mirror/ docker-letsencrypt-nginx-proxy-companion
1
0
Fork 0
mirror of https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion synced 2024-05-08 14:56:11 +02:00
Code Issues Releases Activity

Change ACME client to acme.sh

This commit is contained in:
Nicolas Duchon 2018-12-31 12:53:21 +01:00
parent 96c9cbf821
commit c821d809f6
No known key found for this signature in database
GPG Key ID: EA3151C66A4D79E7
21 changed files with 145 additions and 203 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -2,6 +2,7 @@ certs/
conf.d/ conf.d/
data/ data/
vhost.d/ vhost.d/
.vscode
# tests # tests
go/ go/

3
.travis.yml
View File

@ -28,8 +28,7 @@ before_install:
install: install:
- docker build -t "$IMAGE" . - docker build -t "$IMAGE" .
- docker inspect "$IMAGE" - docker inspect "$IMAGE"
- docker run --rm "$IMAGE" simp_le --version - docker run --rm "$IMAGE" acme.sh --version
- docker run --rm "$IMAGE" simp_le -v --test
- docker images - docker images
before_script: before_script:

17
Dockerfile
View File

@ -21,32 +21,35 @@ FROM alpine:3.11
LABEL maintainer="Yves Blusseau <90z7oey02@sneakemail.com> (@blusseau)" LABEL maintainer="Yves Blusseau <90z7oey02@sneakemail.com> (@blusseau)"
ENV DEBUG=false \ ENV DOCKER_HOST=unix:///var/run/docker.sock \
DOCKER_HOST=unix:///var/run/docker.sock PATH=$PATH:/app
# Install packages required by the image # Install packages required by the image
RUN apk add --update \ RUN apk add --update \
bash \ bash \
ca-certificates \
coreutils \ coreutils \
curl \ curl \
jq \ jq \
netcat-openbsd \
openssl \ openssl \
socat \
&& rm /var/cache/apk/* && rm /var/cache/apk/*
# Install docker-gen from build stage # Install docker-gen from build stage
COPY --from=go-builder /go/src/github.com/jwilder/docker-gen/docker-gen /usr/local/bin/ COPY --from=go-builder /go/src/github.com/jwilder/docker-gen/docker-gen /usr/local/bin/
# Install simp_le # Install simp_le
COPY /install_simp_le.sh /app/install_simp_le.sh COPY /install_acme.sh /app/install_acme.sh
RUN chmod +rx /app/install_simp_le.sh \ RUN chmod +rx /app/install_acme.sh \
&& sync \ && sync \
&& /app/install_simp_le.sh \ && /app/install_acme.sh \
&& rm -f /app/install_simp_le.sh && rm -f /app/install_acme.sh
COPY /app/ /app/ COPY /app/ /app/
WORKDIR /app WORKDIR /app
VOLUME ["/etc/acme.sh", "/etc/nginx/certs"]
ENTRYPOINT [ "/bin/bash", "/app/entrypoint.sh" ] ENTRYPOINT [ "/bin/bash", "/app/entrypoint.sh" ]
CMD [ "/bin/bash", "/app/start.sh" ] CMD [ "/bin/bash", "/app/start.sh" ]

36
app/entrypoint.sh
View File

@ -4,7 +4,6 @@ set -u
# shellcheck source=functions.sh # shellcheck source=functions.sh
source /app/functions.sh source /app/functions.sh
DEBUG="$(lc "$DEBUG")"
function check_deprecated_env_var { function check_deprecated_env_var {
if [[ -n "${ACME_TOS_HASH:-}" ]]; then if [[ -n "${ACME_TOS_HASH:-}" ]]; then
@ -109,7 +108,7 @@ function check_default_cert_key {
# than 3 months / 7776000 seconds (60 x 60 x 24 x 30 x 3). # than 3 months / 7776000 seconds (60 x 60 x 24 x 30 x 3).
check_cert_min_validity /etc/nginx/certs/default.crt 7776000 check_cert_min_validity /etc/nginx/certs/default.crt 7776000
cert_validity=$? cert_validity=$?
[[ "$DEBUG" == true ]] && echo "Debug: a default certificate with $default_cert_cn is present." [[ "$DEBUG" == 1 ]] && echo "Debug: a default certificate with $default_cert_cn is present."
fi fi
# Create a default cert and private key if: # Create a default cert and private key if:
@ -126,23 +125,35 @@ function check_default_cert_key {
&& mv /etc/nginx/certs/default.key.new /etc/nginx/certs/default.key \ && mv /etc/nginx/certs/default.key.new /etc/nginx/certs/default.key \
&& mv /etc/nginx/certs/default.crt.new /etc/nginx/certs/default.crt && mv /etc/nginx/certs/default.crt.new /etc/nginx/certs/default.crt
echo "Info: a default key and certificate have been created at /etc/nginx/certs/default.key and /etc/nginx/certs/default.crt." echo "Info: a default key and certificate have been created at /etc/nginx/certs/default.key and /etc/nginx/certs/default.crt."
elif [[ "$DEBUG" == true && "${default_cert_cn:-}" =~ $cn ]]; then elif [[ "$DEBUG" == 1 && "${default_cert_cn:-}" =~ $cn ]]; then
echo "Debug: the self generated default certificate is still valid for more than three months. Skipping default certificate creation." echo "Debug: the self generated default certificate is still valid for more than three months. Skipping default certificate creation."
elif [[ "$DEBUG" == true ]]; then elif [[ "$DEBUG" == 1 ]]; then
echo "Debug: the default certificate is user provided. Skipping default certificate creation." echo "Debug: the default certificate is user provided. Skipping default certificate creation."
fi fi
set_ownership_and_permissions "/etc/nginx/certs/default.key" set_ownership_and_permissions "/etc/nginx/certs/default.key"
set_ownership_and_permissions "/etc/nginx/certs/default.crt" set_ownership_and_permissions "/etc/nginx/certs/default.crt"
} }
if [[ "$*" == "/bin/bash /app/start.sh" ]]; then function configure_default_email {
acmev1_r='acme-(v01\|staging)\.api\.letsencrypt\.org' # Configure the email used by the default config
if [[ "${ACME_CA_URI:-}" =~ $acmev1_r ]]; then [[ -d /etc/acme.sh/default ]] || mkdir -p /etc/acme.sh/default
echo "Error: the ACME v1 API is no longer supported by simp_le." if [[ -f /etc/acme.sh/default/account.conf ]]; then
echo "See https://github.com/zenhack/simp_le/pull/119" if [[ -f /etc/acme.sh/default/ca/acme-v01.api.letsencrypt.org/account.json ]]; then
echo "Please use one of Let's Encrypt ACME v2 endpoints instead." acme.sh --update-account --accountemail "${DEFAULT_EMAIL:-}"
exit 1 return 0
elif grep -q ACCOUNT_EMAIL /etc/acme.sh/default/account.conf; then
if grep -q "${DEFAULT_EMAIL:-}" /etc/acme.sh/default/account.conf; then
return 0
else
sed -i "s/^ACCOUNT_EMAIL=.*$/ACCOUNT_EMAIL='${DEFAULT_EMAIL:-}'/g" /etc/acme.sh/default/account.conf
return 0
fi
fi
fi fi
echo "ACCOUNT_EMAIL='${DEFAULT_EMAIL:-}'" >> /etc/acme.sh/default/account.conf
}
if [[ "$*" == "/bin/bash /app/start.sh" ]]; then
check_docker_socket check_docker_socket
if [[ -z "$(get_nginx_proxy_container)" ]]; then if [[ -z "$(get_nginx_proxy_container)" ]]; then
echo "Error: can't get nginx-proxy container ID !" >&2 echo "Error: can't get nginx-proxy container ID !" >&2
@ -160,12 +171,13 @@ if [[ "$*" == "/bin/bash /app/start.sh" ]]; then
fi fi
check_writable_directory '/etc/nginx/certs' check_writable_directory '/etc/nginx/certs'
check_writable_directory '/etc/nginx/vhost.d' check_writable_directory '/etc/nginx/vhost.d'
check_writable_directory '/etc/acme.sh'
check_writable_directory '/usr/share/nginx/html' check_writable_directory '/usr/share/nginx/html'
[[ -f /app/letsencrypt_user_data ]] && check_writable_directory '/etc/nginx/conf.d' [[ -f /app/letsencrypt_user_data ]] && check_writable_directory '/etc/nginx/conf.d'
check_deprecated_env_var
check_default_cert_key check_default_cert_key
check_dh_group check_dh_group
reload_nginx reload_nginx
[[ -n ${DEFAULT_EMAIL:-} ]] && configure_default_email
fi fi
exec "$@" exec "$@"

