From ac1e1f7008aad8052cc08f646a7d583a63b4a9b5 Mon Sep 17 00:00:00 2001
From: Philip Henning
Date: Tue, 19 Nov 2024 12:11:49 +0100
Subject: [PATCH] add location for acme; update scripts

---
 data/nginx/default.conf.template | 10 +++++++++-
 docker-compose.yml               |  1 +
 scripts/cert_renew.sh            |  8 ++++----
 scripts/init.sh                  |  7 +++++--
 4 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/data/nginx/default.conf.template b/data/nginx/default.conf.template
index 366e82e..003e62e 100644
--- a/data/nginx/default.conf.template
+++ b/data/nginx/default.conf.template
@@ -33,7 +33,15 @@ server {
     listen [::]:${NGINX_HTTP_PORT};
     server_name ${NGINX_SERVERNAME};
 
-    return 302 https://$host$request_uri;
+    # Exclude Let's Encrypt directory from redirection
+    location /.well-known/acme-challenge/ {
+        root /var/www/letsencrypt;
+    }
+
+    # Redirect all other traffic to HTTPS
+    location / {
+        return 302 https://$host$request_uri;
+    }
 }
 
 # HTTPS Server
diff --git a/docker-compose.yml b/docker-compose.yml
index b10db22..bbcbc10 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -125,6 +125,7 @@ services:
       - ./data/nginx/default.conf.template:/etc/nginx/templates/default.conf.template:ro
       - ./data/nginx/dhparams.pem:/etc/nginx/ssl/dhparams.pem:ro
       - ./data/nginx/certs:/etc/nginx/ssl/certs:ro
+      - ./data/nginx/acme:/var/www/letsencrypt:ro
     ports:
       - target: 8080
         published: "80"
diff --git a/scripts/cert_renew.sh b/scripts/cert_renew.sh
index ce5eade..55b20bb 100755
--- a/scripts/cert_renew.sh
+++ b/scripts/cert_renew.sh
@@ -5,9 +5,9 @@ cd "$(dirname "$(realpath "$0")")/../"
 
 lego \
   --path ./data/.lego \
-  --http.port :8080 \
-  --tls.port :8443 \
   --email="acme@base23.de" \
   --domains="sso.base23.de" \
-  --http renew \
-  --renew-hook="./scripts/cert_renew_hook.sh"
+  --http \
+  --http.webroot ./data/nginx/acme \
+  --renew-hook="./scripts/cert_renew_hook.sh" \
+  renew
diff --git a/scripts/init.sh b/scripts/init.sh
index d566471..10c771c 100755
--- a/scripts/init.sh
+++ b/scripts/init.sh
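Review bot: The new catch-all `location /` redirects to `https://$host$request_uri`, so the target host is copied from the client's Host header; if this server block is also the default for the HTTP port, an arbitrary Host value ends up reflected into the Location header. Redirecting to the configured name instead, `return 302 https://$server_name$request_uri;`, keeps the redirect bound to the `server_name ${NGINX_SERVERNAME}` shown in the context lines. The redirect also stays a temporary 302 after the move into the location block; a 301 (or 308, which preserves the method) lets clients remember the HTTPS upgrade, which is presumably the intent. The enclosing server block starts above the hunk.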
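Review bot: The new bind mount assumes `./data/nginx/acme` already exists on the host; if it does not, Docker creates it root-owned when the stack starts, and lego, which writes the challenge files into that directory (see `--http.webroot ./data/nginx/acme` in the cert_renew.sh hunk), would then fail to write there unless it runs as root. Creating the directory explicitly in init.sh before the first `docker compose up`, `mkdir -p ./data/nginx/acme`, avoids that. Mounting it `:ro` is right, since nginx only serves from it.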
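Review bot: Moving `--renew-hook` in front of the `renew` subcommand changes how lego parses the command line: `--renew-hook` is a flag of the `renew` subcommand rather than a global flag, so lego's CLI rejects the new invocation as an unknown global flag and the unattended renewal fails. Keep the global flags first and put the hook after the subcommand, as the removed lines did: `--http.webroot ./data/nginx/acme \`, `renew \`, `--renew-hook="./scripts/cert_renew_hook.sh"`. Because this script runs from cron, a parse error would only surface when the certificate expires, so it is worth running it once by hand after the change.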
@@ -51,12 +51,15 @@ echo "" echo "Create certificate" lego \ --path ./data/.lego \ - --http.port :8080 \ - --tls.port :8443 \ + --accept-tos \ --email="acme@base23.de" \ --domains="sso.base23.de" \ --http run # Link certificates to correct directory +ln -s ../../.lego/certificates/sso.base23.de.crt ./data/nginx/certs/sso.base23.de.crt +ln -s ../../.lego/certificates/sso.base23.de.issuer.crt ./data/nginx/certs/sso.base23.de.issuer.crt +ln -s ../../.lego/certificates/sso.base23.de.key ./data/nginx/certs/sso.base23.de.key + # Setup cronjob to automatically renew certificates
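Review bot: The three new `ln -s` entries point at `../../.lego/certificates/...`, which resolves on the host, but inside the nginx container the same link under the `./data/nginx/certs:/etc/nginx/ssl/certs:ro` mount resolves to `/etc/nginx/.lego/certificates/...`; unless `./data/.lego` is also mounted at a matching path (not visible here), nginx presumably sees dangling symlinks and cannot load the certificate or key. Copying the files into `./data/nginx/certs` (in the renew hook as well) or mounting `./data/.lego/certificates` directly is more robust. `ln -s` is also not idempotent, so a second run of init.sh aborts on the existing links; `ln -sfn` avoids that. Separately, `lego ... --http run` now binds port 80 itself because the `--http.port :8080` override was dropped, which only works while the nginx container, which publishes port 80, is not running; if nginx is expected to be up during init, pass `--http.webroot ./data/nginx/acme` here as cert_renew.sh does.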