Certificate renewal updates.

deployment/generate_certs.sh

@@ -2,25 +2,31 @@
 
 set -e
 
-
-if [ "$VPS_HOSTING_TARGET" = aws ]; then
 # let's do a refresh of the certificates. Let's Encrypt will not run if it's not time.
-    docker pull certbot/certbot
+docker pull certbot/certbot:latest
 
+# when deploying to AWS, www exists on a separate IP address from btcpay, umbrel, etc.
+# thus, we structure the certificate accordingly.
+if [ "$VPS_HOSTING_TARGET" = aws ]; then
     docker run -it --rm \
         --name certbot \
         -p 80:80 \
         -p 443:443 \
-        -v /etc/letsencrypt:/etc/letsencrypt \
+        -v "$REMOTE_HOME/letsencrypt":/etc/letsencrypt \
-        -v /var/lib/letsencrypt:/var/lib/letsencrypt certbot/certbot \
+        -v /var/lib/letsencrypt:/var/lib/letsencrypt \
-        certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
+        -v "$REMOTE_HOME/letsencrypt_logs":/var/log/letsencrypt \
+        certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
 
-    # backup the certs to our SITE_PATH/certs.tar.gz so we have them handy (for local development)
+elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
-    ssh "$FQDN" sudo tar -zcvf "$REMOTE_HOME/certs.tar.gz" -C /etc ./letsencrypt
+# with the lxd side, we are trying to expose ALL OUR services from one IP address, which terminates
-    ssh "$FQDN" sudo chown ubuntu:ubuntu "$REMOTE_HOME/certs.tar.gz"
+# at a cachehing reverse proxy that runs nginx.
+    docker run -it --rm \
+        --name certbot \
+        -p 80:80 \
+        -p 443:443 \
+        -v "$REMOTE_HOME/letsencrypt":/etc/letsencrypt \
+        -v /var/lib/letsencrypt:/var/lib/letsencrypt \
+        -v "$REMOTE_HOME/letsencrypt_logs":/var/log/letsencrypt \
+        certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" -d "$BTCPAY_FQDN" -d "$NOSTR_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
 
-    # now pull the tarballs down the local machine.
-    scp "$FQDN:$REMOTE_HOME/certs.tar.gz" "$SITE_PATH/certs.tar.gz"
-else
-    echo "INFO: Skipping certificate renewal since we're on hosting provider=lxd."
 fi

deployment/go_www.sh

@@ -24,27 +24,18 @@ fi
 # stop services.
 if docker stack list --format "{{.Name}}" | grep -q webstack; then
     docker stack rm webstack
-    sleep 20
+    sleep 15
 fi
 
 # this will generate letsencrypt certs and pull them down locally.
-if [ "$VPS_HOSTING_TARGET" != lxd ]; then
+# if [ "$VPS_HOSTING_TARGET" != lxd ]; then
+
+
     # really we should change this if clause to some thing like
     # "if the perimeter firewall allows port 80/443, then go ahead."
-    if [ "$VPS_HOSTING_TARGET" = aws ] && [ "$RUN_CERT_RENEWAL" = true ]; then
+if [ "$RUN_CERT_RENEWAL" = true ]; then
         ./generate_certs.sh
     fi
-else
-    # restore the certs. If they don't exist in a backup we restore from SITE_PATH
-    if [ -f "$SITE_PATH/certs.tar.gz" ]; then
-        scp "$SITE_PATH/certs.tar.gz" "ubuntu@$FQDN:$REMOTE_HOME/certs.tar.gz"
-        ssh "$FQDN" "sudo tar -xvf $REMOTE_HOME/certs.tar.gz -C /etc"
-    else
-        echo "ERROR: Certificates do not exist locally."
-        exit 1
-    fi
-fi
-
 
 if [ "$RUN_BACKUP"  = true ]; then
     ./backup_www.sh