19
app/functions.sh
View File

@ -5,7 +5,10 @@ function lc {
echo "${@,,}" echo "${@,,}"
} }
DEBUG="$(lc "$DEBUG")" DEBUG="$(lc "${DEBUG:-}")"
if [[ "$DEBUG" == true ]]; then
DEBUG=1 && export DEBUG
fi
[[ -z "${VHOST_DIR:-}" ]] && \ [[ -z "${VHOST_DIR:-}" ]] && \
declare -r VHOST_DIR=/etc/nginx/vhost.d declare -r VHOST_DIR=/etc/nginx/vhost.d
@ -325,7 +328,7 @@ function set_ownership_and_permissions {
return 1 return 1
fi fi
[[ "$DEBUG" == true ]] && echo "Debug: checking $path ownership and permissions." [[ "$DEBUG" == 1 ]] && echo "Debug: checking $path ownership and permissions."
# Find the user numeric ID if the FILES_UID environment variable isn't numeric. # Find the user numeric ID if the FILES_UID environment variable isn't numeric.
if [[ "$user" =~ ^[0-9]+$ ]]; then if [[ "$user" =~ ^[0-9]+$ ]]; then
@ -334,7 +337,7 @@ function set_ownership_and_permissions {
elif id -u "$user" > /dev/null 2>&1; then elif id -u "$user" > /dev/null 2>&1; then
# Convert the user name to numeric ID # Convert the user name to numeric ID
local user_num; user_num="$(id -u "$user")" local user_num; user_num="$(id -u "$user")"
[[ "$DEBUG" == true ]] && echo "Debug: numeric ID of user $user is $user_num." [[ "$DEBUG" == 1 ]] && echo "Debug: numeric ID of user $user is $user_num."
else else
echo "Warning: user $user not found in the container, please use a numeric user ID instead of a user name. Skipping ownership and permissions check." echo "Warning: user $user not found in the container, please use a numeric user ID instead of a user name. Skipping ownership and permissions check."
return 1 return 1
@ -347,7 +350,7 @@ function set_ownership_and_permissions {
elif getent group "$group" > /dev/null 2>&1; then elif getent group "$group" > /dev/null 2>&1; then
# Convert the group name to numeric ID # Convert the group name to numeric ID
local group_num; group_num="$(getent group "$group" | awk -F ':' '{print $3}')" local group_num; group_num="$(getent group "$group" | awk -F ':' '{print $3}')"
[[ "$DEBUG" == true ]] && echo "Debug: numeric ID of group $group is $group_num." [[ "$DEBUG" == 1 ]] && echo "Debug: numeric ID of group $group is $group_num."
else else
echo "Warning: group $group not found in the container, please use a numeric group ID instead of a group name. Skipping ownership and permissions check." echo "Warning: group $group not found in the container, please use a numeric group ID instead of a group name. Skipping ownership and permissions check."
return 1 return 1
@ -356,7 +359,7 @@ function set_ownership_and_permissions {
# Check and modify ownership if required. # Check and modify ownership if required.
if [[ -e "$path" ]]; then if [[ -e "$path" ]]; then
if [[ "$(stat -c %u:%g "$path" )" != "$user_num:$group_num" ]]; then if [[ "$(stat -c %u:%g "$path" )" != "$user_num:$group_num" ]]; then
[[ "$DEBUG" == true ]] && echo "Debug: setting $path ownership to $user:$group." [[ "$DEBUG" == 1 ]] && echo "Debug: setting $path ownership to $user:$group."
if [[ -L "$path" ]]; then if [[ -L "$path" ]]; then
chown -h "$user_num:$group_num" "$path" chown -h "$user_num:$group_num" "$path"
else else
@ -366,7 +369,7 @@ function set_ownership_and_permissions {
# If the path is a folder, check and modify permissions if required. # If the path is a folder, check and modify permissions if required.
if [[ -d "$path" ]]; then if [[ -d "$path" ]]; then
if [[ "$(stat -c %a "$path")" != "$d_perms" ]]; then if [[ "$(stat -c %a "$path")" != "$d_perms" ]]; then
[[ "$DEBUG" == true ]] && echo "Debug: setting $path permissions to $d_perms." [[ "$DEBUG" == 1 ]] && echo "Debug: setting $path permissions to $d_perms."
chmod "$d_perms" "$path" chmod "$d_perms" "$path"
fi fi
# If the path is a file, check and modify permissions if required. # If the path is a file, check and modify permissions if required.
@ -374,13 +377,13 @@ function set_ownership_and_permissions {
# Use different permissions for private files (private keys and ACME account files) ... # Use different permissions for private files (private keys and ACME account files) ...
if [[ "$path" =~ ^.*(default\.key|key\.pem|\.json)$ ]]; then if [[ "$path" =~ ^.*(default\.key|key\.pem|\.json)$ ]]; then
if [[ "$(stat -c %a "$path")" != "$f_perms" ]]; then if [[ "$(stat -c %a "$path")" != "$f_perms" ]]; then
[[ "$DEBUG" == true ]] && echo "Debug: setting $path permissions to $f_perms." [[ "$DEBUG" == 1 ]] && echo "Debug: setting $path permissions to $f_perms."
chmod "$f_perms" "$path" chmod "$f_perms" "$path"
fi fi
# ... and for public files (certificates, chains, fullchains, DH parameters). # ... and for public files (certificates, chains, fullchains, DH parameters).
else else
if [[ "$(stat -c %a "$path")" != "644" ]]; then if [[ "$(stat -c %a "$path")" != "644" ]]; then
[[ "$DEBUG" == true ]] && echo "Debug: setting $path permissions to 644." [[ "$DEBUG" == 1 ]] && echo "Debug: setting $path permissions to 644."
chmod "644" "$path" chmod "644" "$path"
fi fi
fi fi

