letsencrypt: use the latest github version

nextcloud · Jan 27, 2019 · 9a36ceb · 9a36ceb
1 parent 338da33
commit 9a36ceb
Show file tree

Hide file tree

Showing 6 changed files with 119 additions and 30 deletions.
diff --git a/bin/ncp/NETWORKING/letsencrypt.sh b/bin/ncp/NETWORKING/letsencrypt.sh
@@ -8,10 +8,10 @@
 # More at https://ownyourbits.com/2017/03/17/lets-encrypt-installer-for-apache/
 
 
-NCDIR=/var/www/nextcloud
-OCC="$NCDIR/occ"
-VHOSTCFG=/etc/apache2/sites-available/nextcloud.conf
-VHOSTCFG2=/etc/apache2/sites-available/ncp.conf
+ncdir=/var/www/nextcloud
+vhostcfg=/etc/apache2/sites-available/nextcloud.conf
+vhostcfg2=/etc/apache2/sites-available/ncp.conf
+letsencrypt=/etc/letsencrypt/letsencrypt-auto
 
 is_active()
 {
@@ -22,7 +22,13 @@ install()
 {
   cd /etc || return 1
   apt-get update
-  apt-get install --no-install-recommends -y letsencrypt
+  apt-get install --no-install-recommends -y python3-minimal
+  wget -O- --content-disposition https://github.com/letsencrypt/letsencrypt/archive/master/latest.tar.gz \
+  | tar -xz \
+  || exit 1
+  mv certbot-master letsencrypt
+  export VIRTUALENV_NO_DOWNLOAD=1          # temporal workaround for https://github.com/certbot/certbot/issues/6682
+  $letsencrypt --help                      # do not actually run certbot, only install packages
   mkdir -p /etc/letsencrypt/live
 
   [[ "$DOCKERBUILD" == 1 ]] && {
@@ -40,66 +46,79 @@ EOF
   return 0
 }
 
-# tested with certbot 0.10.2
+# tested with certbot 0.30.0
 configure() 
 {
   local DOMAIN_LOWERCASE="${DOMAIN,,}"
 
   [[ "$DOMAIN" == "" ]] && { echo "empty domain"; return 1; }
 
   # Configure Apache
-  grep -q ServerName $VHOSTCFG && \
-    sed -i "s|ServerName .*|ServerName $DOMAIN|" $VHOSTCFG || \
-    sed -i "/DocumentRoot/aServerName $DOMAIN" $VHOSTCFG 
+  grep -q ServerName $vhostcfg && \
+    sed -i "s|ServerName .*|ServerName $DOMAIN|" $vhostcfg || \
+    sed -i "/DocumentRoot/aServerName $DOMAIN" $vhostcfg
 
   # Do it
-  letsencrypt certonly -n --no-self-upgrade --webroot -w $NCDIR --hsts --agree-tos -m $EMAIL -d $DOMAIN && {
+  $letsencrypt certonly -n --no-self-upgrade --webroot -w $ncdir --hsts --agree-tos -m $EMAIL -d $DOMAIN && {
 
     # Set up auto-renewal
     cat > /etc/cron.weekly/letsencrypt-ncp <<EOF
 #!/bin/bash
 
 # renew and notify
-/usr/bin/certbot renew --quiet --renew-hook '
-  sudo -u www-data php $OCC notification:generate \
-                            $NOTIFYUSER "SSL renewal" \
-                            -l "Your SSL certificate(s) \$RENEWED_DOMAINS has been renewed for another 90 days"
+$letsencrypt renew --quiet --deploy-hook '
+  ncc notification:generate \
+    $NOTIFYUSER "SSL renewal" \
+    -l "Your SSL certificate(s) \$RENEWED_DOMAINS has been renewed for another 90 days"
   '
 
 # notify if fails
-[[ \$? -ne 0 ]] && sudo -u www-data php $OCC notification:generate \
-                                             $NOTIFYUSER "SSL renewal error" \
-                                             -l "SSL certificate renewal failed. See /var/log/letsencrypt/letsencrypt.log"
+[[ \$? -ne 0 ]] && ncc notification:generate \
+                     $NOTIFYUSER "SSL renewal error" \
+                     -l "SSL certificate renewal failed. See /var/log/letsencrypt/letsencrypt.log"
 
