mish/evo-sync
1
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects 1 Releases 5 Wiki Activity
Files
dbb1f48da71c8a8419b2037966494b42b3bc98a4
evo-sync/scripts/init-letsencrypt.sh
mguschin 23e175d9a8 fix: convert IDN/Cyrillic domains to punycode before calling certbot 
certbot rejects non-ASCII domain names; convert using Python's idna
encoder per-label so мои-товары.рф becomes xn--e1afmapc4af.xn--p1af.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 14:00:05 +03:00

75 lines
2.2 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Obtain a TLS certificate from Let's Encrypt for one domain.
#
# Usage:
# sudo ./scripts/init-letsencrypt.sh мои-товары.рф
# sudo ./scripts/init-letsencrypt.sh my-products.ru
#
# If no argument is given, DOMAIN is read from .env.
# Run once per domain on first deploy.
set -euo pipefail
# ── resolve domain ────────────────────────────────────────────────────────────
if [ -n "${1:-}" ]; then
DOMAIN="$1"
else
if [ -f .env ]; then
DOMAIN_FROM_ENV=$(grep -E '^DOMAIN=' .env | cut -d= -f2- | tr -d '"'"'" | head -1)
DOMAIN="${DOMAIN:-${DOMAIN_FROM_ENV:-}}"
fi
fi
if [ -z "${DOMAIN:-}" ]; then
echo "ERROR: no domain specified." >&2
echo "Usage: $0 <domain> or set DOMAIN= in .env" >&2
exit 1
fi
EMAIL="${LETSENCRYPT_EMAIL:-admin@$DOMAIN}"
ACME_DIR="/var/www/certbot"
# Convert IDN/Cyrillic domain to punycode (certbot requires ASCII)
PUNYCODE=$(python3 -c "
import sys
d = sys.argv[1]
try:
parts = d.split('.')
print('.'.join(p.encode('idna').decode('ascii') for p in parts))
except Exception:
print(d)
" "$DOMAIN" 2>/dev/null || echo "$DOMAIN")
if [ "$PUNYCODE" != "$DOMAIN" ]; then
echo "==> IDN domain detected: $DOMAIN$PUNYCODE"
fi
echo "==> Obtaining certificate for: $DOMAIN (www.$DOMAIN)"
echo " Email: $EMAIL"
echo "==> Ensuring acme-challenge directory exists..."
sudo mkdir -p "$ACME_DIR"
sudo chmod 755 "$ACME_DIR"
echo "==> Requesting certificate from Let's Encrypt..."
sudo certbot certonly \
--webroot \
--webroot-path="$ACME_DIR" \
--email "$EMAIL" \
--agree-tos \
--no-eff-email \
-d "$PUNYCODE" \
-d "www.$PUNYCODE"
echo ""
echo "==> Certificate obtained for $DOMAIN"
echo " /etc/letsencrypt/live/$PUNYCODE/fullchain.pem"
echo " /etc/letsencrypt/live/$PUNYCODE/privkey.pem"
echo ""
echo "==> Generate nginx config and reload:"
echo " sudo ./scripts/generate-nginx-conf.sh $DOMAIN"
echo " sudo nginx -t && sudo systemctl reload nginx"
echo ""
echo "==> Auto-renewal (add to /etc/cron.d/certbot if not already present):"
echo " 0 3 * * * root certbot renew --quiet && systemctl reload nginx"
Reference in New Issue View Git Blame Copy Permalink