154
app/letsencrypt_service
View File

@ -2,20 +2,18 @@
# shellcheck source=functions.sh # shellcheck source=functions.sh
source /app/functions.sh source /app/functions.sh
DEBUG="$(lc "$DEBUG")"
seconds_to_wait=3600 seconds_to_wait=3600
ACME_CA_URI="${ACME_CA_URI:-https://acme-v02.api.letsencrypt.org/directory}" ACME_CA_URI="${ACME_CA_URI:-https://acme-v02.api.letsencrypt.org/directory}"
DEFAULT_KEY_SIZE=4096 DEFAULT_KEY_SIZE="${DEFAULT_KEY_SIZE:-4096}"
REUSE_ACCOUNT_KEYS="$(lc "${REUSE_ACCOUNT_KEYS:-true}")" RENEW_PRIVATE_KEYS="$(lc "${RENEW_PRIVATE_KEYS:-true}")"
REUSE_PRIVATE_KEYS="$(lc "${REUSE_PRIVATE_KEYS:-false}")"
function create_link { function create_link {
local -r source=${1?missing source argument} local -r source=${1?missing source argument}
local -r target=${2?missing target argument} local -r target=${2?missing target argument}
if [[ -f "$target" ]] && [[ "$(readlink "$target")" == "$source" ]]; then if [[ -f "$target" ]] && [[ "$(readlink "$target")" == "$source" ]]; then
set_ownership_and_permissions "$target" set_ownership_and_permissions "$target"
[[ "$DEBUG" == true ]] && echo "$target already linked to $source" [[ "$DEBUG" == 1 ]] && echo "$target already linked to $source"
return 1 return 1
else else
ln -sf "$source" "$target" \ ln -sf "$source" "$target" \
@ -62,7 +60,7 @@ function cleanup_links {
symlinked_domain="${symlinked_domain%*.crt}" symlinked_domain="${symlinked_domain%*.crt}"
SYMLINKED_DOMAINS+=("$symlinked_domain") SYMLINKED_DOMAINS+=("$symlinked_domain")
done done
[[ "$DEBUG" == true ]] && echo "Symlinked domains: ${SYMLINKED_DOMAINS[*]}" [[ "$DEBUG" == 1 ]] && echo "Symlinked domains: ${SYMLINKED_DOMAINS[*]}"
# Create an array containing domains that are considered # Create an array containing domains that are considered
# enabled (ie present on /app/letsencrypt_service_data or /app/letsencrypt_user_data). # enabled (ie present on /app/letsencrypt_service_data or /app/letsencrypt_user_data).
@ -77,7 +75,7 @@ function cleanup_links {
ENABLED_DOMAINS+=("$domain") ENABLED_DOMAINS+=("$domain")
done done
done done
[[ "$DEBUG" == true ]] && echo "Enabled domains: ${ENABLED_DOMAINS[*]}" [[ "$DEBUG" == 1 ]] && echo "Enabled domains: ${ENABLED_DOMAINS[*]}"
# Create an array containing only domains for which a symlinked private key exists # Create an array containing only domains for which a symlinked private key exists
# in /etc/nginx/certs but that no longer have a corresponding LETSENCRYPT_HOST set # in /etc/nginx/certs but that no longer have a corresponding LETSENCRYPT_HOST set
@ -88,28 +86,28 @@ function cleanup_links {
"${ENABLED_DOMAINS[@]}" \ "${ENABLED_DOMAINS[@]}" \
| tr ' ' '\n' | sort | uniq -u) | tr ' ' '\n' | sort | uniq -u)
fi fi
[[ "$DEBUG" == true ]] && echo "Disabled domains: ${DISABLED_DOMAINS[*]}" [[ "$DEBUG" == 1 ]] && echo "Disabled domains: ${DISABLED_DOMAINS[*]}"
# Remove disabled domains symlinks if present. # Remove disabled domains symlinks if present.
# Return 1 if nothing was removed and 0 otherwise. # Return 1 if nothing was removed and 0 otherwise.
if [[ ${#DISABLED_DOMAINS[@]} -gt 0 ]]; then if [[ ${#DISABLED_DOMAINS[@]} -gt 0 ]]; then
[[ "$DEBUG" == true ]] && echo "Some domains are disabled :" [[ "$DEBUG" == 1 ]] && echo "Some domains are disabled :"
for disabled_domain in "${DISABLED_DOMAINS[@]}"; do for disabled_domain in "${DISABLED_DOMAINS[@]}"; do
[[ "$DEBUG" == true ]] && echo "Checking domain ${disabled_domain}" [[ "$DEBUG" == 1 ]] && echo "Checking domain ${disabled_domain}"
cert_folder="$(readlink -f /etc/nginx/certs/"${disabled_domain}".crt)" cert_folder="$(readlink -f "/etc/nginx/certs/${disabled_domain}.crt")"
# If the dotfile is absent, skip domain. # If the dotfile is absent, skip domain.
if [[ ! -e "${cert_folder%/*}/.companion" ]]; then if [[ ! -e "${cert_folder%/*}/.companion" ]]; then
[[ "$DEBUG" == true ]] && echo "No .companion file found in ${cert_folder}. ${disabled_domain} is not managed by letsencrypt-nginx-proxy-companion. Skipping domain." [[ "$DEBUG" == 1 ]] && echo "No .companion file found in ${cert_folder}. ${disabled_domain} is not managed by letsencrypt-nginx-proxy-companion. Skipping domain."
continue continue
else else
[[ "$DEBUG" == true ]] && echo "${disabled_domain} is managed by letsencrypt-nginx-proxy-companion. Removing unused symlinks." [[ "$DEBUG" == 1 ]] && echo "${disabled_domain} is managed by letsencrypt-nginx-proxy-companion. Removing unused symlinks."
fi fi
for extension in .crt .key .dhparam.pem .chain.pem; do for extension in .crt .key .dhparam.pem .chain.pem; do
file="${disabled_domain}${extension}" file="${disabled_domain}${extension}"
