diff --git a/data/nginx/default.conf.template b/data/nginx/default.conf.template
index 74d8f53..341eee7 100644
--- a/data/nginx/default.conf.template
+++ b/data/nginx/default.conf.template
@@ -51,8 +51,8 @@ server {
 http2 on;
 server_name ${NGINX_SERVERNAME};
- ssl_certificate /etc/nginx/ssl/certs/sso.base23.de.crt;
- ssl_certificate_key /etc/nginx/ssl/certs/sso.base23.de.key;
+ ssl_certificate /etc/nginx/ssl/certs/_.base23.de.crt;
+ ssl_certificate_key /etc/nginx/ssl/certs/_.base23.de.key;
 ssl_session_timeout ${NGINX_SSL_SESSION_TIMEOUT};
 ssl_session_cache ${NGINX_SSL_SESSION_CACHE};
@@ -71,7 +71,7 @@ server {
 ssl_stapling_verify ${NGINX_SSL_STAPLING_VERIFY};
 # verify chain of trust of OCSP response using Root CA and Intermediate certs
- ssl_trusted_certificate /etc/nginx/ssl/certs/sso.base23.de.issuer.crt;
+ ssl_trusted_certificate /etc/nginx/ssl/certs/_.base23.de.issuer.crt;
 # replace with the IP address of your resolver
 resolver ${NGINX_RESOLVER};
diff --git a/scripts/cert_renew.sh b/scripts/cert_renew.sh
index 9a4d3da..8a3b1a6 100755
--- a/scripts/cert_renew.sh
+++ b/scripts/cert_renew.sh
@@ -6,7 +6,8 @@ cd "$(dirname "$(realpath "$0")")/../"
 lego \
 --path ./data/.lego \
 --email="acme@base23.de" \
- --domains="sso.base23.de" \
- --http.webroot="./data/nginx/acme" \
- --http renew \
+ --domains="*.base23.de" \
+ --dns hetzner \
+ --dns \
+ renew \
 --renew-hook="./scripts/cert_renew_hook.sh"
diff --git a/scripts/cert_renew_hook.sh b/scripts/cert_renew_hook.sh
index 381c2cf..4fe8734 100755
--- a/scripts/cert_renew_hook.sh
+++ b/scripts/cert_renew_hook.sh
@@ -3,6 +3,6 @@ set -euf -o pipefail
 cd "$(dirname "$(realpath "$0")")/../"
-install -m 400 -o 101 -g 101 "./data/.lego/certificates"/{sso.base23.de.crt,sso.base23.de.issuer.crt,sso.base23.de.key} "./data/nginx/certs"
+install -m 400 -o 101 -g 101 "./data/.lego/certificates"/{_.base23.de.crt,_.base23.de.issuer.crt,_.base23.de.key} "./data/nginx/certs"
 docker compose restart nginx
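Review bot: The new argument list in scripts/cert_renew.sh passes `--dns` twice: the bare `--dns \` line after `--dns hetzner \` carries no provider value, so the following `renew` is most likely consumed as that flag's value and lego is left without a subcommand (the `run` invocation in scripts/init.sh does not have this extra line). Drop the stray line so the tail reads `--dns hetzner \` / `renew \` / `--renew-hook="./scripts/cert_renew_hook.sh"`. Separately, a certificate for `*.base23.de` does not cover the bare apex `base23.de`; if `NGINX_SERVERNAME` can ever be the apex, it has to be added to `--domains` both here and in init.sh. With the webroot flag removed, the `./data/nginx/acme` directory setup that remains in init.sh is no longer used by the renewal.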
diff --git a/scripts/init.sh b/scripts/init.sh
index bd05a5d..587935b 100755
--- a/scripts/init.sh
+++ b/scripts/init.sh
@@ -42,6 +42,13 @@ if [[ ! -f ./.env ]]; then
 echo "" >> ./.env
 fi
+# Check if lego.env exists and exit if it is
+if [[ ! -f ./lego.env ]]; then
+ echo "# Lego - Let's Encrypt certificate tool" >> ./lego.env
+ prompt_password HETZNER_API_KEY; echo "HETZNER_API_KEY=${RETURNED_PASSWORD}" >> ./lego.env; unset RETURNED_PASSWORD
+ echo "" >> ./.env
+fi
+
 # Check if ssh key already exists, otherwise generate one
 [[ ! -d ./data/restic/ssh/ ]] && mkdir -p ./data/restic/ssh/
 [[ ! -f ./data/restic/ssh/id_ed25519 ]] && ssh-keygen -t ed25519 -C "sso.base23.de" -f ./data/restic/ssh/id_ed25519
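Review bot: The last line of the new block, `echo "" >> ./.env`, appends to `.env` instead of the file the block is building — a copy-paste slip from the `.env` block above; it should be `echo "" >> ./lego.env`. The file holds the Hetzner API token but is created by `>>` under the caller's umask, so it is likely group- or world-readable; create it with a restrictive mode, e.g. `( umask 077; : > ./lego.env )` before the first append or `chmod 600 ./lego.env` after the last one, since the systemd unit in the later hunk reads it via `EnvironmentFile=`. The comment `# Check if lego.env exists and exit if it is` matches neither branch — the block creates the file when it is absent; `# Create lego.env with the DNS provider credentials if it does not exist yet` would describe it. `prompt_password` and `RETURNED_PASSWORD` are defined outside this hunk, so their contract is assumed here.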
@@ -59,24 +66,26 @@ if [[ ! -d ./data/.lego ]]; then
 --path ./data/.lego \
 --accept-tos \
 --email="acme@base23.de" \
- --domains="sso.base23.de" \
- --http run \
- && install -m 400 -o 101 -g 101 "./data/.lego/certificates"/{sso.base23.de.crt,sso.base23.de.issuer.crt,sso.base23.de.key} "./data/nginx/certs"
+ --domains="*.base23.de" \
+ --dns hetzner \
+ run \
+ && install -m 400 -o 101 -g 101 "./data/.lego/certificates"/{_.base23.de.crt,_.base23.de.issuer.crt,_.base23.de.key} "./data/nginx/certs"
 fi
 # Setup directory for acme cheallenges
 [[ ! -d ./data/nginx/acme ]] && mkdir -p ./data/nginx/acme
 # Setup cronjob to automatically renew certificates
-[[ ! -f /etc/systemd/system/lego-renew-sso-base23-de.service ]] && cat < /etc/systemd/system/lego-renew-sso-base23-de.service && systemctl daemon-reload
+[[ ! -f /etc/systemd/system/lego-renew-wildcard-base23-de.service ]] && cat < /etc/systemd/system/lego-renew-wildcard-base23-de.service && systemctl daemon-reload
 [Unit]
-Description=SSL Certificate renewal for sso.base23.de with LEGO
+Description=SSL Certificate renewal for *.base23.de with LEGO
 Documentation=https://go-acme.github.io/lego/
 Wants=network-online.target
 After=network-online.target
 [Service]
 Type=oneshot
+EnvironmentFile=${AUTHENTIK_DOCKER_COMPOSE_PATH}/lego.env
 ExecStart=${AUTHENTIK_DOCKER_COMPOSE_PATH}/scripts/cert_renew.sh
 WorkingDirectory=${AUTHENTIK_DOCKER_COMPOSE_PATH}/
 User=root
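Review bot: `lego --dns hetzner run` needs `HETZNER_API_KEY` in its environment, but the key is only written to `./lego.env` in the earlier hunk and nothing visible exports it before this initial `run`; only the systemd service receives it through the new `EnvironmentFile=` line, so the first issuance would fail unless the variable is exported somewhere outside the visible hunks. Loading the file right before the call, e.g. `set -a; . ./lego.env; set +a`, inside the `if [[ ! -d ./data/.lego ]]` block (which begins before this hunk) closes that gap. With the HTTP-01 challenge gone, the `./data/nginx/acme` webroot setup kept in this hunk is no longer used by lego and can go. On hosts already initialized, the old `lego-renew-sso-base23-de.timer` stays enabled next to the new unit because the guard only checks for the new file name; disabling the old timer during migration avoids two renewals running the same script. The `cat < /etc/systemd/...` lines read like a heredoc whose `<<EOF >` operator was lost in this rendering, given the `EOF` terminator in the next hunk; worth confirming against the file.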
@@ -87,9 +96,9 @@ RemainAfterExit=no
 WantedBy=multi-user.target
 EOF
-[[ ! -f /etc/systemd/system/lego-renew-sso-base23-de.timer ]] && cat < /etc/systemd/system/lego-renew-sso-base23-de.timer && systemctl daemon-reload && systemctl enable --now lego-renew-sso-base23-de.timer
+[[ ! -f /etc/systemd/system/lego-renew-wildcard-base23-de.timer ]] && cat < /etc/systemd/system/lego-renew-wildcard-base23-de.timer && systemctl daemon-reload && systemctl enable --now lego-renew-wildcard-base23-de.timer
 [Unit]
-Description=SSL Certificate renewal for sso.base23.de with LEGO Timer
+Description=SSL Certificate renewal for *.base23.de with LEGO Timer
 [Timer]
 OnCalendar=*-*-* 01:32:00