From b64f941d93ba644abdc1b8482db06453951a7338 Mon Sep 17 00:00:00 2001
From: Derek Smith
Date: Tue, 24 May 2022 14:20:59 -0400
Subject: [PATCH] Certificate renewal updates.
---
deployment/generate_certs.sh | 34 ++++++++++++++++++++--------------
deployment/go_www.sh | 19 +++++--------------
2 files changed, 25 insertions(+), 28 deletions(-)
diff --git a/deployment/generate_certs.sh b/deployment/generate_certs.sh
index fcc256c..d5b7590 100755
--- a/deployment/generate_certs.sh
+++ b/deployment/generate_certs.sh
@@ -2,25 +2,31 @@ set -e
+# let's do a refresh of the certificates. Let's Encrypt will not run if it's not time.
+docker pull certbot/certbot:latest
+# when deploying to AWS, www exists on a separate IP address from btcpay, umbrel, etc.
+# thus, we structure the certificate accordingly.
if [ "$VPS_HOSTING_TARGET" = aws ]; then
- # let's do a refresh of the certificates. Let's Encrypt will not run if it's not time.
- docker pull certbot/certbot
-
docker run -it --rm \
--name certbot \
-p 80:80 \
-p 443:443 \
- -v /etc/letsencrypt:/etc/letsencrypt \
- -v /var/lib/letsencrypt:/var/lib/letsencrypt certbot/certbot \
- certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
+ -v "$REMOTE_HOME/letsencrypt":/etc/letsencrypt \
+ -v /var/lib/letsencrypt:/var/lib/letsencrypt \
+ -v "$REMOTE_HOME/letsencrypt_logs":/var/log/letsencrypt \
+ certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
- # backup the certs to our SITE_PATH/certs.tar.gz so we have them handy (for local development)
- ssh "$FQDN" sudo tar -zcvf "$REMOTE_HOME/certs.tar.gz" -C /etc ./letsencrypt
- ssh "$FQDN" sudo chown ubuntu:ubuntu "$REMOTE_HOME/certs.tar.gz"
+elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
+# with the lxd side, we are trying to expose ALL OUR services from one IP address, which terminates
+# at a cachehing reverse proxy that runs nginx.
+ docker run -it --rm \
+ --name certbot \
+ -p 80:80 \
+ -p 443:443 \
+ -v "$REMOTE_HOME/letsencrypt":/etc/letsencrypt \
+ -v /var/lib/letsencrypt:/var/lib/letsencrypt \
+ -v "$REMOTE_HOME/letsencrypt_logs":/var/log/letsencrypt \
+ certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" -d "$BTCPAY_FQDN" -d "$NOSTR_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
- # now pull the tarballs down the local machine.
- scp "$FQDN:$REMOTE_HOME/certs.tar.gz" "$SITE_PATH/certs.tar.gz"
-else
- echo "INFO: Skipping certificate renewal since we're on hosting provider=lxd."
-fi
\ No newline at end of file
+fi
diff --git a/deployment/go_www.sh b/deployment/go_www.sh
index 7e02e8d..c149568 100755
--- a/deployment/go_www.sh
+++ b/deployment/go_www.sh
@@ -24,27 +24,18 @@ fi
# stop services.
if docker stack list --format "{{.Name}}" | grep -q webstack; then
docker stack rm webstack
- sleep 20
+ sleep 15
fi
# this will generate letsencrypt certs and pull them down locally.
-if [ "$VPS_HOSTING_TARGET" != lxd ]; then
+# if [ "$VPS_HOSTING_TARGET" != lxd ]; then
+
+
# really we should change this if clause to some thing like
# "if the perimeter firewall allows port 80/443, then go ahead."
- if [ "$VPS_HOSTING_TARGET" = aws ] && [ "$RUN_CERT_RENEWAL" = true ]; then
+if [ "$RUN_CERT_RENEWAL" = true ]; then
./generate_certs.sh
fi
-else
- # restore the certs. If they don't exist in a backup we restore from SITE_PATH
- if [ -f "$SITE_PATH/certs.tar.gz" ]; then
- scp "$SITE_PATH/certs.tar.gz" "ubuntu@$FQDN:$REMOTE_HOME/certs.tar.gz"
- ssh "$FQDN" "sudo tar -xvf $REMOTE_HOME/certs.tar.gz -C /etc"
- else
- echo "ERROR: Certificates do not exist locally."
- exit 1
- fi
-fi
-
if [ "$RUN_BACKUP" = true ]; then
./backup_www.sh
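Review bot: The aws and lxd branches now run the same eight-line `docker run … certbot/certbot certonly …` command and differ only in the `-d` list, and the old `else` that reported an unhandled hosting target is gone, so an unset or misspelled `VPS_HOSTING_TARGET` exits 0 without renewing anything. Build the `-d` arguments in an array per target, reject unknown targets, and keep one certbot invocation. Since the file sets `-e` but not `-u`, an empty `REMOTE_HOME` turns the new bind mount into `/letsencrypt` and the private keys are written there; add `: "${REMOTE_HOME:?REMOTE_HOME must be set}"` before the run. The new `docker pull certbot/certbot:latest` pins nothing, so each renewal runs whatever the registry serves that day; a version tag or digest makes the run reproducible and reviewable. `-it` allocates a TTY that `--noninteractive` never uses and that fails when the script runs without a terminal (cron, ssh without `-t`), so `-i --rm` is enough.
```shell
domains=(-d "$DOMAIN_NAME" -d "$FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN")
if [ "$VPS_HOSTING_TARGET" = lxd ]; then
    # lxd fronts every service from one IP, so the single cert must also cover btcpay and nostr.
    domains+=(-d "$BTCPAY_FQDN" -d "$NOSTR_FQDN")
elif [ "$VPS_HOSTING_TARGET" != aws ]; then
    echo "ERROR: unsupported VPS_HOSTING_TARGET='$VPS_HOSTING_TARGET'." >&2
    exit 1
fi
# … unchanged: the one docker run … certbot/certbot certonly … invocation, with the literal -d list replaced by "${domains[@]}" …
```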
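Review bot: The comment `# this will generate letsencrypt certs and pull them down locally.` is now stale, because the local pull (the scp of certs.tar.gz) is removed in this commit's generate_certs.sh hunk; it should read `# renew the letsencrypt certs in place on the host via generate_certs.sh; nothing is pulled down locally any more.` The commented-out `# if [ "$VPS_HOSTING_TARGET" != lxd ]; then`, the two blank lines after it and the 4-space indent left on `./generate_certs.sh` and its `fi` are remnants of the old structure; delete the commented line and reindent so the new top-level `if` reads as one block. With the lxd restore branch gone, a run with `RUN_CERT_RENEWAL` unset no longer checks that any certificate exists on the host; if the rest of go_www.sh (outside this hunk) deploys the webstack against `$REMOTE_HOME/letsencrypt`, a presence check in the non-renewal case such as `ssh "$FQDN" test -d "$REMOTE_HOME/letsencrypt/live" || { echo "ERROR: no certificates on $FQDN and RUN_CERT_RENEWAL is not true." >&2; exit 1; }` keeps the old failure mode explicit. `sleep 15` after `docker stack rm webstack` is still a guess at how long the stack takes to release ports 80/443 that the standalone certbot then binds; polling, e.g. `while docker stack ps webstack >/dev/null 2>&1; do sleep 1; done`, removes the race in both directions.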