if [[ -n "${file// }" ]] && [[ -L "/etc/nginx/certs/${file}" ]]; then if [[ -n "${file// }" ]] && [[ -L "/etc/nginx/certs/${file}" ]]; then
[[ "$DEBUG" == true ]] && echo "Removing /etc/nginx/certs/${file}" [[ "$DEBUG" == 1 ]] && echo "Removing /etc/nginx/certs/${file}"
rm -f "/etc/nginx/certs/${file}" rm -f "/etc/nginx/certs/${file}"
fi fi
done done
@ -124,6 +122,7 @@ function update_certs {
local -a LETSENCRYPT_CONTAINERS local -a LETSENCRYPT_CONTAINERS
local -a LETSENCRYPT_STANDALONE_CERTS local -a LETSENCRYPT_STANDALONE_CERTS
pushd /etc/nginx/certs > /dev/null || return
check_nginx_proxy_container_run || return check_nginx_proxy_container_run || return
# Load relevant container settings # Load relevant container settings
@ -163,18 +162,10 @@ function update_certs {
params_d_arr=() params_d_arr=()
# Use container's LETSENCRYPT_EMAIL if set, fallback to DEFAULT_EMAIL
email_varname="LETSENCRYPT_${cid}_EMAIL"
email_address="${!email_varname:-"<no value>"}"
if [[ "$email_address" != "<no value>" ]]; then
params_d_arr+=(--email "$email_address")
elif [[ -n "${DEFAULT_EMAIL:-}" ]]; then
params_d_arr+=(--email "$DEFAULT_EMAIL")
fi
keysize_varname="LETSENCRYPT_${cid}_KEYSIZE" keysize_varname="LETSENCRYPT_${cid}_KEYSIZE"
cert_keysize="${!keysize_varname:-"<no value>"}" cert_keysize="${!keysize_varname:-"<no value>"}"
if [[ "$cert_keysize" == "<no value>" ]]; then if [[ "$cert_keysize" == "<no value>" ]] || \
[[ ! "$cert_keysize" =~ ^(2048|3072|4096|8192|ec-256|ec-384)$ ]]; then
cert_keysize=$DEFAULT_KEY_SIZE cert_keysize=$DEFAULT_KEY_SIZE
fi fi
@ -192,114 +183,61 @@ function update_certs {
certificate_dir="/etc/nginx/certs/$base_domain" certificate_dir="/etc/nginx/certs/$base_domain"
fi fi
account_varname="LETSENCRYPT_${cid}_ACCOUNT_ALIAS" config_varname="LETSENCRYPT_${cid}_ACMESH_CONFIG"
account_alias="${!account_varname:-"<no value>"}" config_name="${!config_varname:-"<no value>"}"
if [[ "$account_alias" == "<no value>" ]]; then if [[ "$config_name" == "<no value>" ]]; then
account_alias=default config_name=default
else
[[ ! -d "/etc/acme.sh/$config_name" ]] && mkdir -p "/etc/acme.sh/$config_name"
fi fi
[[ "$DEBUG" == true ]] && params_d_arr+=(-v) [[ "$DEBUG" == 1 ]] && params_d_arr+=("--debug")
[[ $REUSE_PRIVATE_KEYS == true ]] && params_d_arr+=(--reuse_key) [[ "$RENEW_PRIVATE_KEYS" == true ]] && params_d_arr+=("--always-force-new-domain-key")
[[ "${1}" == "--force-renew" ]] && params_d_arr+=(--valid_min 7776000) [[ "$1" == "--force-renew" ]] && params_d_arr+=("--force")
# Create directory for the first domain, # Create directory for the first domain
# make it root readable only and make it the cwd
mkdir -p "$certificate_dir" mkdir -p "$certificate_dir"
set_ownership_and_permissions "$certificate_dir" set_ownership_and_permissions "$certificate_dir"
pushd "$certificate_dir" || return
for domain in "${!hosts_array}"; do for domain in "${!hosts_array}"; do
# Add all the domains to certificate # Add all the domains to certificate
params_d_arr+=(-d "$domain") params_d_arr+=("--domain" "$domain")
# Add location configuration for the domain # Add location configuration for the domain
add_location_configuration "$domain" || reload_nginx add_location_configuration "$domain" || reload_nginx
done done
if [[ -e "./account_key.json" ]] && [[ ! -e "./account_reg.json" ]]; then
# If there is an account key present without account registration, this is
# a leftover from the ACME v1 version of simp_le. Remove this account key.
rm -f ./account_key.json
[[ "$DEBUG" == true ]] \
&& echo "Debug: removed ACME v1 account key $certificate_dir/account_key.json"
fi
# The ACME account key and registration full path are derived from the
# endpoint URI + the account alias (set to 'default' if no alias is provided)
account_dir="../accounts/${acme_ca_uri#*://}"
if [[ $REUSE_ACCOUNT_KEYS == true ]]; then
for type in "key" "reg"; do
file_full_path="${account_dir}/${account_alias}_${type}.json"
simp_le_file="./account_${type}.json"
if [[ -f "$file_full_path" ]]; then
# If there is no symlink to the account file, create it
if [[ ! -L "$simp_le_file" ]]; then
ln -sf "$file_full_path" "$simp_le_file" \
&& set_ownership_and_permissions "$simp_le_file"
# If the symlink target the wrong account file, replace it
elif [[ "$(readlink -f "$simp_le_file")" != "$file_full_path" ]]; then
ln -sf "$file_full_path" "$simp_le_file" \
&& set_ownership_and_permissions "$simp_le_file"
fi
fi
done
fi
echo "Creating/renewal $base_domain certificates... (${hosts_array_expanded[*]})" echo "Creating/renewal $base_domain certificates... (${hosts_array_expanded[*]})"
/usr/bin/simp_le \ acme.sh --issue \
-f account_key.json -f account_reg.json \ --log /dev/null \
-f key.pem -f chain.pem -f fullchain.pem -f cert.pem \ --config-home "/etc/acme.sh/$config_name" \
