Files:

  .idea (First commit, 2023-11-22 15:17:13 +05:00)
  .gitattributes (First commit, 2023-11-22 15:17:13 +05:00)
  .gitignore (First commit, 2023-11-22 15:17:13 +05:00)
  config-example.sh (New Updates, 2023-11-23 12:44:35 +05:00)
  generate-certs.sh (Updates, 2023-12-11 13:40:52 +05:00)
  README.md (New Updates, 2023-11-23 12:44:35 +05:00)

Usage:

  1. Create an ssl folder to hold the certificates and this repository.
  2. Clone this repository or add it as a submodule:
     git submodule add ssh://git@git.w3goodies.com:17001/mehdi-mac/certbot-docker-script.git
     chmod +x certbot-docker-script/generate-certs.sh

  3. Create a certs folder inside the ssl folder.
  4. Create config.sh inside the ssl folder (config-example.sh in this repository is the template).
  5. The folder structure will be:
    /your-project/ssl/
    ├── certs (your certificates will be stored here)
    ├── config.sh (your config file)
    ├── certbot-docker-script (this repository)

  6. Run:
    /your-project/ssl/certbot-docker-script/generate-certs.sh ../config.sh

    • The script changes directory internally, so config.sh must be passed as a relative path on the command line (as above), and certs_dir inside config.sh must be a relative path as well.

Info:

  • It uses the certbot Docker image to generate Let's Encrypt SSL certificates, and it comes with a simple script to generate and renew the certificate for a single domain.
  • It does not support multiple domains, but it automatically generates a single certificate covering both test.com and *.test.com (wildcard).
  1. The script creates the SSL certificate by running ${new_ssl_command}.
  2. If ${live_certs_dir} and ${live_certs_dir}/cert.pem already exist, the certificate is renewed by running ${renew_command} instead.
  3. The post hook is only executed:
    1. if a new SSL certificate was created, or
    2. if the certificate was renewed (detected by comparing the modification time of ${live_certs_dir}/cert.pem before and after the run).
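The create/renew/post-hook decision described above, written out as an added illustration (this is not the repository's generate-certs.sh). It reuses the README's variable names live_certs_dir, new_ssl_command and renew_command, and takes the certbot commands as plain shell strings so the logic can be exercised offline with stand-in commands:

```shell
#!/bin/sh
# Added example, not the repository's script: the README's rules 1-3.
# live_certs_dir, new_ssl_command and renew_command are the README's names;
# the real certbot invocations are supplied by the caller as command strings.
set -eu

# Modification time of a file in seconds since the epoch, or 0 if it is absent.
mtime_of() {
    if [ -f "$1" ]; then
        stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
    else
        echo 0
    fi
}

# Rules 1 and 2: "new" when there is no live cert.pem yet, "renew" otherwise.
choose_action() {
    if [ -d "$1" ] && [ -f "$1/cert.pem" ]; then
        echo renew
    else
        echo new
    fi
}

# Runs the applicable command and prints "hook" when the post hook should fire,
# i.e. when cert.pem was created or actually replaced (rule 3), else "skip".
# A failing certbot command aborts the script (set -e) before the hook decision,
# so a failed renewal never triggers the hook.
run_and_check() {
    live_certs_dir="$1"; new_ssl_command="$2"; renew_command="$3"
    action=$(choose_action "$live_certs_dir")
    before=$(mtime_of "$live_certs_dir/cert.pem")
    if [ "$action" = new ]; then
        sh -c "$new_ssl_command"
    else
        sh -c "$renew_command"
    fi
    after=$(mtime_of "$live_certs_dir/cert.pem")
    if [ "$before" != "$after" ]; then
        echo hook   # run the post hook here, e.g. reload nginx
    else
        echo skip   # certbot found nothing due; leave nginx alone
    fi
}
```

Because certbot only rewrites cert.pem when a renewal actually happens, the mtime comparison is what keeps a daily cron run from restarting nginx on every invocation.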

Notes:

  • After the certificates are created:
    • Make sure to mount both the certs/live/test.com and certs/archive/test.com directories, and point your nginx config at the live/test.com/*.pem files.
      • The archive directory holds the actual files, while the live directory only contains symlinks into archive. In archive, certificates are stored as fullchain1.pem, cert1.pem and so on, with the number incremented on each renewal; the live folder exposes them under fixed names without a number, such as cert.pem and fullchain.pem.
  • Also include certbot's nginx options file in your nginx config: https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf

Example nginx config:

server {
    # "ssl" on the listen directive is required for nginx to terminate TLS on this port.
    listen          443 ssl;
    server_name     test.com;

    # SSL - set in production.
    ssl_certificate /your-project/ssl/certs/live/test.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /your-project/ssl/certs/live/test.com/privkey.pem; # managed by Certbot
    # Local copy of certbot's options-ssl-nginx.conf (see Notes above).
    include /etc/nginx/commons/letsencrypt-options-ssl-nginx.conf;
}

Important:

  • In case of errors, try clearing the certs/* folder and retry.
  • Use dry_run=true to test certbot instead of actually creating or renewing certificates.
    • If you do build real certificates (dry_run=false), do not run the script repeatedly within a short interval (more than 5 in a day), as certbot may otherwise apply rate limits to further requests.

Cron:

  • Run this script under cron to keep the certificates updated.
  • Certbot issues certificates that expire after 90 days, so run this script once a day.
  • If a certificate is renewed (detected by a change in the existing certificate's last-modified time), the post hook is executed.
  • You can restart nginx in the post hook so that it reloads the renewed certificates.
  • Example:
    • nano /etc/cron.d/generate-certs-for-test.com
      • 0 1 * * * root /your-project/ssl/certbot-docker-script/generate-certs.sh ../config.sh > /your-project/ssl/generate-certs.log