From af9c7f35dc3b001edeb15aa9e407cb1f8503d2c8 Mon Sep 17 00:00:00 2001
From: peter_rabbit <pierrejarriges@gmail.com>
Date: Sun, 24 Jan 2021 18:10:04 +0100
Subject: [PATCH] feat(hopefully):letsencrypt
---
data/certbot/conf/csr/0000_csr-certbot.pem | 27 --------
data/certbot/conf/options-ssl-nginx.conf | 14 ----
data/certbot/conf/ssl-dhparams.pem | 8 ---
docker-compose.yml | 11 ++-
init-letsencrypt.sh | 80 ++++++++++++++++++++++
nginx.conf | 29 +++++---
6 files changed, 108 insertions(+), 61 deletions(-)
delete mode 100644 data/certbot/conf/csr/0000_csr-certbot.pem
delete mode 100644 data/certbot/conf/options-ssl-nginx.conf
delete mode 100644 data/certbot/conf/ssl-dhparams.pem
create mode 100755 init-letsencrypt.sh
diff --git a/data/certbot/conf/csr/0000_csr-certbot.pem b/data/certbot/conf/csr/0000_csr-certbot.pem
deleted file mode 100644
index 3ce998a..0000000
--- a/data/certbot/conf/csr/0000_csr-certbot.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIEkTCCAnkCAQIwADCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAM9e
-WQUz3IY3hHrxs60mQatOrhUbXJOKN9rurLa/z2R7Xtom7isPhV4GRnYRKei98jMW
-DK3BZY7nwD8I5QZ/Vba8MAvsw2wSs43CSacSUuW73Wu58NWe3xBfPoMo8j/pNjea
-imD28LUrnKKgbbPA4wbIjglDGDDcfSwvHdNgOHTQeHwYx4HQuWrzH3hMZ8cyYRmW
-igchYiv/KqUKhyUL0TW91rJ9nAtMG+eHWjc5L5/eUcASoi2w985Jp+oqi8unvnM0
-cK2QA944Ywf3Dh/e0fQSLOgZ44dbeFJlzrSfuOigVhbm/i0WCFBn/AAefkSYHP7W
-DE/tohxHgDYxfjQnNLZE9QE2DgpKxr/zk6yri0CvmNAmsgRRbPTZ7hX2TgeSMHJ6
-/kl9kTeQMmitNo1dVM/lmTt5tBZI0dZLDPqwWC8mDE+U/TkoTB+wzZ8HSvmHN/jH
-TeCmZAWev4cK0o5K2Gg3GI+FxWODnMT03WKzB2CDryIIhq2qUU7p3L6UzhkmQtj+
-BQA9Y5H7GQlQaUayogemqkIoa4uTfOefm74IqFWcp/+aTqzf1EmC/81yFYTil4mZ
-axZuIN4xE8Clg+WCsoEhchb9DcL2XErDLpNVsXxggL4kcBHrGCjYOlWzt58byvq5
-sD36xNscuBLTXP+IJQRxhW8LrTslwsb5Su14HB7rAgMBAAGgTDBKBgkqhkiG9w0B
-CQ4xPTA7MDkGA1UdEQQyMDCCFGt1YWRyYWRvLXNvZnR3YXJlLmZyghh3d3cua3Vh
-ZHJhZG8tc29mdHdhcmUuZnIwDQYJKoZIhvcNAQELBQADggIBAGIys5fahuNAkRKP
-sM1/gXNdjY3/We/BWCLLg2Gd9OJEGhyeereGo+wyBTmEbbUVNUJFy9lMeyOL5Pu8
-734+vqSplAVC5Ryw2pZ1mGuzP/9ncmo+OV0X/WgoJKiNrXK2wAQPn3CHbzCsigRo
-pXA1I6fAf2EazBMHKIYX3pHV9j4nLjBnaQb6tdJPQ1/GBuxvD6V1x7MlzkdnZtls
-q0RNM+3H2nMVzhUJPTEN2xekAK8B1Gsxv9iQq6rxYpYlcg77BSYfK+7/de79LHXH
-HE4b+iKIpXB4EgaFTyuCK32HKY00oWnhnm7fc77DUtO5cslEdcvmePfvrPXLGyx4
-x1JvXR2l75WrbDDcU5vb/wlL6Hye13mrsfgIRIErBQl6zi2v0G7NTo+OIOyyWlUo
-i7rBSwNqw3nWXltwsOp3k3tSmEMixdPRognSC72I9H6LxZj2+X58B77iAAgh+BTH
-8WWNzjq31RdlC0GZQuVes13ZiCnMdrWTfhG50nzjgKgge4IiABwwxJ6BDVC2tQBY
-nkeJCfYsXdd/8wLNbvkiHLDC+MXXDZtkbQBQhgoQDZ5gjQ2rUOAB6AZfQ4AFvTN7
-Yc72BVvXMLow//OkvsFp29GO5N4pttaLJd99/8Dl1IwWCD+gkb+C9N4XmhncUjcw
-KLmeoYOsUbtsFtRYwl+s09fzsPfK
------END CERTIFICATE REQUEST-----
diff --git a/data/certbot/conf/options-ssl-nginx.conf b/data/certbot/conf/options-ssl-nginx.conf
deleted file mode 100644
index 978e6e8..0000000
--- a/data/certbot/conf/options-ssl-nginx.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# This file contains important security parameters. If you modify this file
-# manually, Certbot will be unable to automatically provide future security
-# updates. Instead, Certbot will print and log an error message with a path to
-# the up-to-date file that you will need to refer to when manually updating
-# this file.
