@ -10,17 +10,25 @@ mkdir -p \
# generate keys (maybe)
# generate keys (maybe)
if [[ $DISABLE_HTTPS -ne 1 ]]; then
if [[ $DISABLE_HTTPS -ne 1 ]]; then
if [[ $ENABLE_LETSENCRYPT -eq 1 ]]; then
if [[ $ENABLE_LETSENCRYPT -eq 1 ]]; then
if [[ ! -f /etc/letsencrypt/live/$LETSENCRYPT_DOMAIN/fullchain.pem ]]; then
if [[ ! -f /config/acme.sh/acme.sh ]]; then
if ! certbot-auto \
mkdir /config/acme.sh
certonly \
pushd /opt
--no-self-upgrade \
sh ./acme.sh --install --home /config/acme.sh --accountemail $LETSENCRYPT_EMAIL
--noninteractive \
popd
--standalone \
fi
--preferred-challenges http \
if [[ ! -f /etc/nginx/acme/$LETSENCRYPT_DOMAIN/fullchain.pem ]]; then
-d $LETSENCRYPT_DOMAIN \
STAGING=""
--agree-tos \
if [[ $LETSENCRYPT_USE_STAGING -eq 1 ]]; then
--email $LETSENCRYPT_EMAIL ; then
STAGING="--staging"
fi
# TODO: move away from standalone mode to webroot mode.
if ! /config/acme.sh/acme.sh \
$STAGING \
--issue \
--standalone \
--pre-hook "if [[ -f /var/run/s6/services/nginx ]]; then s6-svc -d /var/run/s6/services/nginx; fi" \
--post-hook "if [[ -f /var/run/s6/services/nginx ]]; then s6-svc -u /var/run/s6/services/nginx; fi" \
-d $LETSENCRYPT_DOMAIN ; then
echo "Failed to obtain a certificate from the Let's Encrypt CA."
echo "Failed to obtain a certificate from the Let's Encrypt CA."
# this tries to get the user's attention and to spare the
# this tries to get the user's attention and to spare the
# authority's rate limit:
# authority's rate limit:
@ -28,16 +36,18 @@ if [[ $DISABLE_HTTPS -ne 1 ]]; then
echo "Exiting."
echo "Exiting."
exit 1
exit 1
fi
fi
fi
mkdir -p /etc/nginx/acme/$LETSENCRYPT_DOMAIN
if ! /config/acme.sh/acme.sh \
# remove default certbot renewal
--install-cert -d $LETSENCRYPT_DOMAIN \
if [[ -f /etc/cron.d/certbot ]]; then
--key-file /etc/nginx/acme/$LETSENCRYPT_DOMAIN/key.pem \
rm /etc/cron.d/certbot
--fullchain-file /etc/nginx/acme/$LETSENCRYPT_DOMAIN/fullchain.pem ; then
fi
echo "Failed to install certificate."
# this tries to get the user's attention and to spare the
# setup certbot renewal script
# authority's rate limit:
if [[ ! -f /etc/cron.daily/letencrypt-renew ]]; then
sleep 15
cp /defaults/letsencrypt-renew /etc/cron.daily/
echo "Exiting."
exit 1
fi
fi
fi
else
else
# use self-signed certs
# use self-signed certs