Use email-less staging conf for test certificates

2025-03-17 02:09:09 +01:00 · 2020-10-13 21:21:37 +02:00 · 2020-10-13 21:21:37 +02:00 · 195b19d221
commit 195b19d221
parent aa62af0052
3 changed files with 29 additions and 9 deletions
--- a/app/letsencrypt_service
+++ b/app/letsencrypt_service
@ -4,7 +4,7 @@
 source /app/functions.sh

 seconds_to_wait=3600
-ACME_CA_URI="${ACME_CA_URI:-https://acme-v02.api.letsencrypt.org/directory}"
+ACME_CA_URI="${ACME_CA_URI:-"https://acme-v02.api.letsencrypt.org/directory"}"
 ACME_CA_TEST_URI="https://acme-staging-v02.api.letsencrypt.org/directory"
 DEFAULT_KEY_SIZE="${DEFAULT_KEY_SIZE:-4096}"
 RENEW_PRIVATE_KEYS="$(lc "${RENEW_PRIVATE_KEYS:-true}")"
@ -160,22 +160,36 @@ function update_cert {
        # If we did not get any email at all, use the default (empty mail) config
        config_home="/etc/acme.sh/default"
    fi 
-    [[ ! -d "$config_home" ]] && mkdir -p "$config_home"

+    local acme_ca_uri_varname="LETSENCRYPT_${cid}_ACME_CA_URI"
+    local acme_ca_uri="${!acme_ca_uri_varname:-"<no value>"}"
+    if [[ "$acme_ca_uri" == "<no value>" ]]; then
+        # Use default or user provided ACME end point
+        acme_ca_uri="$ACME_CA_URI"
+    fi
+
+    # LETSENCRYPT_TEST overrides LETSENCRYPT_ACME_CA_URI
    local test_certificate_varname="LETSENCRYPT_${cid}_TEST"
-    local acme_ca_uri certificate_dir
-    if [[ $(lc "${!test_certificate_varname:-}") == true ]] || \
-        [[ "$ACME_CA_URI" == "$ACME_CA_TEST_URI" ]]; then
-        # Use staging Let's Encrypt ACME end point
+    if [[ $(lc "${!test_certificate_varname:-}") == true ]]; then
+        # Use Let's Encrypt ACME V2 staging end point
        acme_ca_uri="$ACME_CA_TEST_URI"
+    fi
+
+    local certificate_dir
+    # If we're going to use one of LE stating endpoints ...
+    if [[ "$acme_ca_uri" =~ ^https://acme-staging.* ]]; then
+        # Unset accountemail
+        # force config dir to 'staging'
+        unset accountemail
+        config_home="/etc/acme.sh/staging"
        # Prefix test certificate directory with _test_
        certificate_dir="/etc/nginx/certs/_test_$base_domain"
    else
-        # Use default or user provided ACME end point
-        acme_ca_uri="$ACME_CA_URI"
        certificate_dir="/etc/nginx/certs/$base_domain"
    fi

+    [[ ! -d "$config_home" ]] && mkdir -p "$config_home"
+
    [[ "$DEBUG" == 1 ]] && params_d_arr+=("--debug")
    [[ "$RENEW_PRIVATE_KEYS" == true ]] && params_d_arr+=("--always-force-new-domain-key")
    [[ "${2:-}" == "--force-renew" ]] && params_d_arr+=("--force")
--- a/app/letsencrypt_service_data.tmpl
+++ b/app/letsencrypt_service_data.tmpl
@ -28,6 +28,7 @@ LETSENCRYPT_CONTAINERS=(
                LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_KEYSIZE="{{ $container.Env.LETSENCRYPT_KEYSIZE }}"
                LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_TEST="{{ $container.Env.LETSENCRYPT_TEST }}"
                LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_EMAIL="{{ $container.Env.LETSENCRYPT_EMAIL }}"
+                LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_ACME_CA_URI="{{ $container.Env.LETSENCRYPT_ACME_CA_URI }}"
                LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_RESTART_CONTAINER="{{ $container.Env.LETSENCRYPT_RESTART_CONTAINER }}"
            {{ end }}
        {{ else }}
@ -35,6 +36,7 @@ LETSENCRYPT_CONTAINERS=(
            LETSENCRYPT_{{ $cid }}_KEYSIZE="{{ $container.Env.LETSENCRYPT_KEYSIZE }}"
            LETSENCRYPT_{{ $cid }}_TEST="{{ $container.Env.LETSENCRYPT_TEST }}"
            LETSENCRYPT_{{ $cid }}_EMAIL="{{ $container.Env.LETSENCRYPT_EMAIL }}"
+            LETSENCRYPT_{{ $cid }}_ACME_CA_URI="{{ $container.Env.LETSENCRYPT_ACME_CA_URI }}"
            LETSENCRYPT_{{ $cid }}_RESTART_CONTAINER="{{ $container.Env.LETSENCRYPT_RESTART_CONTAINER }}"
        {{ end }}
    {{ end }}
--- a/docs/Let's-Encrypt-and-ACME.md
+++ b/docs/Let's-Encrypt-and-ACME.md
@ -78,4 +78,8 @@ Reusing private keys can help if you intend to use [HPKP](https://developer.mozi

 - Use one `acme.sh` configuration directory (`--config-home`) per account email address.
 - Each `acme.sh` configuration directory can hold several accounts on different ACME service providers. But only one per service provider.
- The `defaut` configuration directory holds the configuration for empty account email address.
+- The `defaut` configuration directory holds the configuration for empty account email address.
+- When in testing mode (`LETSENCRYPT_TEST=true`):
+    1. The container will use the special purpose `staging` configuration directory.
+    1. The directory URI is forced to The Let's Encrypt v2 staging one (`ACME_CA_URI` is ignored)
+    2. The account email address is forced empty (`DEFAULT_EMAIL` and `LETSENCRYPT_EMAIL` are ignored)