Use default config for empty DEFAULT_EMAIL only

Then there is no more need to update the default config accounts
on DEFAULT_EMAIL changes.

No more need for LE_ACMESH_CONFIG either

Doc acme.sh.md

Author: pini-gh

Dockerfile

@@ -38,7 +38,7 @@ RUN apk add --update \
 # Install docker-gen from build stage
 COPY --from=go-builder /go/src/github.com/jwilder/docker-gen/docker-gen /usr/local/bin/
 
-# Install simp_le
+# Install acme.sh
 COPY /install_acme.sh /app/install_acme.sh
 RUN chmod +rx /app/install_acme.sh \
     && sync \

app/entrypoint.sh

@@ -5,13 +5,6 @@ set -u
 # shellcheck source=functions.sh
 source /app/functions.sh
 
-function check_deprecated_env_var {
-    if [[ -n "${ACME_TOS_HASH:-}" ]]; then
-        echo "Info: the ACME_TOS_HASH environment variable is no longer used by simp_le and has been deprecated."
-        echo "simp_le now implicitly agree to the ACME CA ToS."
-    fi
-}
-
 function check_docker_socket {
     if [[ $DOCKER_HOST == unix://* ]]; then
         socket_file=${DOCKER_HOST#unix://}
@@ -134,23 +127,13 @@ function check_default_cert_key {
     set_ownership_and_permissions "/etc/nginx/certs/default.crt"
 }
 
-function configure_default_email {
-    # Configure the email used by the default config
-    [[ -d /etc/acme.sh/default ]] || mkdir -p /etc/acme.sh/default
+function check_default_account {
+    # The default account is now for empty account email
     if [[ -f /etc/acme.sh/default/account.conf ]]; then
-        if [[ -f /etc/acme.sh/default/ca/acme-v01.api.letsencrypt.org/account.json ]]; then
-            acme.sh --update-account --accountemail "${DEFAULT_EMAIL:-}"
-            return 0
-        elif grep -q ACCOUNT_EMAIL /etc/acme.sh/default/account.conf; then
-            if grep -q "${DEFAULT_EMAIL:-}" /etc/acme.sh/default/account.conf; then
-                return 0
-            else
-                sed -i "s/^ACCOUNT_EMAIL=.*$/ACCOUNT_EMAIL='${DEFAULT_EMAIL:-}'/g" /etc/acme.sh/default/account.conf
-                return 0
-            fi
+        if grep -q ACCOUNT_EMAIL /etc/acme.sh/default/account.conf; then
+            sed -i '/ACCOUNT_EMAIL/d' /etc/acme.sh/default/account.conf
         fi
     fi
-    echo "ACCOUNT_EMAIL='${DEFAULT_EMAIL:-}'" >> /etc/acme.sh/default/account.conf
 }
 
 if [[ "$*" == "/bin/bash /app/start.sh" ]]; then
@@ -177,7 +160,7 @@ if [[ "$*" == "/bin/bash /app/start.sh" ]]; then
     check_default_cert_key
     check_dh_group
     reload_nginx
-    [[ -n ${DEFAULT_EMAIL:-} ]] && configure_default_email
+    check_default_account
 fi
 
 exec "$@"

app/letsencrypt_service

@@ -5,6 +5,7 @@ source /app/functions.sh
 
 seconds_to_wait=3600
 ACME_CA_URI="${ACME_CA_URI:-https://acme-v02.api.letsencrypt.org/directory}"
+ACME_CA_TEST_URI="https://acme-staging-v02.api.letsencrypt.org/directory"
 DEFAULT_KEY_SIZE="${DEFAULT_KEY_SIZE:-4096}"
 RENEW_PRIVATE_KEYS="$(lc "${RENEW_PRIVATE_KEYS:-true}")"
 
@@ -169,26 +170,37 @@ function update_certs {
             cert_keysize=$DEFAULT_KEY_SIZE
         fi
 
-        test_certificate_varname="LETSENCRYPT_${cid}_TEST"
-        le_staging_uri="https://acme-staging-v02.api.letsencrypt.org/directory"
-        if [[ $(lc "${!test_certificate_varname:-}") == true ]] || \
-          [[ "$ACME_CA_URI" == "$le_staging_uri" ]]; then
-            # Use staging Let's Encrypt ACME end point
-            acme_ca_uri="$le_staging_uri"
-            # Prefix test certificate directory with _test_
-            certificate_dir="/etc/nginx/certs/_test_$base_domain"
-        else
+        accountemail_varname="LETSENCRYPT_${cid}_EMAIL"
+        accountemail="${!accountemail_varname:-"<no-value>"}"
+        if [[ "$accountemail" == "<no value>" ]]; then
+            accountemail="${DEFAULT_EMAIL:-}"
+        fi
+        config_name="${accountemail:-default}"
+
+        acme_ca_uri_varname="LETSENCRYPT_${cid}_ACME_CA_URI"
+        acme_ca_uri="${!acme_ca_uri_varname}"
+        if [[ "$acme_ca_uri" == "<no value>" ]]; then
             # Use default or user provided ACME end point
             acme_ca_uri="$ACME_CA_URI"
-            certificate_dir="/etc/nginx/certs/$base_domain"
         fi
 
