[ci skip] Add cert auto renewal
This commit is contained in:
parent
5f6823ca99
commit
9841a04896
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
image: node:8.9
|
image: node:8.12
|
||||||
|
|
||||||
pages:
|
pages:
|
||||||
script:
|
script:
|
||||||
|
@ -18,3 +18,21 @@ pages:
|
||||||
|
|
||||||
only:
|
only:
|
||||||
- master
|
- master
|
||||||
|
|
||||||
|
cert-renewal:
|
||||||
|
only:
|
||||||
|
- schedules
|
||||||
|
variables:
|
||||||
|
CERTBOT_RENEWAL_GIT_TOKEN: $CERTBOT_RENEWAL_GIT_TOKEN
|
||||||
|
script:
|
||||||
|
- echo "deb http://ftp.debian.org/debian jessie-backports main" >> /etc/apt/sources.list
|
||||||
|
- apt-get update
|
||||||
|
- apt-get install certbot -t jessie-backports -y
|
||||||
|
- apt-get install git curl -y
|
||||||
|
- export PATH=$PATH:$CI_PROJECT_DIR
|
||||||
|
- git config --global user.name $GITLAB_USER_LOGIN
|
||||||
|
- git config --global user.email $GITLAB_USER_EMAIL
|
||||||
|
- chmod +x ./letsencrypt_generate.sh
|
||||||
|
- chmod +x ./letsencrypt_authenticator.sh
|
||||||
|
- chmod +x ./letsencrypt_cleanup.sh
|
||||||
|
- ./letsencrypt_generate.sh
|
||||||
|
|
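--- /dev/null
+++ b/letsencrypt_authenticator.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# source https://www.harenslak.nl/blog/https-letsencrypt-gitlab-hugo
+
+mkdir -p $CI_PROJECT_DIR/static/.well-known/acme-challenge
+echo $CERTBOT_VALIDATION > $CI_PROJECT_DIR/static/.well-known/acme-challenge/$CERTBOT_TOKEN
+git add $CI_PROJECT_DIR/static/.well-known/acme-challenge/$CERTBOT_TOKEN
+git commit -m "GitLab runner - Added certbot challenge file for certificate renewal"
+git push https://$GITLAB_USER_LOGIN:$CERTBOT_RENEWAL_GIT_TOKEN@gitlab.com/fediverse/fediverse.gitlab.io.git HEAD:master
+
+interval_sec=15
+max_tries=10 # ~3 minutes
+n_tries=0
+while [ $n_tries -le $max_tries ]
+do
+status_code=$(curl -L --write-out "%{http_code}\n" --silent --output /dev/null https://fediverse.party/.well-known/acme-challenge/$CERTBOT_TOKEN)
+if [[ $status_code -eq 200 ]]; then
+exit 0
+fi
+
+n_tries=$((n_tries+1))
+sleep $interval_sec
+done
+
+exit 1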
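Review bot: The `git push https://$GITLAB_USER_LOGIN:$CERTBOT_RENEWAL_GIT_TOKEN@gitlab.com/...` line embeds the renewal token in the remote URL, so it is visible in the runner's process list and can land in the job log whenever git echoes the remote (on errors, or if `set -x` is ever enabled); the identical push line in letsencrypt_cleanup.sh has the same problem. Providing the credential through a helper that reads the environment (`git config credential.helper` pointing at a small inline function that prints `username=` and `password=` lines) and pushing to the plain `https://gitlab.com/fediverse/fediverse.gitlab.io.git` URL keeps the token out of argv and logs. Independently, every expansion in the file is unquoted: `echo $CERTBOT_VALIDATION > $CI_PROJECT_DIR/...` should be `printf '%s\n' "$CERTBOT_VALIDATION" > "$CI_PROJECT_DIR/static/.well-known/acme-challenge/$CERTBOT_TOKEN"`, and a `set -eu` after the shebang would stop the poll loop from spending three minutes retrying after the commit or push has already failed.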
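--- /dev/null
+++ b/letsencrypt_cleanup.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# source https://www.harenslak.nl/blog/https-letsencrypt-gitlab-hugo
+
+git rm $CI_PROJECT_DIR/static/.well-known/acme-challenge/$CERTBOT_TOKEN
+git commit -m "GitLab runner - Removed certbot challenge file"
+git push https://$GITLAB_USER_LOGIN:$CERTBOT_RENEWAL_GIT_TOKEN@gitlab.com/fediverse/fediverse.gitlab.io.git HEAD:master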
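Review bot: `git rm $CI_PROJECT_DIR/static/.well-known/acme-challenge/$CERTBOT_TOKEN` runs without `--` or quoting and nothing checks its status, so a path containing whitespace or an already-removed challenge file makes the removal fail while the commit and push still run, and the job reports success with the challenge file still in the repository. Adding `set -eu` after the shebang and writing the removal as `git rm -- "$CI_PROJECT_DIR/static/.well-known/acme-challenge/$CERTBOT_TOKEN"` makes a failed cleanup visible instead of silent. The push line carries the token in its URL, as already noted on letsencrypt_authenticator.sh.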
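--- /dev/null
+++ b/letsencrypt_generate.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# source https://www.harenslak.nl/blog/https-letsencrypt-gitlab-hugo
+
+end_epoch=$(date -d "$(echo | openssl s_client -connect fediverse.party:443 -servername fediverse.party 2>/dev/null | openssl x509 -enddate -noout | cut -d'=' -f2)" "+%s")
+current_epoch=$(date "+%s")
+renew_days_threshold=30
+days_diff=$((($end_epoch - $current_epoch) / 60 / 60 / 24))
+
+if [ $days_diff -lt $renew_days_threshold ]; then
+ls
+echo "Certificate is $days_diff days old, renewing now."
+certbot certonly --manual --debug --preferred-challenges=http -m $GITLAB_USER_EMAIL --agree-tos --manual-auth-hook letsencrypt_authenticator.sh --manual-cleanup-hook letsencrypt_cleanup.sh --manual-public-ip-logging-ok -d fediverse.party -d www.fediverse.party
+echo "Certbot finished. Updating GitLab Pages domains."
+curl --request PUT --header "PRIVATE-TOKEN: $CERTBOT_RENEWAL_GIT_TOKEN" --form "certificate=@/etc/letsencrypt/live/fediverse.party/fullchain.pem" --form "key=@/etc/letsencrypt/live/fediverse.party/privkey.pem" https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/pages/domains/fediverse.party
+curl --request PUT --header "PRIVATE-TOKEN: $CERTBOT_RENEWAL_GIT_TOKEN" --form "certificate=@/etc/letsencrypt/live/fediverse.party/fullchain.pem" --form "key=@/etc/letsencrypt/live/fediverse.party/privkey.pem" https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/pages/domains/www.fediverse.party
+else
+echo "Certificate still valid for $days_diff days, no renewal required."
+fi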
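Review bot: Both `curl --request PUT ... /pages/domains/...` calls run without `--fail` and their exit status is never checked, so a rejected upload (expired token, wrong project id, API error) still ends as a green job while the old certificate stays deployed until it expires; change them to `curl --fail --silent --show-error --request PUT ...` and add `set -euo pipefail` after the shebang so the failure aborts the job. The expiry probe is fragile in the other direction: when `openssl s_client` cannot connect, `end_epoch` appears to be computed from an empty string and `days_diff` comes out at or below zero, which forces a renewal attempt on every scheduled run and can burn through the issuer's rate limit, so the pipeline's result should be checked before the dates are compared. The bare `ls` after `if [ $days_diff -lt $renew_days_threshold ]; then` looks like leftover debugging, and `"Certificate is $days_diff days old, renewing now."` describes days until expiry rather than age; `"Certificate expires in $days_diff days, renewing now."` would match the computation.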