
Commit 1b97dee

Fix certificate init scripts for public repo
1 parent 769a514 commit 1b97dee

2 files changed

Lines changed: 98 additions & 35 deletions


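--- a/scripts/init-letsencrypt.sh
+++ b/scripts/init-letsencrypt.sh
@@ -1,61 +1,98 @@
 #!/bin/bash
 
+set -euo pipefail
+
 if ! [ -x "$(command -v docker)" ]; then
 echo 'Error: docker is not installed.' >&2
 exit 1
 fi
 
-source .env
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+ENV_FILE="$REPO_ROOT/.env"
+CERTSTORE="$REPO_ROOT/data/certs"
+TMP_COMPOSE="$(mktemp "${TMPDIR:-/tmp}/dvrtc-certbot.XXXXXX.yml")"
+
+cleanup() {
+rm -f "$TMP_COMPOSE"
+}
+trap cleanup EXIT INT TERM
+
+if [ ! -f "$ENV_FILE" ]; then
+echo "Please create $ENV_FILE first"
+exit 1
+fi
+
+set -a
+. "$ENV_FILE"
+set +a
 
-if [ -z "${DOMAIN:-}" ]; then
+DOMAIN="${DOMAIN:-}"
+EMAIL="${EMAIL:-}"
+
+if [ -z "$DOMAIN" ]; then
 echo "Please set the DOMAIN env variable in .env"
 exit 1
 fi
 
-if [ -z "${EMAIL:-}" ]; then
+if [ -z "$EMAIL" ]; then
 echo "Please set the EMAIL env variable in .env"
 exit 1
 fi
 
 domains=($DOMAIN)
 rsa_key_size=4096
 email=$EMAIL
-
 staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
-certstore="data/certs"
-mkdir -p "$certstore"
+
+mkdir -p "$CERTSTORE"
 
 host_uid=$(id -u)
 host_gid=$(id -g)
 
+cat > "$TMP_COMPOSE" <<EOF
+services:
+certbot:
+image: certbot/certbot:v5.4.0
+volumes:
+- type: bind
+source: $CERTSTORE
+target: /etc/certstore
+EOF
+
 set_runtime_cert_permissions() {
 # Some scenario services (notably FreeSWITCH and OpenSIPS in pbx2) run as
 # non-root users and read the bind-mounted cert files directly. Keep the
 # generated PEM files readable on these dedicated lab hosts so all runtime
 # services can start consistently.
-chmod 644 "$certstore/fullchain.pem" "$certstore/privkey.pem"
-if [ -f "$certstore/ssl-dhparams.pem" ]; then
-chmod 644 "$certstore/ssl-dhparams.pem"
+chmod 644 "$CERTSTORE/fullchain.pem" "$CERTSTORE/privkey.pem"
+if [ -f "$CERTSTORE/ssl-dhparams.pem" ]; then
+chmod 644 "$CERTSTORE/ssl-dhparams.pem"
 fi
 }
 
+compose_cmd=(docker compose -f "$TMP_COMPOSE" --project-directory "$REPO_ROOT")
+
 echo "### Requesting Let's Encrypt certificate for $domains ..."
-#Join $domains to -d args
+# Join $domains to -d args.
 domain_args=""
 for domain in "${domains[@]}"; do
 domain_args="$domain_args -d $domain"
 done
 
-# Select appropriate email arg
+# Select appropriate email arg.
 case "$email" in
 "") email_arg="--register-unsafely-without-email" ;;
 *) email_arg="--email $email" ;;
 esac
 
-# Enable staging mode if needed
-if [ $staging != "0" ]; then staging_arg="--staging"; fi
+# Enable staging mode if needed.
+staging_arg=""
+if [ "$staging" != "0" ]; then
+staging_arg="--staging"
+fi
 
-docker compose run -p80:80 --rm --entrypoint "\
+"${compose_cmd[@]}" run -p80:80 --rm --entrypoint "\
 /bin/sh -ec '
 certbot certonly --standalone \
 $staging_arg \
@@ -68,11 +105,11 @@ docker compose run -p80:80 --rm --entrypoint "\
 '" certbot
 set_runtime_cert_permissions
 
-# Generate DH parameters for nginx TLS if not present
-dhparams="$certstore/ssl-dhparams.pem"
+# Generate DH parameters for nginx TLS if not present.
+dhparams="$CERTSTORE/ssl-dhparams.pem"
 if [ ! -f "$dhparams" ]; then
 echo "### Generating DH parameters ..."
-docker compose run --rm --entrypoint "\
+"${compose_cmd[@]}" run --rm --entrypoint "\
 /bin/sh -ec '
 openssl dhparam -out /etc/certstore/ssl-dhparams.pem 2048
 chown ${host_uid}:${host_gid} /etc/certstore/ssl-dhparams.pem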
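Review bot: `trap cleanup EXIT INT TERM` in the new prologue does not make the script stop on Ctrl-C or SIGTERM — a handler replaces the default action, so after `cleanup` returns bash carries on with the next statement, and `cleanup` then runs a second time from the EXIT trap. The usual form is `trap cleanup EXIT` on its own, or `trap 'exit 1' INT TERM` alongside it so the EXIT trap fires exactly once; the identical line is in scripts/init-selfsigned.sh. The mktemp template `dvrtc-certbot.XXXXXX.yml` places the Xs before a suffix, which GNU mktemp accepts by implying --suffix but BSD/macOS mktemp does not, so if Linux-only hosts are the target a comment `# GNU mktemp: the Xs may precede the .yml suffix` would spare the next reader a surprise. Separately, `chmod 644` on privkey.pem in set_runtime_cert_permissions leaves the private key world-readable on the host; the comment gives the lab-host rationale, but `640` with the group the non-root services run as would keep that rationale while narrowing exposure, if the lab setup allows it.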

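--- a/scripts/init-selfsigned.sh
+++ b/scripts/init-selfsigned.sh
@@ -1,13 +1,29 @@
 #!/bin/bash
 
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+ENV_FILE="$REPO_ROOT/.env"
+CERTSTORE="$REPO_ROOT/data/certs"
+TMP_COMPOSE="$(mktemp "${TMPDIR:-/tmp}/dvrtc-certbot.XXXXXX.yml")"
+
+cleanup() {
+rm -f "$TMP_COMPOSE"
+}
+trap cleanup EXIT INT TERM
+
 # Load public IPs from .env if it exists. Treat the file as shell syntax
 # instead of trying to parse it with grep/xargs.
-if [ -f .env ]; then
+if [ -f "$ENV_FILE" ]; then
 set -a
-. ./.env
+. "$ENV_FILE"
 set +a
 fi
 
+PUBLIC_IPV4="${PUBLIC_IPV4:-}"
+PUBLIC_IPV6="${PUBLIC_IPV6:-}"
+
 SAN_ENTRIES="DNS:localhost,IP:127.0.0.1"
 if [ -n "$PUBLIC_IPV4" ]; then
 SAN_ENTRIES="$SAN_ENTRIES,IP:${PUBLIC_IPV4}"
@@ -16,46 +32,56 @@ if [ -n "$PUBLIC_IPV6" ]; then
 SAN_ENTRIES="$SAN_ENTRIES,IP:${PUBLIC_IPV6}"
 fi
 
-certstore="data/certs"
-mkdir -p "$certstore"
+mkdir -p "$CERTSTORE"
 
 host_uid=$(id -u)
 host_gid=$(id -g)
 
+cat > "$TMP_COMPOSE" <<EOF
+services:
+certbot:
+image: certbot/certbot:v5.4.0
+volumes:
+- type: bind
+source: $CERTSTORE
+target: /etc/certstore
+EOF
+
 set_runtime_cert_permissions() {
 # Some scenario services (notably FreeSWITCH and OpenSIPS in pbx2) run as
 # non-root users and read the bind-mounted cert files directly. Keep the
 # generated PEM files readable on these dedicated lab hosts so all runtime
 # services can start consistently.
-chmod 644 "$certstore/fullchain.pem" "$certstore/privkey.pem"
-if [ -f "$certstore/ssl-dhparams.pem" ]; then
-chmod 644 "$certstore/ssl-dhparams.pem"
+chmod 644 "$CERTSTORE/fullchain.pem" "$CERTSTORE/privkey.pem"
+if [ -f "$CERTSTORE/ssl-dhparams.pem" ]; then
+chmod 644 "$CERTSTORE/ssl-dhparams.pem"
 fi
 }
 
+compose_cmd=(docker compose -f "$TMP_COMPOSE" --project-directory "$REPO_ROOT")
+
 echo "### Creating self-signed certificate for localhost${PUBLIC_IPV4:+, ${PUBLIC_IPV4}}${PUBLIC_IPV6:+, ${PUBLIC_IPV6}}"
-path="/etc/certstore"
 
-# Create certificate with both localhost and IP address as Subject Alternative Names
-docker compose run --rm --entrypoint "\
+# Create certificate with both localhost and IP address as Subject Alternative Names.
+"${compose_cmd[@]}" run --rm --entrypoint "\
 /bin/sh -ec '
 openssl req -x509 -nodes -newkey rsa:4096 -days 365 \
--keyout \"$path/privkey.pem\" \
--out \"$path/fullchain.pem\" \
+-keyout /etc/certstore/privkey.pem \
+-out /etc/certstore/fullchain.pem \
 -subj \"/CN=localhost\" \
 -addext \"subjectAltName=${SAN_ENTRIES}\"
-chown ${host_uid}:${host_gid} \"$path/privkey.pem\" \"$path/fullchain.pem\"
+chown ${host_uid}:${host_gid} /etc/certstore/privkey.pem /etc/certstore/fullchain.pem
 '" certbot
 set_runtime_cert_permissions
 
-# Generate DH parameters for nginx TLS if not present
-dhparams="$certstore/ssl-dhparams.pem"
+# Generate DH parameters for nginx TLS if not present.
+dhparams="$CERTSTORE/ssl-dhparams.pem"
 if [ ! -f "$dhparams" ]; then
 echo "### Generating DH parameters ..."
-docker compose run --rm --entrypoint "\
+"${compose_cmd[@]}" run --rm --entrypoint "\
 /bin/sh -ec '
-openssl dhparam -out \"$path/ssl-dhparams.pem\" 2048
-chown ${host_uid}:${host_gid} \"$path/ssl-dhparams.pem\"
+openssl dhparam -out /etc/certstore/ssl-dhparams.pem 2048
+chown ${host_uid}:${host_gid} /etc/certstore/ssl-dhparams.pem
 '" certbot
 else
 echo "### DH parameters already exist"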
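Review bot: The new `PUBLIC_IPV4="${PUBLIC_IPV4:-}"` / `PUBLIC_IPV6="${PUBLIC_IPV6:-}"` lines give the values a default but never check their shape before they are spliced into the `-addext \"subjectAltName=...\"` argument, which is itself part of a string run by `/bin/sh -ec` inside the container; a value that is not a bare address fails late with an opaque openssl error, and any shell-significant characters in it are interpreted by that inner shell rather than passed through. The values come from a sourced `.env`, so this is not a privilege boundary, but a format check next to the defaults gives a clear failure and bounds what reaches the inner command: `[[ "${PUBLIC_IPV4}${PUBLIC_IPV6}" =~ ^[0-9A-Fa-f:.]*$ ]] || { echo 'PUBLIC_IPV4/PUBLIC_IPV6 must be bare IP addresses' >&2; exit 1; }`. The prologue, compose heredoc and set_runtime_cert_permissions are now byte-identical to scripts/init-letsencrypt.sh; a small helper sourced by both scripts would keep them from drifting apart.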
