From 649e390472a767a814795b6eb3a4db9166211e55 Mon Sep 17 00:00:00 2001
From: Jakob Odersky
Date: Sat, 13 Jan 2018 16:35:29 -0800
Subject: Move certificate check and copy to script

---
 debian/nginx-letsencrypt.1 | 2 +-
 debian/postinst | 8 +------
 nginx-letsencrypt | 57 +++++++++++++++++++++++++++++++++++-----------
 3 files changed, 46 insertions(+), 21 deletions(-)

diff --git a/debian/nginx-letsencrypt.1 b/debian/nginx-letsencrypt.1
index e1bdc66..603c252 100644
--- a/debian/nginx-letsencrypt.1
+++ b/debian/nginx-letsencrypt.1
@@ -21,7 +21,7 @@ nginx-letsencrypt \- certificates for virtual hosts managed by nginx
 .SH SYNOPSIS
 .B nginx-letsencrypt
-.RI [ --test ]
+.RI [ -n|--test ]
 .SH DESCRIPTION
 Issue certificates from letsencrypt for virtual hosts managed by nginx.
 .SH OPTIONS
diff --git a/debian/postinst b/debian/postinst
index ddd30dc..8f003ea 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -20,13 +20,7 @@ set -e
 case "$1" in
 configure)
- if [ ! -e /etc/letsencrypt/live/nginx/fullchain.pem ]; then
- mkdir -p /etc/letsencrypt/live/nginx
- cp /etc/ssl/certs/ssl-cert-snakeoil.pem \
- /etc/letsencrypt/live/nginx/fullchain.pem
- cp /etc/ssl/private/ssl-cert-snakeoil.key \
- /etc/letsencrypt/live/nginx/privkey.pem
- fi
+ nginx-letsencrypt
 ;;
 abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/nginx-letsencrypt b/nginx-letsencrypt
index 4bbb88d..a3f05a2 100755
--- a/nginx-letsencrypt
+++ b/nginx-letsencrypt
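Review bot: The `configure` branch now runs `nginx-letsencrypt` under postinst's `set -e`, and that script (per the nginx-letsencrypt hunks below) calls `certbot certonly` against the ACME CA with `set -o errexit`, so a network or domain-validation failure during package configuration now fails the whole `dpkg --configure` step, where the previous inline copy needed no network at all. The script's ERR trap still leaves snakeoil certificates in place, so nginx can start; it is the package configuration itself that breaks. If that is not intended, make the call non-fatal and report it: `nginx-letsencrypt || echo "nginx-letsencrypt: certificate issuance failed, snakeoil certificate left in place" >&2`. Note also that the script exits before `ensure_certificate` when no enabled site uses letsencrypt, so unlike the removed code it no longer bootstraps the snakeoil files in that case; that seems acceptable only if nothing else references those paths.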
@@ -4,19 +4,34 @@
 #
 # A certificate will be issued for all server names defined in server
 # blocks that contain 'include letsencrypt'.
-#
-# The pre-hook is used to remove snakeoil certificates that are
-# required to bootstrap nginx configurations (nginx fails to start
-# without ssl certificates). The hook is required because certbot does
-# not overwrite foreign certificates, as described in this issue
-# https://github.com/certbot/certbot/issues/3396
 set -o errexit
+opts=$(getopt -o hn --long help,test -n 'nginx-letsencrypt' -- "$@")
+eval set --"$opts"
+
 extra_flags=()
-if [ "$1" = --test ]; then
- extra_flags+=("--test-cert")
-fi
+while true; do
+ case "$1" in
+ -h|--help)
+ shift
+ echo "Usage: $0 [-n|--test]"
+ exit 0
+ ;;
+ -n|--test)
+ shift
+ extra_flags+=("--test-cert")
+ ;;
+ --)
+ shift;
+ break
+ ;;
+ *) echo "Internal error!"
+ exit 1
+ ;;
+ esac
+done
+# Any site configuration files that use letsencrypt
 sites_enabled=($(
 find /etc/nginx/sites-enabled/ \
 -not -type d \
@@ -28,12 +43,15 @@ if [[ ${#sites_enabled[@]} -eq 0 ]]; then
 exit 0
 fi
+# Extract server names from enabled sites
 host_lines=($(sed --quiet \
 's/^[^#]*server_name \([^_].*\);/\1/p' \
 "${sites_enabled[@]}"))
 hosts=$(echo -n "${host_lines[@]}" | tr "[:space:]" ",")
-function cleanup() {
+# Make sure that *any* certificate exists so that nginx can start. If
+# a certificate or key is missing, copy snakeoil certificates instead.
+function ensure_certificate() {
 mkdir --parents /etc/letsencrypt/live/nginx
 cp --no-clobber \
 /etc/ssl/private/ssl-cert-snakeoil.key \
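Review bot: `eval set --"$opts"` in the new option parsing is missing the space between `--` and the quoted getopt output, so the shell first builds a single word `-- -n --` and only `eval` re-splitting that word makes it work; the conventional and intended form is `eval set -- "$opts"`. getopt's output is quoted for exactly this `eval`, so keep the quotes and the space together. A rejected flag is currently handled only by `set -o errexit` aborting on the `opts=$(getopt ...)` assignment, which prints getopt's own message but never the usage line; `opts=$(getopt -o hn --long help,test -n 'nginx-letsencrypt' -- "$@") || { echo "Usage: $0 [-n|--test]" >&2; exit 1; }` makes that path explicit and keeps the two messages consistent.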
@@ -43,7 +61,21 @@ function cleanup() {
 /etc/letsencrypt/live/nginx/fullchain.pem
 service nginx reload
 }
-trap cleanup ERR
+# Ensure that a certificate exists if this script is encounters an
+# error.
+trap ensure_certificate ERR
+
+# Issue letsencrypt certificates. Snakeoil certificates that are
+# required to bootstrap nginx configurations (nginx fails to start
+# without ssl certificates) are removed. The explicit removal is
+# required because certbot does not overwrite foreign certificates, as
+# described in this issue
+# https://github.com/certbot/certbot/issues/3396
+ensure_certificate
+if ! (openssl x509 -in /etc/letsencrypt/live/nginx/fullchain.pem -noout -text \
+ | grep --quiet letsencrypt); then
+ rm -r /etc/letsencrypt/live/nginx
+fi
 mkdir --parents /var/www/letsencrypt
 certbot certonly "${extra_flags[@]}" \
@@ -51,7 +83,6 @@ certbot certonly "${extra_flags[@]}" \
 --agree-tos \
 --cert-name nginx \
 --webroot --webroot-path /var/www/letsencrypt \
- --pre-hook "sh -c '(openssl x509 -in /etc/letsencrypt/live/nginx/fullchain.pem -noout -text) | grep --quiet letsencrypt || rm -r /etc/letsencrypt/live/nginx'" \
 -d "$hosts"
-service nginx reload
+ensure_certificate
-- 
cgit v1.2.3
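Review bot: The test that decides whether to `rm -r /etc/letsencrypt/live/nginx` is a case-sensitive substring search for `letsencrypt` over the whole `openssl x509 -text` dump, carried over unchanged from the removed `--pre-hook`; it recognises a Let's Encrypt certificate only through strings that happen to appear in its extensions, not through the issuer. A snakeoil or other foreign certificate whose subject or SAN contains that word would therefore be kept, and certbot, which per the comment in this hunk does not overwrite foreign certificates, could not replace it; conversely, any change in those extension strings would make every run delete a valid lineage and re-issue, which counts against rate limits. Matching the issuer is more precise, e.g. `if ! openssl x509 -in /etc/letsencrypt/live/nginx/fullchain.pem -noout -issuer | grep --quiet "Let's Encrypt"; then`. Note that `ensure_certificate`, whose closing `}` is context here, starts in the previous hunk, and the new comment reads `if this script is encounters an error` (drop `is`).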