safebox/letsencrypt
7
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Enhance letsencrypt configuration and logging functionality
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source 
- Added shared volume for temporary output storage
- Implemented logging of letsencrypt output to a file
- Created JSON log entries for certificate creation status
- Improved handling of domain checks and output file initialization
This commit is contained in:
gyurix
2025-03-08 11:31:03 +01:00
parent 59cfb9b619
commit 815c154a28
2 changed files with 93 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

111
letsencrypt.json
View File

@@ -1,49 +1,64 @@
{ {
"main": { "main": {
"SERVICE_NAME": "letsencrypt", "SERVICE_NAME": "letsencrypt",
"DOMAIN": "null" "DOMAIN": "null"
}, },
"networks": [ "networks": [
{ {
"NAME": "letsencrypt", "NAME": "letsencrypt",
"DRIVER": "bridge", "DRIVER": "bridge",
"SUBNET": "172.18.254.0/24", "SUBNET": "172.18.254.0/24",
"RANGE": "172.18.254.0/24", "RANGE": "172.18.254.0/24",
"GATEWAY": "172.18.254.1" "GATEWAY": "172.18.254.1"
} }
], ],
"containers": [ "containers": [
{ {
"IMAGE": "registry.format.hu/letsencrypt", "IMAGE": "registry.format.hu/letsencrypt",
"NAME": "letsencrypt", "NAME": "letsencrypt",
"MEMORY": "64M", "MEMORY": "64M",
"IP": "172.18.254.254", "IP": "172.18.254.254",
"NETWORK": "letsencrypt", "NETWORK": "letsencrypt",
"VOLUMES": [ "VOLUMES": [
{ {
"SOURCE": "/etc/system/data/ssl/keys/", "SOURCE": "/etc/system/data/ssl/keys/",
"DEST": "/acme.sh/", "DEST": "/acme.sh/",
"TYPE": "rw" "TYPE": "rw"
}, },
{ {
"SOURCE": "/etc/user/config/domains", "SOURCE": "SHARED",
"DEST": "/domains", "DEST": "/var/tmp/shared",
"TYPE": "ro" "TYPE": "rw"
} },
], {
"PORTS": [ ], "SOURCE": "/etc/user/config/domains",
"ENV_FILES": [ "/etc/user/config/user.json" ], "DEST": "/domains",
"READYNESS": [ "TYPE": "ro"
{"tcp": ""}, }
{"HTTP": ""}, ],
{"EXEC": "/ready.sh"} "PORTS": [],
], "ENV_FILES": [
"EXTRA": "", "/etc/user/config/user.json"
"DEPEND": "null", ],
"START_ON_BOOT": "false", "READYNESS": [
"CMD": "null", {
"PRE_START": "null", "tcp": ""
"POST_START": [ "firewall-29eexhrh" ] },
} {
] "HTTP": ""
} },
{
"EXEC": "/ready.sh"
}
],
"EXTRA": "",
"DEPEND": "null",
"START_ON_BOOT": "false",
"CMD": "null",
"PRE_START": "null",
"POST_START": [
"firewall-29eexhrh"
]
}
]
}

