Allow injecting root certificate validity via env and also validity f…

…or new certs, when using USE_LOCAL_CA=1
JonasAlfredsson · Feb 19, 2024 · 1d2891c · 1d2891c
1 parent c799f6c
commit 1d2891c
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -80,6 +80,9 @@ instructions, from `@staticfloat`'s image, can be found
 - `CERTBOT_DNS_PROPAGATION_SECONDS`: The number of seconds to wait for the DNS challenge to [propagate](.docs/certbot_authenticators.md#troubleshooting-tips) (default: certbot's default)
 - `DEBUG`: Set to `1` to enable debug messages and use the [`nginx-debug`][10] binary (default: `0`)
 - `USE_LOCAL_CA`: Set to `1` to enable the use of a [local certificate authority](./docs/advanced_usage.md#local-ca) (default: `0`)
+- `LOCAL_CA_DIR`: Set to a path to use as the [local CA directory](./docs/advanced_usage.md#local-ca) (default: `/etc/local_ca`)
+- `ROOT_CERT_LOCAL_CA_VALIDITY`: The number of days the [root certificate](./docs/advanced_usage.md#local-ca) should be valid (default: `30` days)
+- `NEW_CERT_LOCAL_CA_VALIDITY`: The number of days the [issued certificates](./docs/advanced_usage.md#local-ca) should be valid (default: `30` days)
 
 
 ## Volumes
@@ -115,6 +118,21 @@ the scripts and Nginx to reload everything.
 docker kill --signal=HUP <container_name>
 ```
 
+Example of how to start the container with a local CA(advanced usage):
+
+```bash
+docker run -it -p 80:80 -p 443:443 \
+    --env [email protected] \
+    -v $(pwd)/nginx_secrets:/etc/letsencrypt \
+    -v $(pwd)/user_conf.d:/etc/nginx/user_conf.d:ro \
+    -v $(pwd)/local_ca:/etc/local_ca_custom:rw \
+    --env USE_LOCAL_CA=1 \
+    --env LOCAL_CA_DIR=/etc/local_ca_custom \
+    --env ROOT_CERT_LOCAL_CA_VALIDITY=3650 \
+    --env NEW_CERT_LOCAL_CA_VALIDITY=365 \
+    --name nginx-certbot jonasal/nginx-certbot:latest
+```
+
 
 ## Run with `docker-compose`
 An example of a [`docker-compose.yaml`](./examples/docker-compose.yml) file can
@@ -211,4 +229,4 @@ a look and see if one of these helps or inspires you to do something similar:
 [13]: https://portforward.com/router.htm
 [14]: https://github.com/JonasAlfredsson/docker-nginx-certbot/issues/28
 [15]: https://security.stackexchange.com/a/104991
-[16]: https://github.com/bats-core/bats-core
+[16]: https://github.com/bats-core/bats-core
diff --git a/docs/advanced_usage.md b/docs/advanced_usage.md
@@ -198,8 +198,7 @@ these files. By then taking the `caCert.pem` and [importing][9] it in your
 browser you will be able to visit these sites without the error stating that
 the certificate is signed by an unknown authority.
 
-> The validity period for the automatically created CA is only 30 days, and the
-  reason for this is to deter people from using this solution in production.
+The validity of the root certificate can be changed(from `30 days` default), by setting the `ROOT_CERT_LOCAL_CA_VALIDITY` environment variable when running the script. The certificates that are signed by the CA will have a validity period of `30 days` by default, but this can be changed by setting the `NEW_CERT_LOCAL_CA_VALIDITY` environment variable when running the script.
 
 An important thing to know is that these files are only created if they do
 not exist. What this enables is an even more advanced usecase where you might

diff --git a/examples/nginx-certbot.env b/examples/nginx-certbot.env
@@ -14,3 +14,6 @@ CERTBOT_AUTHENTICATOR=webroot
 CERTBOT_DNS_PROPAGATION_SECONDS=""
 DEBUG=0
 USE_LOCAL_CA=0
+LOCAL_CA_DIR=""
+ROOT_CERT_LOCAL_CA_VALIDITY=""
+NEW_CERT_LOCAL_CA_VALIDITY=""
diff --git a/src/scripts/run_local_ca.sh b/src/scripts/run_local_ca.sh
@@ -11,10 +11,13 @@ LOCAL_CA_DB="${LOCAL_CA_DIR}/index.txt"
 LOCAL_CA_SRL="${LOCAL_CA_DIR}/serial.txt"
 LOCAL_CA_CRT_DIR="${LOCAL_CA_DIR}/new_certs"
 
+: ${NEW_CERT_LOCAL_CA_VALIDITY:="30"}
+: ${ROOT_CERT_LOCAL_CA_VALIDITY:="30"}
+
 # Source in util.sh so we can have our nice tools.
 . "$(cd "$(dirname "$0")"; pwd)/util.sh"
 
-info "Starting certificate renewal process with local CA"
+info "Starting certificate renewal process with local CA with LOCAL_CA_DIR='${LOCAL_CA_DIR}', NEW_CERT_LOCAL_CA_VALIDITY=${NEW_CERT_LOCAL_CA_VALIDITY} and ROOT_CERT_LOCAL_CA_VALIDITY=${ROOT_CERT_LOCAL_CA_VALIDITY}"
 
 # We require an email to be set here as well, in order to simulate how it would
 # be in the real certbot case.
@@ -44,7 +47,7 @@ certificate             = ${LOCAL_CA_CRT}
 database                = ${LOCAL_CA_DB}
 serial                  = ${LOCAL_CA_SRL}
 new_certs_dir           = ${LOCAL_CA_CRT_DIR}
-default_days            = 30
+default_days            = ${NEW_CERT_LOCAL_CA_VALIDITY}
 default_md              = sha256
 email_in_dn             = yes
 unique_subject          = no
@@ -128,7 +131,7 @@ generate_ca() {
                               "emailAddress            = ${CERTBOT_EMAIL}" \
                               ) \
                     -extensions ca_cert \
-                    -days 30 \
+                    -days ${ROOT_CERT_LOCAL_CA_VALIDITY} \
                     -key "${LOCAL_CA_KEY}" \
                     -out "${LOCAL_CA_CRT}"
     fi