0k
/
0k-charms
6
3
Fork 2
Code Issues 11 Pull Requests 5 Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
267 Commits
27 Branches
14 Tags
41 MiB
Tree: 6ac5bf3656
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '6ac5bf3656'
${ noResults }
0k-charms/letsencrypt/lib/common

363 lines
11 KiB
Raw Normal View History

fix: [letsencrypt] could not add domains to existing list Docker base image for letsencrypt support now better querying of existing domains registered. This allows a fine grained check for stopping the 80-port blocking containers when required.
6 years ago
new: [letsencrypt] not anymore a daemon.
6 years ago
fix: [letsencrypt] could not add domains to existing list Docker base image for letsencrypt support now better querying of existing domains registered. This allows a fine grained check for stopping the 80-port blocking containers when required.
6 years ago
new: [letsencrypt] not anymore a daemon.
6 years ago
fix: [letsencrypt] could not add domains to existing list Docker base image for letsencrypt support now better querying of existing domains registered. This allows a fine grained check for stopping the 80-port blocking containers when required.
6 years ago
fix: [letsencrypt] use action ``crt {renew,create}`` to manage properly renewal.
5 years ago
fix: [letsencrypt] could not add domains to existing list Docker base image for letsencrypt support now better querying of existing domains registered. This allows a fine grained check for stopping the 80-port blocking containers when required.
6 years ago
fix: [letsencrypt] use action ``crt {renew,create}`` to manage properly renewal.
5 years ago
fix: [letsencrypt] could not add domains to existing list Docker base image for letsencrypt support now better querying of existing domains registered. This allows a fine grained check for stopping the 80-port blocking containers when required.
6 years ago
fix: [letsencrypt] use action ``crt {renew,create}`` to manage properly renewal.
5 years ago
fix: [letsencrypt] could not add domains to existing list Docker base image for letsencrypt support now better querying of existing domains registered. This allows a fine grained check for stopping the 80-port blocking containers when required.
6 years ago
fix: [letsencrypt] use action ``crt {renew,create}`` to manage properly renewal.
5 years ago
  1. # -*- mode: shell-script -*-
  3. yaml_opt_bash_env() {
  4. local prefix="$1" key value
  5. while read-0 key value; do
  6. new_prefix="${prefix}_${key^^}"
  7. if [[ "$(echo "$value" | shyaml get-type)" == "struct" ]]; then
  8. echo "$value" | yaml_opt_bash_env "${new_prefix}"
  9. else
  10. printf "%s\0%s\0" "${new_prefix/-/_}" "$value"
  11. fi
  12. done < <(shyaml key-values-0)
  13. }
  16. yaml_opt_bash_env_ignore_first_level() {
  17. local prefix="$1" key value
  18. while read-0 key value; do
  19. new_prefix="${prefix}_${key^^}"
  20. if [[ "$(echo "$value" | shyaml get-type)" == "struct" ]]; then
  21. echo "$value" | yaml_opt_bash_env "${new_prefix}"
  22. fi
  23. done < <(shyaml key-values-0)
  24. }
  27. get_dc_env() {
  28. local cfg="$1" action="$2" domain="$3"
  30. config="\
  31. $SERVICE_NAME:
  32. docker-compose:
  33. environment:"
  34. if USER_EMAIL=$(echo "$cfg" | shyaml get-value email 2>/dev/null); then
  35. config+=$'\n'" LETSENCRYPT_USER_MAIL: $USER_EMAIL"
  36. fi
  38. if environment_def="$(printf "%s" "$cfg" | shyaml -y get-value env 2>/dev/null)"; then
  39. while read-0 key value; do
  40. config+="$(printf "\n %s: %s" "$key" "$value")"
  41. done < <(e "$environment_def" | yaml_opt_bash_env_ignore_first_level LEXICON)
  43. if ! provider=$(e "$environment_def" | shyaml get-value provider 2>/dev/null); then
  44. provider=
  45. ## If no provider is given, we fallback on the first found
  46. while read-0 key value; do
  47. [[ "$(echo "$value" | shyaml get-type)" == "struct" ]] && {
  48. provider="$key"
  49. break
  50. }
  51. done < <(e "$environment_def" | shyaml key-values-0)
  52. warn "No ${WHITE}provider${NORMAL} key given, had to infer it, chose '$key'."
