diff --git a/helpers/command.py b/helpers/command.py
index 8063d03..8ac5414 100644
--- a/helpers/command.py
+++ b/helpers/command.py
@@ -370,7 +370,7 @@ def start(cls, frontend_only=False, force_setup=False):
 # Start reverse proxy if user uses it.
 if config.use_letsencrypt:
- if force_setup:
+ if force_setup or not config.is_certs_path_updated:
 # Let's Encrypt NGINX container needs kobo-docker NGINX
 # container to be started first
 config.init_letsencrypt()
diff --git a/helpers/config.py b/helpers/config.py
index ee6bb04..2228dbc 100644
--- a/helpers/config.py
+++ b/helpers/config.py
@@ -230,6 +230,10 @@ def get_upgraded_dict(self):
 upgraded_dict = Upgrading.set_compose_version(upgraded_dict)
+ upgraded_dict = Upgrading.letsencrypt_certs_path(
+ upgraded_dict, self.use_letsencrypt
+ )
+
 return upgraded_dict
 @property
@@ -358,6 +362,7 @@ def get_template(cls):
 'local_interface': Network.get_primary_interface(),
 'local_interface_ip': primary_ip,
 'letsencrypt_email': 'support@kobo.local',
+ 'letsencrypt_certs_path_updated': False,
 'maintenance_date_iso': '',
 'maintenance_date_str': '',
 'maintenance_email': 'support@kobo.local',
@@ -458,6 +463,14 @@ def get_template(cls):
 def is_secure(self):
 return self.__dict['https'] is True
+ @property
+ def is_letsencrypt_certs_path_updated(self):
+ value = self.__dict['letsencrypt_certs_path_updated']
+ if not value:
+ print('IS_LETSENCRYPT PATH UPDATED', flush=True)
+ self.__dict['letsencrypt_certs_path_updated'] = True
+ return value
+
 def init_letsencrypt(self):
 if self.frontend and self.use_letsencrypt:
 reverse_proxy_path = self.get_letsencrypt_repo_path()
@@ -675,6 +688,9 @@ def write_config(self):
 """
 Writes config to file `Config.CONFIG_FILE`.
 """
+
+ print('WRITE CONFIG', flush=True)
+
 # Adds `date_created`. This field will be use to determine
 # first usage of the setup option.
 if self.__dict.get('date_created') is None:
diff --git a/helpers/upgrading.py b/helpers/upgrading.py
index 3b58a06..c636990 100644
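Review bot: The new condition reads `config.is_certs_path_updated`, but the helpers/config.py hunk in this same diff names the property `is_letsencrypt_certs_path_updated`, so every `start` with `use_letsencrypt` enabled raises AttributeError before the reverse proxy comes up. There is also a short-circuit problem: when `force_setup` is true the property is never evaluated, and since that property (as written in this diff) sets the flag on read, the flag stays False and the very next ordinary start runs `init_letsencrypt()` a second time, with its interactive "replace existing certificate?" prompt. Read the flag once before the `or`: `certs_path_outdated = not config.is_letsencrypt_certs_path_updated` followed by `if force_setup or certs_path_outdated:`. The body of `start` continues outside the hunk.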
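Review bot: `Upgrading.letsencrypt_certs_path` does not exist on the new side of this diff — the helpers/upgrading.py hunk adds it only as commented-out code — so `get_upgraded_dict` raises AttributeError for every existing installation the moment its config is upgraded. Either land the live static method together with this call or drop the call; a config-upgrade path must not depend on a helper that is still a draft. The body of `get_upgraded_dict` starts above the hunk.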
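Review bot: Defaulting `letsencrypt_certs_path_updated` to False in the template marks every brand-new config as "not yet migrated", even though a fresh install never had the old certificate folder, so its first non-forced `start` would run `init_letsencrypt()` again and prompt to replace a certificate that was just issued. Unless setup relies on this flag to trigger the first initialisation (not visible here), the template should carry `'letsencrypt_certs_path_updated': True,` and only the upgrade path should write False.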
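Review bot: Reading this property mutates the config: the getter flips `letsencrypt_certs_path_updated` to True before `init_letsencrypt()` has run, so if the migration then fails or is interrupted the failure is recorded as success and never retried, leaving nginx pointing at a certificate folder that was never created. It also indexes `self.__dict[...]` directly, which raises KeyError on any config file written before this key existed, and leaves a debug `print` in production code. Split the read from the write: a side-effect-free property plus an explicit marker that `init_letsencrypt()` (or its caller) invokes only after the script succeeds, followed by `write_config()` — nothing in this hunk persists the flag otherwise.
```python
@property
def is_letsencrypt_certs_path_updated(self):
    """Whether Let's Encrypt certs already live under the per-deployment folder.

    Pure read: configs written before this key existed simply report False.
    """
    return self.__dict.get('letsencrypt_certs_path_updated', False) is True

def mark_letsencrypt_certs_path_updated(self):
    """Record a successful cert-folder migration; persist it with write_config()."""
    self.__dict['letsencrypt_certs_path_updated'] = True
```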
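Review bot: `print('WRITE CONFIG', flush=True)` is leftover debug output in the routine that writes the configuration file; it would be printed on every save, including in non-interactive runs, and carries no information for the operator. Remove the three added lines (or route the message through whatever logging the file already uses, which is not visible here). The body of `write_config` continues outside the hunk.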
--- a/helpers/upgrading.py
+++ b/helpers/upgrading.py
@@ -11,6 +11,17 @@ class Upgrading:
+ # @staticmethod
+ # def letsencrypt_certs_path(upgraded_dict: dict, use_letsencrypt) -> dict:
+ # if not use_letsencrypt:
+ # upgraded_dict['letsencrypt_certs_path'] = False
+ # return upgraded_dict
+ #
+ # if 'letsencrypt_certs_path_upgraded' not in upgraded_dict:
+ # upgraded_dict['letsencrypt_certs_path'] = False
+ #
+ # return upgraded_dict
+
 @staticmethod
 def migrate_single_to_two_databases(config: 'helpers.Config'):
 """
diff --git a/templates/nginx-certbot/data/nginx/app.conf.tpl b/templates/nginx-certbot/data/nginx/app.conf.tpl
index 5afb26a..8b8c991 100644
--- a/templates/nginx-certbot/data/nginx/app.conf.tpl
+++ b/templates/nginx-certbot/data/nginx/app.conf.tpl
@@ -17,8 +17,8 @@ server {
 server_name ${KOBOFORM_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME} ${KOBOCAT_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME} ${ENKETO_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME};
 server_tokens off;
- ssl_certificate /etc/letsencrypt/live/${KOBOFORM_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${KOBOFORM_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME}/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/${KOBOFORM_SUBDOMAIN}-${KOBOCAT_SUBDOMAIN}-${KOBOCAT_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${KOBOFORM_SUBDOMAIN}-${KOBOCAT_SUBDOMAIN}-${KOBOCAT_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME}/privkey.pem;
 include /etc/letsencrypt/options-ssl-nginx.conf;
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
diff --git a/templates/nginx-certbot/init-letsencrypt.sh.tpl b/templates/nginx-certbot/init-letsencrypt.sh.tpl
index 3d2b1f6..a18df84 100644
--- a/templates/nginx-certbot/init-letsencrypt.sh.tpl
+++ b/templates/nginx-certbot/init-letsencrypt.sh.tpl
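Review bot: The migration helper that helpers/config.py now calls is committed commented out, so the upgrade path fails with AttributeError, and even uncommented the draft writes `letsencrypt_certs_path` and checks `letsencrypt_certs_path_upgraded`, neither of which is the key the template and the new property read (`letsencrypt_certs_path_updated`). The enclosing `class Upgrading` starts above the hunk. Below is a live version keyed on the real name; it only fills the key when it is absent, so a config that has already migrated is not reset to False on every later upgrade, and `start()` already guards on `use_letsencrypt`, so the flag's value is irrelevant for deployments without Let's Encrypt.
```python
@staticmethod
def letsencrypt_certs_path(upgraded_dict: dict, use_letsencrypt: bool) -> dict:
    """Add `letsencrypt_certs_path_updated` to configs that predate the key.

    A missing key means the config was written before the per-deployment
    certificate folder existed, so the flag starts at False and the next
    `start` re-runs init_letsencrypt(). `use_letsencrypt` is accepted to
    match the caller in config.py; start() already guards on it.
    """
    upgraded_dict.setdefault('letsencrypt_certs_path_updated', False)
    return upgraded_dict
```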
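Review bot: The new certificate path repeats `${KOBOCAT_SUBDOMAIN}` where the init script's `DOMAINS_FOLDER` uses `${ENKETO_SUBDOMAIN}`, so nginx looks for `live/<kf>-<kc>-<kc>.<domain>/` while certbot's files are created under `live/<kf>-<kc>-<ek>.<domain>/`, and nginx refuses to start for lack of a certificate. The two lines should read `ssl_certificate /etc/letsencrypt/live/${KOBOFORM_SUBDOMAIN}-${KOBOCAT_SUBDOMAIN}-${ENKETO_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME}/fullchain.pem;` and `ssl_certificate_key /etc/letsencrypt/live/${KOBOFORM_SUBDOMAIN}-${KOBOCAT_SUBDOMAIN}-${ENKETO_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME}/privkey.pem;`. Rendering the folder name from a single template variable shared with init-letsencrypt.sh.tpl would prevent this kind of drift. The `server` block starts and ends outside the hunk.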
@@ -4,6 +4,7 @@ function join_by { local d=$$1; shift; echo -n "$$1"; shift; printf "%s" "$${@/#
 DOMAINS=(${KOBOFORM_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME} ${KOBOCAT_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME} ${ENKETO_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME})
 DOMAINS_CSV=$$(join_by , "$${DOMAINS[@]}")
+DOMAINS_FOLDER="${KOBOFORM_SUBDOMAIN}-${KOBOCAT_SUBDOMAIN}-${ENKETO_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME}"
 RSA_KEY_SIZE=4096
 DATA_PATH="./data/certbot"
 EMAIL="" # Adding a valid address is strongly recommended
@@ -13,7 +14,7 @@ DOCKER_COMPOSE_CMD="$$(which ${DOCKER_COMPOSE_CMD})"
 CURL_CMD=$$(which curl)
-if [ -d "$$DATA_PATH" ]; then
+if [ -d "$$DATA_PATH/conf/live/$$DOMAINS_FOLDER" ]; then
 read -p "Existing data found for $$DOMAINS_CSV. Continue and replace existing certificate? (y/N) " decision
 if [ "$$decision" != "Y" ] && [ "$$decision" != "y" ]; then
 exit
@@ -29,8 +30,8 @@ if [ ! -e "$$DATA_PATH/conf/options-ssl-nginx.conf" ] || [ ! -e "$$DATA_PATH/con
 fi
 echo "### Creating dummy certificate for $${DOMAINS_CSV} ..."
-DOMAINS_PATH="/etc/letsencrypt/live/$$DOMAINS"
-$$MKDIR_CMD -p "$$DATA_PATH/conf/live/$$DOMAINS"
+DOMAINS_PATH="/etc/letsencrypt/live/$$DOMAINS_FOLDER"
+$$MKDIR_CMD -p "$$DATA_PATH/conf/live/$$DOMAINS_FOLDER"
 $$DOCKER_COMPOSE_CMD ${DOCKER_COMPOSE_SUFFIX} run --rm --entrypoint "\
 openssl req -x509 -nodes -newkey rsa:1024 -days 1\
 -keyout '$$DOMAINS_PATH/privkey.pem' \
@@ -45,9 +46,9 @@ echo
 echo "### Deleting dummy certificate for $${DOMAINS_CSV} ..."
 $$DOCKER_COMPOSE_CMD ${DOCKER_COMPOSE_SUFFIX} run --rm --entrypoint "\
- rm -Rf /etc/letsencrypt/live/$$DOMAINS && \
- rm -Rf /etc/letsencrypt/archive/$$DOMAINS && \
- rm -Rf /etc/letsencrypt/renewal/$$DOMAINS.conf" certbot
+ rm -Rf /etc/letsencrypt/live/$$DOMAINS_FOLDER && \
+ rm -Rf /etc/letsencrypt/archive/$$DOMAINS_FOLDER && \
+ rm -Rf /etc/letsencrypt/renewal/$$DOMAINS_FOLDER.conf" certbot
 echo
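Review bot: `DOMAINS_FOLDER` is a name this script invents, whereas certbot names a lineage after the first requested domain unless `--cert-name` is passed; the `certbot certonly` request is outside this hunk, so I cannot confirm it uses the new name. If it does not, the real certificate lands in `live/${KOBOFORM_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME}/` while nginx and the dummy-cert cleanup below point at `live/$DOMAINS_FOLDER/`, leaving nginx with no certificate once the dummy is deleted. Make sure the request passes `--cert-name "$$DOMAINS_FOLDER"` (escaped as in this template), and consider rendering the folder name from one Python-side variable so app.conf.tpl and this script cannot drift — the two already disagree in this diff.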
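Review bot: The existence check is narrowed from `$DATA_PATH` to the exact new live folder, so an installation that already holds a certificate under the pre-change name (`live/${KOBOFORM_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME}/`) is no longer detected: the script issues a second lineage without prompting and leaves the old lineage and its `renewal/*.conf` in place, after which both are renewed and count twice against Let's Encrypt rate limits. Since this commit exists to migrate such installs, either keep a check on the old folder name or retire the old lineage explicitly, e.g. `certbot delete --cert-name "${KOBOFORM_SUBDOMAIN}.${PUBLIC_DOMAIN_NAME}"` run through the same compose service before the new request. Whether the old lineage really used the first-domain name depends on the previous certbot invocation, which is outside the hunk.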