author | Jakob Odersky <jakob@odersky.com> | 2018-01-12 15:35:13 -0800 |
---|---|---|
committer | Jakob Odersky <jakob@odersky.com> | 2018-01-12 15:35:13 -0800 |
commit | 6995d11ce06ac3ba6ab0fabafd7b0f5b7be8459b (patch) | |
tree | 3573b3ec83b088e94714306f653075a74d44575d | |
parent | d11c1c4b8d1cda2b4f3546f76e1832bc09492a48 (diff) | |
download | nginx-letsencrypt-6995d11ce06ac3ba6ab0fabafd7b0f5b7be8459b.tar.gz nginx-letsencrypt-6995d11ce06ac3ba6ab0fabafd7b0f5b7be8459b.tar.bz2 nginx-letsencrypt-6995d11ce06ac3ba6ab0fabafd7b0f5b7be8459b.zip |
Make script more robust
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | debian/control | 2 | ||||
-rwxr-xr-x | nginx-letsencrypt | 41 |
3 files changed, 32 insertions, 13 deletions
@@ -26,7 +26,7 @@ environment:
 - webroot: does not require a server shutdown and offers isolation, however it requires manual intervention to bootstrap a system with an initial certificate, since nginx will not start if the `ssl`
- directive is set and there are no certificates. (Therefore one
+ directive is set and there are no certificates. (Therefore, one
 would be required to first configure the webroot, run certbot and then add an ssl entry).
diff --git a/debian/control b/debian/control
index 7079043..05e7178 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Vcs-Git: https://github.com/jodersky/nginx-letsencrypt.git
 Package: nginx-letsencrypt
 Architecture: all
-Depends: nginx, letsencrypt, ssl-cert, ${misc:Depends}
+Depends: nginx, letsencrypt, openssl, ssl-cert, ${misc:Depends}
 Description: Issue certificates by letsencrypt for nginx virtual hosts.
 Simplify the process by which letsencrypt certificates are issued for virtual hosts controlled by nginx.
diff --git a/nginx-letsencrypt b/nginx-letsencrypt
index 9c598ff..cb929c9 100755
--- a/nginx-letsencrypt
+++ b/nginx-letsencrypt
@@ -10,9 +10,8 @@
 # without ssl certificates). The hook is required because certbot does
 # not overwrite foreign certificates, as described in this issue
 # https://github.com/certbot/certbot/issues/3396
-set -o exiterr
+set -o errexit
-# TODO: make email configurable
 email="jakob@odersky.com"
 extra_flags=()
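Review bot: The `# TODO: make email configurable` comment is removed while `email="jakob@odersky.com"` two lines below stays hard-coded, so the open item loses its marker without being resolved. Either keep the comment or make the address overridable from the environment, for example `email="${LETSENCRYPT_EMAIL:-jakob@odersky.com}"` (variable name is a suggestion). This is top-level script code, so the surrounding statements run past both ends of the hunk.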
@@ -21,15 +20,34 @@ if [ "$1" = --test ]; then
 fi
 sites_enabled=($(
- find /etc/nginx/sites-enabled/ \
- -not -type d -exec \
- grep -q -e '^[[:space:]]*[^#][[:space:]]*include letsencrypt' {} \; \
- -print))
-host_lines=$(sed -n \
- 's/^[[:space:]]*[^#][[:space:]]*server_name \([^_].*\);/\1/p' \
- "${sites_enabled[@]}")
-hosts=$(echo "${host_lines[@]}" | tr "[:space:]" ",")
+ find /etc/nginx/sites-enabled/ \
+ -not -type d \
+ -exec grep -q -e '^[^#]*include letsencrypt' {} \; \
+ -print))
+if [[ ${#sites_enabled[@]} -eq 0 ]]; then
+ # no sites use ssl, exit immediately
+ exit 0
+fi
+
+host_lines=($(sed --quiet \
+ 's/^[^#]*server_name \([^_].*\);/\1/p' \
+ "${sites_enabled[@]}"))
+hosts=$(echo -n "${host_lines[@]}" | tr "[:space:]" ",")
+
+function cleanup() {
+ mkdir --parents /etc/letsencrypt/live/nginx
+ cp --no-clobber \
+ /etc/ssl/private/ssl-cert-snakeoil.key \
+ /etc/letsencrypt/live/nginx/privkey.pem
+ cp --no-clobber \
+ /etc/ssl/certs/ssl-cert-snakeoil.pem \
+ /etc/letsencrypt/live/nginx/fullchain.pem
+ service nginx reload
+}
+trap cleanup ERR
+
+mkdir --parents /var/www/letsencrypt
 certbot certonly "${extra_flags[@]}" \
 --noninteractive \
 --agree-tos \
@@ -37,5 +55,6 @@ certbot certonly "${extra_flags[@]}" \
 --cert-name nginx \
 --webroot --webroot-path /var/www/letsencrypt \
 --pre-hook "sh -c '(openssl x509 -in /etc/letsencrypt/live/nginx/fullchain.pem -noout -text) | grep --quiet letsencrypt || rm -r /etc/letsencrypt/live/nginx'" \
- --post-hook "systemctl reload nginx" \
 -d "$hosts"
+
+service nginx reload |
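Review bot: `hosts` can still be empty after the new early exit: the `sites_enabled` guard only proves that some site includes letsencrypt, but if none of those files has a `server_name` line matching the sed pattern (which deliberately skips `server_name _;` via `[^_]`), `host_lines` is empty and certbot is invoked with `-d ""`, which it will presumably reject — and because `trap cleanup ERR` is already armed, that rejection installs the snakeoil pair and reloads nginx. Add a second guard right after the `hosts=` line, e.g. `if [[ -z "$hosts" ]]; then echo "no server_name found in: ${sites_enabled[*]}" >&2; exit 1; fi` (or `exit 0` if a silent no-op is preferred). Note also that the trap is set before `mkdir --parents /var/www/letsencrypt`, so any failing command from that point on, not only a certbot failure, triggers the fallback; a comment above `trap cleanup ERR` such as `# on any failure below, fall back to the snakeoil key/cert so nginx can still start` would make that intent explicit. The `sites_enabled=($(` assignment this hunk edits begins on its first lines but the certbot invocation it feeds continues past the hunk.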
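Review bot: Moving the reload out of `--post-hook "systemctl reload nginx"` into an unconditional `service nginx reload` after the certbot call means nginx is now reloaded on every successful run, including runs where certbot leaves the existing certificate untouched (the hook ran after every attempt too, so this is the same frequency, just no longer tied to certbot). If the goal is to reload only when a certificate was actually issued or renewed, `--deploy-hook "service nginx reload"` on the certbot command line does that and keeps the same `service` form the new `cleanup` function uses; if an unconditional reload is intended, a one-line comment above it saying so would stop the next reader from moving it back. The `certbot certonly` command this hunk ends starts in the previous hunk.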