-
-ssl_session_cache shared:le_nginx_SSL:10m;
-ssl_session_timeout 1440m;
-ssl_session_tickets off;
-
-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_prefer_server_ciphers off;
-
-ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
diff --git a/data/certbot/conf/ssl-dhparams.pem b/data/certbot/conf/ssl-dhparams.pem
deleted file mode 100644
index 9b182b7..0000000
--- a/data/certbot/conf/ssl-dhparams.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
-+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
-87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
-YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
-7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
-ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
------END DH PARAMETERS-----
diff --git a/docker-compose.yml b/docker-compose.yml
index 93c7959..5e4af35 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,6 +5,15 @@ services:
container_name: "kuadrado"
ports:
- "80:80"
- # - "443:443"
+ - "443:443"
volumes:
- ./public:/usr/share/nginx/html
+ - ./data/certbot/conf:/etc/letsencrypt
+ - ./data/certbot/www:/var/www/certbot
+ command: “/bin/sh -c ‘while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \â€daemon off;\â€â€˜â€
+ certbot:
+ image: certbot/certbot
+ volumes:
+ - ./data/certbot/conf:/etc/letsencrypt
+ - ./data/certbot/www:/var/www/certbot
+ entrypoint: “/bin/sh -c ‘trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'â€
diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh
new file mode 100755
index 0000000..8924e3d
--- /dev/null
+++ b/init-letsencrypt.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+if ! [ -x "$(command -v docker-compose)" ]; then
+ echo 'Error: docker-compose is not installed.' >&2
+ exit 1
+fi
+
+domains=(kuadrado-software.fr www.kuadrado-software.fr)
+rsa_key_size=4096
+data_path="./data/certbot"
+email="contact@kuadrado-software.fr"
+staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
+
+if [ -d "$data_path" ]; then
+ read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
+ if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
+ exit
+ fi
+fi
+
+
+if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
+ echo "### Downloading recommended TLS parameters ..."
+ mkdir -p "$data_path/conf"
+ curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
+ curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
+ echo
+fi
+
+echo "### Creating dummy certificate for $domains ..."
+path="/etc/letsencrypt/live/$domains"
+mkdir -p "$data_path/conf/live/$domains"
+docker-compose run --rm --entrypoint "\
+ openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
+ -keyout '$path/privkey.pem' \
+ -out '$path/fullchain.pem' \
+ -subj '/CN=localhost'" certbot
+echo
+
+
+echo "### Starting nginx ..."
+docker-compose up --force-recreate -d web
+echo
+
+echo "### Deleting dummy certificate for $domains ..."
+docker-compose run --rm --entrypoint "\
+ rm -Rf /etc/letsencrypt/live/$domains && \
+ rm -Rf /etc/letsencrypt/archive/$domains && \
+ rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
+echo
+
+
+echo "### Requesting Let's Encrypt certificate for $domains ..."
+#Join $domains to -d args
+domain_args=""
+for domain in "${domains[@]}"; do
+ domain_args="$domain_args -d $domain"
+done
+
+# Select appropriate email arg
+case "$email" in
+ "") email_arg="--register-unsafely-without-email" ;;
+ *) email_arg="--email $email" ;;
+esac
+
+# Enable staging mode if needed
+if [ $staging != "0" ]; then staging_arg="--staging"; fi
+
+docker-compose run --rm --entrypoint "\
+ certbot certonly --webroot -w /var/www/certbot \
+ $staging_arg \
+ $email_arg \
+ $domain_args \
+ --rsa-key-size $rsa_key_size \
+ --agree-tos \
+ --force-renewal" certbot
+echo
+
+echo "### Reloading nginx ..."
+docker-compose exec web nginx -s reload
diff --git a/nginx.conf b/nginx.conf
index 6799010..215b5b4 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -33,18 +33,25 @@ http {
root /usr/share/nginx/html;
index index.html index.htm;
server_name kuadrado-software.fr www.kuadrado-software.fr;
- # location / {
- # return 301 https://$host$request_uri;
- # }
- # location /.well-known/acme-challenge/ {
- # root /var/www/certbot;
- # }
+ location / {
+ return 301 https://$host$request_uri;
+ }
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
}
- # server {
- # listen 443 ssl;
- # server_name kuadrado-software.fr www.kuadrado-software.fr;
- # index index.html index.htm;
- # }
+ server {
+ listen 443 ssl;
+ server_name kuadrado-software.fr www.kuadrado-software.fr;
+ index index.html index.htm;
+ ssl_certificate /etc/letsencrypt/live/kuadrado-software.fr/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/kuadrado-software.fr/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ location / {
+ proxy_pass http://kuadrado-software.fr;
+ }
+ }
}
--
GitLab