From 2e377986cfccdbb04ea05216e98dd90e16ae499d Mon Sep 17 00:00:00 2001 From: Arnaud Schaeffer Date: Mon, 15 Mar 2021 09:40:37 +0100 Subject: [PATCH] WIP --- Dockerfile | 2 ++ app/cleanup_test_artifacts | 4 ++-- app/entrypoint.sh | 32 ++++++++++++++++---------------- app/functions.sh | 6 +++--- app/letsencrypt_service | 18 +++++++++--------- install_acme.sh | 5 ++++- 6 files changed, 36 insertions(+), 31 deletions(-) diff --git a/Dockerfile b/Dockerfile index 19bc8f6a..46ecbd7b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -26,6 +26,8 @@ LABEL maintainer="Nicolas Duchon (@buchdag)" ARG GIT_DESCRIBE ARG ACMESH_VERSION=2.8.8 +ARG ACMESH_PATH=/home/acme.sh + ENV COMPANION_VERSION=$GIT_DESCRIBE \ DOCKER_HOST=unix:///var/run/docker.sock \ PATH=$PATH:/app diff --git a/app/cleanup_test_artifacts b/app/cleanup_test_artifacts index 801021e1..4991688d 100755 --- a/app/cleanup_test_artifacts +++ b/app/cleanup_test_artifacts @@ -31,9 +31,9 @@ done for domain in le1.wtf le2.wtf le3.wtf le4.wtf lim.it; do folder="/etc/nginx/certs/$domain" [[ -d "$folder" ]] && rm -rf "$folder" - folder="/etc/acme.sh/default/$domain" + folder="${ACMESH_PATH}/default/$domain" [[ -d "$folder" ]] && rm -rf "$folder" - folder="/etc/acme.sh/default/${domain}_ecc" + folder="${ACMESH_PATH}/default/${domain}_ecc" [[ -d "$folder" ]] && rm -rf "$folder" location_file="/etc/nginx/vhost.d/$domain" [[ -f "$location_file" ]] && rm -rf "$location_file" 2> /dev/null diff --git a/app/entrypoint.sh b/app/entrypoint.sh index 2d94a8ae..bb742f7f 100755 --- a/app/entrypoint.sh +++ b/app/entrypoint.sh 
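Review bot: `ARG ACMESH_PATH=/home/acme.sh` is a build-time value only, so unless it is also exported with `ENV` (the visible `ENV` block lists `COMPANION_VERSION`, `DOCKER_HOST` and `PATH` but not it, though the statement may continue past the hunk) `${ACMESH_PATH}` is empty in every runtime script this patch makes depend on it, and their paths collapse to `/default/...`. Add it to the environment next to `DOCKER_HOST`, e.g. `ACMESH_PATH=$ACMESH_PATH \` inside the existing `ENV`, which keeps the `ARG` usable by `install_acme.sh` at build time as well. A one-line comment on the `ARG` such as `# also exported via ENV below: the runtime scripts read it` would stop the next person from dropping one of the two.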
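Review bot: The two new `rm -rf "$folder"` targets are built from `${ACMESH_PATH}` with no guard against it being unset or empty, in which case the script removes `/default/<domain>` and `/default/<domain>_ecc` instead of the intended test artifacts. Use the abort-on-empty expansion in both assignments: `folder="${ACMESH_PATH:?ACMESH_PATH must be set}/default/$domain"` and `folder="${ACMESH_PATH:?ACMESH_PATH must be set}/default/${domain}_ecc"`. The `for domain in ...` loop body continues past the hunk.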
@@ -24,18 +24,18 @@ function check_docker_socket { function check_writable_directory { local dir="$1" - if [[ $(get_self_cid) ]]; then - if ! docker_api "/containers/$(get_self_cid)/json" | jq ".Mounts[].Destination" | grep -q "^\"$dir\"$"; then - echo "Warning: '$dir' does not appear to be a mounted volume." - fi - else - echo "Warning: can't check if '$dir' is a mounted volume without self container ID." - fi - if [[ ! -d "$dir" ]]; then - echo "Error: can't access to '$dir' directory !" >&2 - echo "Check that '$dir' directory is declared as a writable volume." >&2 - exit 1 - fi +# if [[ $(get_self_cid) ]]; then +# if ! docker_api "/containers/$(get_self_cid)/json" | jq ".Mounts[].Destination" | grep -q "^\"$dir\"$"; then +# echo "Warning: '$dir' does not appear to be a mounted volume." +# fi +# else +# echo "Warning: can't check if '$dir' is a mounted volume without self container ID." +# fi +# if [[ ! -d "$dir" ]]; then +# echo "Error: can't access to '$dir' directory !" >&2 +# echo "Check that '$dir' directory is declared as a writable volume." >&2 +# exit 1 +# fi if ! touch "$dir/.check_writable" 2>/dev/null ; then echo "Error: can't write to the '$dir' directory !" >&2 echo "Check that '$dir' directory is export as a writable volume." >&2 @@ -135,9 +135,9 @@ function check_default_cert_key { function check_default_account { # The default account is now for empty account email - if [[ -f /etc/acme.sh/default/account.conf ]]; then - if grep -q ACCOUNT_EMAIL /etc/acme.sh/default/account.conf; then - sed -i '/ACCOUNT_EMAIL/d' /etc/acme.sh/default/account.conf + if [[ -f "${ACMESH_PATH}/default/account.conf" ]]; then + if grep -q ACCOUNT_EMAIL "${ACMESH_PATH}/default/account.conf"; then + sed -i '/ACCOUNT_EMAIL/d' "${ACMESH_PATH}/default/account.conf" fi fi } 
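Review bot: Commenting out the `[[ ! -d "$dir" ]]` branch removes the only guard that catches an empty `$dir`: with `dir=""` the remaining probe becomes `touch "/.check_writable"`, which succeeds for a root process, so a misconfigured or unset path now passes the check, and the warning that the directory is not a mounted volume (i.e. that certificates and ACME account state will not survive container re-creation) disappears with it. If the container-inspection probe is unwanted, delete it rather than leave a 12-line commented block, but keep the existence check and reject empty input up front: `[[ -n "$dir" ]] || { echo "Error: check_writable_directory called with an empty path" >&2; exit 1; }`. The rest of `check_writable_directory` (the `exit 1`/`fi` after the touch failure and whatever follows) lies outside the hunk.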
@@ -161,7 +161,7 @@ if [[ "$*" == "/bin/bash /app/start.sh" ]]; then fi check_writable_directory '/etc/nginx/certs' check_writable_directory '/etc/nginx/vhost.d' - check_writable_directory '/etc/acme.sh' + check_writable_directory "${ACMESH_PATH}" check_writable_directory '/usr/share/nginx/html' [[ -f /app/letsencrypt_user_data ]] && check_writable_directory '/etc/nginx/conf.d' check_default_cert_key diff --git a/app/functions.sh b/app/functions.sh index 836c16c0..39fd0d40 100644 --- a/app/functions.sh +++ b/app/functions.sh @@ -203,9 +203,9 @@ function docker_api { scheme='http://localhost' else scheme="${LE_DOCKER_HOST}" - curl_opts+=(--cacert /home/ubuntu/.docker/ca.pem) - curl_opts+=(--key /home/ubuntu/.docker/key.pem) - curl_opts+=( --cert /home/ubuntu/.docker/cert.pem) + curl_opts+=(--cacert '/home/ubuntu/.docker/ca.pem') + curl_opts+=(--key '/home/ubuntu/.docker/key.pem') + curl_opts+=( --cert '/home/ubuntu/.docker/cert.pem') fi [[ $method = "POST" ]] && curl_opts+=(-H 'Content-Type: application/json') echo "${curl_opts[@]}" -X "${method}" "${scheme}$1" diff --git a/app/letsencrypt_service b/app/letsencrypt_service index bd53cc06..b94ca3ae 100755 --- a/app/letsencrypt_service +++ b/app/letsencrypt_service @@ -177,10 +177,10 @@ function update_cert { fi if [[ -n "${accountemail// }" ]]; then # If we got an email, use it with the corresponding config home - config_home="/etc/acme.sh/$accountemail" + config_home="${ACMESH_PATH}/$accountemail" else # If we did not get any email at all, use the default (empty mail) config - config_home="/etc/acme.sh/default" + config_home="${ACMESH_PATH}/default" fi local -n acme_ca_uri="ACME_${cid}_CA_URI" @@ -207,7 +207,7 @@ function update_cert { # Unset accountemail # force config dir to 'staging' unset accountemail - config_home="/etc/acme.sh/staging" + config_home="${ACMESH_PATH}/staging" # Prefix test certificate directory with _test_ certificate_dir="/etc/nginx/certs/_test_$base_domain" else 
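Review bot: `check_writable_directory "${ACMESH_PATH}"` assumes `ACMESH_PATH` reaches the container environment; if it does not, the argument is the empty string and, since the function now only probes with `touch`, the check passes while `account.conf` and the per-account config homes later land directly under `/`. Fail fast before the call with `: "${ACMESH_PATH:?ACMESH_PATH must be set (see Dockerfile)}"`, which costs one line and turns a silent mis-placement of ACME account material into an immediate error. The surrounding `if [[ "$*" == "/bin/bash /app/start.sh" ]]` block starts before and ends after the hunk.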
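Review bot: The TLS client material used for a remote `LE_DOCKER_HOST` is still hard-coded to `/home/ubuntu/.docker/{ca,key,cert}.pem`, a host user's home directory that will not exist inside the image; this hunk only adds quotes around those literals. Read the location from the Docker-standard `DOCKER_CERT_PATH` with a fallback, e.g. `local cert_dir="${DOCKER_CERT_PATH:-/home/ubuntu/.docker}"` followed by `curl_opts+=(--cacert "$cert_dir/ca.pem" --key "$cert_dir/key.pem" --cert "$cert_dir/cert.pem")`, and add a comment that `key.pem` is a private key so the directory should be mounted read-only. The context line `echo "${curl_opts[@]}" -X "${method}" "${scheme}$1"` appears to print the request rather than issue it, which looks like leftover debugging in this WIP branch; `docker_api` begins before the hunk.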
@@ -277,13 +277,13 @@ function update_cert { # Account registration and update if required if [[ ! -f "$account_file" ]]; then params_register_arr=("${params_base_arr[@]}" "${params_register_arr[@]}") - [[ "$DEBUG" == 1 ]] && echo "Calling acme.sh --register-account with the following parameters : ${params_register_arr[*]}" - acme.sh --register-account "${params_register_arr[@]}" + [[ "$DEBUG" == 1 ]] && echo "Calling ${ACMESH_PATH}/acme.sh --register-account with the following parameters : ${params_register_arr[*]}" + . ${ACMESH_PATH}/acme.sh --register-account "${params_register_arr[@]}" fi if [[ -n "${accountemail// }" ]] && ! grep -q "mailto:$accountemail" "$account_file"; then local -a params_update_arr=("${params_base_arr[@]}" --accountemail "$accountemail") - [[ "$DEBUG" == 1 ]] && echo "Calling acme.sh --update-account with the following parameters : ${params_update_arr[*]}" - acme.sh --update-account "${params_update_arr[@]}" + [[ "$DEBUG" == 1 ]] && echo "Calling ${ACMESH_PATH}/acme.sh --update-account with the following parameters : ${params_update_arr[*]}" + . ${ACMESH_PATH}/acme.sh --update-account "${params_update_arr[@]}" fi # If we still don't have an account.json file by this point, we've got an issue @@ -314,9 +314,9 @@ function update_cert { done params_issue_arr=("${params_base_arr[@]}" "${params_issue_arr[@]}") - [[ "$DEBUG" == 1 ]] && echo "Calling acme.sh --issue with the following parameters : ${params_issue_arr[*]}" + [[ "$DEBUG" == 1 ]] && echo "Calling ${ACMESH_PATH}/acme.sh --issue with the following parameters : ${params_issue_arr[*]}" echo "Creating/renewal $base_domain certificates... (${hosts_array[*]})" - acme.sh --issue "${params_issue_arr[@]}" + . ${ACMESH_PATH}/acme.sh --issue "${params_issue_arr[@]}" local acmesh_return=$? diff --git a/install_acme.sh b/install_acme.sh index 89276abb..825ca363 100755 --- a/install_acme.sh +++ b/install_acme.sh 
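Review bot: `. ${ACMESH_PATH}/acme.sh --register-account ...` sources acme.sh into the `letsencrypt_service` shell instead of executing it, so every function and global acme.sh defines is loaded over this script's own namespace and any `exit` inside acme.sh terminates the service rather than the single call; the same applies to the `--update-account` and `--issue` lines, where `local acmesh_return=$?` then reads the status of the sourced run. The path is also unquoted (`${ACMESH_PATH}` rather than `"${ACMESH_PATH}"`). Run it as a command instead: `"${ACMESH_PATH}/acme.sh" --register-account "${params_register_arr[@]}"`, and likewise for the other two calls. Note that `install_acme.sh` in this same patch still installs with `--home /app`, so the script itself appears to live at `/app/acme.sh` while `${ACMESH_PATH}` only holds the config homes; unless the WIP copies it there, this path will not resolve. `update_cert` begins before and continues after the hunk.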
@@ -13,12 +13,15 @@ if [[ "$ACMESH_VERSION" != "master" ]]; then git -c advice.detachedHead=false checkout "$ACMESH_VERSION" fi + +mkdir "${ACMESH_PATH}" + # Install acme.sh in /app ./acme.sh --install \ --nocron \ --auto-upgrade 0 \ --home /app \ - --config-home /etc/acme.sh/default + --config-home "${ACMESH_PATH}/default" # Make house cleaning cd /
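Review bot: `mkdir "${ACMESH_PATH}"` uses neither `-p` nor an explicit mode: the build fails if the directory already exists or its parent is missing, and the directory that will hold `account.conf` (and, presumably, the ACME account key acme.sh writes next to it) is created with whatever the build umask gives. Prefer `mkdir -p -m 0700 "${ACMESH_PATH}"`; if the path is later exposed as a volume the mount point's mode wins anyway, so this is cheap hardening for the non-volume case. Since `--home /app` is unchanged, only the config home moves under `${ACMESH_PATH}` while the script stays in `/app`, which deserves a comment on the new line, e.g. `# acme.sh itself stays in /app; ACMESH_PATH only holds per-account config homes`.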