  53. fi
  54. if [ "$provider" ]; then
  55. config+=$(echo -en "\n LEXICON_PROVIDER: $provider")
  56. fi
  57. fi
  59. challenge_type=$(get_challenge_type "$cfg" "$action" "$domain")
  61. config+=$(echo -en "\n CHALLENGE_TYPE: $challenge_type")
  62. info "Challenge type is $challenge_type"
  64. echo "$config"
  65. }
  67. compose_get_challenge_type() {
  68. local cfg="$1"
  69. e "$cfg" | shyaml get-value "challenge-type" 2>/dev/null
  70. }
  72. letsencrypt_get_challenge_type() {
  73. local domain="$1" renewal_file
  74. renewal_file="$SERVICE_DATASTORE"/etc/letsencrypt/renewal/"$domain".conf
  75. [ -e "$renewal_file" ] || return 1
  76. grep '^pref_challs' "$renewal_file" | cut -f 2 -d "=" | xargs echo
  77. }
  79. letsencrypt_set_renew_before_expiry() {
  80. local domain="$1" days="$2" renewal_file
  81. renewal_file="$SERVICE_DATASTORE"/etc/letsencrypt/renewal/"$domain".conf
  82. [ -e "$renewal_file" ] || return 1
  83. sed -ri "s/^(#\s+)?(renew_before_expiry\s*=)\s*[0-9]+(\s+days)$/\2 $days\3/g" "$renewal_file"
  84. }
  86. letsencrypt_get_renew_before_expiry() {
  87. local domain="$1" renewal_file
  88. renewal_file="$SERVICE_DATASTORE"/etc/letsencrypt/renewal/"$domain".conf
  89. [ -e "$renewal_file" ] || return 1
  90. if out=$(egrep "^renew_before_expiry\s*=\s*[0-9]+\s+days$" "$renewal_file" 2>/dev/null); then
  91. e "$out" | sed -r "s/^renew_before_expiry\s*=\s*([0-9]+)\s+days$/\1/g"
  92. else
  93. err "Couldn't find 'renew_before_expiry' in letsencrypt renewal" \
  94. "configuration for domain '$domain'."
  95. return 1
  96. fi
  97. }
  100. get_challenge_type() {
  101. local cfg="$1" action="$2" domain="$3" challenge_type renewal_file challenge
  102. case "$action" in
  103. create)
  104. if ! challenge_type=$(compose_get_challenge_type "$cfg"); then
  105. warn "No ${WHITE}challenge-type${NORMAL} provided, defaulting to 'http'."
  106. challenge_type=http
  107. fi
  108. echo "$challenge_type"
  109. ;;
  110. renew)
  111. challenge=$(letsencrypt_get_challenge_type "$domain")
  112. if [[ "$challenge" =~ ^http ]]; then
  113. echo "http"
  114. else
  115. echo "$challenge"
  116. fi
  117. ;;
  118. *)
  119. err "Invalid action '$action'."
  120. ;;
  121. esac
  122. }
  125. will_need_http_access() {
  126. local cfg="$1" action="$2" domain="$3" domains args_domains remaining
  128. challenge_type=$(get_challenge_type "$cfg" "$action" "$domain")
  129. [ "$challenge_type" == "http" ] || return 1
  132. }
  135. has_existing_cert() {
  136. local domain="$1"
  137. [ -d "$SERVICE_DATASTORE/etc/letsencrypt/live/$domain" ] || return 1
  138. }
  140. letsencrypt_cert_info() {
  141. local domain="$1"
  142. compose -q --no-init --no-relations run --rm "$SERVICE_NAME" \
  143. crt info "$domain"
  144. }
  147. letsencrypt_cert_delete() {
  148. local domain="$1"
  149. compose --debug --no-init --no-relations run --rm "$SERVICE_NAME" \
  150. certbot delete --cert-name "$domain"
  151. }
  154. valid_existing_cert() {
  155. local renew_before_expiry="$1" domain="$2" args_domains domains remaining
  156. shift
  157. args_domains=("$@")
  158. has_existing_cert "$domain" || return 1
  160. info "Querying $domain for previous info..."