"${params_d_arr[@]}" \ "${params_d_arr[@]}" \
--cert_key_size="$cert_keysize" \ --keylength "$cert_keysize" \
--server="$acme_ca_uri" \ --server "$acme_ca_uri" \
--default_root /usr/share/nginx/html/ --webroot /usr/share/nginx/html \
--cert-file "${certificate_dir}/cert.pem" \
--key-file "${certificate_dir}/key.pem" \
--ca-file "${certificate_dir}/chain.pem" \
--fullchain-file "${certificate_dir}/fullchain.pem"
simp_le_return=$? acmesh_return=$?
if [[ $REUSE_ACCOUNT_KEYS == true ]]; then if [[ $acmesh_return -ne 2 ]]; then
mkdir -p "$account_dir"
for type in "key" "reg"; do
file_full_path="${account_dir}/${account_alias}_${type}.json"
simp_le_file="./account_${type}.json"
# If the account file to be reused does not exist yet, copy it
# from the CWD and replace the file in CWD with a symlink
if [[ ! -f "$file_full_path" && -f "$simp_le_file" ]]; then
cp "$simp_le_file" "$file_full_path"
ln -sf "$file_full_path" "$simp_le_file"
fi
done
fi
popd || return
if [[ $simp_le_return -ne 2 ]]; then
for domain in "${!hosts_array}"; do for domain in "${!hosts_array}"; do
if [[ "$acme_ca_uri" == "$le_staging_uri" ]]; then if [[ $acme_ca_uri =~ ^https://acme-staging.* ]]; then
create_links "_test_$base_domain" "$domain" && should_reload_nginx='true' && should_restart_container='true' create_links "_test_$base_domain" "$domain" && should_reload_nginx='true' && should_restart_container='true'
else else
create_links "$base_domain" "$domain" && should_reload_nginx='true' && should_restart_container='true' create_links "$base_domain" "$domain" && should_reload_nginx='true' && should_restart_container='true'
fi fi
done done
touch "${certificate_dir}/.companion" touch "${certificate_dir}/.companion"
# Set ownership and permissions of the files inside $certificate_dir set_ownership_and_permissions "${certificate_dir}/.companion"
for file in .companion cert.pem key.pem chain.pem fullchain.pem account_key.json account_reg.json; do # Make private key root readable only
for file in cert.pem key.pem chain.pem fullchain.pem; do
file_path="${certificate_dir}/${file}" file_path="${certificate_dir}/${file}"
[[ -e "$file_path" ]] && set_ownership_and_permissions "$file_path" [[ -e "$file_path" ]] && set_ownership_and_permissions "$file_path"
done done
account_path="/etc/nginx/certs/accounts/${acme_ca_uri#*://}"
account_key_perm_path="${account_path}/${account_alias}_key.json"
account_reg_perm_path="${account_path}/${account_alias}_reg.json"
# Account key and registration files do not necessarily exists after
# simp_le exit code 1. Check if they exist before perm check (#591).
[[ -f "$account_key_perm_path" ]] && set_ownership_and_permissions "$account_key_perm_path"
[[ -f "$account_reg_perm_path" ]] && set_ownership_and_permissions "$account_reg_perm_path"
# Set ownership and permissions of the ACME account folder and its
# parent folders (up to /etc/nginx/certs/accounts included)
until [[ "$account_path" == /etc/nginx/certs ]]; do
set_ownership_and_permissions "$account_path"
account_path="$(dirname "$account_path")"
done
# Queue nginx reload if a certificate was issued or renewed # Queue nginx reload if a certificate was issued or renewed
[[ $simp_le_return -eq 0 ]] && should_reload_nginx='true' && should_restart_container='true' [[ $acmesh_return -eq 0 ]] && should_reload_nginx='true' && should_restart_container='true'
fi fi
# Restart container if certs are updated and the respective environmental variable is set # Restart container if certs are updated and the respective environmental variable is set
@ -311,7 +249,7 @@ function update_certs {
for domain in "${!hosts_array}"; do for domain in "${!hosts_array}"; do
if [[ -f "/etc/nginx/conf.d/standalone-cert-$domain.conf" ]]; then if [[ -f "/etc/nginx/conf.d/standalone-cert-$domain.conf" ]]; then
[[ $DEBUG == true ]] && echo "Debug: removing standalone configuration file /etc/nginx/conf.d/standalone-cert-$domain.conf" [[ "$DEBUG" == 1 ]] && echo "Debug: removing standalone configuration file /etc/nginx/conf.d/standalone-cert-$domain.conf"
rm -f "/etc/nginx/conf.d/standalone-cert-$domain.conf" && should_reload_nginx='true' rm -f "/etc/nginx/conf.d/standalone-cert-$domain.conf" && should_reload_nginx='true'
fi fi
done done
@ -321,6 +259,8 @@ function update_certs {
cleanup_links && should_reload_nginx='true' cleanup_links && should_reload_nginx='true'
[[ "$should_reload_nginx" == 'true' ]] && reload_nginx [[ "$should_reload_nginx" == 'true' ]] && reload_nginx
popd > /dev/null || return
} }
# Allow the script functions to be sourced without starting the Service Loop. # Allow the script functions to be sourced without starting the Service Loop.

