diff --git a/README.md b/README.md
index f346637..1ce7e57 100644
--- a/README.md
+++ b/README.md
@@ -106,6 +106,4 @@ docker run -d \
 }
 ]
 }
-```
-
-Note: `certbot/make_letsencrypt_cert` is an alternate method that one could use with the certbot docker image. However dns-01 is not supported.
\ No newline at end of file
+```
\ No newline at end of file
diff --git a/certbot/make_letsencrypt_cert b/certbot/make_letsencrypt_cert
deleted file mode 100755
index 7c7f3d7..0000000
--- a/certbot/make_letsencrypt_cert
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/bin/bash
-#set -x
-
-# ENV
-# NGINX_ENV
-# NGINX_DOMAIN
-# CERTBOT_EMAIL
-# CERTBOT_RENEW_PERIOD
-
-DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-
-function make {
-
- CERTBOT_ARGS="--non-interactive \
- --agree-tos \
- --email ${CERTBOT_EMAIL} \
- --no-self-upgrade \
- --domain ${NGINX_DOMAIN} \
- --keep-until-expiring \
- --rsa-key-size 4096 \
- --must-staple \
- --csr /etc/ssl/csr.der \
- --key-path /etc/ssl/privkey.pem \
- --cert-path /etc/ssl/cert.pem \
- --chain-path /etc/ssl/chain.pem \
- --fullchain-path /etc/ssl/fullchain.pem"
-
- if [ "${NGINX_ENV}" == "production" ]; then
- # --quiet
- CERTBOT_ARGS="${CERTBOT_ARGS}"
- else
- CERTBOT_ARGS="${CERTBOT_ARGS} --staging"
- fi
-
- RENEW=1
-
- if [ ! -f /etc/ssl/privkey.pem ] || [ ! -f /etc/ssl/csr.der ]; then
- echo "Generate new privkey and csr"
- openssl ecparam -genkey -name secp384r1 > /etc/ssl/privkey.pem
- # w/o --must-staple
- #openssl req -new -sha256 -key /etc/ssl/privkey.pem -subj "/CN=${NGINX_DOMAIN}" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:${NGINX_DOMAIN}")) -outform der -out /etc/ssl/csr.der
- # w/ --must-staple https://community.letsencrypt.org/t/improving-revocation-will-lets-encrypt-support-ocsp-must-staple/4334/18
- openssl req -new -sha256 -key /etc/ssl/privkey.pem -subj "/CN=${NGINX_DOMAIN}" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:${NGINX_DOMAIN}\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05")) -outform der -out /etc/ssl/csr.der
- RENEW=0
- fi
-
- if [ "${RENEW}" == "0" ] || [ ! -f /etc/ssl/cert.pem ]; then
- echo "** New Cert **"
- certbot-auto certonly ${CERTBOT_ARGS} \
- --standalone
- else
- echo "** Renew Cert **"
- # `certbot-auto renew` will not work with customer *.csr
-
- # check is cert need renewing
- RENEW_PERIOD=${CERTBOT_RENEW_PERIOD:=1296000} # 1296000 = 15*86400
- if [ "$(openssl x509 -checkend ${RENEW_PERIOD} -in /etc/ssl/cert.pem | grep -c not)" -eq "1" ]; then
- openssl x509 -enddate -noout -in /etc/ssl/cert.pem
- return
- fi
-
- mv /etc/ssl/cert.pem /etc/ssl/cert_old.pem
- mv /etc/ssl/chain.pem /etc/ssl/chain_old.pem
- mv /etc/ssl/fullchain.pem /etc/ssl/fullchain_old.pem
-
- certbot-auto certonly ${CERTBOT_ARGS} \
- --webroot --webroot-path /var/www
- fi
-
-}
-
-make
-
-${DIR}/make_hpkp
-
-service nginx reload >/dev/null 2>&1 || echo "nginx reload not needed"
\ No newline at end of file