Fix tls script.
This commit is contained in:
mguschin
@@ -1,57 +1,46 @@
|
||||
#!/bin/bash
|
||||
# Obtain TLS certificates from Let's Encrypt for evosync.ru
|
||||
# Run once on first deploy: sudo ./scripts/init-letsencrypt.sh
|
||||
# Requires nginx running on the host with acme-challenge location configured
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
DOMAIN="evosync.ru"
|
||||
EMAIL="${LETSENCRYPT_EMAIL:-admin@evosync.ru}"
|
||||
COMPOSE="docker compose"
|
||||
CERTBOT_DIR="./certbot"
|
||||
ACME_DIR="/var/www/certbot"
|
||||
|
||||
echo "==> Creating certbot directories..."
|
||||
mkdir -p "$CERTBOT_DIR/conf" "$CERTBOT_DIR/www"
|
||||
|
||||
echo "==> Starting nginx (HTTP only, for ACME challenge)..."
|
||||
# Temporarily use a basic config that doesn't require certs
|
||||
cat > nginx/nginx-temp.conf <<'TMPCONF'
|
||||
server {
|
||||
listen 80;
|
||||
server_name evosync.ru www.evosync.ru;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 200 'Setting up TLS...';
|
||||
add_header Content-Type text/plain;
|
||||
}
|
||||
}
|
||||
TMPCONF
|
||||
|
||||
$COMPOSE up -d nginx
|
||||
echo "==> Ensuring acme-challenge directory exists on host..."
|
||||
sudo mkdir -p "$ACME_DIR"
|
||||
sudo chmod 755 "$ACME_DIR"
|
||||
|
||||
echo "==> Requesting certificate from Let's Encrypt..."
|
||||
docker run --rm \
|
||||
-v "$(pwd)/$CERTBOT_DIR/conf:/etc/letsencrypt" \
|
||||
-v "$(pwd)/$CERTBOT_DIR/www:/var/www/certbot" \
|
||||
--network "${COMPOSE_PROJECT_NAME:-evo-syncgit}_default" \
|
||||
certbot/certbot certonly \
|
||||
sudo certbot certonly \
|
||||
--webroot \
|
||||
--webroot-path=/var/www/certbot \
|
||||
--webroot-path="$ACME_DIR" \
|
||||
--email "$EMAIL" \
|
||||
--agree-tos \
|
||||
--no-eff-email \
|
||||
-d "$DOMAIN" \
|
||||
-d "www.$DOMAIN"
|
||||
|
||||
echo "==> Restoring production nginx config..."
|
||||
rm -f nginx/nginx-temp.conf
|
||||
|
||||
echo "==> Restarting nginx with TLS..."
|
||||
$COMPOSE restart nginx
|
||||
echo "==> Copying certificates to project directory..."
|
||||
sudo cp "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" "$CERTBOT_DIR/conf/fullchain.pem"
|
||||
sudo cp "/etc/letsencrypt/live/$DOMAIN/privkey.pem" "$CERTBOT_DIR/conf/privkey.pem"
|
||||
sudo chown "$(whoami):$(whoami)" "$CERTBOT_DIR/conf"/*.pem
|
||||
|
||||
echo "==> Done! TLS certificate installed for $DOMAIN"
|
||||
echo " Set up auto-renewal with: sudo crontab -e"
|
||||
echo " Add: 0 3 * * * cd $(pwd) && docker run --rm -v $(pwd)/$CERTBOT_DIR/conf:/etc/letsencrypt -v $(pwd)/$CERTBOT_DIR/www:/var/www/certbot certbot/certbot renew --quiet && docker compose restart nginx"
|
||||
echo ""
|
||||
echo "Certificate files:"
|
||||
echo " - $CERTBOT_DIR/conf/fullchain.pem"
|
||||
echo " - $CERTBOT_DIR/conf/privkey.pem"
|
||||
echo ""
|
||||
echo "Configure nginx:"
|
||||
echo " ssl_certificate $CERTBOT_DIR/conf/fullchain.pem;"
|
||||
echo " ssl_certificate_key $CERTBOT_DIR/conf/privkey.pem;"
|
||||
echo ""
|
||||
echo "Set up auto-renewal with: sudo crontab -e"
|
||||
echo "Add: 0 3 * * * certbot renew --quiet && systemctl reload nginx"
|
||||
|
||||
Reference in New Issue
Block a user