6
app/letsencrypt_service_data.tmpl
View File

@ -25,18 +25,16 @@ LETSENCRYPT_CONTAINERS=(
{{ $host := trimSuffix "." $host }} {{ $host := trimSuffix "." $host }}
{{ $hostHash := sha1 $host }} {{ $hostHash := sha1 $host }}
LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_HOST=('{{ $host }}') LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_HOST=('{{ $host }}')
LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_EMAIL="{{ $container.Env.LETSENCRYPT_EMAIL }}"
LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_KEYSIZE="{{ $container.Env.LETSENCRYPT_KEYSIZE }}" LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_KEYSIZE="{{ $container.Env.LETSENCRYPT_KEYSIZE }}"
LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_TEST="{{ $container.Env.LETSENCRYPT_TEST }}" LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_TEST="{{ $container.Env.LETSENCRYPT_TEST }}"
LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_ACCOUNT_ALIAS="{{ $container.Env.LETSENCRYPT_ACCOUNT_ALIAS }}" LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_ACMESH_CONFIG="{{ $container.Env.LETSENCRYPT_ACMESH_CONFIG }}"
LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_RESTART_CONTAINER="{{ $container.Env.LETSENCRYPT_RESTART_CONTAINER }}" LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_RESTART_CONTAINER="{{ $container.Env.LETSENCRYPT_RESTART_CONTAINER }}"
{{ end }} {{ end }}
{{ else }} {{ else }}
LETSENCRYPT_{{ $cid }}_HOST=( {{ range $host := split $hosts "," }}{{ $host := trim $host }}{{ $host := trimSuffix "." $host }}'{{ $host }}' {{ end }}) LETSENCRYPT_{{ $cid }}_HOST=( {{ range $host := split $hosts "," }}{{ $host := trim $host }}{{ $host := trimSuffix "." $host }}'{{ $host }}' {{ end }})
LETSENCRYPT_{{ $cid }}_EMAIL="{{ $container.Env.LETSENCRYPT_EMAIL }}"
LETSENCRYPT_{{ $cid }}_KEYSIZE="{{ $container.Env.LETSENCRYPT_KEYSIZE }}" LETSENCRYPT_{{ $cid }}_KEYSIZE="{{ $container.Env.LETSENCRYPT_KEYSIZE }}"
LETSENCRYPT_{{ $cid }}_TEST="{{ $container.Env.LETSENCRYPT_TEST }}" LETSENCRYPT_{{ $cid }}_TEST="{{ $container.Env.LETSENCRYPT_TEST }}"
LETSENCRYPT_{{ $cid }}_ACCOUNT_ALIAS="{{ $container.Env.LETSENCRYPT_ACCOUNT_ALIAS }}" LETSENCRYPT_{{ $cid }}_ACMESH_CONFIG="{{ $container.Env.LETSENCRYPT_ACMESH_CONFIG }}"
LETSENCRYPT_{{ $cid }}_RESTART_CONTAINER="{{ $container.Env.LETSENCRYPT_RESTART_CONTAINER }}" LETSENCRYPT_{{ $cid }}_RESTART_CONTAINER="{{ $container.Env.LETSENCRYPT_RESTART_CONTAINER }}"
{{ end }} {{ end }}
{{ end }} {{ end }}

26
install_acme.sh Executable file
View File

@ -0,0 +1,26 @@
#!/bin/bash
set -e
# Install git (required to fetch acme.sh)
apk --update add git
# Get acme.sh Let's Encrypt client source
tag="2.8.7"
mkdir /src
git -C /src clone https://github.com/Neilpang/acme.sh.git
cd /src/acme.sh
git checkout "$tag"
# Install acme.sh in /app
./acme.sh --install \
--nocron \
--auto-upgrade 0 \
--home /app \
--config-home /etc/acme.sh/default
# Make house cleaning
cd /
rm -rf /src
apk del git
rm -rf /var/cache/apk/*

30
install_simp_le.sh
View File

@ -1,30 +0,0 @@
#!/bin/bash
set -e
# Install python and packages needed to build simp_le
apk add --update python3 git gcc musl-dev libffi-dev python3-dev openssl-dev
# Create expected symlinks if they don't exist
[[ -e /usr/bin/pip ]] || ln -sf /usr/bin/pip3 /usr/bin/pip
[[ -e /usr/bin/python ]] || ln -sf /usr/bin/python3 /usr/bin/python
# Get Let's Encrypt simp_le client source
branch="0.18.0"
mkdir -p /src
git -C /src clone --depth=1 --branch $branch https://github.com/zenhack/simp_le.git
# Install simp_le in /usr/bin
cd /src/simp_le
#pip install wheel requests
for pkg in pip setuptools wheel
do
pip3 install -U "${pkg?}"
done
pip3 install .
# Make house cleaning
cd /
rm -rf /src
apk del git gcc musl-dev libffi-dev python3-dev openssl-dev
rm -rf /var/cache/apk/*

4
test/setup/setup-boulder.sh
View File

@ -12,12 +12,16 @@ setup_boulder() {
pushd $GOPATH/src/github.com/letsencrypt/boulder pushd $GOPATH/src/github.com/letsencrypt/boulder
git checkout release-2019-10-07 git checkout release-2019-10-07
if [[ "$(uname)" == 'Darwin' ]]; then if [[ "$(uname)" == 'Darwin' ]]; then
# Set Standard Ports
sed -i '' 's/ 5002/ 80/g' test/config/va.json sed -i '' 's/ 5002/ 80/g' test/config/va.json
sed -i '' 's/ 5001/ 443/g' test/config/va.json sed -i '' 's/ 5001/ 443/g' test/config/va.json
# Modify custom rate limit
sed -i '' 's/le.wtf,le1.wtf/le1.wtf,le2.wtf,le3.wtf/g' test/rate-limit-policies.yml sed -i '' 's/le.wtf,le1.wtf/le1.wtf,le2.wtf,le3.wtf/g' test/rate-limit-policies.yml
else else
# Set Standard Ports
sed --in-place 's/ 5002/ 80/g' test/config/va.json sed --in-place 's/ 5002/ 80/g' test/config/va.json
sed --in-place 's/ 5001/ 443/g' test/config/va.json sed --in-place 's/ 5001/ 443/g' test/config/va.json
# Modify custom rate limit
sed --in-place 's/le.wtf,le1.wtf/le1.wtf,le2.wtf,le3.wtf/g' test/rate-limit-policies.yml sed --in-place 's/le.wtf,le1.wtf/le1.wtf,le2.wtf,le3.wtf/g' test/rate-limit-policies.yml
fi fi
docker-compose build --pull docker-compose build --pull

2
test/tests/certs_san/expected-std-out.txt
View File

@ -35,7 +35,7 @@ The correct certificate for le2.wtf was served by Nginx.
le3.wtf is on certificate. le3.wtf is on certificate.
Connection to le3.wtf using https was successful. Connection to le3.wtf using https was successful.
The correct certificate for le3.wtf was served by Nginx. The correct certificate for le3.wtf was served by Nginx.
Started test web server for le1.wtf.,le2.wtf.,le3.wtf Started test web server for le1.wtf.,le3.wtf.,le2.wtf
Symlink to le1.wtf certificate has been generated. Symlink to le1.wtf certificate has been generated.
The link is pointing to the file ./le1.wtf/fullchain.pem The link is pointing to the file ./le1.wtf/fullchain.pem
le1.wtf is on certificate. le1.wtf is on certificate.

