NOISSUE - Improve certbot script
Signed-off-by: dusan <borovcanindusan1@gmail.com>
@@ -294,12 +294,12 @@ run_latest: check_certs
|
|||||||
$(DOCKER_PLATFORM) docker compose -f docker/docker-compose.yaml --env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args)
|
$(DOCKER_PLATFORM) docker compose -f docker/docker-compose.yaml --env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args)
|
||||||
|
|
||||||
run_tls:
|
run_tls:
|
||||||
@test -n "$(host)" || (echo "Usage: make run_tls host=example.com [email=admin@example.com] [letsencrypt=false] [staging=false] [force=true]" && exit 2)
|
@test -n "$(host)" || (echo "Usage: make run_tls host=example.com [email=admin@example.com] [letsencrypt=false] [staging=true] [force=true]" && exit 2)
|
||||||
@if [ "$(or $(letsencrypt),true)" != "false" ] && [ -z "$(email)" ]; then echo "Usage: make run_tls host=example.com email=admin@example.com [letsencrypt=false] [staging=false] [force=true]"; exit 2; fi
|
@if [ "$(or $(letsencrypt),true)" != "false" ] && [ -z "$(email)" ]; then echo "Usage: make run_tls host=example.com email=admin@example.com [letsencrypt=false] [staging=true] [force=true]"; exit 2; fi
|
||||||
MG_PUBLIC_HOST="$(host)" \
|
MG_PUBLIC_HOST="$(host)" \
|
||||||
MG_LETSENCRYPT_ENABLED="$(or $(letsencrypt),true)" \
|
MG_LETSENCRYPT_ENABLED="$(or $(letsencrypt),true)" \
|
||||||
MG_LETSENCRYPT_EMAIL="$(email)" \
|
MG_LETSENCRYPT_EMAIL="$(email)" \
|
||||||
MG_LETSENCRYPT_STAGING="$(or $(staging),true)" \
|
MG_LETSENCRYPT_STAGING="$(or $(staging),false)" \
|
||||||
MG_LETSENCRYPT_FORCE_RENEWAL="$(or $(force),false)" \
|
MG_LETSENCRYPT_FORCE_RENEWAL="$(or $(force),false)" \
|
||||||
DOCKER_PROJECT="$(DOCKER_PROJECT)" \
|
DOCKER_PROJECT="$(DOCKER_PROJECT)" \
|
||||||
./docker/setup-tls.sh
|
./docker/setup-tls.sh
|
||||||
|
|||||||
+48
-19
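--- a/docker/setup-tls.sh
+++ b/docker/setup-tls.sh
@@ -11,7 +11,7 @@ COMPOSE_FILE="$ROOT_DIR/docker/docker-compose.yaml"
 HOST=${MG_PUBLIC_HOST:-}
 EMAIL=${MG_LETSENCRYPT_EMAIL:-}
 LETSENCRYPT_ENABLED=${MG_LETSENCRYPT_ENABLED:-true}
-STAGING=${MG_LETSENCRYPT_STAGING:-true}
+STAGING=${MG_LETSENCRYPT_STAGING:-false}
 FORCE_RENEWAL=${MG_LETSENCRYPT_FORCE_RENEWAL:-false}
 PROJECT=${DOCKER_PROJECT:-magistrala}
 TIMEOUT_SECONDS=${MG_LETSENCRYPT_TIMEOUT_SECONDS:-180}
@@ -19,7 +19,8 @@ TIMEOUT_SECONDS=${MG_LETSENCRYPT_TIMEOUT_SECONDS:-180}
 usage() {
 cat <<EOF
 Usage:
-MG_PUBLIC_HOST=example.com MG_LETSENCRYPT_EMAIL=admin@example.com [MG_LETSENCRYPT_STAGING=false] $0
+MG_PUBLIC_HOST=example.com MG_LETSENCRYPT_EMAIL=admin@example.com $0
+MG_PUBLIC_HOST=example.com MG_LETSENCRYPT_EMAIL=admin@example.com MG_LETSENCRYPT_STAGING=true $0
 MG_PUBLIC_HOST=example.com MG_LETSENCRYPT_ENABLED=false $0
 
 Required:
@@ -31,7 +32,8 @@ Optional:
 MG_LETSENCRYPT_ENABLED true by default. Set false to use the fallback
 Nginx certificate and comment out Let's Encrypt
 cert/key paths in docker/.env.
-MG_LETSENCRYPT_STAGING true by default. Set false for production certs.
+MG_LETSENCRYPT_STAGING false by default (production certs). Set true for
+Let's Encrypt staging (testing only).
 MG_LETSENCRYPT_FORCE_RENEWAL
 false by default. Set true to replace an existing cert.
 DOCKER_PROJECT Compose project name. Defaults to magistrala.
@@ -111,6 +113,16 @@ comment_env() {
 mv "$tmp" "$ENV_FILE"
 }
 
+comment_env_any() {
+key=$1
+tmp=$(mktemp)
+awk -v key="$key" '
+index($0, key "=") == 1 { print "# " $0; next }
+{ print }
+' "$ENV_FILE" > "$tmp"
+mv "$tmp" "$ENV_FILE"
+}
+
 compose() {
 docker compose -f "$COMPOSE_FILE" --env-file "$ENV_FILE" -p "$PROJECT" "$@"
 }
@@ -152,7 +164,7 @@ wait_for_nginx_http() {
 done
 
 echo "Timed out waiting for Nginx to accept HTTP traffic." >&2
-docker logs --tail 80 magistrala-nginx >&2 || true
+compose logs --tail 80 nginx >&2 || true
 exit 1
 }
 
@@ -165,9 +177,23 @@ if [ "$LETSENCRYPT_ENABLED" = "false" ]; then
 FORCE_RENEWAL=false
 fi
 
-if [ "$LETSENCRYPT_ENABLED" = "true" ] && [ "$STAGING" = "false" ] && [ -f "$cert_file" ]; then
-if openssl x509 -in "$cert_file" -noout -issuer 2>/dev/null | grep -q "STAGING"; then
-FORCE_RENEWAL=true
+if [ "$LETSENCRYPT_ENABLED" = "true" ] && [ "$STAGING" = "false" ]; then
+live_dir="$ROOT_DIR/docker/ssl/letsencrypt/live/$HOST"
+if [ -d "$live_dir" ]; then
+needs_cleanup=false
+if openssl x509 -in "$cert_file" -noout -issuer 2>/dev/null | grep -q "STAGING"; then
+echo "Existing staging certificate detected; replacing with a production certificate."
+needs_cleanup=true
+elif [ ! -L "$cert_file" ] || [ ! -L "$key_file" ]; then
+echo "Broken certificate symlinks detected; removing stale data for a fresh issuance."
+needs_cleanup=true
+fi
+if [ "$needs_cleanup" = "true" ]; then
+FORCE_RENEWAL=true
+rm -rf "$live_dir" \
+"$ROOT_DIR/docker/ssl/letsencrypt/archive/$HOST" \
+"$ROOT_DIR/docker/ssl/letsencrypt/renewal/$HOST.conf"
+fi
 fi
 fi
 
@@ -180,8 +206,8 @@ set_env MG_LETSENCRYPT_EMAIL "$EMAIL"
 set_env MG_LETSENCRYPT_STAGING "$STAGING"
 set_env MG_LETSENCRYPT_FORCE_RENEWAL "$FORCE_RENEWAL"
 set_env MG_NGINX_SERVER_NAME "$HOST"
-comment_env MG_NGINX_SERVER_CERT "$cert_path"
-comment_env MG_NGINX_SERVER_KEY "$key_path"
+comment_env_any MG_NGINX_SERVER_CERT
+comment_env_any MG_NGINX_SERVER_KEY
 set_env MG_UI_DOCKER_ACCEPT_EULA yes
 
 set_env MG_OAUTH_UI_REDIRECT_URL "https://$HOST/api/auth/token"
@@ -217,22 +243,25 @@ wait_for_nginx_http
 echo "Requesting Let's Encrypt certificate for $HOST"
 MG_UI_DOCKER_ACCEPT_EULA=yes COMPOSE_PROFILES=letsencrypt compose up -d --force-recreate certbot
 
+cert_ready() {
+compose logs certbot 2>&1 | \
+grep -qE "Successfully received certificate|Certificate not yet due for renewal"
+}
+
 elapsed=0
-while [ "$elapsed" -lt "$TIMEOUT_SECONDS" ]; do
-if [ -s "$cert_file" ] && [ -s "$key_file" ]; then
-break
-fi
-sleep 2
-elapsed=$((elapsed + 2))
+until cert_ready || [ "$elapsed" -ge "$TIMEOUT_SECONDS" ]; do
+compose logs --tail 3 certbot 2>&1 | sed 's/^/ [certbot] /'
+sleep 5
+elapsed=$((elapsed + 5))
 done
 
-if [ ! -s "$cert_file" ] || [ ! -s "$key_file" ]; then
-echo "Timed out waiting for Let's Encrypt certificate files." >&2
-docker logs --tail 80 magistrala-certbot >&2 || true
+if ! cert_ready; then
+echo "Timed out waiting for Let's Encrypt certificate." >&2
+compose logs --tail 80 certbot >&2 || true
 exit 1
 fi
 
-echo "Switching Nginx to the issued certificate"
+echo "Certificate obtained. Switching Nginx to the issued certificate."
 set_env MG_NGINX_SERVER_CERT "$cert_path"
 set_env MG_NGINX_SERVER_KEY "$key_path"
 set_env MG_LETSENCRYPT_FORCE_RENEWAL false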
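Review bot: The cleanup branch in the `@@ -165,9 +177,23 @@` hunk builds its `rm -rf` paths from `$HOST`, which is operator-supplied through MG_PUBLIC_HOST, and nothing visible on the page checks that it is a bare hostname, so a value containing `/` or `..` would make `live_dir` resolve outside `docker/ssl/letsencrypt` while `[ -d "$live_dir" ]` still passes and the removal runs there. Validate it before the paths are assembled, e.g. `case "$HOST" in ""|*/*|*..*) echo "MG_PUBLIC_HOST must be a bare hostname" >&2; exit 2;; esac` (if such a check already exists earlier in the script, a comment at `live_dir=` pointing to it would do). In the `@@ -217,22 +243,25 @@` hunk, `cert_ready` now trusts the certbot log line alone and drops the file check the old loop had, so the script can reach `set_env MG_NGINX_SERVER_CERT "$cert_path"` while `$cert_file` is missing or empty; appending `&& [ -s "$cert_file" ] && [ -s "$key_file" ]` to the grep keeps both conditions. The enclosing `if [ "$LETSENCRYPT_ENABLED" ... ]` chain and the surrounding top-level script body extend beyond these hunks.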