
Commit

Run a custom deploy hook script defined in DEPLOY_HOOK environment variable
racbart committed Apr 28, 2019
1 parent a8b2506 commit 7e32948
Showing 3 changed files with 46 additions and 0 deletions.
1 change: 1 addition & 0 deletions Dockerfile
Expand Up @@ -26,6 +26,7 @@ ENV CERTS_DIRS_MODE 0750
ENV CERTS_FILES_MODE 0640
ENV CERTS_USER_OWNER root
ENV CERTS_GROUP_OWNER root
ENV DEPLOY_HOOK ""

# Install dependencies, certbot, lexicon, prepare for first start and clean
RUN apk --no-cache --update add rsyslog git libffi libxml2 libxslt libstdc++ openssl docker ethtool \
41 changes: 41 additions & 0 deletions README.md
Expand Up @@ -17,6 +17,7 @@
* [Certificates reconfiguration at runtime](#certificates-reconfiguration-at-runtime)
* [Restart containers when a certificate is renewed](#restart-containers-when-a-certificate-is-renewed)
* [Call a reload command on containers when a certificate is renewed](#call-a-reload-command-on-containers-when-a-certificate-is-renewed)
* [Run a custom deploy hook script](#run-a-custom-deploy-hook-script)
* [Miscellaneous and testing](#miscellaneous-and-testing)
* [Using ACME v1 servers](#using-acme-v1-servers)
* [Activate staging ACME servers](#activating-staging-acme-servers)
Expand Down Expand Up @@ -296,6 +297,46 @@ If the certificate `web.example.com` is renewed, command `apachectl graceful` wi

_(Limitations on invokable commands) The option `autocmd-container` is intended to call a simple executable file with few potential arguments. It is not made to call some advanced bash script, and would likely fail if you do so. In fact, the command is not executed in a shell on the target, and variables will be resolved against the lets-encrypt container environment. If you want to operate advanced scripting, put an executable script in the target container, and use its path in `autocmd-container` option._

### Run a custom deploy hook script

You can specify a script or a command to execute after a certificate is created or renewed, by specifying `DEPLOY_HOOK` environment variable. This is useful if you want to copy certificates someplace else or need to reorganize file structure.

All standard environment variables will be available in your script, as well as two new variables set by certbot:
* `RENEWED_LINEAGE` - directory with certificate files (e.g. `/etc/letsencrypt/live/domain`)
* `RENEWED_DOMAINS` - list of domains for the certificate, separated by space

Example: copying all new or renewed certificates to a single directory with `domain.crt` and `domain.key` filenames, making it easily usable with nginx:

Create deploy-hook.sh file and make it executable.

```bash
#!/bin/sh
mkdir -p "/etc/nginx/certs"
cd "/etc/nginx/certs"
for domain in ${RENEWED_DOMAINS}; do
cp "${RENEWED_LINEAGE}/fullchain.pem" "${domain}.crt"
cp "${RENEWED_LINEAGE}/privkey.pem" "${domain}.key"
done
chown $CERTS_USER_OWNER:$CERTS_GROUP_OWNER "${domain}.*"
chmod $CERTS_FILES_MODE "${domain}.*"
```

Execute:
```bash
docker run \
--name letsencrypt-dns \
--volume /etc/letsencrypt/domains.conf:/etc/letsencrypt/domains.conf \
--volume /etc/letsencrypt/deploy-hook.sh:/usr/local/bin/create-nginx-certs \
--volume /var/docker-data/letsencrypt:/etc/letsencrypt \
--volume /var/docker-data/nginx:/etc/nginx/certs \
--env '[email protected]' \
--env 'LEXICON_PROVIDER=cloudflare' \
--env 'LEXICON_CLOUDFLARE_USERNAME=my_cloudflare_email' \
--env 'LEXICON_CLOUDFLARE_TOKEN=my_cloudflare_global_api_key' \
--env 'DEPLOY_HOOK=create-nginx-certs' \
adferrand/letsencrypt-dns
```

## Miscellaneous and testing

### Using ACME v1 servers
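Review bot: the `chown` and `chmod` at the end of the example script in this hunk sit outside the loop with the glob inside double quotes, so `"${domain}.*"` is never expanded and both commands target a literal file named `<last-domain>.*`; even unquoted, only the last value of `domain` would survive the loop. Move both calls inside the loop and name the files explicitly, e.g. `chown "$CERTS_USER_OWNER:$CERTS_GROUP_OWNER" "${domain}.crt" "${domain}.key"` and `chmod "$CERTS_FILES_MODE" "${domain}.crt" "${domain}.key"`. Since `privkey.pem` is copied with `cp` before the mode is set, the copy briefly carries the umask-derived mode in a directory that is later shared with nginx; a `umask 077` at the top of the script, or `install -m "$CERTS_FILES_MODE"` instead of `cp`, closes that window. The prose should also state that the value of `DEPLOY_HOOK` is handed to `sh -c` (see the `files/deploy-hook.sh` change in this commit), so it is a shell command string rather than a bare path, and that the mounted script has to be executable inside the container.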
4 changes: 4 additions & 0 deletions files/deploy-hook.sh
Expand Up @@ -14,3 +14,7 @@ fi
find $RENEWED_LINEAGE ${RENEWED_LINEAGE/live/archive} -type d -exec chmod "$CERTS_DIRS_MODE" {} +
find $RENEWED_LINEAGE ${RENEWED_LINEAGE/live/archive} -type f -exec chmod "$CERTS_FILES_MODE" {} +
chown -R $CERTS_USER_OWNER:$CERTS_GROUP_OWNER $RENEWED_LINEAGE ${RENEWED_LINEAGE/live/archive}

if [ ! -z "$DEPLOY_HOOK" ]; then
sh -c ${DEPLOY_HOOK}
fi
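Review bot: `sh -c ${DEPLOY_HOOK}` in the added block is unquoted, so a value containing whitespace (for example `create-nginx-certs --verbose`) is word-split before `sh -c` sees it: only the first word becomes the command string and the remaining words become `$0`, `$1`, ... of the child shell, which silently drops the arguments the README example implies are supported. Quote it as `sh -c "${DEPLOY_HOOK}"`. `[ -n "$DEPLOY_HOOK" ]` is the idiomatic form of `[ ! -z "$DEPLOY_HOOK" ]`. It is also worth a comment on whether a failing hook should fail the deploy: right now its exit status propagates only because the `if` is the last statement in the file, so anything appended after `fi` later would mask a hook failure.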

0 comments on commit 7e32948
