56 lines
2.7 KiB
Bash
Executable File
56 lines
2.7 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Portal domain requires 3 domain certificates:
|
|
# - exact portal domain, ie. example.com
|
|
# - wildcard subdomain on portal domain, ie. *.example.com
|
|
# used for skylinks served from portal subdomain
|
|
# - wildcard subdomain on hns portal domain subdomain, ie. *.hns.example.com
|
|
# used for resolving handshake domains
|
|
DOMAINS=${PORTAL_DOMAIN},*.${PORTAL_DOMAIN},*.hns.${PORTAL_DOMAIN}
|
|
|
|
# Add server domain when it is not empty and different from portal domain
|
|
if [ ! -z "${SERVER_DOMAIN}" ] && [ "${PORTAL_DOMAIN}" != "${SERVER_DOMAIN}" ]; then
|
|
# In case where server domain is not covered by portal domain's
|
|
# wildcard certificate, add server domain name to domains list.
|
|
# - server-001.example.com is covered by *.example.com
|
|
# - server-001.servers.example.com or server-001.example-severs.com
|
|
# are not covered by any already requested wildcard certificates
|
|
#
|
|
# The condition checks whether server domain does not match portal domain
|
|
# with exactly one level of subdomain (portal domain wildcard cert):
|
|
# (start) [anything but the dot] + [dot] + [portal domain] (end)
|
|
if ! printf "${SERVER_DOMAIN}" | grep -q -E "^[^\.]+\.${PORTAL_DOMAIN}$"; then
|
|
DOMAINS=${DOMAINS},${SERVER_DOMAIN}
|
|
fi
|
|
|
|
# Server domain requires the same set of domain certificates as portal domain.
|
|
# Exact server domain case is handled above.
|
|
DOMAINS=${DOMAINS},*.${SERVER_DOMAIN},*.hns.${SERVER_DOMAIN}
|
|
fi
|
|
|
|
# The "wait" will prevent an exit from the script while background tasks are
|
|
# still active, so we are adding the line below as a method to prevent orphaning
|
|
# the background child processe. The trap fires when docker terminates the container.
|
|
trap exit TERM
|
|
|
|
while :; do
|
|
# Execute certbot and generate or maintain certificates for given domain string.
|
|
# --non-interactive: we are running this as an automation so we cannot be prompted
|
|
# --agree-tos: required flag marking agreement with letsencrypt tos
|
|
# --cert-name: output directory name
|
|
# --email: required for generating certificates, used for communication with CA
|
|
# --domains: comma separated list of domains (will generate one bundled SAN cert)
|
|
# Use CERTBOT_ARGS env variable to pass any additional arguments, ie --dns-route53
|
|
certbot certonly \
|
|
--non-interactive --agree-tos --cert-name skynet-portal \
|
|
--email ${EMAIL_ADDRESS} --domains ${DOMAINS} ${CERTBOT_ARGS}
|
|
|
|
# Run a background sleep process that counts down given time
|
|
# Certbot docs advise running maintenance process every 12 hours
|
|
sleep 12h &
|
|
|
|
# Await execution until sleep process is finished (it's a background process)
|
|
# Syntax explanation: ${!} expands to a pid of last ran process
|
|
wait ${!}
|
|
done
|