Fix tls script.
This commit is contained in:
mguschin
@@ -1,57 +1,46 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
# Obtain TLS certificates from Let's Encrypt for evosync.ru
|
# Obtain TLS certificates from Let's Encrypt for evosync.ru
|
||||||
# Run once on first deploy: sudo ./scripts/init-letsencrypt.sh
|
# Run once on first deploy: sudo ./scripts/init-letsencrypt.sh
|
||||||
|
# Requires nginx running on the host with acme-challenge location configured
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
DOMAIN="evosync.ru"
|
DOMAIN="evosync.ru"
|
||||||
EMAIL="${LETSENCRYPT_EMAIL:-admin@evosync.ru}"
|
EMAIL="${LETSENCRYPT_EMAIL:-admin@evosync.ru}"
|
||||||
COMPOSE="docker compose"
|
|
||||||
CERTBOT_DIR="./certbot"
|
CERTBOT_DIR="./certbot"
|
||||||
|
ACME_DIR="/var/www/certbot"
|
||||||
|
|
||||||
echo "==> Creating certbot directories..."
|
echo "==> Creating certbot directories..."
|
||||||
mkdir -p "$CERTBOT_DIR/conf" "$CERTBOT_DIR/www"
|
mkdir -p "$CERTBOT_DIR/conf" "$CERTBOT_DIR/www"
|
||||||
|
|
||||||
echo "==> Starting nginx (HTTP only, for ACME challenge)..."
|
echo "==> Ensuring acme-challenge directory exists on host..."
|
||||||
# Temporarily use a basic config that doesn't require certs
|
sudo mkdir -p "$ACME_DIR"
|
||||||
cat > nginx/nginx-temp.conf <<'TMPCONF'
|
sudo chmod 755 "$ACME_DIR"
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
server_name evosync.ru www.evosync.ru;
|
|
||||||
|
|
||||||
location /.well-known/acme-challenge/ {
|
|
||||||
root /var/www/certbot;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
return 200 'Setting up TLS...';
|
|
||||||
add_header Content-Type text/plain;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
TMPCONF
|
|
||||||
|
|
||||||
$COMPOSE up -d nginx
|
|
||||||
|
|
||||||
echo "==> Requesting certificate from Let's Encrypt..."
|
echo "==> Requesting certificate from Let's Encrypt..."
|
||||||
docker run --rm \
|
sudo certbot certonly \
|
||||||
-v "$(pwd)/$CERTBOT_DIR/conf:/etc/letsencrypt" \
|
|
||||||
-v "$(pwd)/$CERTBOT_DIR/www:/var/www/certbot" \
|
|
||||||
--network "${COMPOSE_PROJECT_NAME:-evo-syncgit}_default" \
|
|
||||||
certbot/certbot certonly \
|
|
||||||
--webroot \
|
--webroot \
|
||||||
--webroot-path=/var/www/certbot \
|
--webroot-path="$ACME_DIR" \
|
||||||
--email "$EMAIL" \
|
--email "$EMAIL" \
|
||||||
--agree-tos \
|
--agree-tos \
|
||||||
--no-eff-email \
|
--no-eff-email \
|
||||||
-d "$DOMAIN" \
|
-d "$DOMAIN" \
|
||||||
-d "www.$DOMAIN"
|
-d "www.$DOMAIN"
|
||||||
|
|
||||||
echo "==> Restoring production nginx config..."
|
echo "==> Copying certificates to project directory..."
|
||||||
rm -f nginx/nginx-temp.conf
|
sudo cp "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" "$CERTBOT_DIR/conf/fullchain.pem"
|
||||||
|
sudo cp "/etc/letsencrypt/live/$DOMAIN/privkey.pem" "$CERTBOT_DIR/conf/privkey.pem"
|
||||||
echo "==> Restarting nginx with TLS..."
|
sudo chown "$(whoami):$(whoami)" "$CERTBOT_DIR/conf"/*.pem
|
||||||
$COMPOSE restart nginx
|
|
||||||
|
|
||||||
echo "==> Done! TLS certificate installed for $DOMAIN"
|
echo "==> Done! TLS certificate installed for $DOMAIN"
|
||||||
|
echo ""
|
||||||
|
echo "Certificate files:"
|
||||||
|
echo " - $CERTBOT_DIR/conf/fullchain.pem"
|
||||||
|
echo " - $CERTBOT_DIR/conf/privkey.pem"
|
||||||
|
echo ""
|
||||||
|
echo "Configure nginx:"
|
||||||
|
echo " ssl_certificate $CERTBOT_DIR/conf/fullchain.pem;"
|
||||||
|
echo " ssl_certificate_key $CERTBOT_DIR/conf/privkey.pem;"
|
||||||
|
echo ""
|
||||||
echo "Set up auto-renewal with: sudo crontab -e"
|
echo "Set up auto-renewal with: sudo crontab -e"
|
||||||
echo " Add: 0 3 * * * cd $(pwd) && docker run --rm -v $(pwd)/$CERTBOT_DIR/conf:/etc/letsencrypt -v $(pwd)/$CERTBOT_DIR/www:/var/www/certbot certbot/certbot renew --quiet && docker compose restart nginx"
|
echo "Add: 0 3 * * * certbot renew --quiet && systemctl reload nginx"
|
||||||
|
|||||||
Reference in New Issue
Block a user