From cec4995891944d07d175120e50e1f1703efb5e53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cristhian=20Mart=C3=ADnez=20Ochoa?=
Date: Sat, 1 Sep 2018 18:14:55 -0600
Subject: [PATCH] ssl root-path
Let's Encrypt running in manual mode with HTTP Challenge for site with not var/www location, reverse proxy sites for instance.
---
 lib/ex-ssl-authentication | 6 ++++++
 lib/ex-ssl-cleanup | 4 ++++
 lib/site-ssl | 22 +++++++++++++++++-----
 plugins/site | 8 ++++----
 weby | 1 +
 5 files changed, 32 insertions(+), 9 deletions(-)
 create mode 100644 lib/ex-ssl-authentication
 create mode 100644 lib/ex-ssl-cleanup
diff --git a/lib/ex-ssl-authentication b/lib/ex-ssl-authentication
new file mode 100644
index 0000000..f659654
--- /dev/null
+++ b/lib/ex-ssl-authentication
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Let's Encrypt manual mode (for Reverse Proxy sites)
+sudo mkdir -p $value/.well-known/acme-challenge
+sudo touch $value/.well-known/acme-challenge/$CERTBOT_TOKEN
+sudo echo $CERTBOT_VALIDATION > $value/.well-known/acme-challenge/$CERTBOT_TOKEN
diff --git a/lib/ex-ssl-cleanup b/lib/ex-ssl-cleanup
new file mode 100644
index 0000000..4b3bc11
--- /dev/null
+++ b/lib/ex-ssl-cleanup
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Let's Encrypt manual mode (for Reverse Proxy sites)
+rm -rf $value/.well-known
diff --git a/lib/site-ssl b/lib/site-ssl
index 8b73e5f..2f70427 100644
--- a/lib/site-ssl
+++ b/lib/site-ssl
@@ -18,7 +18,7 @@ site_ssl_on() {
 exit 1
 fi
- if [[ ! -d /var/www/$root/htdocs ]]; then
+ if [[ ! -d /var/www/$root/htdocs && $cache != "-root-path" ]]; then
 echo "${red}Seems like you are trying to request an SSL Certificate for a Parked/Mapped Domain.!${end}"
 echo "${red}Please, use the '-root=domain.com' parameter to include the main domain path.${end}"
 exit 1
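Review bot: The hook depends on `$value` holding the web root, but nothing in this patch exports it: certbot starts the hook as a child process with only its own environment, and the call in lib/site-ssl goes through `sudo`, whose usual env_reset would drop the variable even if it were exported, so `$value` is likely empty when the hook runs and `sudo mkdir -p $value/.well-known/acme-challenge` then creates the directory at the filesystem root (lib/ex-ssl-cleanup has the same dependency, where an empty `$value` turns its command into `rm -rf /.well-known`). The `>` redirection on the last line is performed by the hook's own shell, not by sudo, which only works because the hook is started from a `sudo certbot` invocation that already runs as root; for an unprivileged caller the `sudo touch` would succeed and the write would fail. Every expansion is unquoted, so a path or token containing whitespace or glob characters is split. I would pass the path explicitly (for example `sudo env value="$value" certbot ...` in site-ssl, or an argument to the hook), abort early when it is missing, and write the challenge through `tee`.
```shell
#!/bin/bash
# Let's Encrypt manual mode (for Reverse Proxy sites)
# value: web root served for the domain; it must reach this hook through certbot's environment.
: "${value:?root path (value) is not set}"
: "${CERTBOT_TOKEN:?}" "${CERTBOT_VALIDATION:?}"
challenge_dir="$value/.well-known/acme-challenge"
sudo mkdir -p -- "$challenge_dir"
printf '%s\n' "$CERTBOT_VALIDATION" | sudo tee -- "$challenge_dir/$CERTBOT_TOKEN" >/dev/null
```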
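Review bot: `rm -rf $value/.well-known` deletes the whole `.well-known` tree instead of the one challenge file the auth hook created, so anything else a site keeps there is removed on every issuance or renewal, and because `$value` is unquoted and unguarded an empty value makes the target `/.well-known`. Restricting the cleanup to the token that was written and failing fast on missing variables would be safer: `rm -f -- "${value:?}/.well-known/acme-challenge/${CERTBOT_TOKEN:?}"`. The auth hook creates that path with `sudo`, so if this hook ever runs unprivileged the removal fails silently; matching the auth hook with `sudo rm -f -- ...` keeps the two consistent.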
@@ -58,14 +58,26 @@ site_ssl_on() {
 # Create new certificate
 [[ $(conf_read debug) == "true" ]] && param="--test-cert" || param=""
+ [[ $subdomflag == 1 ]] && domset="-d $domain" || domset="-d $domain -d www.$domain"
+
+ # Wildcard
 if [[ ! -a /etc/letsencrypt/live/$domain/fullchain.pem && $cache == "-wildcard" ]]; then
 sudo certbot certonly --manual --preferred-challenges=dns --no-eff-email --manual-public-ip-logging-ok --agree-tos --staple-ocsp --must-staple --email $cermail -d $domain -d *.$domain $param
- elif [[ ! -a /etc/letsencrypt/live/$domain/fullchain.pem && $subdomflag == 0 ]]; then
- sudo certbot certonly --webroot -w /var/www/$root/htdocs/ -d $domain -d www.$domain --email $cermail --no-eff-email --agree-tos --staple-ocsp --must-staple $param
- elif [[ ! -a /etc/letsencrypt/live/$domain/fullchain.pem && $subdomflag == 1 ]]; then
- sudo certbot certonly --webroot -w /var/www/$root/htdocs/ -d $domain --email $cermail --no-eff-email --agree-tos --staple-ocsp --must-staple $param
+
+ # Manual mode for Reverse Proxy sites
+ elif [[ ! -a /etc/letsencrypt/live/$domain/fullchain.pem && $cache == "-root-path" ]]; then
+ if [[ ! -d $value ]]; then
+ echo "${red}[ERROR] Invalid root path!${end}"
+ exit 1
+ fi
+ sudo certbot certonly --manual --preferred-challenges=http --manual-auth-hook /opt/webinoly/lib/ex-ssl-authentication --manual-cleanup-hook /opt/webinoly/lib/ex-ssl-cleanup $domset --no-eff-email --manual-public-ip-logging-ok --agree-tos --staple-ocsp --must-staple --email $cermail $param
+
+ # Single cert
+ elif [[ ! -a /etc/letsencrypt/live/$domain/fullchain.pem ]]; then
+ sudo certbot certonly --webroot -w /var/www/$root/htdocs/ $domset --email $cermail --no-eff-email --agree-tos --staple-ocsp --must-staple $param
 fi
+ # SSL Nginx Conf
 if [[ -a /etc/letsencrypt/live/$root/fullchain.pem ]]; then
 sudo sed -i '/listen 80/c \ listen 443 ssl http2;' /etc/nginx/sites-available/$domain
diff --git a/plugins/site b/plugins/site
index a0c82d2..151c092 100644
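Review bot: The new `-root-path` branch accepts any existing directory through `[[ ! -d $value ]]` and then hands it to hooks that create and delete entries under it as root, yet nothing here makes `value` visible to those hooks: certbot runs them with its own environment and the `sudo` in front of certbot normally resets it, so the hooks would see an empty path unless it is passed along, e.g. `sudo env value="$value" certbot certonly --manual ...`. A relative path would also be resolved against whatever working directory certbot gives the hook, so I would require an absolute one and quote the test: `if [[ -z $value || $value != /* || ! -d "$value" ]]; then`. `$domset` is intentionally left unquoted so it word-splits into `-d` arguments; an array (`domset=(-d "$domain")`, expanded as `"${domset[@]}"`) expresses that without relying on splitting a string. The enclosing function site_ssl_on continues outside the hunk.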
--- a/plugins/site
+++ b/plugins/site
@@ -3,7 +3,7 @@
 # Site Manager Plugin (Create, delete and de/activate)
 # Syntax: site