From 43a2b720f67c9385dea9106224bb517f2b47be8d Mon Sep 17 00:00:00 2001 From: Valder Gallo Date: Wed, 27 Jun 2018 17:27:42 -0300 Subject: [PATCH 01/20] add staging url for develop --- scripts/util.sh | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/scripts/util.sh b/scripts/util.sh index d7b60e3..4585fa9 100644 --- a/scripts/util.sh +++ b/scripts/util.sh @@ -59,7 +59,18 @@ auto_enable_configs() { # EMAIL environment variable, to register the proper support email address. get_certificate() { echo "Getting certificate for domain $1 on behalf of user $2" + PRODUCTION_URL='https://acme-v01.api.letsencrypt.org/directory' + STAGING_URL='https://acme-staging.api.letsencrypt.org/directory' + + if [[ ! "${IS_STAGING}" = "1" ]]; then + LETSENCRYPT_URL=STAGING_URL + echo "Staging on" + else + LETSENCRYPT_URL=PRODUCTION_URL + echo "Production on" + fi + certbot certonly --agree-tos --keep -n --text --email $2 --server \ - https://acme-v01.api.letsencrypt.org/directory -d $1 --http-01-port 1337 \ + $LETSENCRYPT_URL -d $1 --http-01-port 1337 \ --standalone --standalone-supported-challenges http-01 --debug } From 91af6eaabc132ccd0f1972f265b412666e40b25d Mon Sep 17 00:00:00 2001 From: Valder Gallo Date: Wed, 27 Jun 2018 20:13:11 -0300 Subject: [PATCH 02/20] update datetime --- scripts/entrypoint.sh | 11 +++++++++++ scripts/util.sh | 6 +++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh index b6445bf..0bc1011 100644 --- a/scripts/entrypoint.sh +++ b/scripts/entrypoint.sh 
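Review bot: The new branch stores the variable's name rather than its value — `LETSENCRYPT_URL=STAGING_URL` and `LETSENCRYPT_URL=PRODUCTION_URL` set the literal strings `STAGING_URL`/`PRODUCTION_URL`, so the `--server $LETSENCRYPT_URL` argument below is not a URL and certbot cannot reach any ACME directory. The condition is also inverted: `[[ ! "${IS_STAGING}" = "1" ]]` selects the staging endpoint precisely when IS_STAGING is not 1. Write `if [[ "${IS_STAGING}" = "1" ]]; then LETSENCRYPT_URL=$STAGING_URL` with `LETSENCRYPT_URL=$PRODUCTION_URL` in the else branch, and quote the expansions on the certbot line (`--server "$LETSENCRYPT_URL" -d "$1" --email "$2"`). Defaulting to production when IS_STAGING is unset is reasonable, but a one-line comment above the check saying so would help, since staging and production behave very differently once a deployment is live.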
@@ -26,6 +26,17 @@ for f in /scripts/startup/*.sh; do done echo "Done with startup" +now=$(date) +last_sync_file="/etc/letsencrypt/last_sync.txt" + +if [[ ! -e "$last_sync_file" ]]; then + mkdir -p /Scripts + touch "$last_sync_file" +fi + +last_sync=$(stat -c %y "$last_sync_file") +updated_days=$(( ($(date -d now +%s) - $(date -d last_sync +%s) )/(60*60*24) )) + # Instead of trying to run `cron` or something like that, just leep and run `certbot`. while [ true ]; do # Sleep for 1 week diff --git a/scripts/util.sh b/scripts/util.sh index 4585fa9..7e44201 100644 --- a/scripts/util.sh +++ b/scripts/util.sh @@ -63,14 +63,14 @@ get_certificate() { STAGING_URL='https://acme-staging.api.letsencrypt.org/directory' if [[ ! "${IS_STAGING}" = "1" ]]; then - LETSENCRYPT_URL=STAGING_URL + letsencrypt_url=STAGING_URL echo "Staging on" else - LETSENCRYPT_URL=PRODUCTION_URL + letsencrypt_url=PRODUCTION_URL echo "Production on" fi certbot certonly --agree-tos --keep -n --text --email $2 --server \ - $LETSENCRYPT_URL -d $1 --http-01-port 1337 \ + $letsencrypt_url -d $1 --http-01-port 1337 \ --standalone --standalone-supported-challenges http-01 --debug } From cf136e28d8a7b1e97a9b30aaadafc7c493a83cb9 Mon Sep 17 00:00:00 2001 From: Valder Gallo Date: Wed, 27 Jun 2018 21:59:43 -0300 Subject: [PATCH 03/20] stop to reacreate keys on restart --- Dockerfile | 2 +- scripts/entrypoint.sh | 29 ++++++++++++++++++----------- scripts/util.sh | 9 +++++---- 3 files changed, 24 insertions(+), 16 deletions(-) diff --git a/Dockerfile b/Dockerfile index a8b431f..9ce7362 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ FROM nginx -MAINTAINER Elliot Saba +LABEL maintainer="Valder Gallo " VOLUME /etc/letsencrypt EXPOSE 80 diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh index 0bc1011..63105f4 100644 --- a/scripts/entrypoint.sh +++ b/scripts/entrypoint.sh 
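Review bot: `date -d last_sync +%s` passes the literal word `last_sync` to date, not the timestamp captured into `$last_sync` two lines earlier, so the subtraction in `updated_days` errors out — and nothing reads the result anyway (`now`, `last_sync` and `updated_days` are computed once before the loop and never used). `mkdir -p /Scripts` also creates an unrelated directory (note the capital S) while the file being touched lives under /etc/letsencrypt. If a day count since the last sync is wanted, read the mtime as seconds directly, `last_sync_sec=$(stat -c %Y "$last_sync_file")`, and compute `updated_days=$(( ( $(date +%s) - last_sync_sec ) / 86400 ))` inside the loop where it can drive the decision; otherwise drop the block. The `while` loop this precedes continues past the end of the hunk.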
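Review bot: The rename keeps the earlier defect: `letsencrypt_url=STAGING_URL` and `letsencrypt_url=PRODUCTION_URL` still assign the variable names as strings, so `--server $letsencrypt_url` hands certbot the literal `STAGING_URL`. Use `letsencrypt_url=$STAGING_URL` and `letsencrypt_url=$PRODUCTION_URL`, and quote the use, `--server "$letsencrypt_url"`. The inverted `! "${IS_STAGING}" = "1"` test on the context line above is also still in place.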
@@ -14,28 +14,26 @@ auto_enable_configs nginx -g "daemon off;" & export NGINX_PID=$! -# Next, run certbot to request all the ssl certs we can find -/scripts/run_certbot.sh - # Lastly, run startup scripts for f in /scripts/startup/*.sh; do - if [[ -x "$f" ]]; then + if [ -x "$f" ]; then echo "Running startup script $f" $f fi done echo "Done with startup" -now=$(date) last_sync_file="/etc/letsencrypt/last_sync.txt" -if [[ ! -e "$last_sync_file" ]]; then - mkdir -p /Scripts +if [ ! -e "$last_sync_file" ]; then touch "$last_sync_file" + + # run certbot to request all the ssl certs we can find + echo "Run first time certbot" + /scripts/run_certbot.sh fi -last_sync=$(stat -c %y "$last_sync_file") -updated_days=$(( ($(date -d now +%s) - $(date -d last_sync +%s) )/(60*60*24) )) +one_week_sec=604800 # Instead of trying to run `cron` or something like that, just leep and run `certbot`. while [ true ]; do @@ -43,8 +41,17 @@ while [ true ]; do sleep 604800 & SLEEP_PID=$! - # re-run certbot - /scripts/run_certbot.sh + last_sync_sec=$(stat -c %Y "$last_sync_file") + now_sec=$(date -d now +%s) + runned_sec=$(( ($now_sec - $last_sync_sec) )) + is_finshed_week_sec=$(( ($one_week_sec - $runned_sec) )) + + echo "Not run_certbot.sh" + if [ $is_finshed_week_sec -lt 0 ]; then + # re-run certbot + echo "Run certbot" + /scripts/run_certbot.sh + fi # Wait on sleep so that when we get ctrl-c'ed it kills everything due to our trap wait "$SLEEP_PID" diff --git a/scripts/util.sh b/scripts/util.sh index 7e44201..0be52a6 100644 --- a/scripts/util.sh +++ b/scripts/util.sh 
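Review bot: In the second hunk `echo "Not run_certbot.sh"` is printed unconditionally before the `-lt 0` test, so the log claims certbot was skipped even on iterations where it then runs; move it into an `else` branch. The re-run branch never refreshes `$last_sync_file`, so once the first week has elapsed `is_finshed_week_sec` stays negative and every later iteration re-runs certbot; add `touch "$last_sync_file"` after a successful `/scripts/run_certbot.sh`. Minor: `runned_sec`/`is_finshed_week_sec` are misspelt, the test should quote its operand (`[ "$is_finshed_week_sec" -lt 0 ]`), and `while [ true ]` is clearer as `while true`. The first hunk has the same ordering concern in reverse: the marker is touched before the first certbot run, so a failed first run is not retried until the week is up.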
@@ -62,14 +62,15 @@ get_certificate() { PRODUCTION_URL='https://acme-v01.api.letsencrypt.org/directory' STAGING_URL='https://acme-staging.api.letsencrypt.org/directory' - if [[ ! "${IS_STAGING}" = "1" ]]; then + if [ "${IS_STAGING}" = "1" ]; then letsencrypt_url=STAGING_URL - echo "Staging on" - else + echo "Staging ..." + elses letsencrypt_url=PRODUCTION_URL - echo "Production on" + echo "Production ..." fi + echo "running certbot ... $letsencrypt_url" certbot certonly --agree-tos --keep -n --text --email $2 --server \ $letsencrypt_url -d $1 --http-01-port 1337 \ --standalone --standalone-supported-challenges http-01 --debug From b5b887d8af9e4711baf65f9d457928ffa5f4aeed Mon Sep 17 00:00:00 2001 From: Valder Gallo Date: Wed, 27 Jun 2018 22:05:20 -0300 Subject: [PATCH 04/20] add old manteiner --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 9ce7362..93126d9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ FROM nginx -LABEL maintainer="Valder Gallo " +LABEL maintainer="Elliot Saba , Valder Gallo " VOLUME /etc/letsencrypt EXPOSE 80 From 418560a7bed4ee188e5678e25b18e6e981ecdab0 Mon Sep 17 00:00:00 2001 From: Valder Gallo Date: Wed, 27 Jun 2018 22:19:19 -0300 Subject: [PATCH 05/20] fix util sh --- scripts/util.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/util.sh b/scripts/util.sh index 0be52a6..68f4a8d 100644 --- a/scripts/util.sh +++ b/scripts/util.sh 
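Review bot: `elses` is not a shell keyword, so this hunk leaves util.sh unparsable — the shell reports a syntax error near `fi` and any script that sources util.sh aborts; it must be `else`. The assignments `letsencrypt_url=STAGING_URL` / `letsencrypt_url=PRODUCTION_URL` still store the names rather than the URLs (missing `$`), so even with the keyword fixed `--server $letsencrypt_url` does not receive a directory URL. The rest of the `get_certificate` body is visible only as context and is unchanged here.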
@@ -63,15 +63,15 @@ get_certificate() { STAGING_URL='https://acme-staging.api.letsencrypt.org/directory' if [ "${IS_STAGING}" = "1" ]; then - letsencrypt_url=STAGING_URL + letsencrypt_url=$STAGING_URL echo "Staging ..." - elses - letsencrypt_url=PRODUCTION_URL + else + letsencrypt_url=$PRODUCTION_URL echo "Production ..." fi - echo "running certbot ... $letsencrypt_url" + echo "running certbot ... $letsencrypt_url $1 $2" certbot certonly --agree-tos --keep -n --text --email $2 --server \ $letsencrypt_url -d $1 --http-01-port 1337 \ - --standalone --standalone-supported-challenges http-01 --debug + --standalone --preferred-challenges http-01 --debug } From d9ba3628330397c65dab50c86cd25050edc539c1 Mon Sep 17 00:00:00 2001 From: Valder Gallo Date: Wed, 27 Jun 2018 23:34:43 -0300 Subject: [PATCH 06/20] add register script bash --- scripts/register.sh | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 scripts/register.sh diff --git a/scripts/register.sh b/scripts/register.sh new file mode 100644 index 0000000..61ab856 --- /dev/null +++ b/scripts/register.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +PRODUCTION_URL='https://acme-v01.api.letsencrypt.org/directory' +STAGING_URL='https://acme-staging.api.letsencrypt.org/directory' + +if [ "${IS_STAGING}" = "1" ]; then + letsencrypt_url=$STAGING_URL + echo "Staging ..." +else + letsencrypt_url=$PRODUCTION_URL + echo "Production ..." +fi + +echo "running certbot ... $letsencrypt_url $1 $2" +certbot certonly --agree-tos --keep -n --text --email $2 --server \ + $letsencrypt_url -d $1 --http-01-port 1337 \ + --standalone --preferred-challenges http-01 --debug From b120666a600a683bbf423fabc914d9804447b9e7 Mon Sep 17 00:00:00 2001 From: Valder Gallo Date: Thu, 28 Jun 2018 08:28:40 -0300 Subject: [PATCH 07/20] missing recreate the file for the next week --- scripts/entrypoint.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh index 63105f4..5f4aa6a 100644 
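Review bot: The positional parameters on the certbot line remain unquoted (`--email $2`, `-d $1`, `--server $letsencrypt_url`); an empty or space-containing value silently shifts certbot's option parsing, so write `--email "$2" --server "$letsencrypt_url" -d "$1"`. The new log line `echo "running certbot ... $letsencrypt_url $1 $2"` also writes the account email into the container log on every run; logging only the endpoint and domain is enough for troubleshooting. Replacing `--standalone-supported-challenges` with `--preferred-challenges http-01` matches certbot's current option name and looks correct.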
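Review bot: register.sh duplicates the body of `get_certificate` from util.sh line for line (same URL selection, same certbot invocation), so the two will drift the next time one is touched; either source util.sh and call `get_certificate "$1" "$2"`, or give this script its own single responsibility. It also has no argument check — run without a domain and email, `-d $1` and `--email $2` expand to nothing and certbot gets a malformed command line — so add `[ $# -eq 2 ] || { echo "usage: $0 DOMAIN EMAIL" >&2; exit 2; }` near the top and quote `"$1"`/`"$2"` where they are used. The `#!/bin/sh` shebang is fine since the script only uses POSIX `[ ]`.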
--- a/scripts/entrypoint.sh +++ b/scripts/entrypoint.sh @@ -48,6 +48,9 @@ while [ true ]; do echo "Not run_certbot.sh" if [ $is_finshed_week_sec -lt 0 ]; then + # recreate the file + touch "$last_sync_file" + # re-run certbot echo "Run certbot" /scripts/run_certbot.sh From 87730d6a2db93bf6749c19fcc2d5ab33cc38eaf5 Mon Sep 17 00:00:00 2001 From: Valder Gallo Date: Thu, 28 Jun 2018 12:19:02 -0300 Subject: [PATCH 08/20] sleep for more 10 sec --- scripts/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh index 5f4aa6a..ba6f2c1 100644 --- a/scripts/entrypoint.sh +++ b/scripts/entrypoint.sh @@ -38,7 +38,7 @@ one_week_sec=604800 # Instead of trying to run `cron` or something like that, just leep and run `certbot`. while [ true ]; do # Sleep for 1 week - sleep 604800 & + sleep 604810 & SLEEP_PID=$! last_sync_sec=$(stat -c %Y "$last_sync_file") From 5aa7438c46cd996043ab6ed494cd624a4dfabf3f Mon Sep 17 00:00:00 2001 From: Bruno Zell Date: Fri, 28 Sep 2018 14:53:48 +0200 Subject: [PATCH 09/20] create src folder --- {nginx_conf.d => src/nginx_conf.d}/certbot.conf | 0 {scripts => src/scripts}/entrypoint.sh | 0 {scripts => src/scripts}/register.sh | 0 {scripts => src/scripts}/run_certbot.sh | 0 {scripts => src/scripts}/util.sh | 0 5 files changed, 0 insertions(+), 0 deletions(-) rename {nginx_conf.d => src/nginx_conf.d}/certbot.conf (100%) rename {scripts => src/scripts}/entrypoint.sh (100%) rename {scripts => src/scripts}/register.sh (100%) rename {scripts => src/scripts}/run_certbot.sh (100%) mode change 100755 => 100644 rename {scripts => src/scripts}/util.sh (100%) diff --git a/nginx_conf.d/certbot.conf b/src/nginx_conf.d/certbot.conf similarity index 100% rename from nginx_conf.d/certbot.conf rename to src/nginx_conf.d/certbot.conf diff --git a/scripts/entrypoint.sh b/src/scripts/entrypoint.sh similarity index 100% rename from scripts/entrypoint.sh rename to src/scripts/entrypoint.sh 
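Review bot: `touch "$last_sync_file"` runs before `/scripts/run_certbot.sh`, so a failed certbot run still advances the marker and no retry happens for another week; move the touch after the call and make it conditional on success, `if /scripts/run_certbot.sh; then touch "$last_sync_file"; fi`. The enclosing `if` and `while` blocks start and end outside this hunk.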
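Review bot: Bumping the sleep to `604810` while `one_week_sec` on the context line stays at 604800 introduces two copies of the same interval that now disagree, and the extra 10 s only papers over the exact-boundary comparison in the loop. Derive the sleep from the constant, `sleep "$one_week_sec" &`, and change the later test to `-le 0` so a delta of exactly one week also triggers a run. The `while` loop continues beyond the hunk.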
diff --git a/scripts/register.sh b/src/scripts/register.sh similarity index 100% rename from scripts/register.sh rename to src/scripts/register.sh diff --git a/scripts/run_certbot.sh b/src/scripts/run_certbot.sh old mode 100755 new mode 100644 similarity index 100% rename from scripts/run_certbot.sh rename to src/scripts/run_certbot.sh diff --git a/scripts/util.sh b/src/scripts/util.sh similarity index 100% rename from scripts/util.sh rename to src/scripts/util.sh From 00d0b9b8031869fdc57e086da6ef6ccbc76e6dcd Mon Sep 17 00:00:00 2001 From: Bruno Zell Date: Fri, 28 Sep 2018 15:50:12 +0200 Subject: [PATCH 10/20] remove register.sh --- src/scripts/register.sh | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100644 src/scripts/register.sh diff --git a/src/scripts/register.sh b/src/scripts/register.sh deleted file mode 100644 index 61ab856..0000000 --- a/src/scripts/register.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/sh - -PRODUCTION_URL='https://acme-v01.api.letsencrypt.org/directory' -STAGING_URL='https://acme-staging.api.letsencrypt.org/directory' - -if [ "${IS_STAGING}" = "1" ]; then - letsencrypt_url=$STAGING_URL - echo "Staging ..." -else - letsencrypt_url=$PRODUCTION_URL - echo "Production ..." -fi - -echo "running certbot ... $letsencrypt_url $1 $2" -certbot certonly --agree-tos --keep -n --text --email $2 --server \ - $letsencrypt_url -d $1 --http-01-port 1337 \ - --standalone --preferred-challenges http-01 --debug From f7668d4347c545d26334a3e7fdcafddde2c90eab Mon Sep 17 00:00:00 2001 From: Bruno Zell Date: Fri, 28 Sep 2018 15:58:30 +0200 Subject: [PATCH 11/20] call certbot only once --- src/scripts/entrypoint.sh | 23 +++++++---------------- 1 file changed, 7 insertions(+), 16 deletions(-) diff --git a/src/scripts/entrypoint.sh b/src/scripts/entrypoint.sh index ba6f2c1..8885434 100644 --- a/src/scripts/entrypoint.sh +++ b/src/scripts/entrypoint.sh 
@@ -24,38 +24,29 @@ done echo "Done with startup" last_sync_file="/etc/letsencrypt/last_sync.txt" - -if [ ! -e "$last_sync_file" ]; then - touch "$last_sync_file" - - # run certbot to request all the ssl certs we can find - echo "Run first time certbot" - /scripts/run_certbot.sh -fi - one_week_sec=604800 -# Instead of trying to run `cron` or something like that, just leep and run `certbot`. +# Instead of trying to run `cron` or something like that, just sleep and run `certbot`. while [ true ]; do - # Sleep for 1 week - sleep 604810 & - SLEEP_PID=$! - last_sync_sec=$(stat -c %Y "$last_sync_file") now_sec=$(date -d now +%s) runned_sec=$(( ($now_sec - $last_sync_sec) )) is_finshed_week_sec=$(( ($one_week_sec - $runned_sec) )) echo "Not run_certbot.sh" - if [ $is_finshed_week_sec -lt 0 ]; then + if [ ! -e "$last_sync_file" ] || [ $is_finshed_week_sec -lt 0 ]; then # recreate the file touch "$last_sync_file" - # re-run certbot + # run certbot to request all the ssl certs we can find echo "Run certbot" /scripts/run_certbot.sh fi + # Sleep for 1 week + sleep 604810 & + SLEEP_PID=$! + # Wait on sleep so that when we get ctrl-c'ed it kills everything due to our trap wait "$SLEEP_PID" done From 1aa799bb70cbc000b24b4a31c504466b5ce839e4 Mon Sep 17 00:00:00 2001 From: Bruno Zell Date: Fri, 28 Sep 2018 16:00:02 +0200 Subject: [PATCH 12/20] add maintainer --- src/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Dockerfile b/src/Dockerfile index 93126d9..be8a4bc 100644 --- a/src/Dockerfile +++ b/src/Dockerfile @@ -1,5 +1,5 @@ FROM nginx -LABEL maintainer="Elliot Saba , Valder Gallo " +LABEL maintainer="Elliot Saba , Valder Gallo , Bruno Zell " VOLUME /etc/letsencrypt EXPOSE 80 From 96897f8e37ce062e085d30710c5525bc0e991d96 Mon Sep 17 00:00:00 2001 
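Review bot: `stat -c %Y "$last_sync_file"` now runs before the `! -e` existence test that was folded into the `if`, so on a fresh volume the first iteration prints a stat error, `last_sync_sec` is empty, and both `$(( ))` expressions raise arithmetic syntax errors before the `||` short-circuits into the certbot branch — it works by accident and fills the log with noise on every first start. Guard the computation, e.g. `if [ ! -e "$last_sync_file" ]; then is_finshed_week_sec=-1; else` … `fi`, or keep the early first-run `touch` that this hunk removes. `echo "Not run_certbot.sh"` is still printed unconditionally ahead of the test. Moving the sleep after the run is an improvement, since the first renewal no longer waits a week.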
From: Bruno Zell Date: Fri, 28 Sep 2018 17:07:33 +0200 Subject: [PATCH 13/20] move interval management to a util funcion --- src/scripts/entrypoint.sh | 13 ++++--------- src/scripts/util.sh | 13 +++++++++++++ 2 files changed, 17 insertions(+), 9 deletions(-) diff --git a/src/scripts/entrypoint.sh b/src/scripts/entrypoint.sh index 8885434..6d9d712 100644 --- a/src/scripts/entrypoint.sh +++ b/src/scripts/entrypoint.sh @@ -24,23 +24,18 @@ done echo "Done with startup" last_sync_file="/etc/letsencrypt/last_sync.txt" -one_week_sec=604800 # Instead of trying to run `cron` or something like that, just sleep and run `certbot`. while [ true ]; do - last_sync_sec=$(stat -c %Y "$last_sync_file") - now_sec=$(date -d now +%s) - runned_sec=$(( ($now_sec - $last_sync_sec) )) - is_finshed_week_sec=$(( ($one_week_sec - $runned_sec) )) - - echo "Not run_certbot.sh" - if [ ! -e "$last_sync_file" ] || [ $is_finshed_week_sec -lt 0 ]; then - # recreate the file + if [ is_sync_required $last_sync_file ]; then + # recreate the file to persist the last sync timestamp touch "$last_sync_file" # run certbot to request all the ssl certs we can find echo "Run certbot" /scripts/run_certbot.sh + else + echo "Not run certbot" fi # Sleep for 1 week diff --git a/src/scripts/util.sh b/src/scripts/util.sh index d2446ce..9bc775b 100644 --- a/src/scripts/util.sh +++ b/src/scripts/util.sh @@ -75,3 +75,16 @@ get_certificate() { $letsencrypt_url -d $1 --http-01-port 1337 \ --standalone --preferred-challenges http-01 --debug } + +is_sync_required() { + if [ ! -e "$1" ]; then + return true + fi + + one_week_sec=604800 + last_sync_sec=$(stat -c %Y "$1") + now_sec=$(date -d now +%s) + last_sync_delta_sec=$(( ($now_sec - $last_sync_sec) )) + is_finshed_week_sec=$(( ($one_week_sec - $last_sync_delta_sec) )) + return $is_finshed_week_sec -lt 0 +} From 73851752f790dcc26443e263339782a9c29bda5c Mon Sep 17 00:00:00 2001 
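Review bot: `if [ is_sync_required $last_sync_file ]; then` does not call the function — inside `[ ]` the name is only a string, so `test` receives two operands, complains that `is_sync_required` is not a unary operator and returns false, and certbot never runs. Call it directly: `if is_sync_required "$last_sync_file"; then`. The `while` loop this sits in continues beyond the hunk.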
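Review bot: `return true` and `return $is_finshed_week_sec -lt 0` are both invalid — `return` takes a single numeric status, so bash reports "numeric argument required" / "too many arguments" and the caller never receives the intended answer. Use `return 0` for the missing-file case and make the comparison the last command, `[ "$is_finshed_week_sec" -lt 0 ]`, whose status becomes the function's. The helper's variables (`one_week_sec`, `now_sec`, `last_sync_sec`, …) are also globals; declare them `local` so the sourced function does not leak state into the caller's scope.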
From: Bruno Zell Date: Fri, 28 Sep 2018 17:11:05 +0200 Subject: [PATCH 14/20] renaming --- src/scripts/entrypoint.sh | 10 +++++----- src/scripts/util.sh | 8 ++++---- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/scripts/entrypoint.sh b/src/scripts/entrypoint.sh index 6d9d712..1235b54 100644 --- a/src/scripts/entrypoint.sh +++ b/src/scripts/entrypoint.sh @@ -23,15 +23,15 @@ for f in /scripts/startup/*.sh; do done echo "Done with startup" -last_sync_file="/etc/letsencrypt/last_sync.txt" +last_renewal_file="/etc/letsencrypt/last_renewal.txt" # Instead of trying to run `cron` or something like that, just sleep and run `certbot`. while [ true ]; do - if [ is_sync_required $last_sync_file ]; then - # recreate the file to persist the last sync timestamp - touch "$last_sync_file" + if [ is_renewal_required $last_renewal_file ]; then + # Recreate the file to persist the last renewal timestamp + touch "$last_renewal_file" - # run certbot to request all the ssl certs we can find + # Run certbot to request all the ssl certs we can find echo "Run certbot" /scripts/run_certbot.sh else diff --git a/src/scripts/util.sh b/src/scripts/util.sh index 9bc775b..59c89c8 100644 --- a/src/scripts/util.sh +++ b/src/scripts/util.sh @@ -76,15 +76,15 @@ get_certificate() { --standalone --preferred-challenges http-01 --debug } -is_sync_required() { +is_renewal_required() { if [ ! -e "$1" ]; then return true fi one_week_sec=604800 - last_sync_sec=$(stat -c %Y "$1") now_sec=$(date -d now +%s) - last_sync_delta_sec=$(( ($now_sec - $last_sync_sec) )) - is_finshed_week_sec=$(( ($one_week_sec - $last_sync_delta_sec) )) + last_renewal_sec=$(stat -c %Y "$1") + last_renewal_delta_sec=$(( ($now_sec - $last_renewal_sec) )) + is_finshed_week_sec=$(( ($one_week_sec - $last_renewal_delta_sec) )) return $is_finshed_week_sec -lt 0 } From 16e052dc8c56e633ecc6ce651afc82e88c15c495 Mon Sep 17 00:00:00 2001 
From: Bruno Zell Date: Fri, 28 Sep 2018 17:14:41 +0200 Subject: [PATCH 15/20] comments and documentation --- src/scripts/util.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/scripts/util.sh b/src/scripts/util.sh index 59c89c8..693107d 100644 --- a/src/scripts/util.sh +++ b/src/scripts/util.sh @@ -76,11 +76,15 @@ get_certificate() { --standalone --preferred-challenges http-01 --debug } +# Given a last renewal file with timestamp, return true if a renewal is +# required (last renewal ran over a week ago), return false otherwise is_renewal_required() { + # If the file does not exist assume a renewal is required if [ ! -e "$1" ]; then return true fi + # If the file exists, check if the last renewal was more than a week ago one_week_sec=604800 now_sec=$(date -d now +%s) last_renewal_sec=$(stat -c %Y "$1") From a89ebd176f9ed06221abc232ec4afe1c3d0ad504 Mon Sep 17 00:00:00 2001 From: Bruno Zell Date: Fri, 28 Sep 2018 17:48:31 +0200 Subject: [PATCH 16/20] fix function return --- src/scripts/entrypoint.sh | 2 +- src/scripts/util.sh | 6 ++---- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/src/scripts/entrypoint.sh b/src/scripts/entrypoint.sh index 1235b54..3317d39 100644 --- a/src/scripts/entrypoint.sh +++ b/src/scripts/entrypoint.sh @@ -27,7 +27,7 @@ last_renewal_file="/etc/letsencrypt/last_renewal.txt" # Instead of trying to run `cron` or something like that, just sleep and run `certbot`. while [ true ]; do - if [ is_renewal_required $last_renewal_file ]; then + if is_renewal_required $last_renewal_file; then # Recreate the file to persist the last renewal timestamp touch "$last_renewal_file" diff --git a/src/scripts/util.sh b/src/scripts/util.sh index 693107d..d03a0d2 100644 --- a/src/scripts/util.sh +++ b/src/scripts/util.sh 
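Review bot: The new header comment says the function will "return true … return false", which for a shell function means an exit status, not a value — and the body beneath it still does `return true`, which is not a status. Phrase the contract the way callers use it: `# Exit status 0 when a renewal is required (marker file missing or older than a week), non-zero otherwise.` The second added comment could also name the unit being compared (`# one_week_sec is compared against the marker file's mtime in seconds`). The function body continues past the end of the hunk.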
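Review bot: The corrected call `if is_renewal_required $last_renewal_file; then` leaves the argument unquoted; the path is a fixed string today, but quoting it (`is_renewal_required "$last_renewal_file"`) keeps the call safe if the location ever becomes configurable. The `while` loop and the `if` body extend beyond the hunk.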
@@ -80,9 +80,7 @@ get_certificate() { # required (last renewal ran over a week ago), return false otherwise is_renewal_required() { # If the file does not exist assume a renewal is required - if [ ! -e "$1" ]; then - return true - fi + [[ ! -e "$1" ]] && return; # If the file exists, check if the last renewal was more than a week ago one_week_sec=604800 @@ -90,5 +88,5 @@ is_renewal_required() { last_renewal_sec=$(stat -c %Y "$1") last_renewal_delta_sec=$(( ($now_sec - $last_renewal_sec) )) is_finshed_week_sec=$(( ($one_week_sec - $last_renewal_delta_sec) )) - return $is_finshed_week_sec -lt 0 + [[ $is_finshed_week_sec -lt 0 ]] } From 57c429078ced20a0496d323527fd676552efa395 Mon Sep 17 00:00:00 2001 From: Bruno Zell Date: Wed, 3 Oct 2018 05:04:44 +0200 Subject: [PATCH 17/20] move more renewal logic to util.sh --- src/scripts/entrypoint.sh | 14 ++------------ src/scripts/util.sh | 16 ++++++++++++---- 2 files changed, 14 insertions(+), 16 deletions(-) diff --git a/src/scripts/entrypoint.sh b/src/scripts/entrypoint.sh index 3317d39..71d433e 100644 --- a/src/scripts/entrypoint.sh +++ b/src/scripts/entrypoint.sh @@ -23,20 +23,10 @@ for f in /scripts/startup/*.sh; do done echo "Done with startup" -last_renewal_file="/etc/letsencrypt/last_renewal.txt" - # Instead of trying to run `cron` or something like that, just sleep and run `certbot`. while [ true ]; do - if is_renewal_required $last_renewal_file; then - # Recreate the file to persist the last renewal timestamp - touch "$last_renewal_file" - - # Run certbot to request all the ssl certs we can find - echo "Run certbot" - /scripts/run_certbot.sh - else - echo "Not run certbot" - fi + echo "Run certbot" + /scripts/run_certbot.sh # Sleep for 1 week sleep 604810 & diff --git a/src/scripts/util.sh b/src/scripts/util.sh index d03a0d2..eb0243b 100644 --- a/src/scripts/util.sh +++ b/src/scripts/util.sh 
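Review bot: `[[ ! -e "$1" ]] && return;` relies on the implicit status of the preceding `[[ ]]` (0 when the file is missing), which reads as accidental; `[ ! -e "$1" ] && return 0` states the intent and drops the stray `;`. The file otherwise uses `[ ]`, and if util.sh is ever sourced under `/bin/sh` (the deleted register.sh used that shebang) `[[` is a syntax error — keep to `[ ]` here and in the second hunk's `[[ $is_finshed_week_sec -lt 0 ]]`, quoting the operand. The middle of the function sits between the two hunks and is unchanged.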
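Review bot: With the conditional gone, `/scripts/run_certbot.sh` now runs every iteration and its exit status is silently discarded; since the script's own logging is the only signal an operator gets, add `/scripts/run_certbot.sh || echo "run_certbot.sh failed; see log above" >&2`. `while [ true ]` on the context line is still clearer as `while true`. The loop body continues after the hunk.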
@@ -76,17 +76,25 @@ get_certificate() { --standalone --preferred-challenges http-01 --debug } -# Given a last renewal file with timestamp, return true if a renewal is -# required (last renewal ran over a week ago), return false otherwise +# Given a domain name, return true if a renewal is required (last renewal +# ran over a week ago or never happened yet), otherwise return false. is_renewal_required() { # If the file does not exist assume a renewal is required - [[ ! -e "$1" ]] && return; + last_renewal_file="/etc/letsencrypt/$1_last_renewal.txt" + [[ ! -e "$last_renewal_file" ]] && return; # If the file exists, check if the last renewal was more than a week ago one_week_sec=604800 now_sec=$(date -d now +%s) - last_renewal_sec=$(stat -c %Y "$1") + last_renewal_sec=$(stat -c %Y "$last_renewal_file") last_renewal_delta_sec=$(( ($now_sec - $last_renewal_sec) )) is_finshed_week_sec=$(( ($one_week_sec - $last_renewal_delta_sec) )) [[ $is_finshed_week_sec -lt 0 ]] } + +# Given a domain name, set the current time as the last renewal timestamp +# as read by is_renewal_required(). +update_renewal_timestamp() { + last_renewal_file="/etc/letsencrypt/$1_last_renewal.txt" + touch "$last_renewal_file" +} From 66585d9765ff01f851f1c98cac031b3b2caeafcd Mon Sep 17 00:00:00 2001 From: Bruno Zell Date: Wed, 3 Oct 2018 05:09:42 +0200 Subject: [PATCH 18/20] put conditional renewal logic into certbot loop --- src/scripts/run_certbot.sh | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/src/scripts/run_certbot.sh b/src/scripts/run_certbot.sh index 3a68623..7be3067 100644 --- a/src/scripts/run_certbot.sh +++ b/src/scripts/run_certbot.sh 
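Review bot: Both functions build the marker path by hand as `/etc/letsencrypt/$1_last_renewal.txt`; factor it into one helper, e.g. `renewal_file() { printf '%s\n' "/etc/letsencrypt/${1}_last_renewal.txt"; }`, so the two cannot drift, and write `${1}_` with braces so the underscore is visibly not part of the parameter name. `last_renewal_file` and the other assignments are globals shared with whatever sources util.sh; declare them `local`. The comment `# If the file does not exist assume a renewal is required` should now say which file: `# Marker written by update_renewal_timestamp; absent until the first successful renewal`. The domain in `$1` becomes a path component, so it is worth stating in the header that callers are expected to pass names taken from the nginx configuration rather than arbitrary input — presumably the case, but not visible here.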
@@ -13,9 +13,15 @@ exit_code=0 set -x # Loop over every domain we can find for domain in $(parse_domains); do - if ! get_certificate $domain $CERTBOT_EMAIL; then - error "Cerbot failed for $domain. Check the logs for details." - exit_code=1 + if is_renewal_required $domain; then + if get_certificate $domain $CERTBOT_EMAIL; then + update_renewal_timestamp $domain + else + error "Cerbot failed for $domain. Check the logs for details." + exit_code=1 + fi + else + echo "Not run certbot for $domain; last renewal happened just recently." fi done From a1104ffceb42b3151a864948cbc0d0a4fe98280a Mon Sep 17 00:00:00 2001 From: Bruno Zell Date: Wed, 3 Oct 2018 05:11:59 +0200 Subject: [PATCH 19/20] comments --- src/scripts/run_certbot.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/scripts/run_certbot.sh b/src/scripts/run_certbot.sh index 7be3067..066799b 100644 --- a/src/scripts/run_certbot.sh +++ b/src/scripts/run_certbot.sh @@ -14,7 +14,10 @@ set -x # Loop over every domain we can find for domain in $(parse_domains); do if is_renewal_required $domain; then + # Renewal required for this doman. + # Last one happened over a week ago (or never) if get_certificate $domain $CERTBOT_EMAIL; then + # Renewal successful. Update timestamp... update_renewal_timestamp $domain else error "Cerbot failed for $domain. Check the logs for details." From 642614cdad5f8f954c3eadf79f2c9e7db53d867e Mon Sep 17 00:00:00 2001 From: Bruno Zell Date: Wed, 3 Oct 2018 05:31:43 +0200 Subject: [PATCH 20/20] use domains private key file as timestamp --- src/scripts/run_certbot.sh | 5 +---- src/scripts/util.sh | 13 +++---------- 2 files changed, 4 insertions(+), 14 deletions(-) diff --git a/src/scripts/run_certbot.sh b/src/scripts/run_certbot.sh index 066799b..346589d 100644 --- a/src/scripts/run_certbot.sh +++ b/src/scripts/run_certbot.sh 
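Review bot: `is_renewal_required $domain`, `get_certificate $domain $CERTBOT_EMAIL` and `update_renewal_timestamp $domain` are all unquoted; quote them (`"$domain"`, `"$CERTBOT_EMAIL"`) for consistency and so an empty value cannot shift arguments. It is not visible in the hunk whether util.sh, which defines the two new helpers, is sourced earlier in run_certbot.sh; confirm it, because an undefined `is_renewal_required` would fail with status 127 and the loop would silently skip every domain with the "Not run certbot" message. The `set -x` on the first context line also traces every expansion, including `$CERTBOT_EMAIL`, to stderr on each iteration — fine for an email address, but worth remembering if anything more sensitive is ever added to this call.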
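Review bot: Typo in the added comment: `# Renewal required for this doman.` should read `domain`. The two-line comment could also be collapsed into one, `# Renewal required: the last one was over a week ago or never happened.`, which keeps the explanation next to the condition it describes.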
@@ -16,10 +16,7 @@ for domain in $(parse_domains); do if is_renewal_required $domain; then # Renewal required for this doman. # Last one happened over a week ago (or never) - if get_certificate $domain $CERTBOT_EMAIL; then - # Renewal successful. Update timestamp... - update_renewal_timestamp $domain - else + if ! get_certificate $domain $CERTBOT_EMAIL; then error "Cerbot failed for $domain. Check the logs for details." exit_code=1 fi diff --git a/src/scripts/util.sh b/src/scripts/util.sh index eb0243b..2c47c7d 100644 --- a/src/scripts/util.sh +++ b/src/scripts/util.sh @@ -80,8 +80,8 @@ get_certificate() { # ran over a week ago or never happened yet), otherwise return false. is_renewal_required() { # If the file does not exist assume a renewal is required - last_renewal_file="/etc/letsencrypt/$1_last_renewal.txt" - [[ ! -e "$last_renewal_file" ]] && return; + last_renewal_file="/etc/letsencrypt/live/$1/privkey.pem" + [ ! -e "$last_renewal_file" ] && return; # If the file exists, check if the last renewal was more than a week ago one_week_sec=604800 @@ -89,12 +89,5 @@ is_renewal_required() { last_renewal_sec=$(stat -c %Y "$last_renewal_file") last_renewal_delta_sec=$(( ($now_sec - $last_renewal_sec) )) is_finshed_week_sec=$(( ($one_week_sec - $last_renewal_delta_sec) )) - [[ $is_finshed_week_sec -lt 0 ]] -} - -# Given a domain name, set the current time as the last renewal timestamp -# as read by is_renewal_required(). -update_renewal_timestamp() { - last_renewal_file="/etc/letsencrypt/$1_last_renewal.txt" - touch "$last_renewal_file" + [ $is_finshed_week_sec -lt 0 ] }
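Review bot: `/etc/letsencrypt/live/$1/privkey.pem` is a symlink in certbot's directory layout, and `stat -c %Y` without `-L` reports the link's own mtime rather than the key file's; whether that tracks a renewal depends on certbot recreating the link each time — confirm, or read the target with `stat -L -c %Y "$last_renewal_file"`. Because `get_certificate` passes `--keep`, a certificate that is not yet due is left untouched, its mtime stays old and `is_renewal_required` answers yes every week from then on; that merely restores the earlier weekly-run behaviour, but the header comment ("last renewal ran over a week ago") no longer matches what is measured and should say the function reads the private key's mtime. Switching `[[ ]]` back to `[ ]` in both hunks is consistent with the rest of the file; quote the operand in the final test, `[ "$is_finshed_week_sec" -lt 0 ]`, and drop the stray `;` after `return`. The middle of the function lies between the two util.sh hunks and is unchanged.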