6
test/tests/certs_san/run.sh
View File

@ -21,7 +21,7 @@ function cleanup {
i=$(( $i + 1 )) i=$(( $i + 1 ))
done done
# Cleanup the files created by this run of the test to avoid foiling following test(s). # Cleanup the files created by this run of the test to avoid foiling following test(s).
docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf*' docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf* && rm -rf /etc/acme.sh/default/le?.wtf*'
# Stop the LE container # Stop the LE container
docker stop "$le_container_name" > /dev/null docker stop "$le_container_name" > /dev/null
} }
@ -35,7 +35,7 @@ letsencrypt_hosts=( \
[0]="${domains[0]},${domains[1]},${domains[2]}" \ #straight comma separated list [0]="${domains[0]},${domains[1]},${domains[2]}" \ #straight comma separated list
[1]="${domains[1]}, ${domains[2]}, ${domains[0]}" \ #comma separated list with spaces [1]="${domains[1]}, ${domains[2]}, ${domains[0]}" \ #comma separated list with spaces
[2]="${domains[2]}, ${domains[0]}, ${domains[1]}," \ #comma separated list with spaces and a trailing comma [2]="${domains[2]}, ${domains[0]}, ${domains[1]}," \ #comma separated list with spaces and a trailing comma
[3]="${domains[0]}.,${domains[1]}.,${domains[2]}" ) #trailing dots [3]="${domains[0]}.,${domains[2]}.,${domains[1]}" ) #trailing dots
i=1 i=1
@ -94,7 +94,7 @@ for hosts in "${letsencrypt_hosts[@]}"; do
done done
docker stop "$container" > /dev/null 2>&1 docker stop "$container" > /dev/null 2>&1
docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf*' docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf* && rm -rf /etc/acme.sh/default/le?.wtf*'
i=$(( $i + 1 )) i=$(( $i + 1 ))
done done

2
test/tests/certs_single/run.sh
View File

@ -19,7 +19,7 @@ function cleanup {
docker rm --force "$domain" > /dev/null 2>&1 docker rm --force "$domain" > /dev/null 2>&1
done done
# Cleanup the files created by this run of the test to avoid foiling following test(s). # Cleanup the files created by this run of the test to avoid foiling following test(s).
docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf*' docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf* && rm -rf /etc/acme.sh/default/le?.wtf*'
# Stop the LE container # Stop the LE container
docker stop "$le_container_name" > /dev/null docker stop "$le_container_name" > /dev/null
} }

4
test/tests/certs_single_domain/run.sh
View File

@ -21,7 +21,7 @@ function cleanup {
i=$(( $i + 1 )) i=$(( $i + 1 ))
done done
# Cleanup the files created by this run of the test to avoid foiling following test(s). # Cleanup the files created by this run of the test to avoid foiling following test(s).
docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf*' docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf* && rm -rf /etc/acme.sh/default/le?.wtf*'
# Stop the LE container # Stop the LE container
docker stop "$le_container_name" > /dev/null docker stop "$le_container_name" > /dev/null
} }
@ -99,7 +99,7 @@ for hosts in "${letsencrypt_hosts[@]}"; do
done done
docker stop "$container" > /dev/null 2>&1 docker stop "$container" > /dev/null 2>&1
docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf*' docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf* && rm -rf /etc/acme.sh/default/le?.wtf*'
i=$(( $i + 1 )) i=$(( $i + 1 ))
done done

2
test/tests/certs_standalone/run.sh
View File

@ -17,7 +17,7 @@ function cleanup {
# Remove the Nginx container silently. # Remove the Nginx container silently.
docker rm --force "$subdomain" > /dev/null 2>&1 docker rm --force "$subdomain" > /dev/null 2>&1
# Cleanup the files created by this run of the test to avoid foiling following test(s). # Cleanup the files created by this run of the test to avoid foiling following test(s).
docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf*' docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf* && rm -rf /etc/acme.sh/default/le?.wtf*'
# Stop the LE container # Stop the LE container
docker stop "$le_container_name" > /dev/null docker stop "$le_container_name" > /dev/null
} }

2
test/tests/container_restart/run.sh
View File

@ -29,7 +29,7 @@ function cleanup {
docker rm --force "$domain" > /dev/null 2>&1 docker rm --force "$domain" > /dev/null 2>&1
done done
# Cleanup the files created by this run of the test to avoid foiling following test(s). # Cleanup the files created by this run of the test to avoid foiling following test(s).
docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf*' docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf* && rm -rf /etc/acme.sh/default/le?.wtf*'
# Stop the LE container # Stop the LE container
docker stop "$le_container_name" > /dev/null docker stop "$le_container_name" > /dev/null
} }

2
test/tests/force_renew/run.sh
View File

@ -17,7 +17,7 @@ function cleanup {
# Remove the Nginx container silently. # Remove the Nginx container silently.
docker rm --force "${domains[0]}" > /dev/null 2>&1 docker rm --force "${domains[0]}" > /dev/null 2>&1
# Cleanup the files created by this run of the test to avoid foiling following test(s). # Cleanup the files created by this run of the test to avoid foiling following test(s).
docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf*' docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf* && rm -rf /etc/acme.sh/default/le?.wtf*'
# Stop the LE container # Stop the LE container
docker stop "$le_container_name" > /dev/null docker stop "$le_container_name" > /dev/null
} }

