Compare commits
25 Commits
b0c96bb546
...
master
| Author | SHA1 | Date | |
|---|---|---|---|
|
513b8ecde5 | ||
|
|
5d2a782201 | ||
|
|
6d219eaa6c | ||
|
|
8fa324553d | ||
|
|
7274cab64f | ||
|
|
3f2d75c086 | ||
|
|
0c3dccfa26 | ||
|
|
d682f43489 | ||
|
|
2653583702 | ||
| 14a6e628fc | |||
|
|
e558ae96e8 | ||
|
|
815c154a28 | ||
| 59cfb9b619 | |||
| 1c25dc156a | |||
|
6e9f7542c4 | ||
| c6c5007ebb | |||
| e695bff6bd | |||
| 8e6c875d64 | |||
| e33c7c2d6a | |||
| 63d9f76cbb | |||
| 6194a9dfe3 | |||
| 74aa62abc4 | |||
| e5bfb9299c | |||
| 33b2570a98 | |||
| 91e715f5cf |
47
.drone.yml
Normal file
47
.drone.yml
Normal file
@@ -0,0 +1,47 @@
|
||||
kind: pipeline
|
||||
type: kubernetes
|
||||
name: default
|
||||
|
||||
node_selector:
|
||||
physical-node: dev2
|
||||
|
||||
trigger:
|
||||
branch:
|
||||
- master
|
||||
event:
|
||||
- push
|
||||
workspace:
|
||||
path: /drone/src
|
||||
|
||||
steps:
|
||||
- name: build multiarch from dev
|
||||
image: docker.io/owncloudci/drone-docker-buildx:4
|
||||
privileged: true
|
||||
settings:
|
||||
cache-from: [ "registry.dev.format.hu/letsencrypt" ]
|
||||
registry: registry.dev.format.hu
|
||||
repo: registry.dev.format.hu/letsencrypt
|
||||
tags: latest
|
||||
dockerfile: Dockerfile
|
||||
username:
|
||||
from_secret: dev-hu-registry-username
|
||||
password:
|
||||
from_secret: dev-hu-registry-password
|
||||
platforms:
|
||||
- linux/amd64
|
||||
- linux/arm64
|
||||
|
||||
- name: pull image to dockerhub
|
||||
image: docker.io/owncloudci/drone-docker-buildx:4
|
||||
privileged: true
|
||||
settings:
|
||||
cache-from: [ "safebox/letsencrypt" ]
|
||||
repo: safebox/letsencrypt
|
||||
tags: latest
|
||||
username:
|
||||
from_secret: dockerhub-username
|
||||
password:
|
||||
from_secret: dockerhub-password
|
||||
platforms:
|
||||
- linux/amd64
|
||||
- linux/arm64
|
||||
@@ -1,7 +1,6 @@
|
||||
FROM neilpang/acme.sh:latest
|
||||
MAINTAINER gyurix
|
||||
FROM alpine
|
||||
|
||||
RUN apk update && apk add --no-cache jq
|
||||
RUN apk update && apk add --no-cache jq curl openssl socat
|
||||
COPY ./start.letsencrypt.sh /start.letsencrypt.sh
|
||||
|
||||
ENTRYPOINT ["/start.letsencrypt.sh"]
|
||||
|
||||
65
firewall-29eexhrh.json
Normal file
65
firewall-29eexhrh.json
Normal file
@@ -0,0 +1,65 @@
|
||||
{
|
||||
"main": {
|
||||