  161. out=$(letsencrypt_cert_info "$domain") || return 1
  162. domains=$(e "$out" | shyaml get-value domains) || return 1
  164. domains=$(printf "%s " $domains | tr " " "\n" | sort)
  165. args_domains=$(printf "%s " "${args_domains[@]}" | tr " " "\n" | sort)
  166. # info domains: "$domains"
  167. # info args_domain: "$args_domains"
  168. remaining=$(e "$out" | shyaml get-value remaining) || return 1
  169. if [ "$domains" != "$args_domains" ]; then
  170. info "Domains mismatch:"
  171. info " old: $domains"
  172. info " new: $args_domains"
  173. return 2
  174. fi
  176. if [ "$remaining" == EXPIRED ]; then
  177. info "Existing certificate expired."
  178. return 1
  179. fi
  181. if [ "$remaining" -lt "$renew_before_expiry" ]; then
  182. info "Existing certificate in renew period" \
  183. "($remaining remaining days of validity)."
  184. return 1
  185. fi
  186. }
  189. get_domain_list() {
  190. compose -q --no-init --no-relations run --rm "$SERVICE_NAME" crt list
  191. }
  194. crt() {
  195. local cfg="$1" action="$2" domain="$3" config \
  196. stopped_containers container_ids
  197. shift
  198. shift
  199. ## expiry was checked, launch the action on the real charm, but take care of
  200. ## correctly running it.
  201. ## - provide env
  202. ## - declare proper ports
  203. ## - stop containers and restart them if necessary
  205. config=$(get_dc_env "$cfg" "$action" "$domain") || return 1
  206. stopped_containers=()
  207. if will_need_http_access "$cfg" "$action" "$domain"; then
  208. container_ids=($(docker ps \
  209. --filter label="compose.project=$PROJECT_NAME" \
  210. --filter publish=80 \
  211. --format "{{.ID}}"
  212. )) || exit 1
  214. for container_id in "${container_ids[@]}"; do
  215. info "Attempting to clear port 80 by stopping $container_id"
  216. docker stop -t 5 "$container_id"
  217. stopped_containers+=("$container_id")
  218. done
  219. config+=$(echo -en "\n ports:
  220. - \"0.0.0.0:80:80\"")
  221. fi
  223. compose_opts=()
  224. if [ "$DEBUG" ]; then
  225. compose_opts+=("--debug")
  226. else
  227. compose_opts+=("--quiet")
  228. fi
  229. compose "${compose_opts[@]}" --no-init --no-relations --add-compose-content "$config" \
  230. run --service-ports --rm "$SERVICE_NAME" crt "$action" "$@"
  231. errlvl="$?"
  233. for container_id in "${stopped_containers[@]}"; do
  234. info "Attempting restart $container_id"
  235. docker start "$container_id"
  236. done
  238. return "$errlvl"
  239. }
  242. crt_create() {
  243. local force service_def cfg renew_before_expiry msg domains
  244. usage="
  245. $exname [-h|--help]
  246. $exname MAIN_DOMAIN [ALT_DOMAINS...]"
  248. force=
  249. domains=()
  250. while [ "$1" ]; do
  251. case "$1" in
  252. "--help"|"-h")
  253. print_usage
  254. return 0
  255. ;;
  256. "--force"|"-f") force=1;;
  257. *) domains+=("$1");;
  258. esac
  259. shift
  260. done
  262. if [ "${#domains[@]}" == 0 ]; then
  263. err "At least one domain should be provided as argument."
