#!/bin/sh
# Abort on any reference to an unset variable.  Optional settings must
# therefore be read with a default (${VAR:-}) or they will stop the script.
# NOTE(review): the script is run under /bin/sh but uses `local`, which is
# not POSIX; it works with dash and busybox ash, the usual container shells.
set -u
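#######################################
# Echo a command line and then execute it.
# The argument is one string that is split on whitespace into the command
# and its arguments (POSIX sh has no arrays).  Pathname expansion is
# disabled while splitting so that a value such as --domains=*.example.com
# can never be expanded against the working directory.
# Arguments: $1 - command line to run
# Outputs:   the command line on stdout, then whatever the command prints
# Returns:   the exit status of the command
#######################################
log_and_run() {
  local cmd=$1
  local glob_was_off=0
  echo "${cmd}"
  # Remember whether the caller already had globbing disabled so we only
  # restore the state we changed.
  case $- in *f*) glob_was_off=1 ;; esac
  set -f
  # shellcheck disable=SC2086 -- word-splitting is intentional here
  set -- ${cmd}
  [ "${glob_was_off}" -eq 1 ] || set +f
  "$@"
}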
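#######################################
# Obtain or renew every certificate described by ACME_<n>_* environment
# variables with lego, then save each ACME account on vault.
#
# Per-account variables (one set per index n):
#   ACME_<n>_EMAIL          account e-mail; its presence defines the index
#   ACME_<n>_CA             ACME directory URL
#   ACME_<n>_CHALLENGE      "http-01" or "dns-01"
#   ACME_<n>_DNS_PROVIDER   lego DNS provider (dns-01 only)
#   ACME_<n>_DNS_KEY_ENV    name of the variable the provider reads (dns-01)
#   ACME_<n>_DNS_KEY_VALUE  value exported under that name (dns-01)
#   ACME_<n>_DNS_RESOLVERS  optional resolvers passed to --dns.resolvers
#   ACME_<n>_KEY_TYPE       optional value passed to --key-type
#   ACME_<n>_CERT_<m>       comma-separated hostnames; the first is the CN
# Globals read:    ACME_HTTP_PORT (http-01 only), ACME_KV_ACCOUNT_ROOT
# Globals written: ACME_IDX and ACME_CA (exported), the DNS key variable
# Outputs:         progress messages on stdout plus lego/vault output
#######################################
main() {
  local idx email challenge lego_opts cert cn action cur_domain ca
  local dns_key_env dns_key_value

  mkdir -p /secrets/acme

  # Every ACME_<n>_EMAIL defines one account index n.  [0-9] is used rather
  # than \d: \d is not part of POSIX ERE (grep -E / sed -E) and is treated
  # differently by different implementations.
  for idx in $(printenv | grep -E '^ACME_[0-9]+_EMAIL=' | sed -E 's/^ACME_([0-9]+)_EMAIL=.*/\1/'); do
    export ACME_IDX="${idx}"
    ACME_CA=$(printenv "ACME_${idx}_CA")
    export ACME_CA
    email=$(printenv "ACME_${idx}_EMAIL")
    challenge=$(printenv "ACME_${idx}_CHALLENGE")

    # lego options are accumulated in one string because POSIX sh has no
    # arrays; log_and_run word-splits it when the command is run.
    lego_opts="--path /secrets/acme --server ${ACME_CA} --email ${email} --accept-tos"

    if [ "${challenge}" = "http-01" ]; then
      lego_opts="${lego_opts} --http --http.port 127.0.0.1:${ACME_HTTP_PORT:?ACME_HTTP_PORT is required for http-01}"
    elif [ "${challenge}" = "dns-01" ]; then
      lego_opts="${lego_opts} --dns $(printenv "ACME_${idx}_DNS_PROVIDER")"
      # Export the provider credential under the name lego expects.  Passing
      # a single "name=value" word keeps a value containing spaces intact.
      # It remains exported for later indexes and for the hook script.
      dns_key_env=$(printenv "ACME_${idx}_DNS_KEY_ENV")
      dns_key_value=$(printenv "ACME_${idx}_DNS_KEY_VALUE")
      export "${dns_key_env}=${dns_key_value}"
      # printenv exits non-zero when the variable is absent.
      if printenv "ACME_${idx}_DNS_RESOLVERS" > /dev/null; then
        lego_opts="${lego_opts} --dns.resolvers $(printenv "ACME_${idx}_DNS_RESOLVERS")"
      fi
    else
      echo "Unknown challenge type '${challenge}' for ACME_${idx}; running lego without a challenge option" >&2
    fi

    if printenv "ACME_${idx}_KEY_TYPE" > /dev/null; then
      lego_opts="${lego_opts} --key-type $(printenv "ACME_${idx}_KEY_TYPE")"
    fi

    for cert in $(printenv | grep -E "^ACME_${idx}_CERT_[0-9]+=" | sed -E 's/^([^=]+)=.*/\1/'); do
      # The first hostname of the list is the CN and the base name of the
      # files under /secrets/acme/certificates.
      cn=$(printenv "${cert}" | sed -E 's/^([^,]+).*/\1/')
      action=run
      if [ -e "/secrets/acme/certificates/${cn}.crt" ] && [ -e "/secrets/acme/certificates/${cn}.key" ]; then
        # Compare the SAN list of the existing certificate with the
        # configured hostnames: renew only when they match, otherwise
        # request a new certificate.
        cur_domain=$(openssl x509 -in "/secrets/acme/certificates/${cn}.crt" -noout -ext subjectAltName \
          | tail -1 | sed -E 's/[[:space:]]+DNS://g')
        if [ "${cur_domain}" = "$(printenv "${cert}")" ]; then
          echo "Certificate for ${cn} already exists, trying to renew (if needed)"
          action=renew
        else
          echo "Certificate for ${cn} changed subjectAltName, trying to get a new cert"
        fi
      else
        echo "Certificate for ${cn} doesn't exist, trying to get it"
      fi
      # --run-hook / --renew-hook hands the result to the upload script.
      log_and_run "lego ${lego_opts} --domains=$(printenv "${cert}") ${action} --${action}-hook /usr/local/bin/upload-to-vault.sh"
    done

    echo "Saving ACME account ${email} for ${ACME_CA} on vault"
    # The account directory is keyed by the CA host name: strip the scheme,
    # port and path from the directory URL.
    ca=$(printf '%s\n' "${ACME_CA}" | sed -E 's|^https?://([^/:]+).*|\1|')
    vault kv put "${ACME_KV_ACCOUNT_ROOT}/${ca}/${email}" \
      "metadata=@/secrets/acme/accounts/${ca}/${email}/account.json" \
      "key=@/secrets/acme/accounts/${ca}/${email}/keys/${email}.key"
  done
}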
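# Run once at start of the container
main

# If a cron expression is defined, hand over to a cron daemon.
# ACME_CRON is optional and is read with a default: under `set -u` a bare
# ${ACME_CRON} would abort the script right after the first run.
# ACME_CRON_RUNNING is set for the daemon's environment so the scheduled
# job (this same script) does not start a second daemon.
if [ -n "${ACME_CRON:-}" ] && [ -z "${ACME_CRON_RUNNING:-}" ]; then
  echo "Running using cron with expression ${ACME_CRON}"
  # Private, unpredictable temp file instead of a fixed /tmp/crontab.
  crontab_file=$(mktemp) || exit 1
  printf '%s /usr/local/bin/acme-to-vault.sh\n' "${ACME_CRON}" > "${crontab_file}"
  export ACME_CRON_RUNNING=true
  supercronic "${crontab_file}"
fi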