Renewal hooks #161
I am a bot, here are the test results for this PR:
This would be great; first of all, it is the proper and clean way to do it.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
5f7da20 to 7101a00
eb7426d to e76759b
| opt_param_usage_include_env: true | ||
| opt_param_env_vars: | ||
| - { env_var: "SUBDOMAINS", env_value: "www,", desc: "Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this _exactly_ to `wildcard` (wildcard cert is available via `dns` and `duckdns` validation only)" } | ||
| - { env_var: "SUBDOMAINS", env_value: "www,", desc: "Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this *exactly* to `wildcard` (wildcard cert is available via `dns` and `duckdns` validation only)" } |
markdownlint change
| - { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `acmedns`,`aliyun`, `azure`, `cloudflare`, `cloudxns`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `dynu`, `gandi`, `gehirn`, `google`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip` and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." } | ||
| - { env_var: "PROPAGATION", env_value: "", desc: "Optionally override (in seconds) the default propagation time for the dns plugins." } | ||
| - { env_var: "DUCKDNSTOKEN", env_value: "", desc: "Required if `VALIDATION` is set to `duckdns`. Retrieve your token from https://www.duckdns.org" } | ||
| - { env_var: "DUCKDNSTOKEN", env_value: "", desc: "Required if `VALIDATION` is set to `duckdns`. Retrieve your token from <https://www.duckdns.org>" } |
markdownlint change
| * You can check the status of a specific jail via `docker exec -it swag fail2ban-client status <jail name>` | ||
| * You can unban an IP via `docker exec -it swag fail2ban-client set <jail name> unbanip <IP>` | ||
| * A list of commands can be found here: https://www.fail2ban.org/wiki/index.php/Commands | ||
| * A list of commands can be found here: <https://www.fail2ban.org/wiki/index.php/Commands> |
markdownlint change
| * You can check the new sample and adjust your active config as needed. | ||
| ### Migration from the old `linuxserver/letsencrypt` image | ||
markdownlint change
| - { date: "20.11.21:", desc: "Added support for dnspod validation." } | ||
| - { date: "15.11.21:", desc: "Added support for deSEC DNS for wildcard certificate generation." } | ||
| - { date: "26.10.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf - Mitigate https://httpoxy.org/ vulnerabilities. Ref: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx#Defeating-the-Attack-using-NGINX-and-NGINX-Plus" } | ||
| - { date: "26.10.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) proxy.conf - Mitigate <https://httpoxy.org/> vulnerabilities. Ref: <https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx#Defeating-the-Attack-using-NGINX-and-NGINX-Plus>" } |
markdownlint change
| @@ -1,27 +1,8 @@ | |||
| #!/usr/bin/with-contenv bash | |||
|
|
|||
| . /config/.donoteditthisfile.conf | |||
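Review bot: with `. /config/.donoteditthisfile.conf` no longer sourced at the top of this file, every variable that file defined is unset for the rest of 50-certbot; before merging, grep the remainder of the script for those names, and since the author states they are now consumed by the hooks, confirm each hook sources the file itself rather than relying on inherited environment.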
These variables are no longer used in this file (they are used in the hooks).
| # copy dns default configs | ||
| cp -n /defaults/dns-conf/* /config/dns-conf/ | ||
| chown -R abc:abc /config/dns-conf | ||
|
|
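Review bot: `chown -R abc:abc /config/dns-conf` fixes ownership but leaves the file mode untouched; the ini/json files under /config/dns-conf carry DNS provider credentials (see the DNSPLUGIN description in the README hunk), so consider pairing the chown with a chmod that removes group/other read access, which is also what certbot's dns plugins warn about when a credentials file is readable by others. Note too that `cp -n` never overwrites an existing file, so a user's edited copy is preserved but a changed default will not reach them.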
Not removed, just relocated below the next if statement.
| sed -i 's|^certbot_dns_domeneshop:||g' /config/dns-conf/domeneshop.ini | ||
| sed -i 's|^certbot_dns_inwx:||g' /config/dns-conf/inwx.ini | ||
| sed -i 's|^certbot_dns_transip:||g' /config/dns-conf/transip.ini | ||
|
|
Not removed, just relocated up under where the dns-conf files are copied from /defaults just to keep them together.
root/etc/cont-init.d/50-certbot
Outdated
| fi | ||
| rm -rf /config/etc/letsencrypt | ||
| mkdir -p /config/etc/letsencrypt | ||
| rm -rf /config/etc/letsencrypt/{live,renewal} |
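Review bot: `rm -rf /config/etc/letsencrypt/{live,renewal}` removes the symlink tree and the renewal configs but leaves `archive/` behind, and archive is where the real private keys and certificate files that `live/` points at are stored; a reset that keeps archive leaves orphaned key material on disk and a lineage name that certbot considers already taken, so add `archive` to the brace list (the brace expansion itself is fine because the shebang is bash).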
After reviewing what actually happens when you run certbot delete, these two folders are the only things touched. Normally certbot delete is used to remove one cert at a time, and this assumes you have the required .conf file in the renewal folder, and the fullchain.pem and other files in the live folder. In case these things get messed up, it's safer to remove the whole live and renewal folder.
certbot doesn't recommend this, but in the two scenarios where this script decides to remove these folders it makes sense, and will be more consistent with fixing user issues compared to using certbot delete in the recommended way.
p.s. I did write up the code changes to iterate through the output of certbot certificates and then use certbot delete on each one, but if the user's files and folders are messed up at all certbot delete won't handle it nicely, and the next run of certbot renew could attempt to renew a certificate with issues.
Oh right, the reason for removing these subfolders and not the parent folder:
I want to keep the /config/etc/letsencrypt/renewal-hooks folder, which should allow for user modifications. I reviewed the other folders in /config/etc/letsencrypt and they don't seem like they will cause any issues being left behind.
Added removing the /config/etc/letsencrypt/archive folder after testing it is required to remove it as well.
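The reset the review discussion above describes (wipe certbot's own `live`, `renewal` and `archive` state but keep `renewal-hooks` so user hooks survive) as an added, self-contained shell example; this is not code from the PR or from the linuxserver/docker-swag image. It works on a caller-supplied base directory (a temp dir built inline, not the real `/config/etc/letsencrypt`), the `deploy/pre/post` hook layout and the `RENEWED_LINEAGE` / `RENEWED_DOMAINS` variables are certbot's, and the `10-record.sh` hook and `HOOK_LOG` are hypothetical names chosen for the demo:

```shell
#!/usr/bin/env bash
# Added example, not code from the PR or the docker-swag image.
# Models the reset described in the review: remove certbot-managed state
# (live, renewal, archive) but keep renewal-hooks for user scripts.

# Remove only certbot-managed state; renewal-hooks is deliberately kept.
reset_letsencrypt_state() {
  local base="$1"
  local sub
  for sub in live renewal archive; do
    rm -rf "${base:?base dir required}/${sub}"
  done
  # certbot's hook layout: renewal-hooks/{deploy,pre,post}
  mkdir -p "${base}/renewal-hooks/deploy" "${base}/renewal-hooks/pre" "${base}/renewal-hooks/post"
}

# Constructed tree resembling what certbot leaves behind, plus one user hook.
make_sample_tree() {
  local base="$1"
  mkdir -p "${base}/live/example.test" "${base}/archive/example.test" \
           "${base}/renewal" "${base}/renewal-hooks/deploy"
  : > "${base}/live/example.test/fullchain.pem"
  : > "${base}/archive/example.test/privkey1.pem"
  : > "${base}/renewal/example.test.conf"
  # Hypothetical user deploy hook: records which lineage was renewed.
  cat > "${base}/renewal-hooks/deploy/10-record.sh" <<'EOF'
#!/bin/sh
echo "renewed ${RENEWED_LINEAGE} (${RENEWED_DOMAINS})" >> "${HOOK_LOG:?}"
EOF
  chmod +x "${base}/renewal-hooks/deploy/10-record.sh"
}

# Simplified stand-in for certbot's deploy-hook run: each executable in
# renewal-hooks/deploy is called with RENEWED_LINEAGE and RENEWED_DOMAINS
# set, which is how certbot hands context to deploy hooks.
run_deploy_hooks() {
  local base="$1" lineage="$2" domains="$3" hook
  for hook in "${base}"/renewal-hooks/deploy/*; do
    [ -x "$hook" ] || continue
    RENEWED_LINEAGE="$lineage" RENEWED_DOMAINS="$domains" "$hook"
  done
}

# Returns 0 when the reset removed exactly the certbot state and the
# user hook still runs afterwards.
check_reset() {
  local base="$1"
  [ ! -e "${base}/live" ] || return 1
  [ ! -e "${base}/renewal" ] || return 1
  [ ! -e "${base}/archive" ] || return 1
  [ -x "${base}/renewal-hooks/deploy/10-record.sh" ] || return 1
  export HOOK_LOG="${base}/hooks.log"
  run_deploy_hooks "$base" "${base}/live/example.test" "example.test,www.example.test"
  grep -qF "renewed ${base}/live/example.test (example.test,www.example.test)" "$HOOK_LOG"
}

demo() {
  local base rc
  base="$(mktemp -d)"
  make_sample_tree "$base"
  reset_letsencrypt_state "$base"
  if check_reset "$base"; then rc=0; else rc=1; fi
  rm -rf "$base"
  return "$rc"
}

demo && echo "reset kept renewal-hooks and the user hook still runs"
```

The explicit `live renewal archive` list is the point: a blanket `rm -rf` of the parent would take the hooks with it, while listing the certbot-owned directories keeps anything a user placed under `renewal-hooks`, and the `${base:?}` guard refuses to run against an empty path.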
| if [ -d /config/keys/letsencrypt ]; then | ||
| cd /config/keys/letsencrypt || exit | ||
| else | ||
| certbot certonly --non-interactive --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL |
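Review bot: with `--non-interactive` certbot aborts instead of prompting whenever a required input is missing, so `$EMAILPARAM` must always expand to either `--email <addr>` or `--register-unsafely-without-email`, otherwise the first run of a fresh container fails at account registration; also confirm that `$ZEROSSL_EAB` and `$PREFCHAL` are left unquoted on purpose (they are either empty or multi-token option strings that rely on word splitting).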
Added --non-interactive
I did some extra research and testing and ran a bunch of
thespad left a comment
LGTM
This supersedes #89
The changes here use the default location that already exists for hooks (/config/etc/letsencrypt/renewal-hooks) and remove the suggestions in the documentation for users to make changes. Essentially, the feature will exist undocumented.
Will need to rebase after #169