authorcrupest <crupest@outlook.com>2022-11-25 14:12:26 +0800
committercrupest <crupest@outlook.com>2022-11-25 14:12:26 +0800
commit4d0425a017dd1d9436cef21bea2643f9e3da55aa (patch)
treed65f872e549f9a4828462909926b361c23e0563e
parent1915ea9f72e8805d552ea013d187c847d8d500d1 (diff)
Make certbot better.
-rwxr-xr-xdocker/auto-backup/daemon.bash4
-rw-r--r--docker/auto-certbot/Dockerfile9
-rwxr-xr-xdocker/auto-certbot/daemon.bash56
-rwxr-xr-xdocker/auto-certbot/get-cert-domains.py38
-rw-r--r--template/docker-compose.yaml.template1
-rwxr-xr-xtool/aio.py5
6 files changed, 92 insertions, 21 deletions
diff --git a/docker/auto-backup/daemon.bash b/docker/auto-backup/daemon.bash
index 845ad38..9098e94 100755
--- a/docker/auto-backup/daemon.bash
+++ b/docker/auto-backup/daemon.bash
@@ -17,8 +17,8 @@ function backup {
# Output "Begin backup..." in yellow and restore default
echo -e "\e[0;103m\e[K\e[1mBegin backup..." "\e[0m"
- # Get current time and convert it to YYYY-MM-DDTHH:MM:SS
- current_time=$(date +%Y-%m-%dT%H:%M:%S)
+ # Get current time and convert it to YYYY-MM-DDTHH:MM:SSZ
+ current_time=$(date +%Y-%m-%dT%H:%M:%SZ)
echo "Current time: $current_time"
echo "Create tar.xz for data..."
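Review bot: The new format string appends a literal `Z` to a timestamp that `date` still renders in the container's local time zone, so the suffix only states UTC correctly when TZ happens to be UTC; use `current_time=$(date -u +%Y-%m-%dT%H:%M:%SZ)` so the value matches its designator, and adjust the comment above it to say UTC. The `backup` function continues outside this hunk.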
diff --git a/docker/auto-certbot/Dockerfile b/docker/auto-certbot/Dockerfile
index 2f6833d..5310786 100644
--- a/docker/auto-certbot/Dockerfile
+++ b/docker/auto-certbot/Dockerfile
@@ -1,15 +1,18 @@
FROM certbot/certbot:latest
ARG CRUPEST_AUTO_CERTBOT_ADDITIONAL_PACKAGES=""
-RUN apk add --no-cache tini coreutils bash ${CRUPEST_AUTO_CERTBOT_ADDITIONAL_PACKAGES}
+RUN apk add --no-cache tini coreutils bash ${CRUPEST_AUTO_CERTBOT_ADDITIONAL_PACKAGES} && python -m pip install cryptography
+
ARG CRUPEST_DOMAIN
+ARG CRUPEST_ADDITIONAL_DOMAIN_LIST=""
+ARG CRUPEST_EMAIL
ARG CRUPEST_AUTO_CERTBOT_POST_HOOK=""
-ARG CRUPEST_AUTO_CERTBOT_RENEW_COMMAND=""
# install bash
ENV CRUPEST_DOMAIN=${CRUPEST_DOMAIN}
+ENV CRUPEST_ADDITIONAL_DOMAIN_LIST=${CRUPEST_ADDITIONAL_DOMAIN_LIST}
+ENV CRUPEST_EMAIL=${CRUPEST_EMAIL}
ENV CRUPEST_AUTO_CERTBOT_POST_HOOK=${CRUPEST_AUTO_CERTBOT_POST_HOOK}
-ENV CRUPEST_AUTO_CERTBOT_RENEW_COMMAND=${CRUPEST_AUTO_CERTBOT_RENEW_COMMAND}
COPY daemon.bash /daemon.bash
VOLUME ["/var/www/certbot", "/etc/letsencrypt", "/var/lib/letsencrypt"]
ENTRYPOINT ["/sbin/tini", "--"]
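Review bot: `python -m pip install cryptography` on the RUN line pulls whatever release is current at build time, so image builds are not reproducible and an upstream change can alter how the daemon parses certificates; pin it, e.g. `python -m pip install --no-cache-dir 'cryptography==<pinned version>'`, and bump the pin deliberately. The hunk also adds no `COPY` for the new `get-cert-domains.py` (only `daemon.bash` is copied), yet the daemon invokes `./get-cert-domains.py`; unless it is copied further down the file, the script is absent from the image, and the relative path additionally depends on the working directory, so `COPY get-cert-domains.py /get-cert-domains.py` and an absolute call would be safer. `ARG CRUPEST_ADDITIONAL_DOMAIN_LIST` is introduced here but nothing visible in this commit reads it.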
diff --git a/docker/auto-certbot/daemon.bash b/docker/auto-certbot/daemon.bash
index 0311161..8ec78c0 100755
--- a/docker/auto-certbot/daemon.bash
+++ b/docker/auto-certbot/daemon.bash
@@ -11,13 +11,16 @@ fi
# Check certbot version.
certbot --version
-# Check CRUPEST_AUTO_CERTBOT_RENEW_COMMAND is defined.
-if [ -z "$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND" ]; then
- echo "CRUPEST_AUTO_CERTBOT_RENEW_COMMAND is not defined or empty"
- CRUPEST_AUTO_CERTBOT_RENEW_COMMAND="certbot renew -n --webroot -w /var/www/certbot"
- printf "Will use:\n%s\n" "$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND"
-else
- printf "CRUPEST_AUTO_CERTBOT_RENEW_COMMAND is defined as:\n%s\n" "$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND"
+# Check domain
+if [[ -z "$CRUPEST_DOMAIN" ]]; then
+ echo "CRUPEST_DOMAIN can't be empty!" 1>&2
+ exit 1
+fi
+
+# Check email
+if [[ -z "$CRUPEST_EMAIL" ]]; then
+ echo "CRUPEST_EMAIL can't be empty!" 1>&2
+ exit 2
fi
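Review bot: The two new guards use `[[ -z ... ]]` while the rest of this script (the `CRUPEST_CERT_PATH` check just below and the checks further down) uses `[ ... ]`; both work in bash, but mixing them in one file reads as two authors, so `if [ -z "$CRUPEST_DOMAIN" ]; then` would match the surrounding style. The distinct exit codes 1, 2 and 3 are useful to a supervisor; a short comment at the top of the file listing what each code means would keep them meaningful as more are added.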
# Check CRUPEST_CERT_PATH, default to /etc/letsencrypt/live/$CRUPEST_DOMAIN/fullchain.pem
@@ -27,10 +30,36 @@ fi
# Check CRUPEST_CERT_PATH exists.
if [ ! -f "$CRUPEST_CERT_PATH" ]; then
- echo "Cert file does not exist"
- exit 1
+ echo "Cert file does not exist. You may want to generate it manually with aio script." 1>&2
+ exit 3
fi
+echo "Root domain:" "$CRUPEST_DOMAIN"
+echo "Email:" "$CRUPEST_EMAIL"
+echo "Cert path: ${CRUPEST_CERT_PATH}"
+
+# Check CRUPEST_AUTO_CERTBOT_RENEW_COMMAND is defined.
+if [ -z "$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND" ]; then
+ echo "CRUPEST_AUTO_CERTBOT_RENEW_COMMAND is not defined or empty. Will use the default one."
+else
+ printf "CRUPEST_AUTO_CERTBOT_RENEW_COMMAND is defined as:\n%s\n" "$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND"
+fi
+
+mapfile -t domains <<< "$(./get-cert-domains.py "${CRUPEST_CERT_PATH}")"
+
+for domain in "${domains[@]}"; do
+ domain_options=("${domain_options[@]}" -d "$domain")
+done
+
+options=("${domain_options[@]}")
+if [ -n "$CRUPEST_AUTO_CERTBOT_POST_HOOK" ]; then
+ printf "You have defined a post hook:\n%s\n" "$CRUPEST_AUTO_CERTBOT_POST_HOOK"
+ options=("${options[@]}" --post-hook "$CRUPEST_AUTO_CERTBOT_POST_HOOK")
+fi
+
+# Use test server to test.
+certbot certonly -n --agree-tos --test-cert --dry-run -m "$CRUPEST_EMAIL" --webroot -w /var/www/certbot "${options[@]}"
+
function check_and_renew_cert {
expire_info=$(openssl x509 -enddate -noout -in "$CRUPEST_CERT_PATH")
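Review bot: The `mapfile -t domains <<< "$(./get-cert-domains.py ...)"` line discards the helper's exit status: when the script fails (missing file, unset `CRUPEST_DOMAIN`, parse error) its stdout is empty or holds an error message, `domains` becomes a one-element array, and certbot is then invoked with no or a bogus `-d` option instead of the daemon stopping. Capture the output into a variable first, check the status, and only then split it; the array build can also use `+=` and start from an explicitly empty array so `domain_options` never inherits a value from the environment. Whether the `--dry-run` test call aborts the daemon on failure depends on whether the file sets `set -e` earlier, which is outside this hunk; if it does not, its status deserves the same treatment. `check_and_renew_cert` begins on the last lines of this hunk and continues outside it.
```shell
if ! domain_list=$(./get-cert-domains.py "${CRUPEST_CERT_PATH}"); then
    echo "Failed to read domains from cert file." 1>&2
    exit 4
fi
mapfile -t domains <<< "$domain_list"

domain_options=()
for domain in "${domains[@]}"; do
    domain_options+=(-d "$domain")
done
# … unchanged: post hook handling and test run …
```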
@@ -59,11 +88,12 @@ function check_and_renew_cert {
else
# No, renew now.
echo "Renewing now..."
- # Run CRUPEST_AUTO_CERTBOT_RENEW_COMMAND
- if [ -n "$CRUPEST_AUTO_CERTBOT_POST_HOOK" ]; then
- $CRUPEST_AUTO_CERTBOT_RENEW_COMMAND --post-hook "$CRUPEST_AUTO_CERTBOT_POST_HOOK"
- else
+
+ if [ -n "$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND" ]; then
$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND
+ else
+
+ certbot renew -n --agree-tos -m "$CRUPEST_EMAIL" --webroot -w /var/www/certbot "${options[@]}"
fi
fi
}
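Review bot: The default branch hands the `-d` options collected in `options` to `certbot renew`; as far as I know the `renew` verb does not accept `-d` (it renews every due certificate, or a single one selected with `--cert-name`) and exits with an error pointing at `certonly`, so the scheduled renewal would fail on exactly the path most deployments take — confirm against the certbot in the image, and if so use `certbot certonly -n --agree-tos -m "$CRUPEST_EMAIL" --webroot -w /var/www/certbot "${options[@]}"`, mirroring the dry-run call earlier in the file, or `certbot renew --cert-name "$CRUPEST_DOMAIN"` with the post hook alone. The custom-command branch also no longer appends `--post-hook` as the removed lines did, so a user-defined `CRUPEST_AUTO_CERTBOT_RENEW_COMMAND` silently loses the hook; either document that or append it there too. The unquoted `$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND` expansion remains subject to word splitting and globbing, which is the pre-existing trade-off for accepting a command with arguments from the environment. `check_and_renew_cert` begins outside this hunk.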
diff --git a/docker/auto-certbot/get-cert-domains.py b/docker/auto-certbot/get-cert-domains.py
new file mode 100755
index 0000000..3ba9462
--- /dev/null
+++ b/docker/auto-certbot/get-cert-domains.py
@@ -0,0 +1,38 @@
+#!/usr/bin/env python3
+
+import sys
+import os
+from os.path import *
+from cryptography.x509 import *
+from cryptography.x509.oid import ExtensionOID
+
+# Check only one argument
+if len(sys.argv) != 2:
+ print("You should only specify one argument, aka, the path of cert.",
+ file=sys.stderr)
+ exit(1)
+
+cert_path = sys.argv[1]
+
+if not exists(cert_path):
+ print("Cert file does not exist.", file=sys.stderr)
+ exit(2)
+
+if not isfile(cert_path):
+ print("Cert path is not a file.")
+ exit(3)
+
+if not 'CRUPEST_DOMAIN' in os.environ:
+ print("Please set CRUPEST_DOMAIN environment variable to root domain.", file=sys.stderr)
+ exit(4)
+
+root_domain = os.environ['CRUPEST_DOMAIN']
+
+with open(cert_path) as f:
+ cert = load_pem_x509_certificate(f.read())
+ ext = cert.extensions.get_extension_for_oid(
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
+ domains: list = ext.value.get_values_for_type(DNSName)
+ domains.remove(root_domain)
+ domains = [root_domain, *domains]
+ print('\n'.join(domains))
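Review bot: `load_pem_x509_certificate` takes the PEM as bytes, but the file is opened in text mode so `f.read()` yields `str` and the call raises instead of returning a certificate; open it with `with open(cert_path, "rb") as f:`. The "Cert path is not a file." message is the only diagnostic written to stdout rather than stderr, and the daemon captures stdout into its domain list, so it needs `print("Cert path is not a file.", file=sys.stderr)` like the others. `domains.remove(root_domain)` raises `ValueError` with a traceback when the SAN list does not contain the root domain; building the result as `domains = [root_domain, *(d for d in domains if d != root_domain)]` avoids that and also collapses duplicates of the root. The two star imports pull every name from `os.path` and `cryptography.x509` into the module namespace; importing `exists`, `isfile`, `load_pem_x509_certificate` and `DNSName` by name would make the dependencies explicit.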
diff --git a/template/docker-compose.yaml.template b/template/docker-compose.yaml.template
index caa2e66..50bc8bf 100644
--- a/template/docker-compose.yaml.template
+++ b/template/docker-compose.yaml.template
@@ -81,6 +81,7 @@ services:
pull: true
args:
- CRUPEST_DOMAIN=$CRUPEST_DOMAIN
+ - CRUPEST_EMAIL=$CRUPEST_EMAIL
- CRUPEST_AUTO_CERTBOT_ADDITIONAL_PACKAGES=docker-cli
- CRUPEST_AUTO_CERTBOT_POST_HOOK=docker restart nginx
tags:
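Review bot: The Dockerfile in this commit adds `ARG CRUPEST_ADDITIONAL_DOMAIN_LIST` next to `CRUPEST_EMAIL`, but only the email is wired through here and nothing visible in the commit reads the list, so either pass it as well (`- CRUPEST_ADDITIONAL_DOMAIN_LIST=$CRUPEST_ADDITIONAL_DOMAIN_LIST`) once it has a consumer or drop the build arg until then. Because the Dockerfile copies these build args into `ENV`, the resulting image is tied to one deployment's domain and email; supplying them under `environment:` at run time instead would let a single image serve several deployments.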
diff --git a/tool/aio.py b/tool/aio.py
index 00ae596..b238735 100755
--- a/tool/aio.py
+++ b/tool/aio.py
@@ -7,7 +7,6 @@ import grp
import sys
import argparse
import shutil
-import json
import urllib.request
from rich.console import Console
from rich.prompt import Prompt, Confirm
@@ -274,8 +273,8 @@ class ConfigVar:
config_var_list: list = [
ConfigVar("CRUPEST_DOMAIN", "domain name",
"Please input your domain name:"),
- # ConfigVar("CRUPEST_EMAIL", "admin email address",
- # "Please input your email address:"),
+ ConfigVar("CRUPEST_EMAIL", "admin email address",
+ "Please input your email address:"),
ConfigVar("CRUPEST_USER", "your system account username",
lambda: pwd.getpwuid(os.getuid()).pw_name),
ConfigVar("CRUPEST_GROUP", "your system account group name",