issue fix and enhancements

.gitignore

@@ -1 +1,7 @@
-/data/certbot
+/data/certbot/
+
+!options-ssl-nginx.conf
+!ssl-dhparams.pem
+# ...even if they are in subdirectories
+!*/
+

data/certbot/conf/options-ssl-nginx.conf

@@ -0,0 +1,13 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+
+ssl_protocols TLSv1.2;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";

data/certbot/conf/ssl-dhparams.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

docker-compose.yml

@@ -1,21 +1,26 @@
-version: '3'
-
+version: '3.6'
 services:
   nginx:
     image: nginx:1.15-alpine
     restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
     volumes:
       - ./data/nginx:/etc/nginx/conf.d
       - ./data/certbot/conf:/etc/letsencrypt
       - ./data/certbot/www:/var/www/certbot
-    ports:
-      - "80:80"
-      - "443:443"
+      - ./data/nginx/log:/var/log/nginx
+    # We need to make sure that nginx reloads the newly obtained certificates
+    # This makes nginx reload its configuration (and certificates) every six hours 
+    # in the background and launches nginx in the foreground.
     command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
   certbot:
-    image: certbot/certbot
+    image: certbot/certbot:v0.36.0
     restart: unless-stopped
     volumes:
       - ./data/certbot/conf:/etc/letsencrypt
       - ./data/certbot/www:/var/www/certbot
-    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+    # Automatic Certificate Renewal
+    # This will check if your certificate is up for renewal every 12 hours as recommended by Let’s Encrypt.
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

init-letsencrypt.sh

@@ -1,80 +1,74 @@
 #!/bin/bash
 
 if ! [ -x "$(command -v docker-compose)" ]; then
-  echo 'Error: docker-compose is not installed.' >&2
-  exit 1
+echo 'Error: docker-compose is not installed.' >&2
+exit 1
 fi
 
-domains=(example.org www.example.org)
+domains=(mydomain.com)
 rsa_key_size=4096
 data_path="./data/certbot"
-email="" # Adding a valid address is strongly recommended
+email="mymail@mail.com" # Adding a valid address is strongly recommended
 staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
+subscribe_to_eff=1 # Set to 1 if you provided an e-mail address and want to subscribe to EFF mailings
 
 if [ -d "$data_path" ]; then
-  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
-  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
-    exit
-  fi
+read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
+if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
+	exit
 fi
-
-
-if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
-  echo "### Downloading recommended TLS parameters ..."
-  mkdir -p "$data_path/conf"
-  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
-  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
-  echo
 fi
 
 echo "### Creating dummy certificate for $domains ..."
 path="/etc/letsencrypt/live/$domains"
 mkdir -p "$data_path/conf/live/$domains"
+
 docker-compose run --rm --entrypoint "\
-  openssl req -x509 -nodes -newkey rsa:1024 -days 1\
-    -keyout '$path/privkey.pem' \
-    -out '$path/fullchain.pem' \
-    -subj '/CN=localhost'" certbot
+openssl req -x509 -nodes -newkey rsa:2048 -days 1\
+-keyout '$path/privkey.pem' \
+-out '$path/fullchain.pem' \
+-subj '/CN=localhost'" certbot
+docker ps
 echo
 
-
 echo "### Starting nginx ..."
 docker-compose up --force-recreate -d nginx
 echo
 
 echo "### Deleting dummy certificate for $domains ..."
 docker-compose run --rm --entrypoint "\
-  rm -Rf /etc/letsencrypt/live/$domains && \
-  rm -Rf /etc/letsencrypt/archive/$domains && \
-  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
+rm -Rf /etc/letsencrypt/live/$domains && \
+rm -Rf /etc/letsencrypt/archive/$domains && \
+rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
 echo
 
-
 echo "### Requesting Let's Encrypt certificate for $domains ..."
 #Join $domains to -d args
 domain_args=""
 for domain in "${domains[@]}"; do
-  domain_args="$domain_args -d $domain"
+	domain_args="$domain_args -d $domain"
 done
+echo "domain args ..."
+echo $domain_args
 
 # Select appropriate email arg
 case "$email" in
-  "") email_arg="--register-unsafely-without-email" ;;
-  *) email_arg="--email $email" ;;
+"") email_arg="--register-unsafely-without-email" ;;
+*)  email_arg="--email $email"
+		if [ $subscribe_to_eff == "1" ]; then
+			subscribe_arg="--eff-email";
+		else
+			subscribe_arg="--no-eff-email";
+		fi
+;;
 esac
 
 # Enable staging mode if needed
-if [ $staging != "0" ]; then staging_arg="--staging"; fi
+if [ $staging != "0" ]; then 
+staging_arg="--staging"; 
+fi
 
-docker-compose run --rm --entrypoint "\
-  certbot certonly --webroot -w /var/www/certbot \
-    $staging_arg \
-    $email_arg \
-    $domain_args \
-    --rsa-key-size $rsa_key_size \
-    --agree-tos \
-    --force-renewal" certbot
+docker-compose run --rm --entrypoint "certbot certonly -a webroot -v --debug-challenges -w /var/www/certbot $staging_arg $email_arg $domain_args $subscribe_arg --rsa-key-size $rsa_key_size --agree-tos --force-renewal" certbot
 echo
-
 echo "### Reloading nginx ..."
 docker-compose exec nginx nginx -s reload