 # cleanup
-rm -rf $NCDIR/.well-known
+rm -rf $ncdir/.well-known
 EOF
-    chmod +x /etc/cron.weekly/letsencrypt-ncp
+    chmod 755 /etc/cron.weekly/letsencrypt-ncp
 
     # Configure Apache
-    sed -i "s|SSLCertificateFile.*|SSLCertificateFile /etc/letsencrypt/live/$DOMAIN_LOWERCASE/fullchain.pem|" $VHOSTCFG
-    sed -i "s|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/letsencrypt/live/$DOMAIN_LOWERCASE/privkey.pem|" $VHOSTCFG
+    sed -i "s|SSLCertificateFile.*|SSLCertificateFile /etc/letsencrypt/live/$DOMAIN_LOWERCASE/fullchain.pem|" $vhostcfg
+    sed -i "s|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/letsencrypt/live/$DOMAIN_LOWERCASE/privkey.pem|" $vhostcfg
 
-    sed -i "s|SSLCertificateFile.*|SSLCertificateFile /etc/letsencrypt/live/$DOMAIN_LOWERCASE/fullchain.pem|" $VHOSTCFG2
-    sed -i "s|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/letsencrypt/live/$DOMAIN_LOWERCASE/privkey.pem|" $VHOSTCFG2
+    sed -i "s|SSLCertificateFile.*|SSLCertificateFile /etc/letsencrypt/live/$DOMAIN_LOWERCASE/fullchain.pem|" $vhostcfg2
+    sed -i "s|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/letsencrypt/live/$DOMAIN_LOWERCASE/privkey.pem|" $vhostcfg2
 
     # Configure Nextcloud
-    sudo -u www-data php $OCC config:system:set trusted_domains 4 --value=$DOMAIN
-    sudo -u www-data php $OCC config:system:set overwrite.cli.url --value=https://"$DOMAIN"/
+    ncc config:system:set trusted_domains 4 --value=$DOMAIN
+    ncc config:system:set overwrite.cli.url --value=https://"$DOMAIN"/
 
     # delayed in bg so it does not kill the connection, and we get AJAX response
     bash -c "sleep 2 && service apache2 reload" &>/dev/null &
-    rm -rf $NCDIR/.well-known
+    rm -rf $ncdir/.well-known
 
     # Update configuration
     [[ "$DOCKERBUILD" == 1 ]] && update-rc.d letsencrypt enable
 
     return 0
   }
-  rm -rf $NCDIR/.well-known
+  rm -rf $ncdir/.well-known
   return 1
 }
 
+cleanup()
+{
+  apt-get purge -y \
+    augeas-lenses \
+    libpython-dev \
+    libpython2.7-dev \
+    libssl-dev \
+    python-dev \
+    python2.7-dev \
+    python-pip-whl
+}
+
+
 # License
 #
 # This script is free software; you can redistribute it and/or modify it

diff --git a/changelog.md b/changelog.md
@@ -1,7 +1,9 @@
 
-[v1.4.8](https://github.com/nextcloud/nextcloudpi/commit/ea9a1ea) (2019-01-26) ncp-update-nc: fix unnecessary quotes
+[v1.4.9](https://github.com/nextcloud/nextcloudpi/commit/c0f4b78) (2019-01-25) letsencrypt: use the latest github version
 
-[v1.4.7](https://github.com/nextcloud/nextcloudpi/commit/ffc1fa5) (2019-01-25) ncp-config: fix local variables
+[v1.4.8](https://github.com/nextcloud/nextcloudpi/commit/338da33) (2019-01-26) ncp-update-nc: fix unnecessary quotes
+
+[v1.4.7  ](https://github.com/nextcloud/nextcloudpi/commit/ffc1fa5) (2019-01-25) ncp-config: fix local variables
 
 [v1.4.6  ](https://github.com/nextcloud/nextcloudpi/commit/b338ede) (2019-01-24) ncp-config: fix missing variable
 

diff --git a/docker-armhf/nextcloudpi/Dockerfile b/docker-armhf/nextcloudpi/Dockerfile
@@ -46,6 +46,33 @@ rm /.ncp-image; \
 source /usr/local/etc/library.sh; \
 find /usr/local/bin/ncp -name '*.sh' | while read l; do cleanup_script $l; done; \
 
