an internal ACME CA. Required for a custom ACME CA." }
- { env_var: "PROPAGATION", env_value: "", desc: "Optionally override (in seconds) the default propagation time for the dns plugins." }
- { env_var: "EMAIL", env_value: "", desc: "Optional e-mail address used for cert expiration notifications (Required for ZeroSSL)." }
- { env_var: "ONLY_SUBDOMAINS", env_value: "false", desc: "If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true`" }
Expand Down Expand Up @@ -168,6 +170,7 @@ app_setup_block: |
# changelog
changelogs:
<<<<<<< HEAD
- { date: "23.01.24:", desc: "Rebase to Alpine 3.19 with php 8.3, add root periodic crontabs for logrotate." }
- { date: "01.01.24:", desc: "Add GleSYS DNS plugin." }
- { date: "11.12.23:", desc: "Deprecate certbot-dns-dynu to resolve dependency conflicts with other plugins." }
Expand All @@ -179,6 +182,9 @@ changelogs:
- { date: "07.08.23:", desc: "Add Bunny DNS Configuration." }
- { date: "27.07.23:", desc: "Added support for dreamhost validation." }
- { date: "25.05.23:", desc: "Rebase to Alpine 3.18, deprecate armhf." }
=======
- { date: "21.05.23:", desc: "Allow custom ACME servers. Supply URL and CA bundle" }
>>>>>>> 4d46d70 (Implements custom ACME servers)
- { date: "27.04.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-location.conf, authelia-server.conf, authentik-location.conf, authentik-server.conf - Simplify auth configs and fix Set-Cookie header bug." }
- { date: "13.04.23:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, authelia-location.conf, authentik-location.conf, and site-confs/default.conf - Move ssl.conf include to default.conf. Remove Authorization headers in authelia. Sort proxy_set_header in authelia and authentik." }
- { date: "25.03.23:", desc: "Fix renewal post hook." }
Expand Down
4 changes: 4 additions & 0 deletions root/app/le-renew.sh
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,10 @@
#!/usr/bin/with-contenv bash
# shellcheck shell=bash

if [[ -f "/config/cabundle.pem" ]]; then
export REQUESTS_CA_BUNDLE="/config/cabundle.pem"
fi

echo "<------------------------------------------------->"
echo
echo "<------------------------------------------------->"
Expand Down
20 changes: 17 additions & 3 deletions root/etc/s6-overlay/s6-rc.d/init-certbot-config/run
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ EXTRA_DOMAINS=${EXTRA_DOMAINS}\\n\
ONLY_SUBDOMAINS=${ONLY_SUBDOMAINS}\\n\
VALIDATION=${VALIDATION}\\n\
CERTPROVIDER=${CERTPROVIDER}\\n\
ACMESERVER=${ACMESERVER}\\n\
ACMECABUNDLE=${ACMECABUNDLE}\\n\
DNSPLUGIN=${DNSPLUGIN}\\n\
EMAIL=${EMAIL}\\n\
STAGING=${STAGING}\\n"
Expand Down Expand Up @@ -74,7 +76,7 @@ if [[ -f "/config/donoteditthisfile.conf" ]]; then
mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
fi
if [[ ! -f "/config/.donoteditthisfile.conf" ]]; then
echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGACMESERVER=\"$ACMESERVER\" ORIGACMECABUNDLE=\"$ACMECABUNDLE\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
echo "Created .donoteditthisfile.conf"
fi

Expand Down Expand Up @@ -207,10 +209,10 @@ if [[ ! "${URL}" = "${ORIGURL}" ]] ||
fi

# saving new variables
echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGACMESERVER=\"$ACMESERVER\" ORIGACMECABUNDLE=\"$ACMECABUNDLE\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf

# Check if the cert is using the old LE root cert, revoke and regen if necessary
if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "letsencrypt" ]] || [[ "${CERTPROVIDER}" == "" ]]; } && [[ "${STAGING}" != "true" ]] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "letsencrypt" ]] || ([[ "${CERTPROVIDER}" == "" ]] && [[ -z "$ACMECABUNDLE" ]]); } && [[ "${STAGING}" != "true" ]] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
REV_ACMESERVER=("https://acme-v02.api.letsencrypt.org/directory")
if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
Expand All @@ -225,12 +227,24 @@ fi
if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ "${STAGING}" = "true" ]]; then
echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
fi
if [[ "${CERTPROVIDER}" = "custom" ]] && [[ "${STAGING}" = "true" ]]; then
echo "Custom ACME does not support staging mode, ignoring STAGING variable"
fi
if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then
echo "ZeroSSL is selected as the cert provider, registering cert with ${EMAIL}"
ACMESERVER="https://acme.zerossl.com/v2/DV90"
elif [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -z "${EMAIL}" ]]; then
echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable"
sleep infinity
elif [[ "${CERTPROVIDER}" = "custom" ]] && [[ -n "${EMAIL}" ]]; then
echo "Using $ACMESERVER as the cert provider; registering cert with $EMAIL"
if [ -n "$ACMECABUNDLE" ]; then
echo "$ACMECABUNDLE" | base64 -d - > /config/cabundle.pem
export REQUESTS_CA_BUNDLE="/config/cabundle.pem"
fi
elif [[ "${CERTPROVIDER}" = "custom" ]] && [[ -z "${EMAIL}" ]]; then
echo "A custom ACME server is selected as the cert provider, but the e-email address has not been entered."
sleep infinity
elif [[ "${STAGING}" = "true" ]]; then
echo "NOTICE: Staging is active"
echo "Using Let's Encrypt as the cert provider"
Expand Down

0 comments on commit 2314a03

Please sign in to comment.