multidomain letsencrypt

Use multidomain letsencrypt SSL certificate instead of wildcard via
dns-gandi authenticator

docker/haproxy/Dockerfile

@@ -4,7 +4,7 @@ USER root
 RUN apk add openssl certbot py-pip
 RUN pip install certbot-plugin-gandi
 
-COPY letsencrypt-hook-deploy-concatenante.sh /
+COPY letsencrypt-hook-deploy-concatenante.sh /usr/local/sbin/
 COPY letsencrypt.sh /usr/local/sbin/
 COPY letsencrypt-renew-cron.sh /etc/periodic/daily/letsencrypt-renew
 COPY auto-generate-certs.sh /usr/local/sbin/

docker/haproxy/haproxy.conf

@@ -49,6 +49,7 @@ frontend website
     acl is_api hdr_beg(host) api.
     acl is_admin hdr_beg(host) admin.
 
+    use_backend letsencrypt if { path_beg /.well-known/acme-challenge/ }
     use_backend be_nextcloud if is_nextcloud
     use_backend be_moodle if is_moodle
     use_backend be_jitsi if is_jitsi
@@ -65,6 +66,9 @@ frontend website
     http-request redirect code 301 location https://moodle."${DOMAIN}" if { hdr(host) -i "${DOMAIN}" }
 #    default_backend be_sso
 
+backend letsencrypt
+  server letsencrypt 127.0.0.1:8080
+
 backend be_api
 	mode http
   acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found

docker/haproxy/letsencrypt-renew-cron.sh

@@ -1,2 +1,2 @@
 #!/bin/sh
-certbot renew --cert-name $LETSENCRYPT_DOMAIN
+certbot renew --http-01-port 8080 --cert-name sso.$LETSENCRYPT_DOMAIN

docker/haproxy/letsencrypt.sh

@@ -1,28 +1,31 @@
 #!/bin/sh
-if [ -f /letsencrypt-hook-deploy-concatenante.sh ]
+if [ ! -L /etc/letsencrypt/renewal-hooks/deploy/letsencrypt-hook-deploy-concatenante.sh ]
 then
   mkdir -p /etc/letsencrypt/renewal-hooks/deploy/
-  mv /letsencrypt-hook-deploy-concatenante.sh /etc/letsencrypt/renewal-hooks/deploy/concatenate.sh
+  ln -s /usr/local/sbin/letsencrypt-hook-deploy-concatenante.sh /etc/letsencrypt/renewal-hooks/deploy/
 fi
 
-
 if [ -n "$LETSENCRYPT_DOMAIN" -a -n "$LETSENCRYPT_EMAIL" ]
 then
   LETSENCRYPT_DOMAIN="$LETSENCRYPT_DOMAIN" crond
-  if [ -n "$GANDI_KEY" ]
+  if [ "$LETSENCRYPT_DOMAIN_ROOT" == "true" ]
   then
-    touch /gandi.ini
+    option_root_domain="-d $LETSENCRYPT_DOMAIN"
-    chmod 600 /gandi.ini
-    echo "dns_gandi_api_key=$GANDI_KEY" > /gandi.ini
-    GANDI_OPTIONS="--authenticator dns-gandi --dns-gandi-credentials /gandi.ini"
-  else
-    GANDI_OPTIONS=""
   fi
   if [ ! -f /certs/chain.pem ]
   then
-    if certbot certonly $GANDI_OPTIONS -d "$LETSENCRYPT_DOMAIN" -d "*.$LETSENCRYPT_DOMAIN" -m "$LETSENCRYPT_EMAIL" -n --agree-tos
+    if certbot certonly --standalone -m "$LETSENCRYPT_EMAIL" -n --agree-tos \
+      -d "sso.$LETSENCRYPT_DOMAIN" \
+      -d "api.$LETSENCRYPT_DOMAIN" \
+      -d "admin.$LETSENCRYPT_DOMAIN" \
+      -d "moodle.$LETSENCRYPT_DOMAIN" \
+      -d "nextcloud.$LETSENCRYPT_DOMAIN" \
+      -d "wp.$LETSENCRYPT_DOMAIN" \
+      -d "oof.$LETSENCRYPT_DOMAIN" \
+      -d "pad.$LETSENCRYPT_DOMAIN" \
+      $option_root_domain
     then
-      RENEWED_LINEAGE="/etc/letsencrypt/live/$LETSENCRYPT_DOMAIN" /etc/letsencrypt/renewal-hooks/deploy/concatenate.sh
+      RENEWED_LINEAGE="/etc/letsencrypt/live/sso.$LETSENCRYPT_DOMAIN" /etc/letsencrypt/renewal-hooks/deploy/letsencrypt-hook-deploy-concatenante.sh
     fi
   fi
 fi

main.conf.example

@@ -6,7 +6,12 @@
 #       to your /etc/hosts (ipa, login and hydra)
 DOMAIN=mydomain.org
 LETSENCRYPT_EMAIL=
-GANDI_KEY=
+# Generate letsencrypt certificate for root domain
+# Values:
+# - false (default): dont generate certificate for root domain, only for
+#                    subdomains.
+# - true: generate certificate for root domain and subdomains.
+#LETSENCRYPT_DOMAIN_ROOT=false
 
 DB_FOLDER=/opt/isard-sso/db
 DATA_FOLDER=/opt/isard-sso/data