170 lines
7.3 KiB
Bash
170 lines
7.3 KiB
Bash
#!/bin/bash
|
|
|
|
set -e
|
|
|
|
PRODUCT="docspace"
|
|
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
|
|
DOCKERCOMPOSE=$(dirname "$DIR")
|
|
LETSENCRYPT="/etc/letsencrypt/live";
|
|
DHPARAM_FILE="/etc/ssl/certs/dhparam.pem"
|
|
WEBROOT_PATH="/letsencrypt"
|
|
|
|
# Check if configuration files are present
|
|
if [ -f "/app/onlyoffice/.env" -a -f "/app/onlyoffice/proxy.yml" -a -f "/app/onlyoffice/proxy-ssl.yml" ]; then
|
|
DOCKERCOMPOSE="/app/onlyoffice"
|
|
DIR="/app/onlyoffice/config"
|
|
elif [ -f "${DOCKERCOMPOSE}/.env" -a -f "${DOCKERCOMPOSE}/proxy.yml" -a -f "${DOCKERCOMPOSE}/proxy-ssl.yml" ]; then
|
|
:
|
|
else
|
|
echo "Error: configuration files not found." && exit 1
|
|
fi
|
|
|
|
help(){
|
|
echo ""
|
|
echo "This script provided to automatically setup SSL Certificates for DocSpace"
|
|
echo "Automatically get Let's Encrypt SSL Certificates:"
|
|
echo " docspace-ssl-setup EMAIL DOMAIN"
|
|
echo " EMAIL Email used for registration and recovery contact."
|
|
echo " Use comma to register multiple emails, ex:"
|
|
echo " u1@example.com,u2@example.com."
|
|
echo " DOMAIN Domain name to apply"
|
|
echo " Use comma to register multiple domains, ex:"
|
|
echo " example.com,s1.example.com,s2.example.com."
|
|
echo ""
|
|
echo "Using your own certificates via the -f or --file parameter:"
|
|
echo " docspace-ssl-setup --file DOMAIN CERTIFICATE PRIVATEKEY"
|
|
echo " DOMAIN Main domain name to apply."
|
|
echo " CERTIFICATE Path to the certificate file for the domain."
|
|
echo " PRIVATEKEY Path to the private key file for the certificate."
|
|
echo ""
|
|
echo "Return to the default proxy configuration using the -d or --default parameter:"
|
|
echo " docspace-ssl-setup --default"
|
|
echo ""
|
|
exit 0
|
|
}
|
|
|
|
case $1 in
|
|
-f | --file )
|
|
if [ -n "$2" ] && [ -n "$3" ] && [ -n "$4" ]; then
|
|
echo "Using specified files to configure SSL..."
|
|
DOMAIN=$2
|
|
CERTIFICATE_FILE=$3
|
|
PRIVATEKEY_FILE=$4
|
|
else
|
|
help
|
|
fi
|
|
;;
|
|
|
|
-d | --default )
|
|
echo "Return to the default proxy configuration..."
