Container para emitir Certificados Let's Encrypt, com o Dehydrated

#!/bin/bash
#set -x
# Environment variables read by this script:
# NGINX_ENV
# NGINX_DOMAIN
# CERTBOT_EMAIL
# CERTBOT_RENEW_PERIOD
DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
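#######################################
# Issue or renew the Let's Encrypt certificate for NGINX_DOMAIN via certbot,
# using a locally generated EC key and CSR (OCSP Must-Staple requested).
# Globals (read): NGINX_ENV, NGINX_DOMAIN, CERTBOT_EMAIL, CERTBOT_RENEW_PERIOD
# Files written:  /etc/ssl/privkey.pem, /etc/ssl/csr.der, /etc/ssl/cert.pem,
#                 /etc/ssl/chain.pem, /etc/ssl/fullchain.pem (old copies are
#                 kept as *_old.pem during a renewal)
# Outputs:        progress messages on stdout
# Returns:        0 when the cert is still valid or was issued; otherwise the
#                 status of the failing openssl/certbot command
#######################################
function make {
  # Fail early with a clear message instead of handing certbot empty values.
  : "${NGINX_DOMAIN:?NGINX_DOMAIN must be set}"
  : "${CERTBOT_EMAIL:?CERTBOT_EMAIL must be set}"

  # Arguments live in an array, not a whitespace-split string, so values
  # containing spaces survive and nothing is re-globbed on expansion.
  # NOTE(review): --rsa-key-size is moot while a CSR (with an EC key) is
  # supplied; it is kept only to leave the argument list unchanged.
  # NOTE(review): certbot-auto is no longer maintained upstream; the packaged
  # certbot takes the same certonly arguments.
  local -a certbot_args=(
    --non-interactive
    --agree-tos
    --email "${CERTBOT_EMAIL}"
    --no-self-upgrade
    --domain "${NGINX_DOMAIN}"
    --keep-until-expiring
    --rsa-key-size 4096
    --must-staple
    --csr /etc/ssl/csr.der
    --key-path /etc/ssl/privkey.pem
    --cert-path /etc/ssl/cert.pem
    --chain-path /etc/ssl/chain.pem
    --fullchain-path /etc/ssl/fullchain.pem
  )
  if [[ "${NGINX_ENV}" != "production" ]]; then
    # Anything that is not production talks to the staging CA (no rate limits,
    # untrusted certs). In production one could add --quiet here.
    certbot_args+=(--staging)
  fi

  local renew=1
  if [[ ! -f /etc/ssl/privkey.pem || ! -f /etc/ssl/csr.der ]]; then
    echo "Generate new privkey and csr"
    # The private key is created under umask 077 so it is never readable by
    # other users, even briefly (a plain redirection would use the default
    # umask, typically producing a world-readable file).
    ( umask 077 && openssl ecparam -genkey -name secp384r1 > /etc/ssl/privkey.pem ) || return
    # w/o --must-staple:
    #   printf '[SAN]\nsubjectAltName=DNS:%s' "${NGINX_DOMAIN}"
    # w/ --must-staple (TLS Feature extension 1.3.6.1.5.5.7.1.24 = status_request):
    # https://community.letsencrypt.org/t/improving-revocation-will-lets-encrypt-support-ocsp-must-staple/4334/18
    # The domain is passed as a printf argument rather than inside the format
    # string, so a '%' or backslash in it cannot alter the generated config.
    openssl req -new -sha256 -key /etc/ssl/privkey.pem \
      -subj "/CN=${NGINX_DOMAIN}" -reqexts SAN \
      -config <(cat /etc/ssl/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS:%s\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05' "${NGINX_DOMAIN}")) \
      -outform der -out /etc/ssl/csr.der || return
    renew=0
  fi

  if [[ "${renew}" == "0" || ! -f /etc/ssl/cert.pem ]]; then
    echo "** New Cert **"
    # First issuance: nothing is serving on :80 yet, so use standalone.
    certbot-auto certonly "${certbot_args[@]}" \
      --standalone
  else
    echo "** Renew Cert **"
    # `certbot-auto renew` will not work with customer *.csr
    # check is cert need renewing
    local renew_period=${CERTBOT_RENEW_PERIOD:-1296000} # 1296000 = 15*86400
    # -checkend exits 0 while the cert stays valid for renew_period seconds.
    # -noout keeps the PEM body off stdout; the previous `grep -c not` on the
    # un-suppressed output could miscount when the base64 body happened to
    # contain that substring and trigger a needless renewal.
    if openssl x509 -checkend "${renew_period}" -noout -in /etc/ssl/cert.pem; then
      openssl x509 -enddate -noout -in /etc/ssl/cert.pem
      return 0
    fi
    # certbot writes to --cert-path etc.; move the live files aside first.
    mv /etc/ssl/cert.pem /etc/ssl/cert_old.pem
    mv /etc/ssl/chain.pem /etc/ssl/chain_old.pem
    mv /etc/ssl/fullchain.pem /etc/ssl/fullchain_old.pem
    local rv=0
    certbot-auto certonly "${certbot_args[@]}" \
      --webroot --webroot-path /var/www || rv=$?
    if (( rv != 0 )); then
      # Issuance failed: restore the still-valid certificate so nginx keeps
      # serving TLS instead of being left without cert files.
      mv /etc/ssl/cert_old.pem /etc/ssl/cert.pem
      mv /etc/ssl/chain_old.pem /etc/ssl/chain.pem
      mv /etc/ssl/fullchain_old.pem /etc/ssl/fullchain.pem
      return "${rv}"
    fi
  fi
}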
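# Issue/renew first; on failure stop here rather than regenerating HPKP pins
# and reloading nginx on a certificate that was not produced.
make || exit $?
# Quoted so a DIR containing spaces still resolves to the sibling script.
"${DIR}/make_hpkp"
# NOTE(review): the fallback message is also printed when the reload itself
# fails (e.g. nginx rejects the new cert files), not only when nothing changed.
service nginx reload >/dev/null 2>&1 || echo "nginx reload not needed"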