add argument to create 1 certificate per domain

This commit is contained in:
Henri Dwyer 2016-11-19 16:22:07 -05:00
parent 50c94dc81f
commit b621ba06ed
4 changed files with 49 additions and 32 deletions


@ -2,6 +2,7 @@ FROM python:2-alpine
MAINTAINER Henri Dwyer <henri@dwyer.io>
VOLUME /certs
VOLUME /etc/letsencrypt
EXPOSE 80
RUN apk add --no-cache --virtual .build-deps linux-headers gcc musl-dev\


@ -11,7 +11,8 @@ In docker-compose.yml, change the environment variables:
- WEBROOT: set this variable to the webroot path if you want to use the webroot plugin. Leave to use the standalone webserver.
- DOMAINS: a space separated list of domains for which you want to generate certificates.
- EMAIL: where you will receive updates from letsencrypt.
- CONCAT: true or false on whether you want to concatenate the certificate's full chain with the private key (required for e.g. haproxy), or keep the two files separate (required for e.g. nginx or apache).
- CONCAT: true or false, whether you want to concatenate the certificate's full chain with the private key (required for e.g. haproxy), or keep the two files separate (required for e.g. nginx or apache).
- SEPARATE: true or false, whether you want one certificate per domain or one certificate valid for all domains.
## Running


@ -12,3 +12,4 @@ services:
- DOMAINS=domain1.com domain2.com
- EMAIL=webmaster@domain1.com
- CONCAT=true
- SEPARATE=true


@ -1,34 +1,23 @@
echo "Running certbot for domains $DOMAINS"
# build arg string
args=""
if [ $WEBROOT ]
then
args=" --webroot -w $WEBROOT"
else
args=" --standalone --standalone-supported-challenges
http-01"
fi
get_certificate() {
# Gets the certificate for the domain(s) CERT_DOMAINS (a comma separated list)
# The certificate will be named after the first domain in the list
# To work, the following variables must be set:
# - CERT_DOMAINS : comma separated list of domains
# - EMAIL
# - CONCAT
# - args
if $DEBUG
then
args=$args" --debug"
fi
for d in $DOMAINS
do
args=$args" -d $d"
done
certbot certonly --agree-tos --renew-by-default \
local d=${CERT_DOMAINS//,*/} # read first domain
echo "Getting certificate for $CERT_DOMAINS"
certbot certonly --agree-tos --renew-by-default -n \
--text --server https://acme-v01.api.letsencrypt.org/directory \
--email $EMAIL $args
--email $EMAIL -d $CERT_DOMAINS $args
ec=$?
echo "certbot exit code $ec"
if [ $ec -eq 0 ]
then
for d in $DOMAINS
do
if $CONCAT
then
# concat the full chain with the private key (e.g. for haproxy)
@ -38,8 +27,33 @@ then
cp /etc/letsencrypt/live/$d/fullchain.pem /certs/$d.pem
cp /etc/letsencrypt/live/$d/privkey.pem /certs/$d.key
fi
done
echo "Success! Your new certificates are in /certs/"
echo "Certificate obtained for $CERT_DOMAINS! Your new certificate - named $d - is in /certs"
else
echo "Cerbot failed. Check the logs for details."
echo "Cerbot failed for $CERT_DOMAINS. Check the logs for details."
fi
}
args=""
if [ $WEBROOT ]
then
args=" --webroot -w $WEBROOT"
else
args=" --standalone --standalone-supported-challenges http-01"
fi
if $DEBUG
then
args=$args" --debug"
fi
if $SEPARATE
then
for d in $DOMAINS
do
CERT_DOMAINS=$d
get_certificate
done
else
CERT_DOMAINS=${DOMAINS// /,}
get_certificate
fi
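Review bot: The new `if $SEPARATE` at the end of the second hunk (following the existing `if $DEBUG` / `if $CONCAT` pattern) runs the variable's contents as a command, so an unset or empty SEPARATE expands to an empty command with status 0 and the per-domain branch is taken — deployments that never set SEPARATE silently switch from one combined certificate to one certificate per domain, and any other value (e.g. `yes`) is executed as a program from the environment. Compare the string and default to the previous behaviour instead: `if [ "${SEPARATE:-false}" = true ]`, and the same form would suit the `if $DEBUG` block just above it. The `${DOMAINS// /,}` and `${CERT_DOMAINS//,*/}` substitutions are bash-only, which is only safe if the script's shebang (outside this hunk) is bash rather than /bin/sh. The new failure message in the else branch also carries over the "Cerbot" typo.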