author | crupest <crupest@outlook.com> | 2022-11-25 14:12:26 +0800 |
---|---|---|
committer | crupest <crupest@outlook.com> | 2022-11-25 14:12:26 +0800 |
commit | 4d0425a017dd1d9436cef21bea2643f9e3da55aa (patch) | |
tree | d65f872e549f9a4828462909926b361c23e0563e /docker | |
parent | 1915ea9f72e8805d552ea013d187c847d8d500d1 (diff) | |
Make certbot better.
Diffstat (limited to 'docker')
-rwxr-xr-x | docker/auto-backup/daemon.bash | 4 | ||||
-rw-r--r-- | docker/auto-certbot/Dockerfile | 9 | ||||
-rwxr-xr-x | docker/auto-certbot/daemon.bash | 56 | ||||
-rwxr-xr-x | docker/auto-certbot/get-cert-domains.py | 38 |
4 files changed, 89 insertions, 18 deletions
diff --git a/docker/auto-backup/daemon.bash b/docker/auto-backup/daemon.bash index 845ad38..9098e94 100755 --- a/docker/auto-backup/daemon.bash +++ b/docker/auto-backup/daemon.bash @@ -17,8 +17,8 @@ function backup { # Output "Begin backup..." in yellow and restore default echo -e "\e[0;103m\e[K\e[1mBegin backup..." "\e[0m" - # Get current time and convert it to YYYY-MM-DDTHH:MM:SS - current_time=$(date +%Y-%m-%dT%H:%M:%S) + # Get current time and convert it to YYYY-MM-DDTHH:MM:SSZ + current_time=$(date +%Y-%m-%dT%H:%M:%SZ) echo "Current time: $current_time" echo "Create tar.xz for data..." diff --git a/docker/auto-certbot/Dockerfile b/docker/auto-certbot/Dockerfile index 2f6833d..5310786 100644 --- a/docker/auto-certbot/Dockerfile +++ b/docker/auto-certbot/Dockerfile @@ -1,15 +1,18 @@ FROM certbot/certbot:latest ARG CRUPEST_AUTO_CERTBOT_ADDITIONAL_PACKAGES="" -RUN apk add --no-cache tini coreutils bash ${CRUPEST_AUTO_CERTBOT_ADDITIONAL_PACKAGES} +RUN apk add --no-cache tini coreutils bash ${CRUPEST_AUTO_CERTBOT_ADDITIONAL_PACKAGES} && python -m pip install cryptography + ARG CRUPEST_DOMAIN +ARG CRUPEST_ADDITIONAL_DOMAIN_LIST="" +ARG CRUPEST_EMAIL ARG CRUPEST_AUTO_CERTBOT_POST_HOOK="" -ARG CRUPEST_AUTO_CERTBOT_RENEW_COMMAND="" # install bash ENV CRUPEST_DOMAIN=${CRUPEST_DOMAIN} +ENV CRUPEST_ADDITIONAL_DOMAIN_LIST=${CRUPEST_ADDITIONAL_DOMAIN_LIST} +ENV CRUPEST_EMAIL=${CRUPEST_EMAIL} ENV CRUPEST_AUTO_CERTBOT_POST_HOOK=${CRUPEST_AUTO_CERTBOT_POST_HOOK} -ENV CRUPEST_AUTO_CERTBOT_RENEW_COMMAND=${CRUPEST_AUTO_CERTBOT_RENEW_COMMAND} COPY daemon.bash /daemon.bash VOLUME ["/var/www/certbot", "/etc/letsencrypt", "/var/lib/letsencrypt"] ENTRYPOINT ["/sbin/tini", "--"] diff --git a/docker/auto-certbot/daemon.bash b/docker/auto-certbot/daemon.bash index 0311161..8ec78c0 100755 --- a/docker/auto-certbot/daemon.bash +++ b/docker/auto-certbot/daemon.bash 
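Review bot: The new format string appends a literal `Z` to whatever `date` prints, but nothing switches `date` to UTC, so the timestamp only means what its suffix claims when the container's TZ happens to be UTC. Use `current_time=$(date -u +%Y-%m-%dT%H:%M:%SZ)` so the `Z` is honest regardless of the host or image timezone; backup names with a wrong-but-UTC-looking timestamp are painful to reason about during an incident. The `backup` function continues outside the hunk.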
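Review bot: `python -m pip install cryptography` in the RUN line fetches an unpinned package at build time, with no version or hash, into an image that already carries `cryptography` as a dependency of certbot itself — so the line is either a no-op or a silent upgrade past the version the base image was tested with, and the build is not reproducible either way. Either pin it, e.g. `python -m pip install --no-cache-dir 'cryptography==<version you tested>'`, or drop the line and rely on the copy certbot ships, after confirming `get-cert-domains.py` imports cleanly from it. I also cannot see a `COPY` for `get-cert-domains.py` in this hunk although the daemon invokes it as `./get-cert-domains.py`; if it is not copied further down the file, add `COPY get-cert-domains.py /get-cert-domains.py` next to the daemon copy and make sure the working directory matches that relative path. The `# install bash` comment above the ENV lines no longer describes anything and should be removed.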
@@ -11,13 +11,16 @@ fi # Check certbot version. certbot --version -# Check CRUPEST_AUTO_CERTBOT_RENEW_COMMAND is defined. -if [ -z "$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND" ]; then - echo "CRUPEST_AUTO_CERTBOT_RENEW_COMMAND is not defined or empty" - CRUPEST_AUTO_CERTBOT_RENEW_COMMAND="certbot renew -n --webroot -w /var/www/certbot" - printf "Will use:\n%s\n" "$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND" -else - printf "CRUPEST_AUTO_CERTBOT_RENEW_COMMAND is defined as:\n%s\n" "$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND" +# Check domain +if [[ -z "$CRUPEST_DOMAIN" ]]; then + echo "CRUPEST_DOMAIN can't be empty!" 1>&2 + exit 1 +fi + +# Check email +if [[ -z "$CRUPEST_EMAIL" ]]; then + echo "CRUPEST_EMAIL can't be empty!" 1>&2 + exit 2 fi # Check CRUPEST_CERT_PATH, default to /etc/letsencrypt/live/$CRUPEST_DOMAIN/fullchain.pem 
@@ -27,10 +30,36 @@ fi # Check CRUPEST_CERT_PATH exists. if [ ! -f "$CRUPEST_CERT_PATH" ]; then - echo "Cert file does not exist" - exit 1 + echo "Cert file does not exist. You may want to generate it manually with aio script." 1>&2 + exit 3 fi +echo "Root domain:" "$CRUPEST_DOMAIN" +echo "Email:" "$CRUPEST_EMAIL" +echo "Cert path: ${CRUPEST_CERT_PATH}" + +# Check CRUPEST_AUTO_CERTBOT_RENEW_COMMAND is defined. +if [ -z "$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND" ]; then + echo "CRUPEST_AUTO_CERTBOT_RENEW_COMMAND is not defined or empty. Will use the default one." +else + printf "CRUPEST_AUTO_CERTBOT_RENEW_COMMAND is defined as:\n%s\n" "$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND" +fi + +mapfile -t domains <<< "$(./get-cert-domains.py "${CRUPEST_CERT_PATH}")" + +for domain in "${domains[@]}"; do + domain_options=("${domain_options[@]}" -d "$domain") +done + +options=("${domain_options[@]}") +if [ -n "$CRUPEST_AUTO_CERTBOT_POST_HOOK" ]; then + printf "You have defined a post hook:\n%s\n" "$CRUPEST_AUTO_CERTBOT_POST_HOOK" + options=("${options[@]}" --post-hook "$CRUPEST_AUTO_CERTBOT_POST_HOOK") +fi + +# Use test server to test. +certbot certonly -n --agree-tos --test-cert --dry-run -m "$CRUPEST_EMAIL" --webroot -w /var/www/certbot "${options[@]}" + function check_and_renew_cert { expire_info=$(openssl x509 -enddate -noout -in "$CRUPEST_CERT_PATH") @@ -59,11 +88,12 @@ function check_and_renew_cert { else # No, renew now. echo "Renewing now..." - # Run CRUPEST_AUTO_CERTBOT_RENEW_COMMAND - if [ -n "$CRUPEST_AUTO_CERTBOT_POST_HOOK" ]; then - $CRUPEST_AUTO_CERTBOT_RENEW_COMMAND --post-hook "$CRUPEST_AUTO_CERTBOT_POST_HOOK" - else + + if [ -n "$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND" ]; then $CRUPEST_AUTO_CERTBOT_RENEW_COMMAND + else + + certbot renew -n --agree-tos -m "$CRUPEST_EMAIL" --webroot -w /var/www/certbot "${options[@]}" fi fi } diff --git a/docker/auto-certbot/get-cert-domains.py b/docker/auto-certbot/get-cert-domains.py new file mode 100755 index 0000000..3ba9462 --- /dev/null 
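Review bot: A failure of `./get-cert-domains.py` is invisible on the `mapfile` line: the exit status is lost inside `$(...)`, `mapfile -t` then stores a single empty element, and the loop turns it into `-d ""`, so certbot is invoked with a bogus domain instead of the daemon stopping. The `--dry-run` on the last added line has the same gap — its result is never checked, so a broken webroot or ACME configuration is merely logged and the daemon carries on into the renew loop as if startup had validated anything. I would capture the script output first and exit on failure or empty output, and make the dry run fatal, as below. Note also that, as far as I recall certbot's documentation, pre/post hooks are executed under `--dry-run` (only deploy hooks are skipped), so the configured post hook will fire on every container start; if that is intended it deserves a comment on the dry-run line. This hunk ends inside `check_and_renew_cert`, whose body continues outside it.
```bash
# … unchanged: renew-command message …
domain_list=$(./get-cert-domains.py "$CRUPEST_CERT_PATH") || {
    echo "Failed to read domains from $CRUPEST_CERT_PATH" 1>&2
    exit 4
}
mapfile -t domains <<< "$domain_list"
if [ "${#domains[@]}" -eq 0 ] || [ -z "${domains[0]}" ]; then
    echo "No DNS names found in $CRUPEST_CERT_PATH" 1>&2
    exit 4
fi
domain_options=()
for domain in "${domains[@]}"; do
    domain_options+=(-d "$domain")
done
# … unchanged: post-hook option …
certbot certonly -n --agree-tos --test-cert --dry-run -m "$CRUPEST_EMAIL" --webroot -w /var/www/certbot "${options[@]}" || {
    echo "certbot dry run failed; refusing to start the renew loop" 1>&2
    exit 5
}
```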
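Review bot: The default branch hands the `-d` list in `options` to `certbot renew`, but `renew` does not select certificates by domain — as far as I recall it rejects `--domains` outright and tells you to use `certonly` — while the startup check earlier in the file exercises `certonly`, so the dry run validates a different command from the one that will actually run at renewal time. Either make this line `certbot certonly -n --agree-tos -m "$CRUPEST_EMAIL" --webroot -w /var/www/certbot "${options[@]}"` so both paths run the same verb (checking that non-interactive `certonly` on an identical domain set re-issues at the daemon's expiry threshold, or adding `--force-renewal`), or drop the `-d` list here and dry-run `renew` instead. Separately, when `CRUPEST_AUTO_CERTBOT_RENEW_COMMAND` is set the post hook is now silently dropped: the removed lines appended `--post-hook` to the custom command, the new `if` branch does not, even though the script still prints `You have defined a post hook`; restore `--post-hook "$CRUPEST_AUTO_CERTBOT_POST_HOOK"` on the custom command or say in the message that a custom command ignores the hook. `$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND` is also still expanded unquoted, so the custom command is subject to word splitting and globbing — pre-existing, but worth a comment on that line. `check_and_renew_cert` begins outside this hunk.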
+++ b/docker/auto-certbot/get-cert-domains.py @@ -0,0 +1,38 @@ +#!/usr/bin/env python3 + +import sys +import os +from os.path import * +from cryptography.x509 import * +from cryptography.x509.oid import ExtensionOID + +# Check only one argument +if len(sys.argv) != 2: + print("You should only specify one argument, aka, the path of cert.", + file=sys.stderr) + exit(1) + +cert_path = sys.argv[1] + +if not exists(cert_path): + print("Cert file does not exist.", file=sys.stderr) + exit(2) + +if not isfile(cert_path): + print("Cert path is not a file.") + exit(3) + +if not 'CRUPEST_DOMAIN' in os.environ: + print("Please set CRUPEST_DOMAIN environment variable to root domain.", file=sys.stderr) + exit(4) + +root_domain = os.environ['CRUPEST_DOMAIN'] + +with open(cert_path) as f: + cert = load_pem_x509_certificate(f.read()) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_ALTERNATIVE_NAME) + domains: list = ext.value.get_values_for_type(DNSName) + domains.remove(root_domain) + domains = [root_domain, *domains] + print('\n'.join(domains)) |
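Review bot: The `isfile` branch prints its error to stdout while every other branch uses `file=sys.stderr`; the daemon consumes this script's stdout as the domain list, so that message would be handed to certbot as a `-d` value — change it to `print("Cert path is not a file.", file=sys.stderr)`. `domains.remove(root_domain)` raises an uncaught `ValueError` (a traceback and exit status 1) when `CRUPEST_DOMAIN` is not among the cert's DNS SANs, and `get_extension_for_oid` raises `ExtensionNotFound` when the cert has no SAN extension at all; both deserve a message and a distinct exit code, since the caller's only signal is the exit status. `load_pem_x509_certificate` takes bytes, so the file should be opened with `"rb"` rather than in text mode. The star imports of `os.path` and `cryptography.x509` hide where `exists`, `DNSName` and `load_pem_x509_certificate` come from; import them by name.
```python
# … unchanged: argument, path and CRUPEST_DOMAIN checks …
with open(cert_path, "rb") as f:
    cert = load_pem_x509_certificate(f.read())

try:
    ext = cert.extensions.get_extension_for_oid(
        ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
except ExtensionNotFound:
    print("Cert has no Subject Alternative Name extension.", file=sys.stderr)
    exit(5)

domains: list[str] = ext.value.get_values_for_type(DNSName)
if root_domain not in domains:
    print(f"Root domain {root_domain} is not in the cert's DNS names.",
          file=sys.stderr)
    exit(6)
domains.remove(root_domain)
print('\n'.join([root_domain, *domains]))
```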