"SERVICE_NAME": "firewalls",
|
||||
"DOMAIN": "null"
|
||||
},
|
||||
"containers": [
|
||||
{
|
||||
"IMAGE": "registry.format.hu/firewall",
|
||||
"NAME": "null",
|
||||
"MEMORY": "64M",
|
||||
"IP": "null",
|
||||
"NETWORK": "host",
|
||||
"VOLUMES": [
|
||||
{
|
||||
"SOURCE": "/run/",
|
||||
"DEST": "/run/",
|
||||
"TYPE": "rw"
|
||||
},
|
||||
{
|
||||
"SOURCE": "/etc/user/config/services",
|
||||
"DEST": "/services",
|
||||
"TYPE": "ro"
|
||||
}
|
||||
],
|
||||
"PORTS": [ ],
|
||||
"READYNESS": [
|
||||
{"tcp": ""},
|
||||
{"HTTP": ""},
|
||||
{"EXEC": "/ready.sh"}
|
||||
],
|
||||
"ENVS": [
|
||||
{
|
||||
"NAME": "CHAIN",
|
||||
"VALUE": "DOCKER-USER"
|
||||
},
|
||||
{
|
||||
"NAME": "SOURCE_IP",
|
||||
"VALUE": "172.18.100.2"
|
||||
},
|
||||
{
|
||||
"NAME": "TARGET_IP",
|
||||
"VALUE": "172.18.254.254"
|
||||
},
|
||||
{
|
||||
"NAME": "TYPE",
|
||||
"VALUE": "tcp"
|
||||
},
|
||||
{
|
||||
"NAME": "TARGET_PORT",
|
||||
"VALUE": "80"
|
||||
},
|
||||
{
|
||||
"NAME": "COMMENT",
|
||||
"VALUE": "29eexhrh"
|
||||
}
|
||||
],
|
||||
"EXTRA": "--privileged",
|
||||
"DEPEND": "null",
|
||||
"START_ON_BOOT": "false",
|
||||
"CMD": "null",
|
||||
"PRE_START": "null",
|
||||
"POST_START": "null"
|
||||
}
|
||||
]
|
||||
}
|
||||
64
letsencrypt.json
Normal file
64
letsencrypt.json
Normal file
@@ -0,0 +1,64 @@
|
||||
{
|
||||
"main": {
|
||||
"SERVICE_NAME": "letsencrypt",
|
||||
"DOMAIN": "null"
|
||||
},
|
||||
"networks": [
|
||||
{
|
||||
"NAME": "letsencrypt",
|
||||
"DRIVER": "bridge",
|
||||
"SUBNET": "172.18.254.0/24",
|
||||
"RANGE": "172.18.254.0/24",
|
||||
"GATEWAY": "172.18.254.1"
|
||||
}
|
||||
],
|
||||
"containers": [
|
||||
{
|
||||
"IMAGE": "registry.format.hu/letsencrypt",
|
||||
"NAME": "letsencrypt",
|
||||
"MEMORY": "64M",
|
||||
"IP": "172.18.254.254",
|
||||
"NETWORK": "letsencrypt",
|
||||
"VOLUMES": [
|
||||
{
|
||||
"SOURCE": "/etc/system/data/ssl/keys/",
|
||||
"DEST": "/acme.sh/",
|
||||
"TYPE": "rw"
|
||||
},
|
||||
{
|
||||
"SOURCE": "SHARED",
|
||||
"DEST": "/var/tmp/shared",
|
||||
"TYPE": "rw"
|
||||
},
|
||||
{
|
||||
"SOURCE": "/etc/user/config/domains",
|
||||
"DEST": "/domains",
|
||||
"TYPE": "ro"
|
||||
}
|
||||
],
|
||||
"PORTS": [],
|
||||
"ENV_FILES": [
|
||||
"/etc/user/config/user.json"
|
||||
],
|
||||
"READYNESS": [
|
||||
{
|
||||
"tcp": ""
