authorJakob Odersky <jakob@odersky.com>2018-01-13 16:35:29 -0800
committerJakob Odersky <jakob@odersky.com>2018-01-13 16:35:29 -0800
commit649e390472a767a814795b6eb3a4db9166211e55 (patch)
tree4b3d07e326fe59df6e4fdcec0c2885fb51eb34be
parentc3a14bb70c9571c411a26d900b1d3883a65fcaa6 (diff)
Move certificate check and copy to script
-rw-r--r--debian/nginx-letsencrypt.12
-rw-r--r--debian/postinst8
-rwxr-xr-xnginx-letsencrypt57
3 files changed, 46 insertions, 21 deletions
diff --git a/debian/nginx-letsencrypt.1 b/debian/nginx-letsencrypt.1
index e1bdc66..603c252 100644
--- a/debian/nginx-letsencrypt.1
+++ b/debian/nginx-letsencrypt.1
@@ -21,7 +21,7 @@
nginx-letsencrypt \- certificates for virtual hosts managed by nginx
.SH SYNOPSIS
.B nginx-letsencrypt
-.RI [ --test ]
+.RI [ -n|--test ]
.SH DESCRIPTION
Issue certificates from letsencrypt for virtual hosts managed by nginx.
.SH OPTIONS
diff --git a/debian/postinst b/debian/postinst
index ddd30dc..8f003ea 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -20,13 +20,7 @@ set -e
case "$1" in
configure)
- if [ ! -e /etc/letsencrypt/live/nginx/fullchain.pem ]; then
- mkdir -p /etc/letsencrypt/live/nginx
- cp /etc/ssl/certs/ssl-cert-snakeoil.pem \
- /etc/letsencrypt/live/nginx/fullchain.pem
- cp /etc/ssl/private/ssl-cert-snakeoil.key \
- /etc/letsencrypt/live/nginx/privkey.pem
- fi
+ nginx-letsencrypt
;;
abort-upgrade|abort-remove|abort-deconfigure)
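Review bot: Because this postinst runs under `set -e` (visible in the hunk header), the bare `nginx-letsencrypt` call on the added line makes package configuration fail whenever the script exits non-zero, which in the script changed by this same commit is what happens when certbot cannot issue — for example on a fresh install where the `server_name` hosts do not yet resolve to this machine, or with no network at install time. The body this replaces only staged the snakeoil pair and could not fail that way; the script does restore that pair in its ERR trap, so the failure leaves nginx working and only breaks dpkg. I would not abort configure on it: `nginx-letsencrypt || echo "nginx-letsencrypt: certificate issuance failed, bootstrap certificate left in place" >&2`. Note also that `configure` runs on every upgrade, so certbot is now invoked at each package upgrade; if that is intended it is worth a one-line comment here.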
diff --git a/nginx-letsencrypt b/nginx-letsencrypt
index 4bbb88d..a3f05a2 100755
--- a/nginx-letsencrypt
+++ b/nginx-letsencrypt
@@ -4,19 +4,34 @@
#
# A certificate will be issued for all server names defined in server
# blocks that contain 'include letsencrypt'.
-#
-# The pre-hook is used to remove snakeoil certificates that are
-# required to bootstrap nginx configurations (nginx fails to start
-# without ssl certificates). The hook is required because certbot does
-# not overwrite foreign certificates, as described in this issue
-# https://github.com/certbot/certbot/issues/3396
set -o errexit
+opts=$(getopt -o hn --long help,test -n 'nginx-letsencrypt' -- "$@")
+eval set --"$opts"
+
extra_flags=()
-if [ "$1" = --test ]; then
- extra_flags+=("--test-cert")
-fi
+while true; do
+ case "$1" in
+ -h|--help)
+ shift
+ echo "Usage: $0 [-n|--test]"
+ exit 0
+ ;;
+ -n|--test)
+ shift
+ extra_flags+=("--test-cert")
+ ;;
+ --)
+ shift;
+ break
+ ;;
+ *) echo "Internal error!"
+ exit 1
+ ;;
+ esac
+done
+# Any site configuration files that use letsencrypt
sites_enabled=($(
find /etc/nginx/sites-enabled/ \
-not -type d \
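Review bot: `eval set --"$opts"` on the second added line only works because util-linux getopt prints its normalized argument list with a leading space; the conventional and clearer form is `eval set -- "$opts"`. Since this line evals getopt's output, the dependency on the enhanced implementation (which shell-quotes its output and supports `--long`) should be checked rather than assumed, e.g. `if getopt -T >/dev/null 2>&1 || [ $? -ne 4 ]; then echo "enhanced getopt required" >&2; exit 1; fi` before the call. Under `set -o errexit` a bad option already aborts through the failed assignment, though the user only sees getopt's own message; the `Internal error!` branch should likewise write to stderr with `>&2`.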
@@ -28,12 +43,15 @@ if [[ ${#sites_enabled[@]} -eq 0 ]]; then
exit 0
fi
+# Extract server names from enabled sites
host_lines=($(sed --quiet \
's/^[^#]*server_name \([^_].*\);/\1/p' \
"${sites_enabled[@]}"))
hosts=$(echo -n "${host_lines[@]}" | tr "[:space:]" ",")
-function cleanup() {
+# Make sure that *any* certificate exists so that nginx can start. If
+# a certificate or key is missing, copy snakeoil certificates instead.
+function ensure_certificate() {
mkdir --parents /etc/letsencrypt/live/nginx
cp --no-clobber \
/etc/ssl/private/ssl-cert-snakeoil.key \
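Review bot: `ensure_certificate` decides per file with `cp --no-clobber`, so when only one of `privkey.pem`/`fullchain.pem` is missing the snakeoil half is copied next to a real one, and nginx will reject the mismatched key/certificate pair at the `service nginx reload` that ends this function (its body continues in the next hunk). The new comment above it says exactly this "certificate or key is missing" case is handled, so I would replace the pair as a unit instead of file by file.
```sh
function ensure_certificate() {
    local live=/etc/letsencrypt/live/nginx
    mkdir --parents "$live"
    # Replace key and chain together: a snakeoil half next to a real half
    # is a mismatched pair that nginx rejects at reload.
    if [[ ! -e "$live/privkey.pem" || ! -e "$live/fullchain.pem" ]]; then
        cp /etc/ssl/private/ssl-cert-snakeoil.key "$live/privkey.pem"
        cp /etc/ssl/certs/ssl-cert-snakeoil.pem "$live/fullchain.pem"
    fi
    service nginx reload
}
```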
@@ -43,7 +61,21 @@ function cleanup() {
/etc/letsencrypt/live/nginx/fullchain.pem
service nginx reload
}
-trap cleanup ERR
+# Ensure that a certificate exists if this script is encounters an
+# error.
+trap ensure_certificate ERR
+
+# Issue letsencrypt certificates. Snakeoil certificates that are
+# required to bootstrap nginx configurations (nginx fails to start
+# without ssl certificates) are removed. The explicit removal is
+# required because certbot does not overwrite foreign certificates, as
+# described in this issue
+# https://github.com/certbot/certbot/issues/3396
+ensure_certificate
+if ! (openssl x509 -in /etc/letsencrypt/live/nginx/fullchain.pem -noout -text \
+ | grep --quiet letsencrypt); then
+ rm -r /etc/letsencrypt/live/nginx
+fi
mkdir --parents /var/www/letsencrypt
certbot certonly "${extra_flags[@]}" \
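Review bot: The foreign-certificate test at the added `if !` line matches the substring `letsencrypt` anywhere in the full text dump, so it is decided by whatever URLs or names happen to appear in the certificate rather than by who issued it: a self-signed or other foreign certificate whose subject or SAN contains that string is kept forever and the `rm -r` never runs, while the snakeoil case it is meant to catch only works because that certificate happens not to mention it. Pinning the test to the issuer is both tighter and cheaper: `if ! openssl x509 -in /etc/letsencrypt/live/nginx/fullchain.pem -noout -issuer | grep --quiet "Let's Encrypt"; then`. A comment should also record that a `--test-cert` (staging) certificate presumably passes either check, so moving from `--test` to production relies on certbot replacing it rather than on this removal.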
@@ -51,7 +83,6 @@ certbot certonly "${extra_flags[@]}" \
--agree-tos \
--cert-name nginx \
--webroot --webroot-path /var/www/letsencrypt \
- --pre-hook "sh -c '(openssl x509 -in /etc/letsencrypt/live/nginx/fullchain.pem -noout -text) | grep --quiet letsencrypt || rm -r /etc/letsencrypt/live/nginx'" \
-d "$hosts"
-service nginx reload
+ensure_certificate