From f6e55e3cffd0de1f188999f7f015fb0bf8266d2c Mon Sep 17 00:00:00 2001 From: will Farrell Date: Fri, 13 Jan 2017 14:35:55 -0700 Subject: [PATCH] old method --- README.md | 4 +- certbot/make_letsencrypt_cert | 76 +++++++++++++++++++++++++++++++++++ 2 files changed, 79 insertions(+), 1 deletion(-) create mode 100755 certbot/make_letsencrypt_cert diff --git a/README.md b/README.md index 6c83c41..9745b54 100644 --- a/README.md +++ b/README.md @@ -81,4 +81,6 @@ docker run -d \ ``` ## TODO -- [ ] Update to python 3 (not-supported lexicon#68) \ No newline at end of file +- [ ] Update to python 3 (not-supported lexicon#68) + +`certbot/make_letsencrypt_cert` is an alternate method that one could use with the certbot docker image. However dns-01 is not supported. \ No newline at end of file diff --git a/certbot/make_letsencrypt_cert b/certbot/make_letsencrypt_cert new file mode 100755 index 0000000..7c7f3d7 --- /dev/null +++ b/certbot/make_letsencrypt_cert 
@@ -0,0 +1,76 @@
+#!/bin/bash
+#set -x
+
+# ENV
+# NGINX_ENV
+# NGINX_DOMAIN
+# CERTBOT_EMAIL
+# CERTBOT_RENEW_PERIOD
+
+DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+
+function make {
+
+ CERTBOT_ARGS="--non-interactive \
+ --agree-tos \
+ --email ${CERTBOT_EMAIL} \
+ --no-self-upgrade \
+ --domain ${NGINX_DOMAIN} \
+ --keep-until-expiring \
+ --rsa-key-size 4096 \
+ --must-staple \
+ --csr /etc/ssl/csr.der \
+ --key-path /etc/ssl/privkey.pem \
+ --cert-path /etc/ssl/cert.pem \
+ --chain-path /etc/ssl/chain.pem \
+ --fullchain-path /etc/ssl/fullchain.pem"
+
+ if [ "${NGINX_ENV}" == "production" ]; then
+ # --quiet
+ CERTBOT_ARGS="${CERTBOT_ARGS}"
+ else
+ CERTBOT_ARGS="${CERTBOT_ARGS} --staging"
+ fi
+
+ RENEW=1
+
+ if [ ! -f /etc/ssl/privkey.pem ] || [ ! -f /etc/ssl/csr.der ]; then
+ echo "Generate new privkey and csr"
+ openssl ecparam -genkey -name secp384r1 > /etc/ssl/privkey.pem
+ # w/o --must-staple
+ #openssl req -new -sha256 -key /etc/ssl/privkey.pem -subj "/CN=${NGINX_DOMAIN}" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:${NGINX_DOMAIN}")) -outform der -out /etc/ssl/csr.der
+ # w/ --must-staple https://community.letsencrypt.org/t/improving-revocation-will-lets-encrypt-support-ocsp-must-staple/4334/18
+ openssl req -new -sha256 -key /etc/ssl/privkey.pem -subj "/CN=${NGINX_DOMAIN}" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:${NGINX_DOMAIN}\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05")) -outform der -out /etc/ssl/csr.der
+ RENEW=0
+ fi
+
+ if [ "${RENEW}" == "0" ] || [ ! -f /etc/ssl/cert.pem ]; then
+ echo "** New Cert **"
+ certbot-auto certonly ${CERTBOT_ARGS} \
+ --standalone
+ else
+ echo "** Renew Cert **"
+ # `certbot-auto renew` will not work with customer *.csr
+
+ # check is cert need renewing
+ RENEW_PERIOD=${CERTBOT_RENEW_PERIOD:=1296000} # 1296000 = 15*86400
+ if [ "$(openssl x509 -checkend ${RENEW_PERIOD} -in /etc/ssl/cert.pem | grep -c not)" -eq "1" ]; then
+ openssl x509 -enddate -noout -in /etc/ssl/cert.pem
+ return
+ fi
+
+ mv /etc/ssl/cert.pem /etc/ssl/cert_old.pem
+ mv /etc/ssl/chain.pem /etc/ssl/chain_old.pem
+ mv /etc/ssl/fullchain.pem /etc/ssl/fullchain_old.pem
+
+ certbot-auto certonly ${CERTBOT_ARGS} \
+ --webroot --webroot-path /var/www
+ fi
+
+}
+
+make
+
+${DIR}/make_hpkp
+
+service nginx reload >/dev/null 2>&1 || echo "nginx reload not needed"
\ No newline at end of file
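Review bot: Both `certbot-auto certonly ${CERTBOT_ARGS}` calls depend on unquoted word-splitting of a string that itself embeds `${CERTBOT_EMAIL}` and `${NGINX_DOMAIN}` unquoted, so a value containing whitespace or glob characters is re-split, and nothing asserts that either variable is set before it reaches the CSR subject and the certbot command line; build the arguments as a bash array and check the inputs with `: "${NGINX_DOMAIN:?}"` and `: "${CERTBOT_EMAIL:?}"` first (sketch below). The same `${NGINX_DOMAIN}` is spliced into the `printf` format string that produces the SAN section, where a `%` in the value would be treated as a conversion; pass it as an argument with `%s` instead. The private key is created by `openssl ecparam ... > /etc/ssl/privkey.pem`, whose mode is set only by the caller's umask and is therefore usually world-readable; wrap the generation in `(umask 077 && ...)` and stop on failure, since an empty or partial privkey.pem otherwise still satisfies the `-f` test on the next run. In the renew branch the three `mv` lines retire the live cert, chain and fullchain before `certbot-auto` has succeeded, so a failed renewal leaves nginx with nothing to reload; move them aside only after certonly returns 0, or copy rather than move.

```shell
: "${NGINX_DOMAIN:?NGINX_DOMAIN must be set}"
: "${CERTBOT_EMAIL:?CERTBOT_EMAIL must be set}"
certbot_args=(--non-interactive --agree-tos --email "${CERTBOT_EMAIL}"
  --no-self-upgrade --domain "${NGINX_DOMAIN}" --keep-until-expiring
  --rsa-key-size 4096 --must-staple --csr /etc/ssl/csr.der
  --key-path /etc/ssl/privkey.pem --cert-path /etc/ssl/cert.pem
  --chain-path /etc/ssl/chain.pem --fullchain-path /etc/ssl/fullchain.pem)
if [ "${NGINX_ENV}" != "production" ]; then
  certbot_args+=(--staging)
fi
# … unchanged: RENEW=1 and the privkey/csr existence test …
  # key file mode otherwise follows the umask; keep it owner-only
  (umask 077 && openssl ecparam -genkey -name secp384r1 > /etc/ssl/privkey.pem) || return 1
  openssl req -new -sha256 -key /etc/ssl/privkey.pem -subj "/CN=${NGINX_DOMAIN}" -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:%s\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05\n' "${NGINX_DOMAIN}")) \
    -outform der -out /etc/ssl/csr.der || return 1
# … unchanged: new-cert branch, expiry check …
  certbot-auto certonly "${certbot_args[@]}" --standalone
# … unchanged: renew branch up to the mv lines (moved after the call) …
  certbot-auto certonly "${certbot_args[@]}" --webroot --webroot-path /var/www || return 1
```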