  264. print_usage >&2
  265. return 1
  266. fi
  268. service_def=$(get_compose_service_def "$SERVICE_NAME") || return 1
  269. cfg=$(e "$service_def" | shyaml get-value "options" 2>/dev/null)
  270. renew_before_expiry=$(e "$cfg" | shyaml get-value "renew-before-expiry" 30 2>/dev/null)
  271. renew_before_expiry=${renew_before_expiry:-30}
  272. valid_existing_cert "$renew_before_expiry" "${domains[@]}"
  273. valid_existing_cert="$?"
  274. if [ -z "$force" ] && [ "$valid_existing_cert" == 0 ]; then
  275. if [ "${#domains[@]}" -gt 1 ]; then
  276. msg=" (with ${domains[*]:1})"
  277. fi
  278. info "A valid cert already exists for domain ${domains[0]}$msg."
  279. return 0
  280. fi
  282. if [ "$valid_existing_cert" == 2 ]; then
  283. err "Domain mismatch detected, lets delete previous cert."
  284. letsencrypt_cert_delete "${domains[0]}" || return 1
  285. err "Previous cert for ${domains[0]} deleted."
  286. fi
  288. crt "$cfg" create "${domains[@]}" || {
  289. err "Certificate creation/renew failed for domain '${domains[0]}'."
  290. return 1
  291. }
  293. letsencrypt_set_renew_before_expiry "${domains[0]}" "$renew_before_expiry" || {
  294. err "Setting renew-before-expiry on '${domains[0]}' failed."
  295. return 1
  296. }
  297. }
  300. crt_renew() {
  301. local service_def cfg renew_before_expiry msg start domains_yml \
  302. domain domain_cfg
  303. usage="$
  304. $exname [-h|--help]
  305. "
  307. while [ "$1" ]; do
  308. case "$1" in
  309. "--help"|"-h")
  310. print_usage
  311. return 0
  312. ;;
  313. *)
  314. err "No argument required"
  315. print_usage >&2
  316. return 1
  317. ;;
  318. esac
  319. shift
  320. done
  322. service_def=$(get_compose_service_def "$SERVICE_NAME") || return 1
  323. cfg=$(e "$service_def" | shyaml get-value "options" 2>/dev/null)
  324. default_renew_before_expiry=$(e "$cfg" | shyaml get-value "renew-before-expiry" 2>/dev/null)
  325. default_renew_before_expiry=${renew_before_expiry:-30}
  326. if ! renew_before_expiry=$(letsencrypt_get_renew_before_expiry "$domain") || \
  327. [ -z "$renew_before_expiry" ]; then
  328. renew_before_expiry=$default_renew_before_expiry
  329. fi
  330. start="$SECONDS"
  331. info "Get domain list.."
  332. domains_yml=$(get_domain_list) || return 1
  333. info " .. Done ${GRAY}($((SECONDS - start))s)${NORMAL}"
  335. [ "$domains_yml" ] || {
  336. info "No domain founds"
  337. return 0
  338. }
  340. failed=()
  341. while read-0 domain domain_cfg; do
  342. remaining=$(e "$domain_cfg" | shyaml get-value "remaining") || return 1
  343. if [ "$remaining" == EXPIRED ] || [ "$remaining" -lt "$renew_before_expiry" ]; then
  344. if [ "$remaining" == EXPIRED ]; then
  345. info "Renewing domain $domain (expired)."
  346. else
  347. info "Renewing domain $domain ($remaining days left)."
  348. fi
  349. crt "$cfg" renew "$domain"
  350. if [ "$?" != "0" ]; then
  351. failed+=("$domain")
  352. err "Certificate renew of '$domain' failed."
  353. fi
  354. else
  355. info "Domain $domain does not need renewing ($remaining days left)."
  356. fi
  357. done < <(e "$domains_yml" | shyaml key-values-0)
  359. if [ "${#failed[@]}" -gt 0 ]; then
  360. err "At least one domain failed to be renewed: ${failed[@]}"
  361. return 1
  362. fi
  363. }