|
|
if [ -z "$(awk -F '=' '/^\s*DOCUMENT_SERVER_URL_EXTERNAL/{gsub(/^[[:space:]]*"|"[[:space:]]*$/, "", $2); print $2}' ${DOCKERCOMPOSE}/.env)" ]; then
|
|
sed "s#\(APP_URL_PORTAL=\).*#\1\"http://onlyoffice-router:8092\"#g" -i ${DOCKERCOMPOSE}/.env
|
|
else
|
|
sed "s#\(APP_URL_PORTAL=\).*#\1\"http://$(curl -s ifconfig.me)\"#g" -i ${DOCKERCOMPOSE}/.env
|
|
fi
|
|
|
|
[[ -f "${DIR}/${PRODUCT}-renew-letsencrypt" ]] && rm -rf "${DIR}/${PRODUCT}-renew-letsencrypt"
|
|
|
|
if docker ps -f "name=onlyoffice-proxy" --format '{{.Names}}' | grep -q "onlyoffice-proxy"; then
|
|
if docker ps -f "name=onlyoffice-proxy" --format "{{.Ports}}" | grep -q "443"; then
|
|
docker-compose -f ${DOCKERCOMPOSE}/proxy-ssl.yml down
|
|
fi
|
|
fi
|
|
|
|
if grep -q '${CERTIFICATE_PATH}:' ${DOCKERCOMPOSE}/docspace.yml; then
|
|
sed -i '/USE_UNAUTHORIZED_STORAGE/d' ${DOCKERCOMPOSE}/ds.yml
|
|
sed -i '/${CERTIFICATE_PATH}:/d' ${DOCKERCOMPOSE}/docspace.yml ${DOCKERCOMPOSE}/ds.yml
|
|
docker-compose -f ${DOCKERCOMPOSE}/docspace.yml up --force-recreate -d onlyoffice-doceditor onlyoffice-login onlyoffice-socket onlyoffice-ssoauth
|
|
docker-compose -f ${DOCKERCOMPOSE}/ds.yml up --force-recreate -d
|
|
fi
|
|
|
|
docker-compose -f ${DOCKERCOMPOSE}/proxy.yml up --force-recreate -d
|
|
docker-compose -f ${DOCKERCOMPOSE}/docspace.yml up --force-recreate -d onlyoffice-files
|
|
|
|
echo "OK"
|
|
exit 0
|
|
;;
|
|
|
|
* )
|
|
if [ "$#" -ge "2" ]; then
|
|
MAIL=$1
|
|
DOMAINS=$2
|
|
DOMAIN=$(cut -d ',' -f 1 <<< "$DOMAINS")
|
|
LETSENCRYPT_ENABLE="true"
|
|
|
|
if ! docker volume inspect "onlyoffice_webroot_path" &> /dev/null; then
|
|
echo "Error: missing webroot_path volume" && exit 1
|
|
fi
|
|
|
|
if ! docker ps -f "name=onlyoffice-proxy" --format '{{.Names}}' | grep -q "onlyoffice-proxy"; then
|
|
echo "Error: the proxy container is not running" && exit 1
|
|
fi
|
|
|
|
echo "Generating Let's Encrypt SSL Certificates..."
|
|
|
|
# Request and generate Let's Encrypt SSL certificate
|
|
docker run -it --rm \
|
|
-v /etc/letsencrypt:/etc/letsencrypt \
|
|
-v /var/lib/letsencrypt:/var/lib/letsencrypt \
|
|
-v /var/log:/var/log \
|
|
-v onlyoffice_webroot_path:${WEBROOT_PATH} \
|
|
certbot/certbot certonly \
|
|
--expand --webroot -w ${WEBROOT_PATH} \
|
|
--cert-name ${PRODUCT} --non-interactive --agree-tos --email ${MAIL} -d ${DOMAINS[@]}
|
|
else
|
|
help
|
|
fi
|
|
;;
|
|
esac
|
|
|
|
[[ ! -f "${DHPARAM_FILE}" ]] && openssl dhparam -out ${DHPARAM_FILE} 2048
|
|
CERTIFICATE_FILE="${CERTIFICATE_FILE:-"${LETSENCRYPT}/${PRODUCT}/fullchain.pem"}"
|
|
PRIVATEKEY_FILE="${PRIVATEKEY_FILE:-"${LETSENCRYPT}/${PRODUCT}/privkey.pem"}"
|
|
|
|
if [ -f "${CERTIFICATE_FILE}" ]; then
|
|
