159 lines
7.0 KiB
Bash
159 lines
7.0 KiB
Bash
#!/bin/bash
|
|
|
|
set -e
|
|
|
|
PRODUCT="docspace"
|
|
DIR="/usr/bin"
|
|
LETSENCRYPT="/etc/letsencrypt/live";
|
|
OPENRESTY="/etc/openresty/conf.d"
|
|
DHPARAM_FILE="/etc/ssl/certs/dhparam.pem"
|
|
WEBROOT_PATH="/var/www/${PRODUCT}"
|
|
CONFIG_DIR="/etc/onlyoffice/${PRODUCT}"
|
|
SYSTEMD_DIR=$(dirname $($(command -v dpkg-query &> /dev/null && echo "dpkg-query -L" || echo "rpm -ql") ${PRODUCT}-api | grep systemd/system/))
|
|
|
|
# Check if configuration files are present
|
|
if [ ! -f "${OPENRESTY}/onlyoffice-proxy-ssl.conf.template" -a ! -f "${OPENRESTY}/onlyoffice-proxy.conf.template" ]; then
|
|
echo "Error: proxy configuration file not found." && exit 1
|
|
fi
|
|
|
|
help(){
|
|
echo ""
|
|
echo "This script provided to automatically setup SSL Certificates for DocSpace"
|
|
echo "Automatically get Let's Encrypt SSL Certificates:"
|
|
echo " docspace-ssl-setup EMAIL DOMAIN"
|
|
echo " EMAIL Email used for registration and recovery contact."
|
|
echo " Use comma to register multiple emails, ex:"
|
|
echo " u1@example.com,u2@example.com."
|
|
echo " DOMAIN Domain name to apply"
|
|
echo " Use comma to register multiple domains, ex:"
|
|
echo " example.com,s1.example.com,s2.example.com."
|
|
echo ""
|
|
echo "Using your own certificates via the -f or --file parameter:"
|
|
echo " docspace-ssl-setup --file DOMAIN CERTIFICATE PRIVATEKEY"
|
|
echo " DOMAIN Main domain name to apply."
|
|
echo " CERTIFICATE Path to the certificate file for the domain."
|
|
echo " PRIVATEKEY Path to the private key file for the certificate."
|
|
echo ""
|
|
echo "Return to the default proxy configuration using the -d or --default parameter:"
|
|
echo " docspace-ssl-setup --default"
|
|
echo ""
|
|
exit 0
|
|
}
|
|
|
|
case $1 in
|
|
-f | --file )
|
|
if [ -n "$2" ] && [ -n "$3" ] && [ -n "$4" ]; then
|
|
echo "Using specified files to configure SSL..."
|
|
|
|
DOMAIN=$2
|
|
CERTIFICATE_FILE=$3
|
|
PRIVATEKEY_FILE=$4
|
|
|
|
[[ $DOMAIN =~ ^([a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,6}$ ]] || { echo "Error: domain name '$DOMAIN' is incorrect." >&2; exit 1; }
|
|
else
|
|
help
|
|
fi
|
|
;;
|
|
|
|
-d | --default )
|
|
echo "Return to the default proxy configuration..."
|
|
cp -f ${OPENRESTY}/onlyoffice-proxy.conf.template ${OPENRESTY}/onlyoffice-proxy.conf
|
|
sed "s!\(^worker_processes\).*;!\1 $(grep processor /proc/cpuinfo | wc -l);!" -i "${OPENRESTY}/onlyoffice-proxy.conf"
|
|
sed "s!\(worker_connections\).*;!\1 $(ulimit -n);!" -i "${OPENRESTY}/onlyoffice-proxy.conf"
|
|
[[ -f "${DIR}/${PRODUCT}-renew-letsencrypt" ]] && rm -rf "${DIR}/${PRODUCT}-renew-letsencrypt"
|
|
[ $(pgrep -x ""systemd"" | wc -l) -gt 0 ] && systemctl reload openresty || service openresty reload
|
|
sed -i "s/\(\"portal\":\).*/\1 \"http:\/\/localhost:80\"/" ${CONFIG_DIR}/appsettings.$(grep -oP 'ENVIRONMENT=\K.*' ${SYSTEMD_DIR}/${PRODUCT}-api.service).json
|
|
SYSTEMD_NODE_FILES=$(grep -l "NODE_EXTRA_CA_CERTS" ${SYSTEMD_DIR}/${PRODUCT}-*.service ${SYSTEMD_DIR}/ds-*.service || true)
|
|
if [ -n "$SYSTEMD_NODE_FILES" ]; then
|
|
sed -i '/NODE_EXTRA_CA_CERTS/d' ${SYSTEMD_NODE_FILES}
|
|
systemctl daemon-reload
|
|
echo "${SYSTEMD_NODE_FILES[@]}" | xargs -I % basename % | xargs systemctl restart
|
|
fi
|
|
|
|
echo "OK"
|
|
exit 0
|
|
;;
|
|
|
|
* )
|
|
if [ "$#" -ge "2" ]; then
|
|
MAIL=$1
|
|
DOMAINS=$2
|
|
DOMAIN=$(cut -d ',' -f 1 <<< "$DOMAINS")
|
|
LETSENCRYPT_ENABLE="true"
|
|
|
|
# Install certbot if not already installed
|
|
if ! type "certbot" &> /dev/null; then
|
|
if type "apt-get" &> /dev/null; then
|
|
apt-get -y update -qq
|
|
apt-get -y -q install certbot
|
|
elif type "yum" &> /dev/null; then
|
|
yum -y install certbot
|
|
fi
|
|
fi
|
|
|
|
echo "Generating Let's Encrypt SSL Certificates..."
