Selaa lähdekoodia
Make cerbot certs renewal challenge-agnostic
Relies on renewal configuration file generated by certbot instead of using explicit arguments Maps DNS configuration folder if DNS challenge has been used during setuppull/1876/head
ZzMzaw
3 vuotta sitten
1 muutettua tiedostoa jossa 10 lisäystä ja 5 poistoa
Yhdistetty näkymä
Diff Options
-
+10 -5roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
+ 10
- 5
roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
Näytä tiedosto
| @@ -1,11 +1,16 @@ | |||||
| #jinja2: lstrip_blocks: "True" | #jinja2: lstrip_blocks: "True" | ||||
| #!/bin/bash | #!/bin/bash | ||||
| # For renewal to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled) | |||||
| # Certificates renewal allows both HTTP or DNS challenges based on renewal configuration | |||||
| # generated when certificates have been issued using `certonly` command. | |||||
| # | |||||
| # For renewal relying on HTTP challenge to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled) | |||||
| # need to forward requests for `/.well-known/acme-challenge` to the certbot container. | # need to forward requests for `/.well-known/acme-challenge` to the certbot container. | ||||
| # | # | ||||
| # This can happen inside the container network by proxying to `http://matrix-certbot:8080` | # This can happen inside the container network by proxying to `http://matrix-certbot:8080` | ||||
| # or outside (on the host) by proxying to `http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}`. | # or outside (on the host) by proxying to `http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}`. | ||||
| # | |||||
| # For renewal relying on DNS challenge to work, certbot docker image must have the associated DNS plugins configured. | |||||
| docker run \ | docker run \ | ||||
| --rm \ | --rm \ | ||||
| @@ -13,20 +18,20 @@ docker run \ | |||||
| --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ | --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ | ||||
| --cap-drop=ALL \ | --cap-drop=ALL \ | ||||
| --network="{{ matrix_docker_network }}" \ | --network="{{ matrix_docker_network }}" \ | ||||
| -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \ | |||||
| --publish 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \ | |||||
| --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt \ | --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt \ | ||||
| {% if (matrix_ssl_lets_encrypt_dns_config is defined) and (matrix_ssl_lets_encrypt_dns_config|length > 0) %} | |||||
| --mount type=bind,src={{ matrix_ssl_dns_config_dir_path }},dst=/etc/letsencrypt-dns-config,readonly \ | |||||
| {% endif %} | |||||
| --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt \ | --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt \ | ||||
| {{ matrix_ssl_lets_encrypt_certbot_docker_image }} \ | {{ matrix_ssl_lets_encrypt_certbot_docker_image }} \ | ||||
| renew \ | renew \ | ||||
| --non-interactive \ | --non-interactive \ | ||||
| --work-dir=/tmp \ | --work-dir=/tmp \ | ||||
| --http-01-port 8080 \ | |||||
| {% if matrix_ssl_lets_encrypt_staging %} | {% if matrix_ssl_lets_encrypt_staging %} | ||||
| --staging \ | --staging \ | ||||
| {% endif %} | {% endif %} | ||||
| --key-type {{ matrix_ssl_lets_encrypt_key_type }} \ | --key-type {{ matrix_ssl_lets_encrypt_key_type }} \ | ||||
| --standalone \ | |||||
| --preferred-challenges http \ | |||||
| --agree-tos \ | --agree-tos \ | ||||
| --email={{ matrix_ssl_lets_encrypt_support_email }} \ | --email={{ matrix_ssl_lets_encrypt_support_email }} \ | ||||
| --no-random-sleep-on-renew | --no-random-sleep-on-renew | ||||