13
test/tests/permissions_custom/run.sh
View File

@ -23,7 +23,7 @@ function cleanup {
# Remove the ${domains[0]} Nginx container silently. # Remove the ${domains[0]} Nginx container silently.
docker rm --force "${domains[0]}" > /dev/null 2>&1 docker rm --force "${domains[0]}" > /dev/null 2>&1
# Cleanup the files created by this run of the test to avoid foiling following test(s). # Cleanup the files created by this run of the test to avoid foiling following test(s).
docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf*' docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf* && rm -rf /etc/acme.sh/default/le?.wtf*'
# Stop the LE container # Stop the LE container
docker stop "$le_container_name" > /dev/null docker stop "$le_container_name" > /dev/null
} }
@ -41,10 +41,7 @@ wait_for_symlink "${domains[0]}" "$le_container_name"
# Array of folder paths to test # Array of folder paths to test
folders=( \ folders=( \
[0]="/etc/nginx/certs/accounts" \ [0]="/etc/nginx/certs/${domains[0]}" \
[1]="/etc/nginx/certs/accounts/boulder:4001" \
[2]="/etc/nginx/certs/accounts/boulder:4001/directory" \
[3]="/etc/nginx/certs/${domains[0]}" \
) )
# Test folder paths # Test folder paths
@ -61,8 +58,6 @@ symlinks=( \
[1]="/etc/nginx/certs/${domains[0]}.key" \ [1]="/etc/nginx/certs/${domains[0]}.key" \
[2]="/etc/nginx/certs/${domains[0]}.chain.pem" \ [2]="/etc/nginx/certs/${domains[0]}.chain.pem" \
[3]="/etc/nginx/certs/${domains[0]}.dhparam.pem" \ [3]="/etc/nginx/certs/${domains[0]}.dhparam.pem" \
[4]="/etc/nginx/certs/${domains[0]}/account_key.json" \
[5]="/etc/nginx/certs/${domains[0]}/account_reg.json" \
) )
# Test symlinks paths # Test symlinks paths
@ -76,9 +71,7 @@ symlinks=( \
# Array of private file paths to test # Array of private file paths to test
private_files=( \ private_files=( \
[0]="/etc/nginx/certs/default.key" \ [0]="/etc/nginx/certs/default.key" \
[1]="/etc/nginx/certs/accounts/boulder:4001/directory/default_key.json" \ [1]="/etc/nginx/certs/${domains[0]}/key.pem" \
[2]="/etc/nginx/certs/accounts/boulder:4001/directory/default_reg.json" \
[3]="/etc/nginx/certs/${domains[0]}/key.pem" \
) )
# Test private file paths # Test private file paths

13
test/tests/permissions_default/run.sh
View File

@ -17,7 +17,7 @@ function cleanup {
# Remove the ${domains[0]} Nginx container silently. # Remove the ${domains[0]} Nginx container silently.
docker rm --force "${domains[0]}" > /dev/null 2>&1 docker rm --force "${domains[0]}" > /dev/null 2>&1
# Cleanup the files created by this run of the test to avoid foiling following test(s). # Cleanup the files created by this run of the test to avoid foiling following test(s).
docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf*' docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf* && rm -rf /etc/acme.sh/default/le?.wtf*'
# Stop the LE container # Stop the LE container
docker stop "$le_container_name" > /dev/null docker stop "$le_container_name" > /dev/null
} }
@ -35,10 +35,7 @@ wait_for_symlink "${domains[0]}" "$le_container_name"
# Array of folder paths to test # Array of folder paths to test
folders=( \ folders=( \
[0]="/etc/nginx/certs/accounts" \ [0]="/etc/nginx/certs/${domains[0]}" \
[1]="/etc/nginx/certs/accounts/boulder:4001" \
[2]="/etc/nginx/certs/accounts/boulder:4001/directory" \
[3]="/etc/nginx/certs/${domains[0]}" \
) )
# Test folder paths # Test folder paths
@ -55,8 +52,6 @@ symlinks=( \
[1]="/etc/nginx/certs/${domains[0]}.key" \ [1]="/etc/nginx/certs/${domains[0]}.key" \
[2]="/etc/nginx/certs/${domains[0]}.chain.pem" \ [2]="/etc/nginx/certs/${domains[0]}.chain.pem" \
[3]="/etc/nginx/certs/${domains[0]}.dhparam.pem" \ [3]="/etc/nginx/certs/${domains[0]}.dhparam.pem" \
[4]="/etc/nginx/certs/${domains[0]}/account_key.json" \
[5]="/etc/nginx/certs/${domains[0]}/account_reg.json" \
) )
# Test symlinks paths # Test symlinks paths
@ -70,9 +65,7 @@ symlinks=( \
# Array of private file paths to test # Array of private file paths to test
private_files=( \ private_files=( \
[0]="/etc/nginx/certs/default.key" \ [0]="/etc/nginx/certs/default.key" \
[1]="/etc/nginx/certs/accounts/boulder:4001/directory/default_key.json" \ [1]="/etc/nginx/certs/${domains[0]}/key.pem" \
[2]="/etc/nginx/certs/accounts/boulder:4001/directory/default_reg.json" \
[3]="/etc/nginx/certs/${domains[0]}/key.pem" \
) )
# Test private file paths # Test private file paths

4
test/tests/symlinks/run.sh
View File

@ -23,8 +23,8 @@ function cleanup {
symlink-lim-le2 \ symlink-lim-le2 \
> /dev/null 2>&1 > /dev/null 2>&1
# Cleanup the files created by this run of the test to avoid foiling following test(s). # Cleanup the files created by this run of the test to avoid foiling following test(s).
docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf*' docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/le?.wtf* && rm -rf /etc/acme.sh/default/le?.wtf*'
docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/lim.it*' docker exec "$le_container_name" bash -c 'rm -rf /etc/nginx/certs/lim.it* && rm -rf /etc/acme.sh/default/lim.it*'
# Stop the LE container # Stop the LE container
docker stop "$le_container_name" > /dev/null docker stop "$le_container_name" > /dev/null
} }

2
test/tests/test-functions.sh
View File

@ -23,7 +23,7 @@ function run_le_container {
--volume /var/run/docker.sock:/var/run/docker.sock:ro \ --volume /var/run/docker.sock:/var/run/docker.sock:ro \
$cli_args \ $cli_args \
--env "DHPARAM_BITS=256" \ --env "DHPARAM_BITS=256" \
--env "DEBUG=true" \ --env "DEBUG=2" \
--env "ACME_CA_URI=http://boulder:4001/directory" \ --env "ACME_CA_URI=http://boulder:4001/directory" \
--label com.github.jrcs.letsencrypt_nginx_proxy_companion.test_suite \ --label com.github.jrcs.letsencrypt_nginx_proxy_companion.test_suite \
--network boulder_bluenet \ --network boulder_bluenet \