|
|
|
|
# Request and generate Let's Encrypt SSL certificate
|
|
echo certbot certonly --expand --webroot -w ${WEBROOT_PATH} --key-type rsa --cert-name ${PRODUCT} --noninteractive --agree-tos --email ${MAIL} -d ${DOMAINS[@]} > /var/log/le-start.log
|
|
certbot certonly --expand --webroot -w ${WEBROOT_PATH} --key-type rsa --cert-name ${PRODUCT} --noninteractive --agree-tos --email ${MAIL} -d ${DOMAINS[@]} > /var/log/le-new.log
|
|
else
|
|
help
|
|
fi
|
|
;;
|
|
esac
|
|
|
|
[[ ! -f "${DHPARAM_FILE}" ]] && openssl dhparam -out ${DHPARAM_FILE} 2048
|
|
CERTIFICATE_FILE="${CERTIFICATE_FILE:-"${LETSENCRYPT}/${PRODUCT}/fullchain.pem"}"
|
|
PRIVATEKEY_FILE="${PRIVATEKEY_FILE:-"${LETSENCRYPT}/${PRODUCT}/privkey.pem"}"
|
|
|
|
if [ -f "${CERTIFICATE_FILE}" ]; then
|
|
if [ -f "${PRIVATEKEY_FILE}" ]; then
|
|
cp -f ${OPENRESTY}/onlyoffice-proxy-ssl.conf.template ${OPENRESTY}/onlyoffice-proxy.conf
|
|
sed -i "s/\(\"portal\":\).*/\1 \"https:\/\/${DOMAIN}\"/" ${CONFIG_DIR}/appsettings.$(grep -oP 'ENVIRONMENT=\K.*' ${SYSTEMD_DIR}/${PRODUCT}-api.service).json
|
|
sed -i "s~\(ssl_certificate \).*;~\1${CERTIFICATE_FILE};~g" ${OPENRESTY}/onlyoffice-proxy.conf
|
|
sed -i "s~\(ssl_certificate_key \).*;~\1${PRIVATEKEY_FILE};~g" ${OPENRESTY}/onlyoffice-proxy.conf
|
|
sed -i "s~\(ssl_dhparam \).*;~\1${DHPARAM_FILE};~g" ${OPENRESTY}/onlyoffice-proxy.conf
|
|
|
|
if [[ "${LETSENCRYPT_ENABLE}" = "true" ]]; then
|
|
# Create and set permissions for ${PRODUCT}-renew-letsencrypt
|
|
echo '#!/bin/bash' > ${DIR}/${PRODUCT}-renew-letsencrypt
|
|
echo "certbot renew >> /var/log/le-renew.log" >> ${DIR}/${PRODUCT}-renew-letsencrypt
|
|
if [ $(pgrep -x ""systemd"" | wc -l) -gt 0 ]; then
|
|
echo 'systemctl reload openresty' >> ${DIR}/${PRODUCT}-renew-letsencrypt
|
|
else
|
|
echo 'service openresty reload' >> ${DIR}/${PRODUCT}-renew-letsencrypt
|
|
fi
|
|
|
|
chmod a+x ${DIR}/${PRODUCT}-renew-letsencrypt
|
|
|
|
# Add cron job if /etc/cron.d directory exists
|
|
if [ -d /etc/cron.d ]; then
|
|
echo -e "@weekly root ${DIR}/${PRODUCT}-renew-letsencrypt" | tee /etc/cron.d/${PRODUCT}-letsencrypt
|
|
fi
|
|
else
|
|
CERTIFICATE_SUBJECT=$(openssl x509 -subject -noout -in "${CERTIFICATE_FILE}" | sed 's/subject=//')
|
|
CERTIFICATE_ISSUER=$(openssl x509 -issuer -noout -in "${CERTIFICATE_FILE}" | sed 's/issuer=//')
|
|
|
|
#Checking whether the certificate is self-signed
|
|
if [[ -n "$CERTIFICATE_SUBJECT" && -n "$CERTIFICATE_ISSUER" && "$CERTIFICATE_SUBJECT" == "$CERTIFICATE_ISSUER" ]]; then
|
|
SYSTEMD_NODE_FILES=$(grep -l "ExecStart=/usr/bin/node" ${SYSTEMD_DIR}/${PRODUCT}-*.service; ls ${SYSTEMD_DIR}/ds-*.service 2>/dev/null | grep -v "ds-example" || true)
|
|
for SYSTEMD_NODE_FILE in ${SYSTEMD_NODE_FILES}; do
|
|
if ! grep -q "NODE_EXTRA_CA_CERTS" "${SYSTEMD_NODE_FILE}"; then
|
|
sed -i "/ExecStart=/i Environment=NODE_EXTRA_CA_CERTS=${CERTIFICATE_FILE}" "${SYSTEMD_NODE_FILE}"
|
|
fi
|
|
done
|
|
systemctl daemon-reload
|
|
echo "${SYSTEMD_NODE_FILES[@]}" | xargs -I % basename % | xargs systemctl restart
|
|
fi
|
|
fi
|
|
|
|
[ $(pgrep -x ""systemd"" | wc -l) -gt 0 ] && systemctl reload openresty || service openresty reload
|
|
|
|
echo "OK"
|
|
else
|
|
echo "Error: private key file at path ${PRIVATEKEY_FILE} not found." && exit 1
|
|
fi
|
|
else
|
|
echo "Error: certificate file at path ${CERTIFICATE_FILE} not found." && exit 1
|
|
fi
|