From fe2192166e57cf3010c5c756d99e8a8c1d7e66fd Mon Sep 17 00:00:00 2001
From: Matthew Hodgson <matthew@matrix.org>
Date: Fri, 8 Nov 2024 18:01:09 +0000
Subject: [PATCH] make LE work

---
 compose.yml         |  8 +++++-
 init-letsencrypt.sh | 67 +++++++++++++++++++++++----------------------
 setup.sh            |  7 ++---
 3 files changed, 44 insertions(+), 38 deletions(-)

diff --git a/compose.yml b/compose.yml
index a81a471..89981d5 100644
--- a/compose.yml
+++ b/compose.yml
@@ -92,7 +92,13 @@ services:
     volumes:
       - ${VOLUME_PATH}/data/certbot/conf:/etc/letsencrypt
       - ${VOLUME_PATH}/data/certbot/www:/var/www/certbot
-    entrypoint: "/bin/sh -c 'trap exit TERM; while [ -e /etc/letsencrypt/live ]; do certbot renew; sleep 12h & wait $${!}; done;'"
+      - ${VOLUME_PATH}/data/ssl:/data/ssl
+    entrypoint: "/bin/sh -c 'trap exit TERM; \
+                 while [ -e /etc/letsencrypt/live ]; \
+                 do certbot --webroot -w /var/www/certbot renew; \
+                 cp /etc/letsencrypt/live/$DOMAIN/*.pem /data/ssl; \
+                 sleep 12h & wait $${!}; \
+                 done;'"
 
   postgres:
     image: postgres:latest
diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh
index a9b53e3..dddb1fa 100755
--- a/init-letsencrypt.sh
+++ b/init-letsencrypt.sh
@@ -5,7 +5,7 @@
 set -x
 
 if ! [ -x "$(command -v docker)" ]; then
-  echo 'Error: dockeris not installed.' >&2
+  echo 'Error: docker is not installed.' >&2
   exit 1
 fi
 
@@ -14,7 +14,7 @@ domains=$DOMAINS
 rsa_key_size=4096
 data_path="./data/certbot"
 read -p "admin email address for letsencrypt: " email
-staging=1 # Set to 1 if you're testing your setup to avoid hitting request limits
+staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
 
 if [ -d "$data_path" ]; then
   read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
@@ -31,31 +31,30 @@ if [ ! -e "data/ssl/options-ssl-nginx.conf" ] || [ ! -e "data/ssl/ssl-dhparams.p
   echo
 fi
 
-echo "### Creating dummy certificate for $domains ..."
-# N.B. in bash, $domains will return the first value of the array in string context, so this is not a bug:
-path="/etc/letsencrypt/live/$domains"
-mkdir -p "$data_path/conf/live/$domains"
-docker compose run --rm --entrypoint "\
-  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
-    -keyout '$path/privkey.pem' \
-    -out '$path/fullchain.pem' \
-    -subj '/CN=localhost'; \
-  cp /etc/ssl/certs/ca-certificates.crt '$path'" certbot
-echo
-
-echo "### Starting nginx ..."
-docker compose up --force-recreate -d nginx
-echo
-
-exit
-
-echo "### Deleting dummy certificate for $domains ..."
-docker compose run --rm --entrypoint "\
-  rm -Rf /etc/letsencrypt/live/$domains && \
-  rm -Rf /etc/letsencrypt/archive/$domains && \
-  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
-echo
-
+# echo "### Creating dummy certificate for $domains ..."
+# # N.B. in bash, $domains will return the first value of the array in string context, so this is not a bug:
+# mkdir -p "$data_path/conf/live/$domains"
+# path="/etc/letsencrypt/live/$domains"
+# docker compose run --rm --entrypoint "\
+#   openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
+#     -keyout '$path/privkey.pem' \
+#     -out '$path/fullchain.pem' \
+#     -subj '/CN=localhost'; \
+#   cp /etc/ssl/certs/ca-certificates.crt '$path'" certbot
+# echo
+# 
+# echo "### Starting nginx ..."
+# docker compose up --force-recreate -d nginx
+# echo
+# 
+# exit
+# 
+# echo "### Deleting dummy certificate for $domains ..."
+# docker compose run --rm --entrypoint "\
+#   rm -Rf /etc/letsencrypt/live/$domains && \
+#   rm -Rf /etc/letsencrypt/archive/$domains && \
+#   rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
+# echo
 
 echo "### Requesting Let's Encrypt certificate for $domains ..."
 #Join $domains to -d args
@@ -73,15 +72,19 @@ esac
 # Enable staging mode if needed
 if [ $staging != "0" ]; then staging_arg="--staging"; fi
 
-docker compose run --rm --entrypoint "\
-  certbot certonly --webroot -w /var/www/certbot \
+docker compose run -p 80:80 --rm --entrypoint " \
+  sh -c \"certbot certonly --standalone \
     $staging_arg \
     $email_arg \
     $domain_args \
     --rsa-key-size $rsa_key_size \
     --agree-tos \
-    --force-renewal" certbot
+    --force-renewal;
+  cp /etc/letsencrypt/live/$domains/*.pem /data/ssl; \
+  cp /etc/ssl/certs/ca-certificates.crt /data/ssl; \
+  chown -R $USER_ID:$GROUP_ID /data/ssl; \
+    \"" certbot
 echo
 
-echo "### Reloading nginx ..."
-docker compose exec nginx nginx -s reload
+# echo "### Reloading nginx ..."
+# docker compose exec nginx nginx -s reload
diff --git a/setup.sh b/setup.sh
index 039515c..04d751c 100755
--- a/setup.sh
+++ b/setup.sh
@@ -44,12 +44,9 @@ if [[ ! -e .env  ]]; then
     else
         read -p "Use letsencrypt for SSL? [y/n] " use_letsencrypt
         if [[ use_letsencrypt =~ [Yy] ]]; then
-	    mkdir -p data/certbot/conf/live/$DOMAIN
-	    if [[ ! -L data/ssl ]]; then
-                ln -s ../data/certbot/conf/live/$DOMAIN data/ssl
-	    fi
+	    mkdir -p data/ssl
             touch data/ssl/ca-certificates.crt # will get overwritten by init-letsencrypt.sh
-            exec ./init-letsencrypt.sh
+            source ./init-letsencrypt.sh
         else
             echo "Please put a valid {privkey,fullchain}.pem and ca-certificates.crt into data/ssl/"
         fi