+# letsencrypt build artifacts cleanup
+apt-get purge -y \
+  make \
+  binutils \
+  cpp \
+  cpp-6 \
+  gcc \
+  gcc-6 \
+  libasan3 \
+  libaugeas0 \
+  libc-dev-bin \
+  libc6-dev \
+  libcc1-0 \
+  libexpat1-dev \
+  libffi-dev \
+  libgcc-6-dev \
+  libgomp1 \
+  libisl15 \
+  libmpc3 \
+  libubsan0 \
+  linux-libc-dev \
+  python-virtualenv \
+  python-pkg-resources \
+  python3-pkg-resources \
+  python3-virtualenv \
+  virtualenv; \
+
 # should be cleaned up in no-ip.sh, but breaks udiskie.
 # safe to do it here since no automount in docker
 apt-get purge -y make gcc libc-dev; \

diff --git a/docker/nextcloudpi/Dockerfile b/docker/nextcloudpi/Dockerfile
@@ -46,6 +46,33 @@ rm /.ncp-image; \
 source /usr/local/etc/library.sh; \
 find /usr/local/bin/ncp -name '*.sh' | while read l; do cleanup_script $l; done; \
 
+# letsencrypt build artifacts cleanup
+apt-get purge -y \
+  make \
+  binutils \
+  cpp \
+  cpp-6 \
+  gcc \
+  gcc-6 \
+  libasan3 \
+  libaugeas0 \
+  libc-dev-bin \
+  libc6-dev \
+  libcc1-0 \
+  libexpat1-dev \
+  libffi-dev \
+  libgcc-6-dev \
+  libgomp1 \
+  libisl15 \
+  libmpc3 \
+  libubsan0 \
+  linux-libc-dev \
+  python-virtualenv \
+  python-pkg-resources \
+  python3-pkg-resources \
+  python3-virtualenv \
+  virtualenv; \
+
 # should be cleaned up in no-ip.sh, but breaks udiskie.
 # safe to do it here since no automount in docker
 apt-get purge -y make gcc libc-dev; \

diff --git a/etc/ncp-config.d/freeDNS.cfg b/etc/ncp-config.d/freeDNS.cfg
@@ -2,7 +2,7 @@
   "id": "freeDNS",
   "name": "Dynamic DNS from freeDNS",
   "title": "freeDNS",
-  "description": "DynamicDNS service from FreeDNS client (need account from https://freedns.afraid.org/)",
+  "description": "FreeDNS DynamicDNS service (need account from https://freedns.afraid.org/)",
   "info": "",
   "infotitle": "",
   "params": [

diff --git a/update.sh b/update.sh
@@ -276,6 +276,20 @@ EOF
   [[ "$( ls -1 /etc/cron.daily/ |  wc -l )" -gt 0 ]] && chmod 755 /etc/cron.daily/*
   [[ "$( ls -1 /etc/cron.hourly/ |  wc -l )" -gt 0 ]] && chmod 755 /etc/cron.hourly/*
 
+  # change letsencrypt from package based to git based
+  [[ -f /etc/letsencrypt/certbot-auto ]] || {
+    echo "updating letsencrypt..."
+    [[ -f /.docker-image ]] && mv "$(readlink /etc/letsencrypt)" /etc/letsencrypt-old
+    [[ -f /.docker-image ]] || mv /etc/letsencrypt /etc/letsencrypt-old
+    rm -f /etc/letsencrypt
+    apt-get remove -y letsencrypt
+    apt-get autoremove -y
+    install_app letsencrypt
+    cp -raT /etc/letsencrypt-old/live /etc/letsencrypt/live
+    [[ -f /.docker-image ]] && persistent_cfg /etc/letsencrypt
+    [[ -f /etc/cron.weekly/letsencrypt-ncp ]] && run_app letsencrypt
+  }
+
   # remove redundant opcache configuration. Leave until update bug is fixed -> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815968
   # Bug #416 reappeared after we moved to php7.2 and debian buster packages. (keep last)
   [[ "$( ls -l /etc/php/7.2/fpm/conf.d/*-opcache.ini |  wc -l )" -gt 1 ]] && rm "$( ls /etc/php/7.2/fpm/conf.d/*-opcache.ini | tail -1 )"