authorJakob Odersky <jakob@odersky.com>2018-01-12 15:35:13 -0800
committerJakob Odersky <jakob@odersky.com>2018-01-12 15:35:13 -0800
commit6995d11ce06ac3ba6ab0fabafd7b0f5b7be8459b (patch)
tree3573b3ec83b088e94714306f653075a74d44575d
parentd11c1c4b8d1cda2b4f3546f76e1832bc09492a48 (diff)
Make script more robust
-rw-r--r--README.md2
-rw-r--r--debian/control2
-rwxr-xr-xnginx-letsencrypt41
3 files changed, 32 insertions, 13 deletions
diff --git a/README.md b/README.md
index 7ef3cea..8891655 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@ environment:
- webroot: does not require a server shutdown and offers isolation,
however it requires manual intervention to bootstrap a system with
an initial certificate, since nginx will not start if the `ssl`
- directive is set and there are no certificates. (Therefore one
+ directive is set and there are no certificates. (Therefore, one
would be required to first configure the webroot, run certbot and
then add an ssl entry).
diff --git a/debian/control b/debian/control
index 7079043..05e7178 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Vcs-Git: https://github.com/jodersky/nginx-letsencrypt.git
Package: nginx-letsencrypt
Architecture: all
-Depends: nginx, letsencrypt, ssl-cert, ${misc:Depends}
+Depends: nginx, letsencrypt, openssl, ssl-cert, ${misc:Depends}
Description: Issue certificates by letsencrypt for nginx virtual hosts.
Simplify the process by which letsencrypt certificates are issued for virtual
hosts controlled by nginx.
diff --git a/nginx-letsencrypt b/nginx-letsencrypt
index 9c598ff..cb929c9 100755
--- a/nginx-letsencrypt
+++ b/nginx-letsencrypt
@@ -10,9 +10,8 @@
# without ssl certificates). The hook is required because certbot does
# not overwrite foreign certificates, as described in this issue
# https://github.com/certbot/certbot/issues/3396
-set -o exiterr
+set -o errexit
-# TODO: make email configurable
email="jakob@odersky.com"
extra_flags=()
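Review bot: Dropping the `# TODO: make email configurable` line leaves `email` hard-coded to a personal address with no indication of what it is for or that it is meant to be replaced; since the item is no longer tracked, either keep a comment such as `# Contact address for the ACME account (hard-coded for now)` or take it from the environment with this value as the fallback, e.g. `email="${NGINX_LETSENCRYPT_EMAIL:-jakob@odersky.com}"` (variable name chosen here). Where `email` is consumed is outside this hunk, presumably the certbot call further down. Note that `set -o exiterr` was an invalid option name, so the script previously ran without errexit at all; with `set -o errexit` now in effect every failing command aborts the run, which is what makes the ERR trap added later in this commit load-bearing.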
@@ -21,15 +20,34 @@ if [ "$1" = --test ]; then
fi
sites_enabled=($(
- find /etc/nginx/sites-enabled/ \
- -not -type d -exec \
- grep -q -e '^[[:space:]]*[^#][[:space:]]*include letsencrypt' {} \; \
- -print))
-host_lines=$(sed -n \
- 's/^[[:space:]]*[^#][[:space:]]*server_name \([^_].*\);/\1/p' \
- "${sites_enabled[@]}")
-hosts=$(echo "${host_lines[@]}" | tr "[:space:]" ",")
+ find /etc/nginx/sites-enabled/ \
+ -not -type d \
+ -exec grep -q -e '^[^#]*include letsencrypt' {} \; \
+ -print))
+if [[ ${#sites_enabled[@]} -eq 0 ]]; then
+ # no sites use ssl, exit immediately
+ exit 0
+fi
+
+host_lines=($(sed --quiet \
+ 's/^[^#]*server_name \([^_].*\);/\1/p' \
+ "${sites_enabled[@]}"))
+hosts=$(echo -n "${host_lines[@]}" | tr "[:space:]" ",")
+
+function cleanup() {
+ mkdir --parents /etc/letsencrypt/live/nginx
+ cp --no-clobber \
+ /etc/ssl/private/ssl-cert-snakeoil.key \
+ /etc/letsencrypt/live/nginx/privkey.pem
+ cp --no-clobber \
+ /etc/ssl/certs/ssl-cert-snakeoil.pem \
+ /etc/letsencrypt/live/nginx/fullchain.pem
+ service nginx reload
+}
+trap cleanup ERR
+
+mkdir --parents /var/www/letsencrypt
certbot certonly "${extra_flags[@]}" \
--noninteractive \
--agree-tos \
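Review bot: The `cleanup` trap at lines 81–91 restores the snakeoil key pair and reloads nginx but prints nothing about why it fired, so a failed run under errexit leaves an operator with a self-signed certificate in `/etc/letsencrypt/live/nginx` and no explanation beyond whatever the failing command wrote; add `echo "nginx-letsencrypt: a command failed, restoring self-signed certificate to /etc/letsencrypt/live/nginx" >&2` as the first line of `cleanup`. The trap runs for any failing command after line 91, not only certbot — the `mkdir` at line 93 included — so the message should not name certbot. Because the copies use `cp --no-clobber`, whatever already exists in the directory is kept and nginx is reloaded against it; if certbot can leave a partial `fullchain.pem` there that is presumably acceptable, but a one-line comment stating the assumption would help. The certbot invocation that follows continues outside this hunk.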
@@ -37,5 +55,6 @@ certbot certonly "${extra_flags[@]}" \
--cert-name nginx \
--webroot --webroot-path /var/www/letsencrypt \
--pre-hook "sh -c '(openssl x509 -in /etc/letsencrypt/live/nginx/fullchain.pem -noout -text) | grep --quiet letsencrypt || rm -r /etc/letsencrypt/live/nginx'" \
- --post-hook "systemctl reload nginx" \
-d "$hosts"
+
+service nginx reload
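Review bot: The unconditional `service nginx reload` at line 104, which replaces the removed `--post-hook`, also runs when certbot exits 0 without issuing anything (certificate not yet due), so every invocation reloads nginx. That is presumably harmless, but if a reload only on change was intended, certbot's `--deploy-hook` runs only after a certificate was actually obtained, whereas a post-hook or a trailing command runs on every attempt. The reload also executes with the `trap cleanup ERR` from line 91 still armed, so a failed reload triggers `cleanup`, which reloads again; a brief comment above line 104 noting that this is the success-path reload and that the trap covers the failure path would make the two paths easier to follow.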