From b621ba06edceb7ac7a311d2f3238b9c85291b1da Mon Sep 17 00:00:00 2001
From: Henri Dwyer
Date: Sat, 19 Nov 2016 16:22:07 -0500
Subject: [PATCH] add argument to create 1 certificate per domain

---
 Dockerfile | 1 +
 README.md | 3 +-
 docker-compose.yml | 1 +
 scripts/run_certbot.sh | 76 +++++++++++++++++++++++++-----------------
 4 files changed, 49 insertions(+), 32 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index f195a86..94bedd6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,6 +2,7 @@ FROM python:2-alpine
 MAINTAINER Henri Dwyer
 VOLUME /certs
+VOLUME /etc/letsencrypt
 EXPOSE 80
 RUN apk add --no-cache --virtual .build-deps linux-headers gcc musl-dev\
diff --git a/README.md b/README.md
index 9f71d29..88a6a9b 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,8 @@ In docker-compose.yml, change the environment variables:
 - WEBROOT: set this variable to the webroot path if you want to use the webroot plugin. Leave to use the standalone webserver.
 - DOMAINS: a space separated list of domains for which you want to generate certificates.
 - EMAIL: where you will receive updates from letsencrypt.
-- CONCAT: true or false on whether you want to concatenate the certificate's full chain with the private key (required for e.g. haproxy), or keep the two files separate (required for e.g. nginx or apache).
+- CONCAT: true or false, whether you want to concatenate the certificate's full chain with the private key (required for e.g. haproxy), or keep the two files separate (required for e.g. nginx or apache).
+- SEPARATE: true or false, whether you want one certificate per domain or one certificate valid for all domains.
 ## Running
diff --git a/docker-compose.yml b/docker-compose.yml
index 388cf65..947dd22 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -12,3 +12,4 @@ services:
 - DOMAINS=domain1.com domain2.com
 - EMAIL=webmaster@domain1.com
 - CONCAT=true
+ - SEPARATE=true
diff --git a/scripts/run_certbot.sh b/scripts/run_certbot.sh
index b96cb5e..4287eba 100755
--- a/scripts/run_certbot.sh
+++ b/scripts/run_certbot.sh
@@ -1,34 +1,23 @@
 echo "Running certbot for domains $DOMAINS"
 
-# build arg string
-args=""
-if [ $WEBROOT ]
-then
- args=" --webroot -w $WEBROOT"
-else
- args=" --standalone --standalone-supported-challenges
- http-01"
-fi
+get_certificate() {
+ # Gets the certificate for the domain(s) CERT_DOMAINS (a comma separated list)
+ # The certificate will be named after the first domain in the list
+ # To work, the following variables must be set:
+ # - CERT_DOMAINS : comma separated list of domains
+ # - EMAIL
+ # - CONCAT
+ # - args
 
-if $DEBUG
-then
- args=$args" --debug"
-fi
-
-for d in $DOMAINS
-do
- args=$args" -d $d"
-done
-
-certbot certonly --agree-tos --renew-by-default \
---text --server https://acme-v01.api.letsencrypt.org/directory \
---email $EMAIL $args
-ec=$?
-echo "certbot exit code $ec"
-if [ $ec -eq 0 ]
-then
- for d in $DOMAINS
- do
+ local d=${CERT_DOMAINS//,*/} # read first domain
+ echo "Getting certificate for $CERT_DOMAINS"
+ certbot certonly --agree-tos --renew-by-default -n \
+ --text --server https://acme-v01.api.letsencrypt.org/directory \
+ --email $EMAIL -d $CERT_DOMAINS $args
+ ec=$?
+ echo "certbot exit code $ec"
+ if [ $ec -eq 0 ]
+ then
 if $CONCAT
 then
 # concat the full chain with the private key (e.g. for haproxy)
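Review bot: Inside the new get_certificate, `ec=$?` is not declared `local`, so every call clobbers a global `ec`, and the first-domain extraction `local d=${CERT_DOMAINS//,*/}` leans on replace-all semantics where the prefix-strip form says what is meant: `local ec` before the certbot call and `local d=${CERT_DOMAINS%%,*}`. Because `d` is later used as a path component under /etc/letsencrypt/live and /certs, the function should refuse an empty first domain or one containing a slash before invoking certbot, e.g. `case $d in ''|*/*) echo "invalid domain: $d" >&2; return 1;; esac`. The `${var//...}` substitutions are not POSIX and the hunk shows the file starting at line 1 with the `echo`, i.e. no shebang, so whether the entrypoint runs this under bash or sh should be confirmed. In `--email $EMAIL -d $CERT_DOMAINS $args`, `$args` is word-split by design, but `"$EMAIL"` and `"$CERT_DOMAINS"` should be quoted so an empty value does not shift the argument list.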
@@ -38,8 +27,33 @@ then
 cp /etc/letsencrypt/live/$d/fullchain.pem /certs/$d.pem
 cp /etc/letsencrypt/live/$d/privkey.pem /certs/$d.key
 fi
- done
- echo "Success! Your new certificates are in /certs/"
+ echo "Certificate obtained for $CERT_DOMAINS! Your new certificate - named $d - is in /certs"
+ else
+ echo "Cerbot failed for $CERT_DOMAINS. Check the logs for details."
+ fi
+}
+
+args=""
+if [ $WEBROOT ]
+then
+ args=" --webroot -w $WEBROOT"
 else
- echo "Cerbot failed. Check the logs for details."
+ args=" --standalone --standalone-supported-challenges http-01"
+fi
+
+if $DEBUG
+then
+ args=$args" --debug"
+fi
+
+if $SEPARATE
+then
+ for d in $DOMAINS
+ do
+ CERT_DOMAINS=$d
+ get_certificate
+ done
+else
+ CERT_DOMAINS=${DOMAINS// /,}
+ get_certificate
 fi
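Review bot: `if $SEPARATE` runs the variable's value as a command, so an unset SEPARATE (any docker-compose file written before this commit) expands to a null command that succeeds and silently switches existing deployments to one certificate per domain, while any value other than true/false is executed as a program name. Compare the string and default to the previous behaviour: `if [ "${SEPARATE:-false}" = true ]`; the re-added `if $DEBUG` and the `if $CONCAT` inside get_certificate use the same pattern and would benefit from the same treatment. The added message `echo "Cerbot failed for $CERT_DOMAINS. Check the logs for details."` carries over the "Cerbot" typo; `Certbot`. With SEPARATE=true the loop performs one forced reissue (`--renew-by-default`) per domain on every run, which multiplies certificate requests against the CA and is worth calling out in the README entry for SEPARATE.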