-        config_varname="LETSENCRYPT_${cid}_ACMESH_CONFIG"
-        config_name="${!config_varname:-"<no value>"}"
-        if [[ "$config_name" == "<no value>" ]]; then
-            config_name=default
+        test_certificate_varname="LETSENCRYPT_${cid}_TEST"
+        if [[ $(lc "${!test_certificate_varname:-}") == true || "$acme_ca_uri" == "$ACME_CA_TEST_URI" ]]; then
+            # Use Let's Encrypt ACME V2 staging end point
+            # Unset accountemail
+            # force config dir to 'staging'
+            acme_ca_uri="ACME_CA_TEST_URI"
+            accountemail=
+            config_name=staging
+        fi
+
+	[[ -z "$accountemail" ]] || params_d_arr+=("--accountemail" "$accountemail")
+        [[ ! -d "/etc/acme.sh/$config_name" ]] && mkdir -p "/etc/acme.sh/$config_name"
+
+        if [[ $acme_ca_uri =~ ^https://acme-staging.* ]]; then
+            certificate_dir="/etc/nginx/certs/_test_$base_domain"
         else
-            [[ ! -d "/etc/acme.sh/$config_name" ]] && mkdir -p "/etc/acme.sh/$config_name"
+            certificate_dir="/etc/nginx/certs/$base_domain"
         fi
 
         [[ "$DEBUG" == 1 ]] && params_d_arr+=("--debug")

app/letsencrypt_service_data.tmpl

@@ -27,14 +27,16 @@ LETSENCRYPT_CONTAINERS=(
                 LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_HOST=('{{ $host }}')
                 LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_KEYSIZE="{{ $container.Env.LETSENCRYPT_KEYSIZE }}"
                 LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_TEST="{{ $container.Env.LETSENCRYPT_TEST }}"
-                LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_ACMESH_CONFIG="{{ $container.Env.LETSENCRYPT_ACMESH_CONFIG }}"
+                LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_EMAIL="{{ $container.Env.LETSENCRYPT_EMAIL }}"
+                LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_ACME_CA_URI="{{ $container.Env.LETSENCRYPT_ACME_CA_URI }}"
                 LETSENCRYPT_{{ $cid }}_{{ $hostHash }}_RESTART_CONTAINER="{{ $container.Env.LETSENCRYPT_RESTART_CONTAINER }}"
             {{ end }}
         {{ else }}
             LETSENCRYPT_{{ $cid }}_HOST=( {{ range $host := split $hosts "," }}{{ $host := trim $host }}{{ $host := trimSuffix "." $host }}'{{ $host }}' {{ end }})
             LETSENCRYPT_{{ $cid }}_KEYSIZE="{{ $container.Env.LETSENCRYPT_KEYSIZE }}"
             LETSENCRYPT_{{ $cid }}_TEST="{{ $container.Env.LETSENCRYPT_TEST }}"
-            LETSENCRYPT_{{ $cid }}_ACMESH_CONFIG="{{ $container.Env.LETSENCRYPT_ACMESH_CONFIG }}"
+            LETSENCRYPT_{{ $cid }}_EMAIL="{{ $container.Env.LETSENCRYPT_EMAIL }}"
+            LETSENCRYPT_{{ $cid }}_ACME_CA_URI="{{ $container.Env.LETSENCRYPT_ACME_CA_URI }}"
             LETSENCRYPT_{{ $cid }}_RESTART_CONTAINER="{{ $container.Env.LETSENCRYPT_RESTART_CONTAINER }}"
         {{ end }}
     {{ end }}

docs/acme.sh.md

@@ -0,0 +1,8 @@
+### Design decisions:
+
+1. Use one acme.sh configuration directory (`--config-home`) per account email address
+1. Each acme.sh configuration directory can hold several accounts on different ACME service providers. But only one per servie provider.
+1. The `defaut`configuration directory holds the configuration for empty account email address
+1. When in testing mode (`LETSENCRYPT_TEST=true`):
+   1. The directory URL is forced to The Let's Encrypt v2 staging one (`ACME_CA_URI`is ignored)
+   1. The account email address is forced empty (`DEFAULT_EMAIL`and `LETSENCRYPT_EMAIL` are ignored)

install_acme.sh

@@ -15,6 +15,7 @@ git checkout "$tag"
 # Install acme.sh in /app
 ./acme.sh --install \
   --nocron \
+  --noprofile \
   --auto-upgrade 0 \
   --home /app \
   --config-home /etc/acme.sh/default