This makes the container behave exactly the same whether test certificates
are requested with the LETSENCRYPT_TEST env var or by setting ACME_CA_URI
to the Let's Encrypt staging API endpoint.
This commit enables the two strategies outlined on
https://letsencrypt.org/docs/integration-guide/
under the "One Account or Many?" paragraph, with
the single account key being the default.
Incorrect trimming led to empty domains being created with space separated domains
or with a comma-trailed LETSENCRYPT_HOST environment variable. This in turn led to the
container being caught in an endless loop trying to delete /etc/nginx/certs #254 #288
https://github.com/koalaman/shellcheck/wiki
start.sh:
Fix SC2173 on line 14.
letsencrypt_service:
Ignore SC2120 and SC1090.
Fix SC1087 on line 54, SC2068 on lines 54 and 124.
Fix SC2034 on lines 12, 13, 19 and 20.
+ use pushd / popd to change the CWD back to /etc/nginx/certs after simp_le execution.
functions.sh:
Ignore SC2155.
Add the missing shebang.
entrypoint.sh:
Ignore SC2155.
Don't need to use a regexp because the vhost.d/default configuration must be included
specifically in each server configuration by the nginx.tmpl template file.
Something like:
{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
include {{ printf "/etc/nginx/vhost.d/%s" $host }};
{{ else if (exists "/etc/nginx/vhost.d/default") }}
include /etc/nginx/vhost.d/default;
{{ end }}
In nginx.tmpl, vhosts.d are included before the 'location /' target, and last basic location wins.
If our /.well-known location is defined as a prefix string (or as a regex), it takes priority over basic locations
Details on http://nginx.org/en/docs/http/ngx_http_core_module.html#location
SAN certificates are now only created if the domain is contained in the base_domain.
For example:
LETSENCRYPT_HOST=domain.tld,sub.domain.tld,sub2.domain.tld,newdomain.tld,sub.newdomain.tld
will create 2 SAN certificates for domain.tld and newdomain.tld.
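The two host-list rules described in the commit messages above (dropping the empty fields that a trailing comma or doubled separator leaves in LETSENCRYPT_HOST, and grouping the remaining hosts into one SAN certificate per base domain) as one added example. This is not the project's own code: the function names split_hosts and group_by_base_domain are hypothetical, and the grouping rule (a host joins the first earlier-listed host it is a subdomain of, otherwise it starts a new certificate) is my reading of the single example in the message.

```shell
#!/bin/sh
# Added example, not from the companion container itself.

# Split a comma- and/or space-separated host list into one host per line.
# Empty fields (trailing comma, ", " as separator) are removed, which is
# the condition the trimming commit says produced empty domains.
split_hosts() {
    printf '%s' "$1" | tr ', \t' '\n\n\n' | sed '/^[[:space:]]*$/d'
}

# Group hosts into SAN certificates: a host whose name equals an existing
# base domain, or ends in ".<base domain>", is added to that certificate;
# any other host becomes the base domain of a new certificate.
# Output: one line per certificate, "<base_domain>:<san1> <san2> ...".
group_by_base_domain() {
    split_hosts "$1" | awk '
        {
            host = $0
            for (i = 1; i <= n; i++) {
                base = bases[i]
                if (host == base ||
                    substr(host, length(host) - length(base)) == "." base) {
                    sans[i] = sans[i] " " host
                    next
                }
            }
            n++
            bases[n] = host
            sans[n] = host
        }
        END { for (i = 1; i <= n; i++) print bases[i] ":" sans[i] }
    '
}

# Number of certificates a host list would produce.
count_certificates() {
    group_by_base_domain "$1" | wc -l | tr -d ' '
}

# Usage: pass a LETSENCRYPT_HOST value as the first argument, e.g. the
# constructed value from the commit message above.
if [ -n "${1:-}" ]; then
    group_by_base_domain "$1"
fi
```

Hosts are matched against base domains in listing order, so a base domain listed after one of its own subdomains (e.g. "sub.domain.tld,domain.tld") yields two certificates; the convention the message assumes is that the bare domain comes first.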
Assuming they're following a conventional setup, this will warn users
that they likely didn't set their volumes up correctly. It's not an
error though because they may have done something like mount the entire
/etc/nginx directory.
I hadn't seen this pattern before and it took me a while to figure out
where the loop was happening. (It could have been in the docker
invocation, in entrypoint.sh, or in start.sh too.)
Add a break into the letsencrypt block so that no more rules are executed. Otherwise, if you have a block like...
## Start of configuration add by letsencrypt container
location /.well-known/acme-challenge/ {
    auth_basic off;
    root /usr/share/nginx/html;
    try_files $uri =404;
}
## End of configuration add by letsencrypt container
if (!-f /code/home/cookies/$cookie_AUTH_COOKIE) {
    rewrite ^ https://auth.example.org break;
}
Then Let's Encrypt never manages to verify the domain as the request gets rewritten to the authentication URL.