diff --git a/src/Dockerfile b/src/Dockerfile index a8b431f..be8a4bc 100644 --- a/src/Dockerfile +++ b/src/Dockerfile @@ -1,5 +1,5 @@ FROM nginx -MAINTAINER Elliot Saba +LABEL maintainer="Elliot Saba , Valder Gallo , Bruno Zell " VOLUME /etc/letsencrypt EXPOSE 80 diff --git a/src/scripts/entrypoint.sh b/src/scripts/entrypoint.sh index b6445bf..71d433e 100644 --- a/src/scripts/entrypoint.sh +++ b/src/scripts/entrypoint.sh @@ -14,27 +14,24 @@ auto_enable_configs nginx -g "daemon off;" & export NGINX_PID=$! -# Next, run certbot to request all the ssl certs we can find -/scripts/run_certbot.sh - # Lastly, run startup scripts for f in /scripts/startup/*.sh; do - if [[ -x "$f" ]]; then + if [ -x "$f" ]; then echo "Running startup script $f" $f fi done echo "Done with startup" -# Instead of trying to run `cron` or something like that, just leep and run `certbot`. +# Instead of trying to run `cron` or something like that, just sleep and run `certbot`. while [ true ]; do - # Sleep for 1 week - sleep 604800 & - SLEEP_PID=$! - - # re-run certbot + echo "Run certbot" /scripts/run_certbot.sh + # Sleep for 1 week + sleep 604810 & + SLEEP_PID=$! + # Wait on sleep so that when we get ctrl-c'ed it kills everything due to our trap wait "$SLEEP_PID" done diff --git a/src/scripts/run_certbot.sh b/src/scripts/run_certbot.sh index 3a68623..346589d 100644 --- a/src/scripts/run_certbot.sh +++ b/src/scripts/run_certbot.sh 
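Review bot: The exit status of `/scripts/run_certbot.sh` is discarded inside the `while` loop, so a pass in which a domain fails (run_certbot.sh records `exit_code=1` per failure in the next hunk, and presumably exits with it outside the hunk) is not retried until the 604810-second sleep ends a week later. Checking the status and sleeping for a shorter interval after a failure would bound how long a domain stays without a certificate; the `trap` the comment relies on is defined outside the hunk. The `# Sleep for 1 week` comment also no longer matches the value: `604810` is one week plus 10 s, presumably so the next pass clears the 604800-second threshold in `is_renewal_required`, and that margin should be stated, e.g. `# Sleep for 1 week plus 10 s so the next pass clears is_renewal_required's one-week threshold`.
```shell
  echo "Run certbot"
  if /scripts/run_certbot.sh; then
    # Sleep for 1 week plus 10 s so the next pass clears is_renewal_required's one-week threshold
    sleep 604810 &
  else
    # A failed pass is retried sooner; RETRY_INTERVAL_SEC and its default are constructed placeholders
    sleep "${RETRY_INTERVAL_SEC:-3600}" &
  fi
  SLEEP_PID=$!
  # … unchanged: wait "$SLEEP_PID" …
```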
@@ -13,9 +13,15 @@ exit_code=0 set -x # Loop over every domain we can find for domain in $(parse_domains); do - if ! get_certificate $domain $CERTBOT_EMAIL; then - error "Cerbot failed for $domain. Check the logs for details." - exit_code=1 + if is_renewal_required $domain; then + # Renewal required for this doman. + # Last one happened over a week ago (or never) + if ! get_certificate $domain $CERTBOT_EMAIL; then + error "Cerbot failed for $domain. Check the logs for details." + exit_code=1 + fi + else + echo "Not run certbot for $domain; last renewal happened just recently." fi done diff --git a/src/scripts/util.sh b/src/scripts/util.sh index afe376e..2c47c7d 100644 --- a/src/scripts/util.sh +++ b/src/scripts/util.sh 
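Review bot: The skip branch's message, `echo "Not run certbot for $domain; last renewal happened just recently."`, reads as broken English and does not say what "recently" means, and since this line is the only trace that a renewal was skipped it should be precise: `echo "Skipping certbot for $domain; last renewal was less than a week ago."`. The comment above the renewal branch also misspells the domain; suggested `# Renewal required for this domain: last one happened over a week ago (or never).`. The unquoted `$domain` passed to `is_renewal_required` matches the existing `get_certificate` call, so it is consistent as written.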
@@ -59,7 +59,35 @@ auto_enable_configs() { # EMAIL environment variable, to register the proper support email address. get_certificate() { echo "Getting certificate for domain $1 on behalf of user $2" + PRODUCTION_URL='https://acme-v01.api.letsencrypt.org/directory' + STAGING_URL='https://acme-staging.api.letsencrypt.org/directory' + + if [ "${IS_STAGING}" = "1" ]; then + letsencrypt_url=$STAGING_URL + echo "Staging ..." + else + letsencrypt_url=$PRODUCTION_URL + echo "Production ..." + fi + + echo "running certbot ... $letsencrypt_url $1 $2" certbot certonly --agree-tos --keep -n --text --email $2 --server \ - https://acme-v02.api.letsencrypt.org/directory -d $1 --http-01-port 1337 \ - --standalone --standalone-supported-challenges http-01 --debug + $letsencrypt_url -d $1 --http-01-port 1337 \ + --standalone --preferred-challenges http-01 --debug +} + +# Given a domain name, return true if a renewal is required (last renewal +# ran over a week ago or never happened yet), otherwise return false. +is_renewal_required() { + # If the file does not exist assume a renewal is required + last_renewal_file="/etc/letsencrypt/live/$1/privkey.pem" + [ ! -e "$last_renewal_file" ] && return; + + # If the file exists, check if the last renewal was more than a week ago + one_week_sec=604800 + now_sec=$(date -d now +%s) + last_renewal_sec=$(stat -c %Y "$last_renewal_file") + last_renewal_delta_sec=$(( ($now_sec - $last_renewal_sec) )) + is_finshed_week_sec=$(( ($one_week_sec - $last_renewal_delta_sec) )) + [ $is_finshed_week_sec -lt 0 ] }
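Review bot: `is_renewal_required` answers "not required" whenever its `date -d now` or `stat -c %Y` call fails: an empty `now_sec` makes `last_renewal_delta_sec` negative, an empty `last_renewal_sec` breaks the arithmetic and the final `[ $is_finshed_week_sec -lt 0 ]`, and in both cases the non-zero status is read by the caller in run_certbot.sh as "renewed recently", so a broken environment silently stops renewals for every domain. The helper should fail toward renewing — return 0 when either command fails — and compare the age directly, as rewritten below. The mtime of `privkey.pem` is only a proxy for the last issuance, not for the certificate's expiry; that is presumably fine while certbot's `--keep` still decides whether to reissue, but it deserves a comment. Separately, `PRODUCTION_URL` moves from the `acme-v02` directory back to `acme-v01`, which Let's Encrypt has deprecated; keeping the v02 endpoint and its staging counterpart `https://acme-staging-v02.api.letsencrypt.org/directory` avoids depending on a retired API. `date -d now` is GNU-only; `date +%s` yields the same value portably.
```shell
is_renewal_required() {
  # If the file does not exist assume a renewal is required
  last_renewal_file="/etc/letsencrypt/live/$1/privkey.pem"
  [ ! -e "$last_renewal_file" ] && return

  # Fail toward renewing: if the clock or the file's mtime cannot be read,
  # report "required" rather than silently skipping this domain.
  # Note: privkey.pem's mtime approximates the last issuance, not cert expiry.
  one_week_sec=604800
  now_sec=$(date +%s) || return 0
  last_renewal_sec=$(stat -c %Y "$last_renewal_file") || return 0
  [ $(( now_sec - last_renewal_sec )) -gt "$one_week_sec" ]
}
```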