forked from ss/sovereign-stack
Certificate renewal updates.
This commit is contained in:
parent
3b2a3645f8
commit
b64f941d93
@ -2,25 +2,31 @@
|
||||
|
||||
set -e
|
||||
|
||||
# let's do a refresh of the certificates. Let's Encrypt will not run if it's not time.
|
||||
docker pull certbot/certbot:latest
|
||||
|
||||
# when deploying to AWS, www exists on a separate IP address from btcpay, umbrel, etc.
|
||||
# thus, we structure the certificate accordingly.
|
||||
if [ "$VPS_HOSTING_TARGET" = aws ]; then
|
||||
# let's do a refresh of the certificates. Let's Encrypt will not run if it's not time.
|
||||
docker pull certbot/certbot
|
||||
|
||||
docker run -it --rm \
|
||||
--name certbot \
|
||||
-p 80:80 \
|
||||
-p 443:443 \
|
||||
-v /etc/letsencrypt:/etc/letsencrypt \
|
||||
-v /var/lib/letsencrypt:/var/lib/letsencrypt certbot/certbot \
|
||||
certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
|
||||
-v "$REMOTE_HOME/letsencrypt":/etc/letsencrypt \
|
||||
-v /var/lib/letsencrypt:/var/lib/letsencrypt \
|
||||
-v "$REMOTE_HOME/letsencrypt_logs":/var/log/letsencrypt \
|
||||
certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
|
||||
|
||||
# backup the certs to our SITE_PATH/certs.tar.gz so we have them handy (for local development)
|
||||
ssh "$FQDN" sudo tar -zcvf "$REMOTE_HOME/certs.tar.gz" -C /etc ./letsencrypt
|
||||
ssh "$FQDN" sudo chown ubuntu:ubuntu "$REMOTE_HOME/certs.tar.gz"
|
||||
elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
|
||||
# with the lxd side, we are trying to expose ALL OUR services from one IP address, which terminates
|
||||
# at a cachehing reverse proxy that runs nginx.
|
||||
docker run -it --rm \
|
||||
--name certbot \
|
||||
-p 80:80 \
|
||||
-p 443:443 \
|
||||
-v "$REMOTE_HOME/letsencrypt":/etc/letsencrypt \
|
||||
-v /var/lib/letsencrypt:/var/lib/letsencrypt \
|
||||
-v "$REMOTE_HOME/letsencrypt_logs":/var/log/letsencrypt \
|
||||
certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" -d "$BTCPAY_FQDN" -d "$NOSTR_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
|
||||
|
||||
# now pull the tarballs down the local machine.
|
||||
scp "$FQDN:$REMOTE_HOME/certs.tar.gz" "$SITE_PATH/certs.tar.gz"
|
||||
else
|
||||
echo "INFO: Skipping certificate renewal since we're on hosting provider=lxd."
|
||||
fi
|
||||
fi
|
||||
|
@ -24,27 +24,18 @@ fi
|
||||
# stop services.
|
||||
if docker stack list --format "{{.Name}}" | grep -q webstack; then
|
||||
docker stack rm webstack
|
||||
sleep 20
|
||||
sleep 15
|
||||
fi
|
||||
|
||||
# this will generate letsencrypt certs and pull them down locally.
|
||||
if [ "$VPS_HOSTING_TARGET" != lxd ]; then
|
||||
# if [ "$VPS_HOSTING_TARGET" != lxd ]; then
|
||||
|
||||
|
||||
# really we should change this if clause to some thing like
|
||||
# "if the perimeter firewall allows port 80/443, then go ahead."
|
||||
if [ "$VPS_HOSTING_TARGET" = aws ] && [ "$RUN_CERT_RENEWAL" = true ]; then
|
||||
if [ "$RUN_CERT_RENEWAL" = true ]; then
|
||||
./generate_certs.sh
|
||||
fi
|
||||
else
|
||||
# restore the certs. If they don't exist in a backup we restore from SITE_PATH
|
||||
if [ -f "$SITE_PATH/certs.tar.gz" ]; then
|
||||
scp "$SITE_PATH/certs.tar.gz" "ubuntu@$FQDN:$REMOTE_HOME/certs.tar.gz"
|
||||
ssh "$FQDN" "sudo tar -xvf $REMOTE_HOME/certs.tar.gz -C /etc"
|
||||
else
|
||||
echo "ERROR: Certificates do not exist locally."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
if [ "$RUN_BACKUP" = true ]; then
|
||||
./backup_www.sh
|
||||
|
Loading…
Reference in New Issue
Block a user