diff --git a/docker/haproxy/Dockerfile b/docker/haproxy/Dockerfile
index 9ff408f..04b8940 100644
--- a/docker/haproxy/Dockerfile
+++ b/docker/haproxy/Dockerfile
@@ -4,7 +4,7 @@ USER root
 RUN apk add openssl certbot py-pip
 RUN pip install certbot-plugin-gandi
-COPY letsencrypt-hook-deploy-concatenante.sh /
+COPY letsencrypt-hook-deploy-concatenante.sh /usr/local/sbin/
 COPY letsencrypt.sh /usr/local/sbin/
 COPY letsencrypt-renew-cron.sh /etc/periodic/daily/letsencrypt-renew
 COPY auto-generate-certs.sh /usr/local/sbin/
diff --git a/docker/haproxy/haproxy.conf b/docker/haproxy/haproxy.conf
index 8307bc1..17bba98 100644
--- a/docker/haproxy/haproxy.conf
+++ b/docker/haproxy/haproxy.conf
@@ -49,6 +49,7 @@ frontend website
 acl is_api hdr_beg(host) api.
 acl is_admin hdr_beg(host) admin.
+ use_backend letsencrypt if { path_beg /.well-known/acme-challenge/ }
 use_backend be_nextcloud if is_nextcloud
 use_backend be_moodle if is_moodle
 use_backend be_jitsi if is_jitsi
@@ -65,6 +66,9 @@ frontend website
 http-request redirect code 301 location https://moodle."${DOMAIN}" if { hdr(host) -i "${DOMAIN}" }
 # default_backend be_sso
+backend letsencrypt
+ server letsencrypt 127.0.0.1:8080
+
 backend be_api
 mode http
 acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
diff --git a/docker/haproxy/letsencrypt-renew-cron.sh b/docker/haproxy/letsencrypt-renew-cron.sh
index 7a839f2..f7ee2be 100755
--- a/docker/haproxy/letsencrypt-renew-cron.sh
+++ b/docker/haproxy/letsencrypt-renew-cron.sh
@@ -1,2 +1,2 @@
 #!/bin/sh
-certbot renew --cert-name $LETSENCRYPT_DOMAIN
+certbot renew --http-01-port 8080 --cert-name sso.$LETSENCRYPT_DOMAIN
diff --git a/docker/haproxy/letsencrypt.sh b/docker/haproxy/letsencrypt.sh
index 07d84f0..1198912 100755
--- a/docker/haproxy/letsencrypt.sh
+++ b/docker/haproxy/letsencrypt.sh
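Review bot: The unchanged context line `RUN pip install certbot-plugin-gandi` still installs the Gandi plugin, although this commit removes the only visible user of it (the `--authenticator dns-gandi` path dropped from letsencrypt.sh). If nothing else in the image relies on it, drop that line so the image does not carry an unused, unpinned third-party package. Moving the hook script to /usr/local/sbin matches the `ln -s` target used in letsencrypt.sh, so the two hunks are consistent.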
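Review bot: The new `use_backend letsencrypt` rule is evaluated only after all `http-request` rules, so for a bare-root-domain challenge (when LETSENCRYPT_DOMAIN_ROOT=true) the `http-request redirect code 301 location https://moodle."${DOMAIN}" if { hdr(host) -i "${DOMAIN}" }` line shown in the second hunk fires first and the validator only reaches certbot by following the redirect to the moodle host over HTTPS, which depends on whatever certificate that frontend presents at the time. Excluding the challenge path from the redirect avoids relying on redirect-following: `http-request redirect code 301 location https://moodle."${DOMAIN}" if { hdr(host) -i "${DOMAIN}" } !{ path_beg /.well-known/acme-challenge/ }`. I can only see part of `frontend website`, so any other `http-request` redirect in it (e.g. an HTTP-to-HTTPS one) would need the same exclusion.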
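Review bot: The new `backend letsencrypt` declares no `mode`, whereas `be_api` directly below it sets `mode http` explicitly; if the defaults section is not `mode http`, HAProxy rejects the configuration because an HTTP frontend cannot route to a TCP backend, so add `mode http` under `backend letsencrypt`. The 127.0.0.1:8080 target only reaches certbot because it runs inside the same container as HAProxy (the Dockerfile installs it there); a comment such as `# certbot --standalone --http-01-port 8080 listens here only while an HTTP-01 validation is in progress` would make that coupling, and the expected 503 at other times, visible to the next maintainer.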
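Review bot: `$LETSENCRYPT_DOMAIN` is unquoted on the new line; `certbot renew --http-01-port 8080 --cert-name "sso.$LETSENCRYPT_DOMAIN"` avoids word-splitting and, if crond was started without the variable, produces a clear certbot error about an unknown lineage rather than a partially formed argument. Pinning `--cert-name` to the sso lineage matches the lineage that letsencrypt.sh issues, so the two files stay in step.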
@@ -1,28 +1,31 @@
 #!/bin/sh
-if [ -f /letsencrypt-hook-deploy-concatenante.sh ]
+if [ ! -L /etc/letsencrypt/renewal-hooks/deploy/letsencrypt-hook-deploy-concatenante.sh ]
 then
 mkdir -p /etc/letsencrypt/renewal-hooks/deploy/
- mv /letsencrypt-hook-deploy-concatenante.sh /etc/letsencrypt/renewal-hooks/deploy/concatenate.sh
+ ln -s /usr/local/sbin/letsencrypt-hook-deploy-concatenante.sh /etc/letsencrypt/renewal-hooks/deploy/
 fi
-
 if [ -n "$LETSENCRYPT_DOMAIN" -a -n "$LETSENCRYPT_EMAIL" ]
 then
 LETSENCRYPT_DOMAIN="$LETSENCRYPT_DOMAIN" crond
- if [ -n "$GANDI_KEY" ]
+ if [ "$LETSENCRYPT_DOMAIN_ROOT" == "true" ]
 then
- touch /gandi.ini
- chmod 600 /gandi.ini
- echo "dns_gandi_api_key=$GANDI_KEY" > /gandi.ini
- GANDI_OPTIONS="--authenticator dns-gandi --dns-gandi-credentials /gandi.ini"
- else
- GANDI_OPTIONS=""
+ option_root_domain="-d $LETSENCRYPT_DOMAIN"
 fi
 if [ ! -f /certs/chain.pem ]
 then
- if certbot certonly $GANDI_OPTIONS -d "$LETSENCRYPT_DOMAIN" -d "*.$LETSENCRYPT_DOMAIN" -m "$LETSENCRYPT_EMAIL" -n --agree-tos
+ if certbot certonly --standalone -m "$LETSENCRYPT_EMAIL" -n --agree-tos \
+ -d "sso.$LETSENCRYPT_DOMAIN" \
+ -d "api.$LETSENCRYPT_DOMAIN" \
+ -d "admin.$LETSENCRYPT_DOMAIN" \
+ -d "moodle.$LETSENCRYPT_DOMAIN" \
+ -d "nextcloud.$LETSENCRYPT_DOMAIN" \
+ -d "wp.$LETSENCRYPT_DOMAIN" \
+ -d "oof.$LETSENCRYPT_DOMAIN" \
+ -d "pad.$LETSENCRYPT_DOMAIN" \
+ $option_root_domain
 then
- RENEWED_LINEAGE="/etc/letsencrypt/live/$LETSENCRYPT_DOMAIN" /etc/letsencrypt/renewal-hooks/deploy/concatenate.sh
+ RENEWED_LINEAGE="/etc/letsencrypt/live/sso.$LETSENCRYPT_DOMAIN" /etc/letsencrypt/renewal-hooks/deploy/letsencrypt-hook-deploy-concatenante.sh
 fi
 fi
 fi
diff --git a/main.conf.example b/main.conf.example
index 1474f0e..21a7849 100644
--- a/main.conf.example
+++ b/main.conf.example
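Review bot: The new `certbot certonly --standalone` call does not pass `--http-01-port 8080`, while the renew cron does and haproxy.conf routes `/.well-known/acme-challenge/` to 127.0.0.1:8080; with certbot's default port 80 the initial issuance either fails to bind because HAProxy already holds :80, or only works if this script runs before HAProxy starts, which I cannot tell from here. Putting the flag on the first line of the command, `if certbot certonly --standalone --http-01-port 8080 -m "$LETSENCRYPT_EMAIL" -n --agree-tos \`, makes issuance and renewal use the same path. Two smaller points: `[ "$LETSENCRYPT_DOMAIN_ROOT" == "true" ]` uses `==`, which is not POSIX under `#!/bin/sh` (busybox ash accepts it, dash does not; use `=`), and `$option_root_domain` is deliberately left unquoted so it splits into `-d` and the domain, which deserves a comment such as `# unquoted on purpose: expands to "-d <domain>" or to nothing` because it reads like a quoting bug.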
@@ -6,7 +6,12 @@
 # to your /etc/hosts (ipa, login and hydra)
 DOMAIN=mydomain.org
 LETSENCRYPT_EMAIL=
-GANDI_KEY=
+# Generate letsencrypt certificate for root domain
+# Values:
+# - false (default): dont generate certificate for root domain, only for
+# subdomains.
+# - true: generate certificate for root domain and subdomains.
+#LETSENCRYPT_DOMAIN_ROOT=false
 DB_FOLDER=/opt/isard-sso/db
 DATA_FOLDER=/opt/isard-sso/data
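Review bot: The new comment has a typo, `dont` → `don't`, and it does not say what replaced the removed GANDI_KEY: per letsencrypt.sh in this commit, certificates are now obtained with HTTP-01 via `--standalone` for a fixed list of subdomains instead of a Gandi DNS-01 wildcard, so port 80 must be reachable from the Internet and every listed subdomain must resolve publicly. A line such as `# Certificates are issued with HTTP-01 (port 80 must be reachable); GANDI_KEY is no longer used` above the LETSENCRYPT_DOMAIN_ROOT block would spare operators upgrading an existing main.conf a surprise.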