old method

8 years ago · f6e55e3cff
2 changed files with 79 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -82,3 +82,5 @@ docker run -d \

 ## TODO
 - [ ] Update to python 3 (not-supported lexicon#68)
+
+`certbot/make_letsencrypt_cert` is an alternate method that one could use with the certbot docker image. However dns-01 is not supported.
--- a/certbot/make_letsencrypt_cert
+++ b/certbot/make_letsencrypt_cert
@ -0,0 +1,76 @@
+#!/bin/bash
+#set -x
+
+# ENV
+# NGINX_ENV
+# NGINX_DOMAIN
+# CERTBOT_EMAIL
+# CERTBOT_RENEW_PERIOD
+
+DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+
+function make {
+
+    CERTBOT_ARGS="--non-interactive \
+            --agree-tos \
+            --email ${CERTBOT_EMAIL} \
+            --no-self-upgrade \
+            --domain ${NGINX_DOMAIN} \
+            --keep-until-expiring \
+            --rsa-key-size 4096 \
+            --must-staple \
+            --csr /etc/ssl/csr.der \
+            --key-path /etc/ssl/privkey.pem \
+            --cert-path /etc/ssl/cert.pem \
+            --chain-path /etc/ssl/chain.pem \
+            --fullchain-path /etc/ssl/fullchain.pem"
+
+    if [ "${NGINX_ENV}" == "production" ]; then
+        # --quiet
+        CERTBOT_ARGS="${CERTBOT_ARGS}"
+    else
+        CERTBOT_ARGS="${CERTBOT_ARGS} --staging"
+    fi
+
+    RENEW=1
+
+    if [ ! -f /etc/ssl/privkey.pem ] || [ ! -f /etc/ssl/csr.der ]; then
+        echo "Generate new privkey and csr"
+        openssl ecparam -genkey -name secp384r1 > /etc/ssl/privkey.pem
+        # w/o --must-staple
+        #openssl req -new -sha256 -key /etc/ssl/privkey.pem -subj "/CN=${NGINX_DOMAIN}" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:${NGINX_DOMAIN}")) -outform der -out /etc/ssl/csr.der
+        # w/ --must-staple https://community.letsencrypt.org/t/improving-revocation-will-lets-encrypt-support-ocsp-must-staple/4334/18
+        openssl req -new -sha256 -key /etc/ssl/privkey.pem -subj "/CN=${NGINX_DOMAIN}" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:${NGINX_DOMAIN}\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05")) -outform der -out /etc/ssl/csr.der
+        RENEW=0
+    fi
+
+    if  [ "${RENEW}" == "0" ] || [ ! -f /etc/ssl/cert.pem ]; then
+        echo "** New Cert **"
+        certbot-auto certonly ${CERTBOT_ARGS} \
+            --standalone
+    else
+        echo "** Renew Cert **"
+        # `certbot-auto renew` will not work with customer *.csr
+
+        # check is cert need renewing
+        RENEW_PERIOD=${CERTBOT_RENEW_PERIOD:=1296000} # 1296000 = 15*86400
+        if [ "$(openssl x509 -checkend ${RENEW_PERIOD} -in /etc/ssl/cert.pem | grep -c not)" -eq "1" ]; then
+            openssl x509 -enddate -noout -in /etc/ssl/cert.pem
+            return
+        fi
+
+        mv /etc/ssl/cert.pem /etc/ssl/cert_old.pem
+        mv /etc/ssl/chain.pem /etc/ssl/chain_old.pem
+        mv /etc/ssl/fullchain.pem /etc/ssl/fullchain_old.pem
+
+        certbot-auto certonly ${CERTBOT_ARGS} \
+            --webroot --webroot-path /var/www
+    fi
+
+}
+
+make
+
+${DIR}/make_hpkp
+
+service nginx reload >/dev/null 2>&1 || echo "nginx reload not needed"