|
||||
},
|
||||
{
|
||||
"HTTP": ""
|
||||
},
|
||||
{
|
||||
"EXEC": "/ready.sh"
|
||||
}
|
||||
],
|
||||
"EXTRA": "",
|
||||
"DEPEND": "null",
|
||||
"START_ON_BOOT": "false",
|
||||
"CMD": "null",
|
||||
"PRE_START": "null",
|
||||
"POST_START": [
|
||||
"firewall-29eexhrh"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,49 +1,165 @@
|
||||
#!/bin/sh
|
||||
|
||||
email=$EMAIL
|
||||
email="-m $EMAIL"
|
||||
DOMAIN=$DOMAIN
|
||||
|
||||
start_letsencrypt() {
|
||||
LOG_DIR=/var/tmp/shared/output
|
||||
LOG_FILE=$LOG_DIR/letsencrypt.txt
|
||||
LETSENCRYPT_OUTPUT=$LOG_DIR/letsencrypt.json
|
||||
DATE=$(date +"%Y-%m-%d-%H-%M")
|
||||
|
||||
mkdir -p /acme.sh/$DOMAIN/ ;
|
||||
echo "email $EMAIL"
|
||||
echo "DOMAIN: $DOMAIN"
|
||||
|
||||
ACME_PARAMS="--issue --standalone --keylength 4096 -d $DOMAIN --cert-file /acme.sh/$DOMAIN/cert.pem --key-file /acme.sh/$DOMAIN/key.pem --fullchain-file /acme.sh/$DOMAIN/fullchain.pem"
|
||||
|
||||
if acme.sh --register-account -m $email $ACME_PARAMS | grep 'Already registered' ; then
|
||||
|
||||
acme.sh $ACME_PARAMS ;
|
||||
fi
|
||||
|
||||
#mkdir -p /acme.sh/$DOMAIN/ecc-certs ;
|
||||
|
||||
#acme.sh --issue --standalone --keylength ec-384 -d $DOMAIN --cert-file /acme.sh/$DOMAIN/ecc-certs/cert.pem --key-file /acme.sh/$DOMAIN/ecc-certs/key.pem --fullchain-file /acme.sh/$DOMAIN/ecc-certs/fullchain.pem
|
||||
|
||||
}
|
||||
|
||||
LETSENCRYPT_FILE=$(find /acme.sh/ -type f -name letsencrypt);
|
||||
if [ -n "$LETSENCRYPT_FILE" ] ; then
|
||||
DOMAIN=$(jq -r .DOMAIN $LETSENCRYPT_FILE) ;
|
||||
start_letsencrypt;
|
||||
rm $LETSENCRYPT_FILE;
|
||||
else
|
||||
cd /domains
|
||||
for i in `ls` ; do
|
||||
DOMAIN=$(jq -r .DOMAIN $i) ;
|
||||
if [[ -f /acme.sh/$DOMAIN/key.pem && -f /acme.sh/$DOMAIN/fullchain.pem && -f /acme.sh/$DOMAIN/cert.pem ]] ; then
|
||||
start_letsencrypt ;
|
||||
touch /acme.sh/$DOMAIN/renew_certificate;
|
||||
else
|
||||
start_letsencrypt;
|
||||
if [[ -f /acme.sh/$DOMAIN/key.pem && -f /acme.sh/$DOMAIN/fullchain.pem && -f /acme.sh/$DOMAIN/cert.pem ]] ; then
|
||||
touch /acme.sh/$DOMAIN/new_certificate;
|
||||
|
||||
else
|
||||
while [[ ! -f /acme.sh/$DOMAIN/key.pem || ! -f /acme.sh/$DOMAIN/fullchain.pem || ! -f /acme.sh/$DOMAIN/cert.pem ]] ; do
|
||||
sleep 10;
|
||||
start_letsencrypt ;
|
||||
done
|
||||
fi
|
||||
