diff --git a/Config/ReverseProxy/config/nginx.conf b/Config/ReverseProxy/config/nginx.conf
index 3ca84e2..67af638 100644
--- a/Config/ReverseProxy/config/nginx.conf
+++ b/Config/ReverseProxy/config/nginx.conf
@@ -33,7 +33,7 @@ http {
 # Allow nginx to fulfill LetsEncrypt Certbot challenges.
 server {
 location /.well-known/acme-challenge/ {
- root /etc/nginx/certs-letsencrypt;
+ root /etc/nginx/letsencrypt;
 }
 }
diff --git a/Config/ReverseProxy/create_letsencrypt_certs.sh b/Config/ReverseProxy/create_letsencrypt_certs.sh
new file mode 100755
index 0000000..339779d
--- /dev/null
+++ b/Config/ReverseProxy/create_letsencrypt_certs.sh
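Review bot: The acme-challenge `root` now points at `/etc/nginx/letsencrypt`, which docker-compose.yml in this same commit binds from host `Volumes/ReverseProxy/letsencrypt` — the directory the certbot service mounts as its `/etc/letsencrypt` state directory — whereas certbot's webroot `/var/www/certbot` is backed by `letsencrypt-certs`, which nginx sees as `/etc/nginx/certs`. Because `root` appends the URI, only `/etc/nginx/letsencrypt/.well-known/acme-challenge/` is reachable through this location and the `live/`/`archive/` key material is not served, but a webroot-style challenge token written by certbot under `/var/www/certbot` would not be found here; if that is the intended flow, `root /etc/nginx/certs;` is the matching path, and it also keeps the public challenge directory separate from certbot's private state. I cannot see how renewals are authenticated beyond `certbot renew` in the entrypoint, so confirm which directory the challenge files actually land in before settling this path.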
@@ -0,0 +1,73 @@
+#!/bin/bash
+# Create a real cert for each file in config/conf.d/.
+
+DIR=`dirname $0`
+if [[ $DIR == \.* ]]; then
+ DIR=`pwd`
+fi
+
+# Where the files need to live.
+CERT_DIR=$DIR/../../Volumes/ReverseProxy/letsencrypt-certs
+echo "CERT_DIR=$CERT_DIR"
+
+# Ensure that fake certs were created at some point, or that the system has been run at least once.
+if [[ ! -d $DIR/../../Volumes/ReverseProxy/letsencrypt-certs ]]; then
+ echo "ERROR: Certificate directory does not exist yet. Run the placeholder script first." >&2
+ exit 1
+fi
+
+# The container needs to be running in order to use the certbot command.
+certbot_running=`docker ps | grep -c reverseproxy-certbot-1`
+if [[ $certbot_running != 1 ]]; then
+ echo "ERROR: Certbot container does not appear to be running, cannot continue." >&2
+ exit 1
+fi
+
+# Gather information from the user.
+echo -n "Please provide the email address you would like the certs bound to: "
+read email
+if [[ -z $email ]]; then
+ echo "ERROR: Email address is mandatory. $email" >&2
+ exit 1
+fi
+
+echo -n "Please double check that '$email' looks correct and provide Yes if so: "
+typeset -u confirm
+read confirm
+if [[ $confirm != "Y"* ]]; then
+ echo "Email address was not confirmed, received '$confirm', aborting."
+ exit 0
+fi
+
+# Loop over the proxy configuration files and ensure they have certs.
+ls $DIR/config/conf.d/*.* | while read file; do
+ filename=`basename $file`
+
+ if [[ $filename == "example.com" ]]; then
+ echo "Skipping $filename since it is only for testing."
+ continue
+ fi
+
+ echo "*** Checking $filename ***"
+ if [[ -d $CERT_DIR/$filename ]]; then
+ echo "Getting the domains which need the cert."
+ domains=`grep server_name $file`
+
+ # Clean up the data by removing the directive and semi-colon, changing
+ # spaces to commas, and making sure there are no gaps.
+ domains=${domains//server_name/}
+ domains=${domains//;/}
+ domains=`echo $domains`
+ domains=${domains// /,}
+ echo "Domains='$domains'"
+
+ echo "Attempting to create real certs at $CERT_DIR/$filename."
+ docker exec reverseproxy-certbot-1 certbot certonly -n --standalone \
+ --agree-tos -m $email -d $filename
+
+ ls -lh $CERT_DIR/$filename/*
+ else
+ echo "Website's certificate folder does not exist, skipping."
+ continue
+ fi
+done
diff --git a/Config/ReverseProxy/docker-compose.yml b/Config/ReverseProxy/docker-compose.yml
index 6b97cc1..5b30a93 100644
--- a/Config/ReverseProxy/docker-compose.yml
+++ b/Config/ReverseProxy/docker-compose.yml
@@ -15,11 +15,12 @@ services:
 - "80:80"
 - "443:443"
 volumes:
+ - ../../Volumes/ReverseProxy/letsencrypt:/etc/nginx/letsencrypt
 - ../../Volumes/ReverseProxy/letsencrypt-certs:/etc/nginx/certs
 command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
 certbot:
 image: certbot/certbot
 volumes:
- - ../../Volumes/ReverseProxy/letsencrypt-etc:/etc/letsencrypt
+ - ../../Volumes/ReverseProxy/letsencrypt:/etc/letsencrypt
 - ../../Volumes/ReverseProxy/letsencrypt-certs:/var/www/certbot
 entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
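Review bot: `$email` and `$filename` are expanded unquoted in the `docker exec … certbot certonly` call, so interactive input containing whitespace or glob characters is word-split into extra certbot arguments instead of staying a single `-m` value; quote them (`-m "$email" -d "$filename"`) and ideally reject anything that does not look like an address before it reaches certbot. `domains` is extracted, cleaned and printed but never passed on — the cert is requested only for `-d $filename` — so any further `server_name` entries in the conf file are not covered; if they are meant to be, build the `-d` list from `$domains` as sketched below. `ls $DIR/config/conf.d/*.* | while read file` parses `ls` output and the bare `read` mangles backslashes; `for file in "$DIR"/config/conf.d/*.*` is the safe form, and `DIR=$(cd "$(dirname "$0")" && pwd)` avoids the `\.*` special case, which resolves a `../x/script.sh` invocation to the wrong directory. Separately, `--standalone` makes certbot bind port 80 inside its own container, while docker-compose.yml publishes 80 on the nginx service and nginx.conf carries an acme-challenge location, so the webroot authenticator (`--webroot -w /var/www/certbot`) looks like what the rest of the setup expects — worth confirming, since `certbot renew` reuses the authenticator recorded at issuance.
```bash
# … unchanged: DIR/CERT_DIR setup, container check, email prompt and confirmation …
for file in "$DIR"/config/conf.d/*.*; do
  filename=$(basename -- "$file")
  # … unchanged: example.com skip, "*** Checking" banner, cert-dir test and domains clean-up …
  domain_args=()
  IFS=',' read -r -a domain_list <<<"$domains"
  for d in "${domain_list[@]}"; do
    [[ -n "$d" ]] && domain_args+=(-d "$d")
  done
  docker exec reverseproxy-certbot-1 certbot certonly -n --standalone \
    --agree-tos -m "$email" "${domain_args[@]}"
  # … unchanged: ls of the cert directory, else branch and loop close …
done
```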
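Review bot: The new nginx bind `../../Volumes/ReverseProxy/letsencrypt:/etc/nginx/letsencrypt` gives the nginx container read-write access to the directory the certbot service mounts as its `/etc/letsencrypt` state directory (account keys, `archive/` private keys, renewal config). Nothing in this hunk has nginx writing there, so mount it read-only on the nginx side — `- ../../Volumes/ReverseProxy/letsencrypt:/etc/nginx/letsencrypt:ro` — which limits what a compromised nginx process could alter. The same `:ro` suffix would suit `letsencrypt-certs:/etc/nginx/certs` if nginx only reads it; the certbot service keeps its own write-side mount of that directory as `/var/www/certbot`, so it is unaffected.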