From 7e103de4690f281aa21a160a46c354f7d0793b8b Mon Sep 17 00:00:00 2001 From: Alexander Merck Date: Wed, 5 Dec 2018 10:41:51 -0500 Subject: [PATCH 1/4] Removed nginx startup before certbot run --- nginx.run | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/nginx.run b/nginx.run index d0d0cb8..97bb859 100644 --- a/nginx.run +++ b/nginx.run @@ -10,7 +10,7 @@ trap "exit 130" SIGINT trap "exit 137" SIGKILL trap "exit 143" SIGTERM -PIDFILE=/var/run/nginx.pid +PIDFILE=/run/nginx.pid SERVER_BASE_URL=${SERVER_BASE_URL:-http://$(curl http://httpbin.org/ip | jq -r .origin)} SERVER=$(echo ${SERVER_BASE_URL} | awk -F/ '{print $3}') @@ -31,14 +31,10 @@ then # directories exist and certs is empty, let's put in a cert # We'll use a self-signed to start, and let LetsEncrypt replace openssl req -x509 -newkey rsa:4096 -keyout /etc/pki/tls/private/key.pem -out /etc/pki/tls/certs/cert.pem -nodes -days 1 -subj "/CN=${SERVER}" - /usr/sbin/nginx & - sleep 2 ## Note, -ie means inplace, suffix with 'e', '-i -e' means in-place, with no suffix, then run expression sed -i -e "s/#server_name/server_name ${SERVER};/" /etc/nginx/sites-available/default certbot --nginx -n --register-unsafely-without-email --keep-until-expiring --agree-tos --domains ${SERVER} - sleep 1 - pkill nginx fi /usr/sbin/nginx -t -exec /usr/sbin/nginx +exec /usr/sbin/nginx \ No newline at end of file From d676a603c7de0f642d6675f38511d8009d4005c7 Mon Sep 17 00:00:00 2001 From: Jesse Bowling Date: Thu, 6 Dec 2018 09:16:29 -0500 Subject: [PATCH 2/4] Revert "Removed nginx startup before certbot run" --- nginx.run | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/nginx.run b/nginx.run index 97bb859..d0d0cb8 100644 --- a/nginx.run +++ b/nginx.run 
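Review bot: Nothing in this hunk consumes `PIDFILE`, so the new value `/run/nginx.pid` is only right if it matches the `pid` directive nginx actually runs with; on images where `/var/run` is a symlink to `/run` the old and new values name the same file and the change is cosmetic, but it diverges on any image whose nginx configuration still points at `/var/run/nginx.pid`. Consider deriving the path from the configuration instead of hard-coding it, or at least adding `# must match the 'pid' directive in the nginx configuration` above the assignment. The hunk also keeps the unquoted `SERVER_BASE_URL` default that fetches the host's public address over plain HTTP from httpbin.org; that line is unchanged here, but a failed `curl` leaves `SERVER` empty, and that empty value later reaches `-subj "/CN=${SERVER}"` and `--domains ${SERVER}` without any check.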
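Review bot: With the background `/usr/sbin/nginx &` removed, `certbot --nginx` now runs against a stopped nginx; as far as I recall, certbot's nginx plugin falls back to starting nginx itself when its reload fails, and that daemon would still hold the listening ports when the final `exec /usr/sbin/nginx` runs, which would then fail to bind. If the intent is to let certbot manage the server during issuance, the `/usr/sbin/nginx -t` and `exec` lines at the end of the hunk need to handle an nginx that may already be running, e.g. `/usr/sbin/nginx -s quit` followed by a wait for the pid file to disappear before the `exec`. Independently, `certbot`'s exit status is ignored, so a failed issuance silently leaves the one-day self-signed certificate from the `openssl` line in place; `certbot ... || echo "certbot failed, keeping self-signed cert" >&2` would at least surface that in the container log.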
@@ -10,7 +10,7 @@ trap "exit 130" SIGINT trap "exit 137" SIGKILL trap "exit 143" SIGTERM -PIDFILE=/run/nginx.pid +PIDFILE=/var/run/nginx.pid SERVER_BASE_URL=${SERVER_BASE_URL:-http://$(curl http://httpbin.org/ip | jq -r .origin)} SERVER=$(echo ${SERVER_BASE_URL} | awk -F/ '{print $3}') @@ -31,10 +31,14 @@ then # directories exist and certs is empty, let's put in a cert # We'll use a self-signed to start, and let LetsEncrypt replace openssl req -x509 -newkey rsa:4096 -keyout /etc/pki/tls/private/key.pem -out /etc/pki/tls/certs/cert.pem -nodes -days 1 -subj "/CN=${SERVER}" + /usr/sbin/nginx & + sleep 2 ## Note, -ie means inplace, suffix with 'e', '-i -e' means in-place, with no suffix, then run expression sed -i -e "s/#server_name/server_name ${SERVER};/" /etc/nginx/sites-available/default certbot --nginx -n --register-unsafely-without-email --keep-until-expiring --agree-tos --domains ${SERVER} + sleep 1 + pkill nginx fi /usr/sbin/nginx -t -exec /usr/sbin/nginx \ No newline at end of file +exec /usr/sbin/nginx From 19649bb4c3ab0945f339d54b6926c205f3b03483 Mon Sep 17 00:00:00 2001 From: Alexander Merck Date: Thu, 6 Dec 2018 14:18:09 -0500 Subject: [PATCH 3/4] Check for http, localhost, or ip address --- nginx.run | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/nginx.run b/nginx.run index 97bb859..d787342 100644 --- a/nginx.run +++ b/nginx.run 
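Review bot: The restored `sleep 2` / `sleep 1` / `pkill nginx` sequence is racy: `sleep 2` does not guarantee nginx is listening before `certbot --nginx` runs, `pkill nginx` signals every process whose name matches rather than the instance this script started, and nothing waits for that instance to release its ports before `exec /usr/sbin/nginx` at the bottom of the hunk, so the exec can fail with an address-in-use error. Since `PIDFILE` is defined in the preceding hunk, the start and stop can key on it: `until [ -s "$PIDFILE" ]; do sleep 0.2; done` after the background start, and `/usr/sbin/nginx -s quit` followed by `while [ -e "$PIDFILE" ]; do sleep 0.2; done` in place of `sleep 1` / `pkill nginx` (this assumes `PIDFILE` matches the `pid` directive nginx runs with). The same lines reappear in the third patch's hunk at `@@ -25,16 +25,31 @@`, so the fix applies there too.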
@@ -25,16 +25,31 @@ fi mkdir -p /var/log/nginx touch /var/log/nginx/error.log +# Check whether we can generate a certbot cert +USE_CERTBOT=1 +protocol=$(echo ${SERVER_BASE_URL} | awk -F: '{print $1}') +if [[ $protocol == "http" ]] || [[ $SERVER == "localhost" ]] || [[ $SERVER =~ ([0-9]{1,3}\.){3}[0-9]{1,3} ]] +then + USE_CERTBOT=0 +fi + # Test if we should generate a self-signed cert -if [ -d "/etc/pki/tls/certs" ] && [ -d "/etc/pki/tls/private" ] && [ -z "$(ls -A /etc/pki/tls/certs)" ] +if [ -d "/etc/pki/tls/certs" ] && [ -d "/etc/pki/tls/private" ] && [ -z "$(ls -A /etc/pki/tls/certs)" ] then # directories exist and certs is empty, let's put in a cert # We'll use a self-signed to start, and let LetsEncrypt replace openssl req -x509 -newkey rsa:4096 -keyout /etc/pki/tls/private/key.pem -out /etc/pki/tls/certs/cert.pem -nodes -days 1 -subj "/CN=${SERVER}" - ## Note, -ie means inplace, suffix with 'e', '-i -e' means in-place, with no suffix, then run expression - sed -i -e "s/#server_name/server_name ${SERVER};/" /etc/nginx/sites-available/default - certbot --nginx -n --register-unsafely-without-email --keep-until-expiring --agree-tos --domains ${SERVER} + if [ $USE_CERTBOT -ne 0 ] + then + /usr/sbin/nginx & + sleep 2 + ## Note, -ie means inplace, suffix with 'e', '-i -e' means in-place, with no suffix, then run expression + sed -i -e "s/#server_name/server_name ${SERVER};/" /etc/nginx/sites-available/default + certbot --nginx -n --register-unsafely-without-email --keep-until-expiring --agree-tos --domains ${SERVER} + sleep 1 + pkill nginx + fi fi /usr/sbin/nginx -t -exec /usr/sbin/nginx \ No newline at end of file +exec /usr/sbin/nginx From c199a1ddec79ab8b5735a6a6fd93d1252583b110 Mon Sep 17 00:00:00 2001 From: Jesse Bowling Date: Thu, 13 Dec 2018 09:58:33 -0500 Subject: [PATCH 4/4] Adjust boolean logic to be more readable. --- nginx.run | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nginx.run b/nginx.run index ec98eb7..dd91af4 100644 
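Review bot: The `sed` that uncomments `server_name` has moved inside the new `if [ $USE_CERTBOT -ne 0 ]` block, so for the `http`, `localhost` and IP-address cases the default site keeps `#server_name`; if setting `server_name` is still wanted there, move the `sed -i -e "s/#server_name/server_name ${SERVER};/" /etc/nginx/sites-available/default` line above the `USE_CERTBOT` check. The IP test `[[ $SERVER =~ ([0-9]{1,3}\.){3}[0-9]{1,3} ]]` is unanchored, so any hostname that merely contains a dotted quad is also treated as an address; `SERVER` is the URL authority from `awk -F/ '{print $3}'` and may carry a port, so `^([0-9]{1,3}\.){3}[0-9]{1,3}(:[0-9]+)?$` is the intended shape. With certbot skipped, the self-signed certificate from the `openssl ... -days 1` line becomes the permanent one and clients will start rejecting it after a day; that branch wants a longer validity. `$SERVER` and `${SERVER_BASE_URL}` are also expanded unquoted into `echo`, `sed` and `certbot` while the value can originate from the httpbin.org response, so quoting them is worth doing while this block is being touched.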
--- a/nginx.run +++ b/nginx.run @@ -26,11 +26,11 @@ mkdir -p /var/log/nginx touch /var/log/nginx/error.log # Check whether we can generate a certbot cert -USE_CERTBOT=1 +USE_CERTBOT="yes" protocol=$(echo ${SERVER_BASE_URL} | awk -F: '{print $1}') if [[ $protocol == "http" ]] || [[ $SERVER == "localhost" ]] || [[ $SERVER =~ ([0-9]{1,3}\.){3}[0-9]{1,3} ]] then - USE_CERTBOT=0 + USE_CERTBOT="no" fi # Test if we should generate a self-signed cert @@ -39,7 +39,7 @@ then # directories exist and certs is empty, let's put in a cert # We'll use a self-signed to start, and let LetsEncrypt replace openssl req -x509 -newkey rsa:4096 -keyout /etc/pki/tls/private/key.pem -out /etc/pki/tls/certs/cert.pem -nodes -days 1 -subj "/CN=${SERVER}" - if [ $USE_CERTBOT -ne 0 ] + if [ $USE_CERTBOT == "yes" ] then /usr/sbin/nginx & sleep 2
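Review bot: `USE_CERTBOT="yes"` / `"no"` are consumed in the next hunk by `[ $USE_CERTBOT == "yes" ]`, where `==` inside single-bracket `[` is a bash extension rather than POSIX and the variable is unquoted; the `if [[ $protocol == "http" ]]` line just below already uses `[[ ]]`, so `[[ "$USE_CERTBOT" == "yes" ]]` keeps the file consistent at no portability cost the file has not already accepted. A short comment on the assignment would also help a reader, e.g. `# "yes" unless the URL is plain http, localhost, or a bare IP (certbot cannot issue for those)`.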