fi
|
||||
done ;
|
||||
if [ "$LETSENCRYPT_SERVER" != "" ]; then
|
||||
L_S="--server $LETSENCRYPT_SERVER"
|
||||
fi
|
||||
|
||||
if [ "$EAB_KID" != "" ]; then
|
||||
EK="--eab-kid $EAB_KID"
|
||||
fi
|
||||
|
||||
if [ "$EAB_HMAC_KEY" != "" ]; then
|
||||
EHK="--eab-hmac-key $EAB_HMAC_KEY"
|
||||
fi
|
||||
|
||||
TIMEOUT=$TIMEOUT
|
||||
if [[ -z "$TIMEOUT" ]]; then
|
||||
TIMEOUT=10
|
||||
fi
|
||||
|
||||
RESTART=$RESTART
|
||||
if [[ -z "$RESTART" ]]; then
|
||||
RESTART=5
|
||||
fi
|
||||
|
||||
sending_error_msg() {
|
||||
|
||||
echo "there was unsucessfuly created "$DOMAIN" at date: "$DATE
|
||||
}
|
||||
|
||||
create_json() {
|
||||
LOG=$(cat $LOG_FILE | base64 -w0)
|
||||
TMP_FILE=$(mktemp)
|
||||
jq '
|
||||
if . == null or . == [] then
|
||||
{"'$DOMAIN'":{"date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}}
|
||||
else
|
||||
. + {"'$DOMAIN'": {"date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}}
|
||||
end
|
||||
' $LETSENCRYPT_OUTPUT >$TMP_FILE
|
||||
cat $TMP_FILE >$LETSENCRYPT_OUTPUT
|
||||
rm $TMP_FILE
|
||||
}
|
||||
|
||||
start_letsencrypt() {
|
||||
cd /root
|
||||
if [ "$LETSENCRYPT_INSTALLED" != "true" ]; then
|
||||
curl https://get.acme.sh | sh -s email=$EMAIL
|
||||
LETSENCRYPT_INSTALLED=true
|
||||
fi
|
||||
|
||||
sh /root/.acme.sh/acme.sh $L_S $EK $EHK --issue --standalone --keylength 4096 -d $DOMAIN --cert-file /acme.sh/$DOMAIN/cert.pem --key-file /acme.sh/$DOMAIN/key.pem --fullchain-file /acme.sh/$DOMAIN/fullchain.pem >$LOG_FILE 2>&1
|
||||
RESPONSE=$?
|
||||
echo "OUTPOUT: $RESPONSE"
|
||||
if [[ "$(echo $RESPONSE)" == "1" ]]; then
|
||||
for retries in $(seq 0 $((RESTART + 1))); do
|
||||
if [[ $retries -le $RESTART ]]; then
|
||||
# Check certificate issuer
|
||||
ISSUER=$(openssl x509 -in /acme.sh/$DOMAIN/fullchain.pem -text -noout | grep -w CN | grep Issuer | cut -d '=' -f2)
|
||||
SUBJECT=$(openssl x509 -in /acme.sh/$DOMAIN/fullchain.pem -text -noout | grep -w CN | grep Subject | cut -d '=' -f2)
|
||||
if [ "$ISSUER" == "$SUBJECT" ]; then
|
||||
echo "Self signed certificate found"
|
||||
sh /root/.acme.sh/acme.sh $L_S $EK $EHK --issue --standalone --keylength 4096 -d $DOMAIN --cert-file /acme.sh/$DOMAIN/cert.pem --key-file /acme.sh/$DOMAIN/key.pem --fullchain-file /acme.sh/$DOMAIN/fullchain.pem >>$LOG_FILE 2>&1
|
||||
RESPONSE=$?
