From 1d2891c2798d5d55673a04a68f5f8fe30202862d Mon Sep 17 00:00:00 2001
From: Hreniuc Cristian-Alexandru
Date: Mon, 19 Feb 2024 10:25:50 +0200
Subject: [PATCH] Allow injecting root certificate validity via env and also validity for new certs, when using USE_LOCAL_CA=1
---
 README.md | 20 +++++++++++++++++++-
 docs/advanced_usage.md | 3 +--
 examples/nginx-certbot.env | 3 +++
 src/scripts/run_local_ca.sh | 9 ++++++---
 4 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index b5bef9c..ac24155 100644
--- a/README.md
+++ b/README.md
@@ -80,6 +80,9 @@ instructions, from `@staticfloat`'s image, can be found
 - `CERTBOT_DNS_PROPAGATION_SECONDS`: The number of seconds to wait for the DNS challenge to [propagate](.docs/certbot_authenticators.md#troubleshooting-tips) (default: certbot's default)
 - `DEBUG`: Set to `1` to enable debug messages and use the [`nginx-debug`][10] binary (default: `0`)
 - `USE_LOCAL_CA`: Set to `1` to enable the use of a [local certificate authority](./docs/advanced_usage.md#local-ca) (default: `0`)
+- `LOCAL_CA_DIR`: Set to a path to use as the [local CA directory](./docs/advanced_usage.md#local-ca) (default: `/etc/local_ca`)
+- `ROOT_CERT_LOCAL_CA_VALIDITY`: The number of days the [root certificate](./docs/advanced_usage.md#local-ca) should be valid (default: `30` days)
+- `NEW_CERT_LOCAL_CA_VALIDITY`: The number of days the [issued certificates](./docs/advanced_usage.md#local-ca) should be valid (default: `30` days)
 
 ## Volumes
 
@@ -115,6 +118,21 @@ the scripts and Nginx to reload everything.
 docker kill --signal=HUP
 ```
 
+Example of how to start the container with a local CA(advanced usage):
+
+```bash
+docker run -it -p 80:80 -p 443:443 \
+ --env CERTBOT_EMAIL=your@email.org \
+ -v $(pwd)/nginx_secrets:/etc/letsencrypt \
+ -v $(pwd)/user_conf.d:/etc/nginx/user_conf.d:ro \
+ -v $(pwd)/local_ca:/etc/local_ca_custom:rw \
+ --env USE_LOCAL_CA=1 \
+ --env LOCAL_CA_DIR=/etc/local_ca_custom \
+ --env ROOT_CERT_LOCAL_CA_VALIDITY=3650 \
+ --env NEW_CERT_LOCAL_CA_VALIDITY=365 \
+ --name nginx-certbot jonasal/nginx-certbot:latest
+```
+
 ## Run with `docker-compose`
 
 An example of a [`docker-compose.yaml`](./examples/docker-compose.yml) file can
@@ -211,4 +229,4 @@ a look and see if one of these helps or inspires you to do something similar:
 [13]: https://portforward.com/router.htm
 [14]: https://github.com/JonasAlfredsson/docker-nginx-certbot/issues/28
 [15]: https://security.stackexchange.com/a/104991
-[16]: https://github.com/bats-core/bats-core
+[16]: https://github.com/bats-core/bats-core
\ No newline at end of file
diff --git a/docs/advanced_usage.md b/docs/advanced_usage.md
index 9247283..9b8905b 100644
--- a/docs/advanced_usage.md
+++ b/docs/advanced_usage.md
@@ -198,8 +198,7 @@ these files. By then taking the `caCert.pem` and [importing][9] it in your
 browser you will be able to visit these sites without the error stating that
 the certificate is signed by an unknown authority.
 
-> The validity period for the automatically created CA is only 30 days, and the
- reason for this is to deter people from using this solution in production.
+The validity of the root certificate can be changed(from `30 days` default), by setting the `ROOT_CERT_LOCAL_CA_VALIDITY` environment variable when running the script. The certificates that are signed by the CA will have a validity period of `30 days` by default, but this can be changed by setting the `NEW_CERT_LOCAL_CA_VALIDITY` environment variable when running the script.
 
 An important thing to know is that these files are only created if they do not
 exist. What this enables is an even more advanced usecase where you might
diff --git a/examples/nginx-certbot.env b/examples/nginx-certbot.env
index ca9067c..fa6a0b5 100644
--- a/examples/nginx-certbot.env
+++ b/examples/nginx-certbot.env
@@ -14,3 +14,6 @@ CERTBOT_AUTHENTICATOR=webroot
 CERTBOT_DNS_PROPAGATION_SECONDS=""
 DEBUG=0
 USE_LOCAL_CA=0
+LOCAL_CA_DIR=""
+ROOT_CERT_LOCAL_CA_VALIDITY=""
+NEW_CERT_LOCAL_CA_VALIDITY=""
\ No newline at end of file
diff --git a/src/scripts/run_local_ca.sh b/src/scripts/run_local_ca.sh
index d903454..e0c9e9b 100644
--- a/src/scripts/run_local_ca.sh
+++ b/src/scripts/run_local_ca.sh
@@ -11,10 +11,13 @@ LOCAL_CA_DB="${LOCAL_CA_DIR}/index.txt"
 LOCAL_CA_SRL="${LOCAL_CA_DIR}/serial.txt"
 LOCAL_CA_CRT_DIR="${LOCAL_CA_DIR}/new_certs"
 
+: ${NEW_CERT_LOCAL_CA_VALIDITY:="30"}
+: ${ROOT_CERT_LOCAL_CA_VALIDITY:="30"}
+
 # Source in util.sh so we can have our nice tools.
 . "$(cd "$(dirname "$0")"; pwd)/util.sh"
 
-info "Starting certificate renewal process with local CA"
+info "Starting certificate renewal process with local CA with LOCAL_CA_DIR='${LOCAL_CA_DIR}', NEW_CERT_LOCAL_CA_VALIDITY=${NEW_CERT_LOCAL_CA_VALIDITY} and ROOT_CERT_LOCAL_CA_VALIDITY=${ROOT_CERT_LOCAL_CA_VALIDITY}"
 
 # We require an email to be set here as well, in order to simulate how it would
 # be in the real certbot case.
@@ -44,7 +47,7 @@ certificate = ${LOCAL_CA_CRT}
 database = ${LOCAL_CA_DB}
 serial = ${LOCAL_CA_SRL}
 new_certs_dir = ${LOCAL_CA_CRT_DIR}
-default_days = 30
+default_days = ${NEW_CERT_LOCAL_CA_VALIDITY}
 default_md = sha256
 email_in_dn = yes
 unique_subject = no
@@ -128,7 +131,7 @@ generate_ca() {
 "emailAddress = ${CERTBOT_EMAIL}" \
 ) \
 -extensions ca_cert \
- -days 30 \
+ -days ${ROOT_CERT_LOCAL_CA_VALIDITY} \
 -key "${LOCAL_CA_KEY}" \
 -out "${LOCAL_CA_CRT}"
 fi
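Review bot: The new defaults `: ${NEW_CERT_LOCAL_CA_VALIDITY:="30"}` and `: ${ROOT_CERT_LOCAL_CA_VALIDITY:="30"}` in the first hunk accept any string, and the values are then expanded unquoted as `-days ${ROOT_CERT_LOCAL_CA_VALIDITY}` in the generate_ca hunk and written into the openssl config heredoc as `default_days = ${NEW_CERT_LOCAL_CA_VALIDITY}` in the second hunk, so a non-numeric or whitespace-containing value only fails later inside openssl with an unrelated message, and a value with an embedded newline would add extra directives to the generated config. Quoting the expansions (`: "${NEW_CERT_LOCAL_CA_VALIDITY:=30}"`, `-days "${ROOT_CERT_LOCAL_CA_VALIDITY}"`) and rejecting anything other than a positive integer right after the defaults keeps the failure at the configuration step, with a message naming the variable. The `:=` form already turns the empty strings from the example env file into the default, so only the non-numeric case needs a check; a POSIX `case` keeps it independent of which shell runs the script (the shebang is outside the hunk), and it runs before util.sh is sourced, so it reports via printf rather than the info helper.
```sh
: "${NEW_CERT_LOCAL_CA_VALIDITY:=30}"
: "${ROOT_CERT_LOCAL_CA_VALIDITY:=30}"

# Both values end up as openssl -days / default_days; accept only whole days.
case "${NEW_CERT_LOCAL_CA_VALIDITY}" in
  *[!0-9]*|0*)
    printf 'NEW_CERT_LOCAL_CA_VALIDITY must be a positive integer (days), got: %s\n' "${NEW_CERT_LOCAL_CA_VALIDITY}" >&2
    exit 1
    ;;
esac
case "${ROOT_CERT_LOCAL_CA_VALIDITY}" in
  *[!0-9]*|0*)
    printf 'ROOT_CERT_LOCAL_CA_VALIDITY must be a positive integer (days), got: %s\n' "${ROOT_CERT_LOCAL_CA_VALIDITY}" >&2
    exit 1
    ;;
esac
# … unchanged: sourcing util.sh and the info line …
```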
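Review bot: `-days ${ROOT_CERT_LOCAL_CA_VALIDITY}` in the generate_ca hunk appears to sit inside the branch that creates the CA certificate (the enclosing `if` and generate_ca() itself begin outside the hunk, and the hunk ends at its `fi`), so raising ROOT_CERT_LOCAL_CA_VALIDITY on a container whose CA files already exist would leave the existing root certificate's validity untouched, which matches the docs hunk's "only created if they do not exist" note but is easy to miss when the info line in the first hunk prints the new value on every run. A comment on that line would make the limit explicit: `# Only applied when the CA certificate is first created; an existing CA keeps its original validity.` If the intent is for the log line to reflect what is actually in effect, the info message could also say that the validity values apply to newly created material only.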