From 844ca25088c0e7aa2efdda7a3931bc4b95d6b03a Mon Sep 17 00:00:00 2001
From: Guo Xiang Tan
Date: Mon, 23 May 2016 13:28:02 +0800
Subject: [PATCH] Update Let's Encrypt template to latest API.

---
 templates/web.letsencrypt.ssl.template.yml | 26 +++++++++++++---------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/templates/web.letsencrypt.ssl.template.yml b/templates/web.letsencrypt.ssl.template.yml
index 97256c2..a3dc989 100644
--- a/templates/web.letsencrypt.ssl.template.yml
+++ b/templates/web.letsencrypt.ssl.template.yml
@@ -10,22 +10,27 @@ hooks:
     - exec:
         cmd:
-          - cd /root && git clone https://github.com/Neilpang/le.git && cd /root/le && git reset --hard a7b7355dcf1f1b75fb581bf5d15cf26086d58c06
+          - apt-get install -y netcat
+          - cd /root && git clone https://github.com/Neilpang/acme.sh.git && cd /root/acme.sh && git reset --hard 8d5618c44a2ab973aa7eb243db740e22c742b809
           - touch /var/spool/cron/crontabs/root
           - install -d -m 0755 -g root -o root $LETSENCRYPT_DIR
-          - cd /root/le && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./le.sh install
+          - cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --install
-    # Ideally, we want to name the file 'letsencrypt' but we can't until the following is fixed
-    # https://github.com/Neilpang/acme.sh/issues/164
     - file:
-        path: /etc/runit/1.d/install_ssl_cert
+        path: /etc/runit/1.d/letsencrypt
         chmod: "+x"
         contents: |
           #!/bin/bash
-          LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh issue no $$ENV_DISCOURSE_HOSTNAME no 4096
-          LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh installcert $$ENV_DISCOURSE_HOSTNAME /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer "sv reload nginx"
+          LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue -d $$ENV_DISCOURSE_HOSTNAME -k 4096 --standalone
+
+          if [ ! "$(cd $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]; then
+            # Try to issue the cert again if something goes wrong
+            LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue -d $$ENV_DISCOURSE_HOSTNAME -k 4096 --standalone --force
+          fi
+
+          LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --installcert -d $$ENV_DISCOURSE_HOSTNAME --fullchainpath /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer --keypath /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key --reloadcmd "sv reload nginx"
           # After the initial install, switch to Webroot plugin
-          LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh _setopt $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME/$$ENV_DISCOURSE_HOSTNAME.conf "Le_Webroot" "=" "/var/www/discourse/public"
+          LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh _setopt $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME/$$ENV_DISCOURSE_HOSTNAME.conf "Le_Webroot" "=" "/var/www/discourse/public"
     - replace:
         filename: "/etc/nginx/conf.d/discourse.conf"
@@ -43,10 +48,11 @@ hooks:
         filename: "/etc/nginx/conf.d/discourse.conf"
         from: /ssl_certificate_key.+/
         to: |
-          ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key; # remember the certificate for 2 months and automatically connect to HTTPS for this domain
+          ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;
     - replace:
         filename: "/etc/nginx/conf.d/discourse.conf"
         from: /add_header.+/
         to: |
-          add_header Strict-Transport-Security 'max-age=5184000';
+          # remember the certificate for 80 days and automatically connect to HTTPS for this domain
+          add_header Strict-Transport-Security 'max-age=6912000';
-- 
2.25.1
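Review bot: The new runit script mixes two substitution mechanisms on the same line: `LE_WORKING_DIR="${LETSENCRYPT_DIR}"` is expanded by the shell when /etc/runit/1.d/letsencrypt runs, while `$$ENV_LETSENCRYPT_DIR` on the same line is filled in by the template at build time, and the removed lines used `$$ENV_LETSENCRYPT_DIR` for both. If `LETSENCRYPT_DIR` is not present in the environment runit hands the script (this hunk cannot show whether it is), `LE_WORKING_DIR` is empty and acme.sh presumably falls back to its own default working directory, silently separate from the one the exec hook populated with `--install`, and the `_setopt` line then edits a config acme.sh no longer reads. Writing `LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR"` on all four new lines, as the old script did, removes that runtime dependency. Separately, the `--force` retry re-issues a certificate on every boot where `openssl verify` fails, which counts against Let's Encrypt issuance rate limits on a persistently failing host; a comment such as `# --force bypasses acme.sh's renewal check; repeated boots with a failing verify will hit the CA's issuance rate limit` at the retry line, plus an `echo` of the failure before retrying, would help operators diagnose it. Note also that `openssl verify -CAfile ca.cer` checks fullchain.cer only against the ca.cer fetched alongside it, so it detects a broken download rather than validating the chain against the system trust store; the comment could say so.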
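Review bot: The comment added above the `add_header` line describes HSTS as remembering the certificate, which is not what the header does: `Strict-Transport-Security` tells browsers to reach this host only over HTTPS for `max-age` seconds and says nothing about which certificate is presented. Rewording it to `# HSTS: browsers will use HTTPS only for this host for the next 80 days (6912000 s); this does not pin the certificate` keeps the 80-day figure and stops the next maintainer from treating it as certificate pinning. The same inaccurate wording appears on the removed `ssl_certificate_key` line, so the moved comment is the right place to fix it.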