|
||||
if [[ "$(echo $RESPONSE)" == "1" ]]; then
|
||||
sleep $TIMEOUT
|
||||
echo "Restarting number is only: "$retries" so try again"
|
||||
else
|
||||
echo "Created or renew successfuly the certificate for $DOMAIN"
|
||||
echo "Creating log json from letsencrypt output"
|
||||
STATUS=success
|
||||
create_json $STATUS
|
||||
break
|
||||
fi
|
||||
else
|
||||
sleep $TIMEOUT
|
||||
echo "Restarting number is only: "$retries" so try again"
|
||||
fi
|
||||
else
|
||||
echo "Reached retrying limit: "$RESTART" ,giving up"
|
||||
echo "Creating log json from letsencrypt output"
|
||||
STATUS=failed
|
||||
create_json $STATUS
|
||||
fi
|
||||
|
||||
done
|
||||
else
|
||||
echo "Created or renew successfuly the certificate for $DOMAIN"
|
||||
echo "Creating log json from letsencrypt output"
|
||||
STATUS=success
|
||||
create_json $STATUS
|
||||
fi
|
||||
}
|
||||
|
||||
check_new_cert() {
|
||||
#DATE=$(date +%s)
|
||||
if [[ -f /acme.sh/$DOMAIN/key.pem && -f /acme.sh/$DOMAIN/fullchain.pem && -f /acme.sh/$DOMAIN/cert.pem ]]; then
|
||||
#D1=$(date -r /acme.sh/$DOMAIN/fullchain.pem +%s)
|
||||
#DIFF=$(expr $DATE - $D1);
|
||||
#if [ $DIFF < 3600 ]; then touch /acme.sh/$DOMAIN/new_certificate; fi
|
||||
NEW=$(openssl x509 -in /acme.sh/$DOMAIN/fullchain.pem -fingerprint -noout)
|
||||
if [ "$ORIGINAL" != "$NEW" ]; then
|
||||
touch /acme.sh/$DOMAIN/new_certificate
|
||||
fi
|
||||
else
|
||||
sending_error_msg $DOMAIN $DATE
|
||||
fi
|
||||
}
|
||||
|
||||
LETSENCRYPT_FILES=$(find /acme.sh/ -type f -name letsencrypt)
|
||||
|
||||
if [ "$DOMAIN" != "localhost" ]; then
|
||||
if [ ! -f $LETSENCRYPT_OUTPUT ]; then
|
||||
install -m 664 -g 65534 /dev/null $LETSENCRYPT_OUTPUT
|
||||
echo '{}' >$LETSENCRYPT_OUTPUT
|
||||
fi
|
||||
|
||||
if [ "$DOMAIN" != "" ]; then
|
||||
echo "DOMAIN: $DOMAIN"
|
||||
echo "domain exists"
|
||||
ORIGINAL=$(openssl x509 -in /acme.sh/$DOMAIN/fullchain.pem -fingerprint -noout)
|
||||
if [ "$DOMAIN" != "localhost" ]; then
|
||||
start_letsencrypt
|
||||
check_new_cert
|
||||
fi
|
||||
|
||||
elif [ -n "$LETSENCRYPT_FILES" ]; then
|
||||
echo "letsencrypt files exist"
|
||||
for LETSENCRYPT_FILE in $(echo $LETSENCRYPT_FILES); do
|
||||
DOMAIN=$(jq -r .DOMAIN $LETSENCRYPT_FILE)
|
||||
echo "DOMAIN: $DOMAIN"
|
||||
for DOMAIN in $(echo $DOMAIN); do
|
||||
ORIGINAL=$(openssl x509 -in /acme.sh/$DOMAIN/fullchain.pem -fingerprint -noout)
|
||||
start_letsencrypt $DOMAIN
|
||||
check_new_cert
|
||||
DOMAIN=""
|
||||
done
|
||||
done
|
||||
|
||||
else
|
||||
DOMAIN_FILE=""
|
||||
echo "no any new created domain exists try renew all"
|
||||
for DOMAIN_FILE in $(ls /domains); do
|
||||
cd /domains
|
||||
echo "DOMAIN_FILE: $(basename $DOMAIN_FILE)"
|
||||
DOMAIN=$(jq -r .DOMAIN $DOMAIN_FILE)
|
||||
echo "DOMAIN: $DOMAIN"
|
||||
if [ "$DOMAIN" != "localhost" ]; then
|
||||
ORIGINAL=$(openssl x509 -in /acme.sh/$DOMAIN/fullchain.pem -fingerprint -noout)
|
||||
start_letsencrypt $DOMAIN
|
||||
check_new_cert
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
Reference in New Issue
Block a user