if [ -f "${PRIVATEKEY_FILE}" ]; then
|
|
sed -i "s~\(APP_URL_PORTAL=\).*~\1\"https://${DOMAIN}\"~g" ${DOCKERCOMPOSE}/.env
|
|
sed -i "s~\(CERTIFICATE_PATH=\).*~\1\"${CERTIFICATE_FILE}\"~g" ${DOCKERCOMPOSE}/.env
|
|
sed -i "s~\(CERTIFICATE_KEY_PATH=\).*~\1\"${PRIVATEKEY_FILE}\"~g" ${DOCKERCOMPOSE}/.env
|
|
sed -i "s~\(DHPARAM_PATH=\).*~\1\"${DHPARAM_FILE}\"~g" ${DOCKERCOMPOSE}/.env
|
|
|
|
if [[ "${LETSENCRYPT_ENABLE}" = "true" ]]; then
|
|
# Create and set permissions for docspace-renew-letsencrypt
|
|
echo '#!/bin/bash' > ${DIR}/${PRODUCT}-renew-letsencrypt
|
|
echo "docker-compose -f ${DOCKERCOMPOSE}/proxy-ssl.yml down" >> ${DIR}/${PRODUCT}-renew-letsencrypt
|
|
echo 'docker run -it --rm \' >> ${DIR}/${PRODUCT}-renew-letsencrypt
|
|
echo ' -v /etc/letsencrypt:/etc/letsencrypt \' >> ${DIR}/${PRODUCT}-renew-letsencrypt
|
|
echo ' -v /var/lib/letsencrypt:/var/lib/letsencrypt \' >> ${DIR}/${PRODUCT}-renew-letsencrypt
|
|
echo ' certbot/certbot renew' >> ${DIR}/${PRODUCT}-renew-letsencrypt
|
|
echo "docker-compose -f ${DOCKERCOMPOSE}/proxy-ssl.yml up -d" >> ${DIR}/${PRODUCT}-renew-letsencrypt
|
|
|
|
chmod a+x ${DIR}/${PRODUCT}-renew-letsencrypt
|
|
|
|
# Add cron job if /etc/cron.d directory exists
|
|
if [ -d /etc/cron.d ]; then
|
|
echo -e "@weekly root ${DIR}/${PRODUCT}-renew-letsencrypt" | tee /etc/cron.d/${PRODUCT}-letsencrypt
|
|
fi
|
|
else
|
|
CERTIFICATE_SUBJECT=$(openssl x509 -subject -noout -in "${CERTIFICATE_FILE}" | sed -n 's/^.*CN *= *\([^,]*\).*$/\1/p' | awk -F. '{print $(NF-1)"."$NF}')
|
|
CERTIFICATE_ISSUER=$(openssl x509 -issuer -noout -in "${CERTIFICATE_FILE}" | sed -n 's/^.*CN *= *\([^,]*\).*$/\1/p' | awk -F. '{print $(NF-1)"."$NF}')
|
|
|
|
#Checking whether the certificate is self-signed
|
|
if [[ -n "$CERTIFICATE_SUBJECT" && -n "$CERTIFICATE_ISSUER" && "$CERTIFICATE_SUBJECT" == "$CERTIFICATE_ISSUER" ]]; then
|
|
sed -i '/app_data:\/.*/a \ - ${CERTIFICATE_PATH}:${CERTIFICATE_PATH}' ${DOCKERCOMPOSE}/docspace.yml
|
|
docker-compose -f ${DOCKERCOMPOSE}/docspace.yml up --force-recreate -d onlyoffice-doceditor onlyoffice-login onlyoffice-socket onlyoffice-ssoauth
|
|
sed -i '/app_data:\/.*/a \ - ${CERTIFICATE_PATH}:/var/www/onlyoffice/Data/certs/extra-ca-certs.pem' ${DOCKERCOMPOSE}/ds.yml
|
|
docker-compose -f ${DOCKERCOMPOSE}/ds.yml up --force-recreate -d
|
|
fi
|
|
fi
|
|
|
|
docker-compose -f ${DOCKERCOMPOSE}/proxy-ssl.yml up --force-recreate -d
|
|
docker-compose -f ${DOCKERCOMPOSE}/docspace.yml up --force-recreate -d onlyoffice-files
|
|
|
|
echo "OK"
|
|
else
|
|
echo "Error: private key file at path ${PRIVATEKEY_FILE} not found." && exit 1
|
|
fi
|
|
else
|
|
echo "Error: certificate file at path ${CERTIFICATE_FILE} not found." && exit 1
|
|
fi
|