Add standalone certificate feature

buchdag · buchdag · commit 8a936cc4feb5 · 2020-05-10T19:35:59.000+02:00
Standalone certificates are generated from a static user provided
configuration file rather than from the dynamicaly generated (from
running containers environment variables) letsencrypt_service_data file.
diff --git a/app/entrypoint.sh b/app/entrypoint.sh
@@ -161,6 +161,7 @@ if [[ "$*" == "/bin/bash /app/start.sh" ]]; then
     check_writable_directory '/etc/nginx/certs'
     check_writable_directory '/etc/nginx/vhost.d'
     check_writable_directory '/usr/share/nginx/html'
+    [[ -f /app/letsencrypt_user_data ]] && check_writable_directory '/etc/nginx/conf.d'
     check_deprecated_env_var
     check_default_cert_key
     check_dh_group
diff --git a/app/functions.sh b/app/functions.sh
@@ -102,6 +102,39 @@ function add_location_configuration {
     fi
 }
 
+function add_standalone_configuration {
+    local domain="${1:?}"
+    if grep -q $domain "/etc/nginx/conf.d/default.conf"; then
+        # If the domain is already present in nginx's conf, use the location configuration.
+        add_location_configuration "$domain"
+    else
+        # Else use the standalone configuration.
+        cat > "/etc/nginx/conf.d/standalone-cert-$domain.conf" << EOF
+server {
+    server_name $domain;
+    listen 80;
+    access_log /var/log/nginx/access.log vhost;
+    location ^~ /.well-known/acme-challenge/ {
+        auth_basic off;
+        allow all;
+        root /usr/share/nginx/html;
+        try_files \$uri =404;
+        break;
+    }
+}
+EOF
+    fi
+}
+
+function remove_all_standalone_configurations {
+    local old_shopt_options=$(shopt -p) # Backup shopt options
+    shopt -s nullglob
+    for file in "/etc/nginx/conf.d/standalone-cert-"*".conf"; do
+      rm -f "$file"
+    done
+    eval "$old_shopt_options" # Restore shopt options
+}
+
 function remove_all_location_configurations {
     for file in "${VHOST_DIR}"/*; do
         [[ -e "$file" ]] || continue
diff --git a/app/letsencrypt_service b/app/letsencrypt_service
@@ -50,6 +50,8 @@ function create_links {
 }
 
 function cleanup_links {
+    local -a LETSENCRYPT_CONTAINERS
+    local -a LETSENCRYPT_STANDALONE_CERTS
     local -a ENABLED_DOMAINS
     local -a SYMLINKED_DOMAINS
     local -a DISABLED_DOMAINS
@@ -65,9 +67,10 @@ function cleanup_links {
     [[ "$DEBUG" == true ]] && echo "Symlinked domains: ${SYMLINKED_DOMAINS[*]}"
 
     # Create an array containing domains that are considered
-    # enabled (ie present on /app/letsencrypt_service_data).
-    # shellcheck source=/dev/null
-    source /app/letsencrypt_service_data
+    # enabled (ie present on /app/letsencrypt_service_data or /app/letsencrypt_user_data).
+    [[ -f /app/letsencrypt_service_data ]] && source /app/letsencrypt_service_data
+    [[ -f /app/letsencrypt_user_data ]] && source /app/letsencrypt_user_data
+    LETSENCRYPT_CONTAINERS+=( "${LETSENCRYPT_STANDALONE_CERTS[@]}" )
     for cid in "${LETSENCRYPT_CONTAINERS[@]}"; do
       host_varname="LETSENCRYPT_${cid}_HOST"
       hosts_array="${host_varname}[@]"
@@ -80,7 +83,7 @@ function cleanup_links {
 
     # Create an array containing only domains for which a symlinked private key exists
     # in /etc/nginx/certs but that no longer have a corresponding LETSENCRYPT_HOST set
-    # on an active container.
+    # on an active container or on /app/letsencrypt_user_data
     if [[ ${#SYMLINKED_DOMAINS[@]} -gt 0 ]]; then
         mapfile -t DISABLED_DOMAINS < <(echo "${SYMLINKED_DOMAINS[@]}" \
                                              "${ENABLED_DOMAINS[@]}" \
@@ -120,15 +123,34 @@ function cleanup_links {
 }
 
 function update_certs {
+    local -a LETSENCRYPT_CONTAINERS
+    local -a LETSENCRYPT_STANDALONE_CERTS
 
