44source /app/functions.sh
55
66seconds_to_wait=3600
7- ACME_CA_URI=" ${ACME_CA_URI:- https:// acme-v01 .api.letsencrypt.org/ directory} "
7+ ACME_CA_URI=" ${ACME_CA_URI:- https:// acme-v02 .api.letsencrypt.org/ directory} "
88DEFAULT_KEY_SIZE=4096
99REUSE_ACCOUNT_KEYS=" $( lc ${REUSE_ACCOUNT_KEYS:- true} ) "
1010REUSE_PRIVATE_KEYS=" $( lc ${REUSE_PRIVATE_KEYS:- false} ) "
@@ -158,7 +158,7 @@ function update_certs {
158158 fi
159159
160160 test_certificate_varname=" LETSENCRYPT_${cid} _TEST"
161- le_staging_uri=" https://acme-staging.api.letsencrypt.org/directory"
161+ le_staging_uri=" https://acme-staging-v02 .api.letsencrypt.org/directory"
162162 if [[ $( lc " ${! test_certificate_varname:- } " ) == true ]] || \
163163 [[ " $ACME_CA_URI " == " $le_staging_uri " ; then
164164 # Use staging Let's Encrypt ACME end point
@@ -215,27 +215,39 @@ function update_certs {
215215 add_location_configuration " $domain " || reload_nginx
216216 done
217217
218- # The ACME account key full path is derived from the endpoint URI
219- # + the account alias (set to 'default' if no alias is provided)
220- account_key_dir=" ../accounts/${acme_ca_uri#*:// } "
221- account_key_full_path=" ${account_key_dir} /${account_alias} .json"
218+ if [[ -e " ./account_key.json" && [[ ! -e " ./account_reg.json" ; then
219+ # If there is an account key present without account registration, this is
220+ # a leftover from the ACME v1 version of simp_le. Remove this account key.
221+ rm -f ./account_key.json
222+ [[ " $( lc $DEBUG ) " == true ]] \
223+ && echo " Debug: removed ACME v1 account key $certificate_dir /account_key.json"
224+ fi
225+
226+ # The ACME account key and registration full path are derived from the
227+ # endpoint URI + the account alias (set to 'default' if no alias is provided)
228+ account_dir=" ../accounts/${acme_ca_uri#*:// } "
222229 if [[ $REUSE_ACCOUNT_KEYS == true ]]; then
223- if [[ -f " $account_key_full_path " ; then
224- # If there is no symlink to the account key, create it
225- if [[ ! -L ./account_key.json ]]; then
226- ln -sf " $account_key_full_path "
227- && set_ownership_and_permissions ./account_key.json
228- # If the symlink target the wrong account key, replace it
229- elif [[ " $( readlink -f ./account_key.json) " != " $account_key_full_path " ; then
230- ln -sf " $account_key_full_path "
231- && set_ownership_and_permissions ./account_key.json
230+ for type in " key" " reg" ; do
231+ file_full_path=" ${account_dir} /${account_alias} _${type} .json"
232+ simp_le_file=" ./account_${type} .json"
233+ if [[ -f " $file_full_path " ; then
234+ # If there is no symlink to the account file, create it
235+ if [[ ! -L " $simp_le_file " ; then
236+ ln -sf " $file_full_path " " $simp_le_file "
237+ && set_ownership_and_permissions " $simp_le_file "
238+ # If the symlink target the wrong account file, replace it
239+ elif [[ " $( readlink -f " $simp_le_file " ) " != " $file_full_path " ; then
240+ ln -sf " $file_full_path " " $simp_le_file "
241+ && set_ownership_and_permissions " $simp_le_file "
242+ fi
232243 fi
233- fi
244+ done
234245 fi
235246
236247 echo " Creating/renewal $base_domain certificates... (${hosts_array_expanded[*]} )"
237248 /usr/bin/simp_le \
238- -f account_key.json -f key.pem -f chain.pem -f fullchain.pem -f cert.pem \
249+ -f account_key.json -f account_reg.json \
250+ -f key.pem -f chain.pem -f fullchain.pem -f cert.pem \
239251 $params_d_str \
240252 --cert_key_size=$cert_keysize \
241253 --server=$acme_ca_uri \
@@ -244,13 +256,17 @@ function update_certs {
244256 simp_le_return=$?
245257
246258 if [[ $REUSE_ACCOUNT_KEYS == true ]]; then
247- # If the account key to be reused does not exist yet, copy it
248- # from the CWD and replace the file in CWD with a symlink
249- if [[ ! -f " $account_key_full_path " && -f ./account_key.json ]]; then
250- mkdir -p " $account_key_dir "
251- cp ./account_key.json " $account_key_full_path "
252- ln -sf " $account_key_full_path "
253- fi
259+ mkdir -p " $account_dir "
260+ for type in " key" " reg" ; do
261+ file_full_path=" ${account_dir} /${account_alias} _${type} .json"
262+ simp_le_file=" ./account_${type} .json"
263+ # If the account file to be reused does not exist yet, copy it
264+ # from the CWD and replace the file in CWD with a symlink
265+ if [[ ! -f " $file_full_path " && -f " $simp_le_file " ; then
266+ cp " $simp_le_file " " $file_full_path "
267+ ln -sf " $file_full_path " " $simp_le_file "
268+ fi
269+ done
254270 fi
255271
256272 popd || return
@@ -262,20 +278,21 @@ function update_certs {
262278 else
263279 create_links " $base_domain " " $domain " && should_reload_nginx=' true' && should_restart_container=' true'
264280 fi
265- touch " ${certificate_dir} /.companion"
266- set_ownership_and_permissions " ${certificate_dir} /.companion"
267281 done
268- # Make private key root readable only
269- for file in cert.pem key.pem chain.pem fullchain.pem account_key.json; do
282+ touch " ${certificate_dir} /.companion"
283+ # Set ownership and permissions of the files inside $certificate_dir
284+ for file in .companion cert.pem key.pem chain.pem fullchain.pem account_key.json account_reg.json; do
270285 set_ownership_and_permissions " ${certificate_dir} /${file} "
271286 done
272- # Make the account key and its parent folders (up to
273- # /etc/nginx/certs/accounts included) root readable only
274- account_key_perm_path=" /etc/nginx/certs/accounts/${acme_ca_uri#*:// } /${account_alias} .json"
287+ # Set ownership and permissions of the ACME account key and its parent
288+ # folders (up to /etc/nginx/certs/accounts included)
289+ account_key_perm_path=" /etc/nginx/certs/accounts/${acme_ca_uri#*:// } /${account_alias} _key .json"
275290 until [[ " $account_key_perm_path " == /etc/nginx/certs ]]; do
276291 set_ownership_and_permissions " $account_key_perm_path "
277292 account_key_perm_path=" $( dirname " $account_key_perm_path " ) "
278293 done
294+ # Set ownership and permissions of the ACME account registration
295+ set_ownership_and_permissions " /etc/nginx/certs/accounts/${acme_ca_uri#*:// } /${account_alias} _reg.json"
279296 # Queue nginx reload if a certificate was issued or renewed
280297 [[ $simp_le_return -eq 0 ]] && should_reload_nginx=' true' && should_restart_container=' true'
281298 fi
0 commit comments