From 9841a04896852dc6708e8dddec57e6e1844839a5 Mon Sep 17 00:00:00 2001 From: lostinlight Date: Wed, 17 Oct 2018 23:27:04 +0300 Subject: [PATCH] [ci skip] Add cert auto renewal --- .gitlab-ci.yml | 20 +++++++++++++++++++- letsencrypt_authenticator.sh | 25 +++++++++++++++++++++++++ letsencrypt_cleanup.sh | 7 +++++++ letsencrypt_generate.sh | 19 +++++++++++++++++++ 4 files changed, 70 insertions(+), 1 deletion(-) create mode 100644 letsencrypt_authenticator.sh create mode 100644 letsencrypt_cleanup.sh create mode 100644 letsencrypt_generate.sh diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index a22782d..4268e8b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,5 +1,5 @@ -image: node:8.9 +image: node:8.12 pages: script: @@ -18,3 +18,21 @@ pages: only: - master + +cert-renewal: + only: + - schedules + variables: + CERTBOT_RENEWAL_GIT_TOKEN: $CERTBOT_RENEWAL_GIT_TOKEN + script: + - echo "deb http://ftp.debian.org/debian jessie-backports main" >> /etc/apt/sources.list + - apt-get update + - apt-get install certbot -t jessie-backports -y + - apt-get install git curl -y + - export PATH=$PATH:$CI_PROJECT_DIR + - git config --global user.name $GITLAB_USER_LOGIN + - git config --global user.email $GITLAB_USER_EMAIL + - chmod +x ./letsencrypt_generate.sh + - chmod +x ./letsencrypt_authenticator.sh + - chmod +x ./letsencrypt_cleanup.sh + - ./letsencrypt_generate.sh diff --git a/letsencrypt_authenticator.sh b/letsencrypt_authenticator.sh new file mode 100644 index 0000000..d26c84c --- /dev/null +++ b/letsencrypt_authenticator.sh @@ -0,0 +1,25 @@ + +#!/bin/bash +# source https://www.harenslak.nl/blog/https-letsencrypt-gitlab-hugo + +mkdir -p $CI_PROJECT_DIR/static/.well-known/acme-challenge +echo $CERTBOT_VALIDATION > $CI_PROJECT_DIR/static/.well-known/acme-challenge/$CERTBOT_TOKEN +git add $CI_PROJECT_DIR/static/.well-known/acme-challenge/$CERTBOT_TOKEN +git commit -m "GitLab runner - Added certbot challenge file for certificate renewal" +git push https://$GITLAB_USER_LOGIN:$CERTBOT_RENEWAL_GIT_TOKEN@gitlab.com/fediverse/fediverse.gitlab.io.git HEAD:master + +interval_sec=15 +max_tries=10 # ~3 minutes +n_tries=0 +while [ $n_tries -le $max_tries ] +do + status_code=$(curl -L --write-out "%{http_code}\n" --silent --output /dev/null https://fediverse.party/.well-known/acme-challenge/$CERTBOT_TOKEN) + if [[ $status_code -eq 200 ]]; then + exit 0 + fi + + n_tries=$((n_tries+1)) + sleep $interval_sec +done + +exit 1 diff --git a/letsencrypt_cleanup.sh b/letsencrypt_cleanup.sh new file mode 100644 index 0000000..008943c --- /dev/null +++ b/letsencrypt_cleanup.sh @@ -0,0 +1,7 @@ + +#!/bin/bash +# source https://www.harenslak.nl/blog/https-letsencrypt-gitlab-hugo + +git rm $CI_PROJECT_DIR/static/.well-known/acme-challenge/$CERTBOT_TOKEN +git commit -m "GitLab runner - Removed certbot challenge file" +git push https://$GITLAB_USER_LOGIN:$CERTBOT_RENEWAL_GIT_TOKEN@gitlab.com/fediverse/fediverse.gitlab.io.git HEAD:master diff --git a/letsencrypt_generate.sh b/letsencrypt_generate.sh new file mode 100644 index 0000000..51b92d4 --- /dev/null +++ b/letsencrypt_generate.sh @@ -0,0 +1,19 @@ + +#!/bin/bash +# source https://www.harenslak.nl/blog/https-letsencrypt-gitlab-hugo + +end_epoch=$(date -d "$(echo | openssl s_client -connect fediverse.party:443 -servername fediverse.party 2>/dev/null | openssl x509 -enddate -noout | cut -d'=' -f2)" "+%s") +current_epoch=$(date "+%s") +renew_days_threshold=30 +days_diff=$((($end_epoch - $current_epoch) / 60 / 60 / 24)) + +if [ $days_diff -lt $renew_days_threshold ]; then + ls + echo "Certificate is $days_diff days old, renewing now." + certbot certonly --manual --debug --preferred-challenges=http -m $GITLAB_USER_EMAIL --agree-tos --manual-auth-hook letsencrypt_authenticator.sh --manual-cleanup-hook letsencrypt_cleanup.sh --manual-public-ip-logging-ok -d fediverse.party -d www.fediverse.party + echo "Certbot finished. Updating GitLab Pages domains." + curl --request PUT --header "PRIVATE-TOKEN: $CERTBOT_RENEWAL_GIT_TOKEN" --form "certificate=@/etc/letsencrypt/live/fediverse.party/fullchain.pem" --form "key=@/etc/letsencrypt/live/fediverse.party/privkey.pem" https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/pages/domains/fediverse.party + curl --request PUT --header "PRIVATE-TOKEN: $CERTBOT_RENEWAL_GIT_TOKEN" --form "certificate=@/etc/letsencrypt/live/fediverse.party/fullchain.pem" --form "key=@/etc/letsencrypt/live/fediverse.party/privkey.pem" https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/pages/domains/www.fediverse.party +else + echo "Certificate still valid for $days_diff days, no renewal required." +fi