     check_nginx_proxy_container_run || return
 
-    [[ -f /app/letsencrypt_service_data ]] || return
-
     # Load relevant container settings
-    unset LETSENCRYPT_CONTAINERS
-    # shellcheck source=/dev/null
-    source /app/letsencrypt_service_data
+    if [[ -f /app/letsencrypt_service_data ]]; then
+        source /app/letsencrypt_service_data
+    else
+        echo "Warning: /app/letsencrypt_service_data not found, skipping data from containers."
+    fi
+
+    # Load settings for standalone certs
+    if [[ -f /app/letsencrypt_user_data ]]; then
+        if source /app/letsencrypt_user_data; then
+            for cid in "${LETSENCRYPT_STANDALONE_CERTS[@]}"; do
+                host_varname="LETSENCRYPT_${cid}_HOST"
+                hosts_array="${host_varname}[@]"
+                for domain in "${!hosts_array}"; do
+                    add_standalone_configuration "$domain"
+                done
+            done
+            reload_nginx
+            LETSENCRYPT_CONTAINERS+=( "${LETSENCRYPT_STANDALONE_CERTS[@]}" )
+        else
+            echo "Warning: could not source /app/letsencrypt_user_data, skipping user data"
+        fi
+    fi
 
     should_reload_nginx='false'
     for cid in "${LETSENCRYPT_CONTAINERS[@]}"; do
@@ -145,15 +167,15 @@ function update_certs {
 
         # Use container's LETSENCRYPT_EMAIL if set, fallback to DEFAULT_EMAIL
         email_varname="LETSENCRYPT_${cid}_EMAIL"
-        email_address="${!email_varname}"
+        email_address="${!email_varname:-"<no value>"}"
         if [[ "$email_address" != "<no value>" ]]; then
             params_d_arr+=(--email "$email_address")
         elif [[ -n "${DEFAULT_EMAIL:-}" ]]; then
             params_d_arr+=(--email "$DEFAULT_EMAIL")
         fi
 
         keysize_varname="LETSENCRYPT_${cid}_KEYSIZE"
-        cert_keysize="${!keysize_varname}"
+        cert_keysize="${!keysize_varname:-"<no value>"}"
         if [[ "$cert_keysize" == "<no value>" ]]; then
             cert_keysize=$DEFAULT_KEY_SIZE
         fi
@@ -173,7 +195,7 @@ function update_certs {
         fi
 
         account_varname="LETSENCRYPT_${cid}_ACCOUNT_ALIAS"
-        account_alias="${!account_varname}"
+        account_alias="${!account_varname:-"<no value>"}"
         if [[ "$account_alias" == "<no value>" ]]; then
             account_alias=default
         fi
@@ -182,7 +204,7 @@ function update_certs {
         [[ $REUSE_PRIVATE_KEYS == true ]] && params_d_arr+=(--reuse_key)
         
         min_validity="LETSENCRYPT_${cid}_MIN_VALIDITY"
-        min_validity="${!min_validity}"
+        min_validity="${!min_validity:-"<no value>"}"
         if [[ "$min_validity" == "<no value>" ]]; then
             min_validity=$DEFAULT_MIN_VALIDITY
         fi
@@ -310,6 +332,13 @@ function update_certs {
             docker_restart "${cid}"
         fi
 
+        for domain in "${!hosts_array}"; do
+            if [[ -f "/etc/nginx/conf.d/standalone-cert-$domain.conf" ]]; then
+                [[ $DEBUG == true ]] && echo "Debug: removing standalone configuration file /etc/nginx/conf.d/standalone-cert-$domain.conf"
+                rm -f "/etc/nginx/conf.d/standalone-cert-$domain.conf" && should_reload_nginx='true'
+            fi
+        done
+
     done
 
     cleanup_links && should_reload_nginx='true'
diff --git a/app/start.sh b/app/start.sh
@@ -8,6 +8,7 @@ term_handler() {
     # shellcheck source=functions.sh
     source /app/functions.sh
     remove_all_location_configurations
+    remove_all_standalone_configurations
 
     exit 0
 }

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ term_handler() {`
`8`	`8`	`# shellcheck source=functions.sh`
`9`	`9`	`source /app/functions.sh`
`10`	`10`	`remove_all_location_configurations`
	`11`	`+ remove_all_standalone_configurations`
`11`	`12`
`12`	`13`	`exit 0`
`13`	`14`	`}`