33
start.letsencrypt.sh
View File

@@ -3,6 +3,13 @@
email="-m $EMAIL" email="-m $EMAIL"
DOMAIN=$DOMAIN DOMAIN=$DOMAIN
LOG_DIR=/var/tmp/shared/output
LOG_FILE=$LOG_DIR/letsencrypt.txt
LETSENCRYPT_OUTPUT=$LOG_DIR/letsencrypt.json
DATE=$(date +"%Y-%m-%d-%H-%M")
echo "email $EMAIL" echo "email $EMAIL"
echo "DOMAIN: $DOMAIN" echo "DOMAIN: $DOMAIN"
@@ -33,12 +40,22 @@ sending_error_msg() {
echo "there was unsucessfuly created "$DOMAIN" at date: "$DATE; echo "there was unsucessfuly created "$DOMAIN" at date: "$DATE;
} }
create_json() {
LOG=$(cat $LOG_FILE | base64 -w0)
TMP_FILE=$(mktemp)
install -m 664 -g 65534 /dev/null $TMP_FILE
jq 'if . == null or . == [] then [{"domain": "'$DOMAIN'", "date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}] else . + [{"domain": "'$DOMAIN'",
"date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}] end' $LETSENCRYPT_OUTPUT > $TMP_FILE
mv $TMP_FILE $LETSENCRYPT_OUTPUT
rm $TMP_FILE
}
start_letsencrypt() { start_letsencrypt() {
cd /root cd /root
curl https://get.acme.sh | sh -s email=$EMAIL curl https://get.acme.sh | sh -s email=$EMAIL
cd /root/.acme.sh cd /root/.acme.sh
chmod a+x ./acme.sh chmod a+x ./acme.sh
RESPONSE=$(./acme.sh $L_S $EK $EHK --issue --standalone --keylength 4096 -d $DOMAIN --cert-file /etc/ssl/keys/$DOMAIN/cert.pem --key-file /etc/ssl/keys/$DOMAIN/key.pem --fullchain-file /etc/ssl/keys/$DOMAIN/fullchain.pem); RESPONSE=$(./acme.sh $L_S $EK $EHK --issue --standalone --keylength 4096 -d $DOMAIN --cert-file /etc/ssl/keys/$DOMAIN/cert.pem --key-file /etc/ssl/keys/$DOMAIN/key.pem --fullchain-file /etc/ssl/keys/$DOMAIN/fullchain.pem > $LOG_FILE);
if [[ "$(echo $?)" == "1" ]]; then if [[ "$(echo $?)" == "1" ]]; then
for retries in $(seq 0 $((RESTART + 1))); do for retries in $(seq 0 $((RESTART + 1))); do
if [[ $retries -le $RESTART ]] ; then if [[ $retries -le $RESTART ]] ; then
@@ -47,7 +64,7 @@ start_letsencrypt() {
SUBJECT=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -text -noout |grep -w CN |grep Subject | cut -d '=' -f2); SUBJECT=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -text -noout |grep -w CN |grep Subject | cut -d '=' -f2);
if [ "$ISSUER" == "$SUBJECT" ]; then if [ "$ISSUER" == "$SUBJECT" ]; then
echo "Self signed certificate found"; echo "Self signed certificate found";
RESPONSE=$(./acme.sh $L_S $EK $EHK --issue --standalone --keylength 4096 -d $DOMAIN --cert-file /etc/ssl/keys/$DOMAIN/cert.pem --key-file /etc/ssl/keys/$DOMAIN/key.pem --fullchain-file /etc/ssl/keys/$DOMAIN/fullchain.pem); RESPONSE=$(./acme.sh $L_S $EK $EHK --issue --standalone --keylength 4096 -d $DOMAIN --cert-file /etc/ssl/keys/$DOMAIN/cert.pem --key-file /etc/ssl/keys/$DOMAIN/key.pem --fullchain-file /etc/ssl/keys/$DOMAIN/fullchain.pem >> $LOG_FILE);
if [[ "$(echo $?)" != "1" ]]; then if [[ "$(echo $?)" != "1" ]]; then
sleep $TIMEOUT; sleep $TIMEOUT;
echo "Restarting number is only: "$retries" so try again" echo "Restarting number is only: "$retries" so try again"
@@ -58,11 +75,17 @@ start_letsencrypt() {
fi fi
else else
echo "Reached retrying limit: "$RESTART" ,giving up" echo "Reached retrying limit: "$RESTART" ,giving up"
echo "Creating log json from letsencrypt output"
STATUS=failed
create_json $STATUS
fi fi
done done
else else
echo "Created or renew successfuly the certificate for $DOMAIN" echo "Created or renew successfuly the certificate for $DOMAIN"
echo "Creating log json from letsencrypt output"
STATUS=success
create_json $STATUS
fi fi
} }
@@ -82,11 +105,15 @@ check_new_cert() {
} }
LETSENCRYPT_FILE=$(find /etc/ssl/keys/ -type f -name letsencrypt); LETSENCRYPT_FILE=$(find /etc/ssl/keys/ -type f -name letsencrypt);
if [ -n "$LETSENCRYPT_FILE" ] ; then if [ -n "$LETSENCRYPT_FILE" ] || [ "$DOMAIN" != "" ] ; then
DOMAIN=$(jq -r .DOMAIN $LETSENCRYPT_FILE) ; DOMAIN=$(jq -r .DOMAIN $LETSENCRYPT_FILE) ;
rm $LETSENCRYPT_FILE; rm $LETSENCRYPT_FILE;
ORIGINAL=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout) ORIGINAL=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout)
if [ "$DOMAIN" != "localhost" ]; then if [ "$DOMAIN" != "localhost" ]; then
if [ ! -f $LETSENCRYPT_OUTPUT ] then
install -m 664 -g 65534 /dev/null $LETSENCRYPT_OUTPUT
echo '[]' > $LETSENCRYPT_OUTPUT
fi
start_letsencrypt; start_letsencrypt;
check_new_cert check_new_cert
fi fi