From 42d996a60dc4633670b0e4dbb963ae2ee24f49e6 Mon Sep 17 00:00:00 2001
From: Evgeniy Antonyuk
Date: Wed, 6 Sep 2023 17:49:13 +0500
Subject: [PATCH] Add webroot when creating a certificate and use letsencrypt.conf for all installations

---
 .../install/OneClickInstall/install-Docker.sh | 14 +++++-------
 build/install/common/product-ssl-setup | 9 ++++----
 .../install/deb/debian/product-proxy.install | 1 +
 build/install/deb/debian/rules | 3 ++-
 .../install/docker/config/docspace-ssl-setup | 22 +++++++++++++++----
 .../docker/config/nginx/letsencrypt.conf | 4 ++--
 .../config/nginx/onlyoffice-proxy-ssl.conf | 4 ++--
 .../docker/config/nginx/onlyoffice-proxy.conf | 4 ++--
 build/install/docker/proxy-ssl.yml | 3 +++
 build/install/docker/proxy.yml | 3 +++
 build/install/rpm/SPECS/build.spec | 3 ++-
 build/install/rpm/SPECS/install.spec | 1 +
 build/install/win/build-batch.bat | 2 +-
 13 files changed, 48 insertions(+), 25 deletions(-)

diff --git a/build/install/OneClickInstall/install-Docker.sh b/build/install/OneClickInstall/install-Docker.sh
index 85cb49a66c..77fc043293 100644
--- a/build/install/OneClickInstall/install-Docker.sh
+++ b/build/install/OneClickInstall/install-Docker.sh
@@ -1336,19 +1336,17 @@ install_product () { reconfigure APP_URL_PORTAL "${APP_URL_PORTAL:-"http://${PACKAGE_SYSNAME}-router:8092"}" reconfigure EXTERNAL_PORT ${EXTERNAL_PORT} - if [ ! -z "${CERTIFICATE_PATH}" ] && [ ! -z "${CERTIFICATE_KEY_PATH}" ]; then - bash $BASE_DIR/config/${PRODUCT}-ssl-setup -f "${CERTIFICATE_PATH}" "${CERTIFICATE_KEY_PATH}" - PROXY_YML="${BASE_DIR}/proxy-ssl.yml" - elif [ ! -z "${LETS_ENCRYPT_DOMAIN}" ] && [ ! -z "${LETS_ENCRYPT_MAIL}" ]; then - bash $BASE_DIR/config/${PRODUCT}-ssl-setup "${LETS_ENCRYPT_MAIL}" "${LETS_ENCRYPT_DOMAIN}" - PROXY_YML="${BASE_DIR}/proxy-ssl.yml" - fi - docker-compose -f $BASE_DIR/migration-runner.yml up -d docker-compose -f $BASE_DIR/${PRODUCT}.yml up -d docker-compose -f ${PROXY_YML} up -d docker-compose -f $BASE_DIR/notify.yml up -d docker-compose -f $BASE_DIR/healthchecks.yml up -d + + if [ ! -z "${CERTIFICATE_PATH}" ] && [ ! -z "${CERTIFICATE_KEY_PATH}" ]; then + bash $BASE_DIR/config/${PRODUCT}-ssl-setup -f "${CERTIFICATE_PATH}" "${CERTIFICATE_KEY_PATH}" + elif [ ! -z "${LETS_ENCRYPT_DOMAIN}" ] && [ ! -z "${LETS_ENCRYPT_MAIL}" ]; then + bash $BASE_DIR/config/${PRODUCT}-ssl-setup "${LETS_ENCRYPT_MAIL}" "${LETS_ENCRYPT_DOMAIN}" + fi } make_swap () { diff --git a/build/install/common/product-ssl-setup b/build/install/common/product-ssl-setup index 4097dd519b..3728e3cf96 100644 --- a/build/install/common/product-ssl-setup +++ b/build/install/common/product-ssl-setup @@ -7,6 +7,7 @@ DIR="/usr/bin" LETSENCRYPT="/etc/letsencrypt/live"; NGINX="/etc/nginx/conf.d" DHPARAM_FILE="/etc/ssl/certs/dhparam.pem" +WEBROOT_PATH="/var/www/${PRODUCT}" if [ "$#" -ge "2" ]; then if [ "$1" != "-f" ]; then 
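Review bot: The exit status of both new `bash $BASE_DIR/config/${PRODUCT}-ssl-setup ...` calls is ignored, so a failed certificate request leaves install_product reporting success with the proxy still on plain HTTP; `bash "$BASE_DIR/config/${PRODUCT}-ssl-setup" "${LETS_ENCRYPT_MAIL}" "${LETS_ENCRYPT_DOMAIN}" || { echo "SSL setup failed" >&2; exit 1; }` (and the same on the -f branch) surfaces it. Since `PROXY_YML` is no longer switched to proxy-ssl.yml here, I read the block as relying on the ssl-setup script to restart the proxy with the SSL compose file itself; a comment above it such as `# runs after the stack is up: the webroot challenge needs the plain proxy running; ssl-setup swaps proxy.yml for proxy-ssl.yml` records that ordering dependency. install_product continues outside the hunk, and `[ ! -z ... ]` reads better as `[ -n ... ]`.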
@@ -27,8 +28,8 @@ if [ "$#" -ge "2" ]; then
 echo "Generating Let's Encrypt SSL Certificates..."
 
 # Request and generate Let's Encrypt SSL certificate
- echo certbot certonly --expand --webroot --noninteractive --agree-tos --email ${MAIL} -d ${DOMAIN} > /var/log/le-start.log
- certbot certonly --expand --webroot --noninteractive --agree-tos --email ${MAIL} -d ${DOMAIN} > /var/log/le-new.log
+ echo certbot certonly --expand --webroot -w ${WEBROOT_PATH} --cert-name ${PRODUCT} --noninteractive --agree-tos --email ${MAIL} -d ${DOMAIN} > /var/log/le-start.log
+ certbot certonly --expand --webroot -w ${WEBROOT_PATH} --cert-name ${PRODUCT} --noninteractive --agree-tos --email ${MAIL} -d ${DOMAIN} > /var/log/le-new.log
 else
 
 echo "Using specified files to configure SSL..."
@@ -38,8 +39,8 @@ if [ "$#" -ge "2" ]; then
 
 [[ ! -f "${DHPARAM_FILE}" ]] && openssl dhparam -out ${DHPARAM_FILE} 4096
 
- CERTIFICATE_FILE="${CERTIFICATE_FILE:-"${LETSENCRYPT}/${DOMAIN}/fullchain.pem"}"
- PRIVATEKEY_FILE="${PRIVATEKEY_FILE:-"${LETSENCRYPT}/${DOMAIN}/privkey.pem"}"
+ CERTIFICATE_FILE="${CERTIFICATE_FILE:-"${LETSENCRYPT}/${PRODUCT}/fullchain.pem"}"
+ PRIVATEKEY_FILE="${PRIVATEKEY_FILE:-"${LETSENCRYPT}/${PRODUCT}/privkey.pem"}"
 
 if [ -f "${CERTIFICATE_FILE}" -a -f ${PRIVATEKEY_FILE} ]; then
 if [ -f "${NGINX}/onlyoffice-proxy-ssl.conf.template" ]; then
diff --git a/build/install/deb/debian/product-proxy.install b/build/install/deb/debian/product-proxy.install
index 723d0a2393..3e8885d7d6 100644
--- a/build/install/deb/debian/product-proxy.install
+++ b/build/install/deb/debian/product-proxy.install
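Review bot: The new `certbot certonly ... > /var/log/le-new.log` line still discards certbot's exit status, so a failed challenge is only noticed later when fullchain.pem is missing; `... > /var/log/le-new.log || { echo "certbot failed, see /var/log/le-new.log" >&2; exit 1; }` fails fast with a pointer to the log. `-w ${WEBROOT_PATH}` only works if it is the same directory nginx serves for /.well-known/acme-challenge, which the debian rules and rpm spec rewrite into letsencrypt.conf at build time, so a comment on the WEBROOT_PATH assignment, `# must match the root in /etc/nginx/includes/letsencrypt.conf`, ties the two together. With `--cert-name ${PRODUCT}` every run targets one lineage; rerunning with a different DOMAIN then asks certbot to change that lineage's domain set, which in --noninteractive mode may be refused unless --expand applies, so that case is worth testing or mentioning in the usage text. `${MAIL}`, `${DOMAIN}` and `${WEBROOT_PATH}` are unquoted on both new lines.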
@@ -3,6 +3,7 @@ ../../../build/install/docker/config/nginx/templates/*.template etc/onlyoffice/{{product}}/nginx ../../../build/install/docker/config/nginx/onlyoffice* etc/nginx/conf.d ../../../config/nginx/onlyoffice*.conf etc/nginx/conf.d +../../../build/install/docker/config/nginx/letsencrypt* etc/nginx/includes ../../../config/nginx/includes/onlyoffice*.conf etc/nginx/includes ../../../build/deploy/public/* var/www/{{product}}/public ../../../build/deploy/client/* var/www/{{product}}/client diff --git a/build/install/deb/debian/rules b/build/install/deb/debian/rules index 1d60159a35..6f26983de0 100755 --- a/build/install/deb/debian/rules +++ b/build/install/deb/debian/rules @@ -50,7 +50,8 @@ override_dh_auto_build: sed 's_\(minlevel=\)".*"_\1"Warn"_g' -i ${SRC_PATH}/config/nlog.config sed 's/teamlab.info/onlyoffice.com/g' -i ${SRC_PATH}/config/autofac.consumers.json - sed -e 's/$$router_host/127.0.0.1/g' -e '/proxy_set_header/d' -i ${SRC_PATH}/build/install/docker/config/nginx/onlyoffice-proxy*.conf + sed -e 's/$$router_host/127.0.0.1/g' -e '/proxy_set_header/d' -e 's|includes|/etc/nginx/includes|g' -i ${SRC_PATH}/build/install/docker/config/nginx/onlyoffice-proxy*.conf + sed "s|\(.*root\).*;|\1 \"/var/www/${PRODUCT}";|g" -i ${SRC_PATH}/build/install/docker/config/nginx/letsencrypt.conf sed -e '/.pid/d' -e '/temp_path/d' -i ${SRC_PATH}/build/install/docker/config/nginx/templates/nginx.conf.template mv -f ${SRC_PATH}/build/install/docker/config/nginx/onlyoffice-proxy-ssl.conf ${SRC_PATH}/build/install/docker/config/nginx/onlyoffice-proxy-ssl.conf.template diff --git a/build/install/docker/config/docspace-ssl-setup b/build/install/docker/config/docspace-ssl-setup index 357afa8bf4..5d311ff086 100644 --- a/build/install/docker/config/docspace-ssl-setup +++ b/build/install/docker/config/docspace-ssl-setup 
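Review bot: As rendered, the new `sed "s|\(.*root\).*;|\1 \"/var/www/${PRODUCT}";|g" -i ...letsencrypt.conf` line ends its double-quoted argument at `${PRODUCT}"` — the second `\"` lacks its backslash — so the shell sees an unquoted `;` followed by `|g"`, which is a syntax error rather than the intended `root "/var/www/<product>";`; the fix is `sed "s|\(.*root\).*;|\1 \"/var/www/${PRODUCT}\";|g" -i ${SRC_PATH}/build/install/docker/config/nginx/letsencrypt.conf`. The rpm build.spec hunk has the same defect (and passes `-i` twice), while the build-batch.bat variant escapes it correctly. The added `-e 's|includes|/etc/nginx/includes|g'` rewrites every occurrence of that substring in the proxy confs; `'s|include includes/|include /etc/nginx/includes/|g'` limits it to the include directives.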
@@ -7,6 +7,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" DOCKERCOMPOSE=$(dirname "$DIR") LETSENCRYPT="/etc/letsencrypt/live"; DHPARAM_FILE="/etc/ssl/certs/dhparam.pem" +WEBROOT_PATH="/letsencrypt" if [ "$#" -ge "2" ]; then if [ "$1" != "-f" ]; then @@ -15,7 +16,7 @@ if [ "$#" -ge "2" ]; then LETSENCRYPT_ENABLE="true" if [ -f "${DOCKERCOMPOSE}/proxy.yml" ]; then - docker-compose -f ${DOCKERCOMPOSE}/proxy.yml down + : elif [ -f "/app/onlyoffice/proxy.yml" ]; then DOCKERCOMPOSE="/app/onlyoffice" DIR="/app/onlyoffice/config" @@ -23,14 +24,25 @@ if [ "$#" -ge "2" ]; then echo "Error: proxy configuration file not found." && exit 1 fi + if ! docker ps -f "name=onlyoffice-proxy" --format '{{.Names}}' | grep -q "onlyoffice-proxy"; then + echo "Error: the proxy container is not running" && exit 1 + fi + + if ! docker volume inspect "onlyoffice_webroot_path" &> /dev/null; then + echo "Error: missing webroot_path volume" && exit 1 + fi + echo "Generating Let's Encrypt SSL Certificates..." # Request and generate Let's Encrypt SSL certificate docker run -it --rm \ -v /etc/letsencrypt:/etc/letsencrypt \ -v /var/lib/letsencrypt:/var/lib/letsencrypt \ + -v /var/log:/var/log \ + -v onlyoffice_webroot_path:${WEBROOT_PATH} \ certbot/certbot certonly \ - --webroot --non-interactive --agree-tos --email ${MAIL} -d ${DOMAIN} + --expand --webroot -w ${WEBROOT_PATH} \ + --cert-name ${PRODUCT} --non-interactive --agree-tos --email ${MAIL} -d ${DOMAIN} else echo "Using specified files to configure SSL..." 
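Review bot: The new `-v /var/log:/var/log` bind-mounts the host's whole log directory read-write into the certbot container although certbot only writes under /var/log/letsencrypt; `-v /var/log/letsencrypt:/var/log/letsencrypt \` gives it that directory without exposing every other host log to the container. The `docker ps -f "name=onlyoffice-proxy"` check is a substring match, so any running container whose name contains that string passes it; the name filter accepts a regex, so `-f "name=^/?onlyoffice-proxy$"` makes the check exact. The hard-coded `onlyoffice_webroot_path` assumes the compose project is named onlyoffice, which is what the volume check guards; a comment `# <compose project>_webroot_path, declared in proxy.yml` on the inspect line explains the fixed name. The `then :` left where the early `docker-compose down` was removed is a sign the if/elif chain could now be written around the negated test, since that branch does nothing.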
@@ -40,11 +52,13 @@ if [ "$#" -ge "2" ]; then
 
 [[ ! -f "${DHPARAM_FILE}" ]] && openssl dhparam -out ${DHPARAM_FILE} 4096
 
- CERTIFICATE_FILE="${CERTIFICATE_FILE:-"${LETSENCRYPT}/${DOMAIN}/fullchain.pem"}"
- PRIVATEKEY_FILE="${PRIVATEKEY_FILE:-"${LETSENCRYPT}/${DOMAIN}/privkey.pem"}"
+ CERTIFICATE_FILE="${CERTIFICATE_FILE:-"${LETSENCRYPT}/${PRODUCT}/fullchain.pem"}"
+ PRIVATEKEY_FILE="${PRIVATEKEY_FILE:-"${LETSENCRYPT}/${PRODUCT}/privkey.pem"}"
 
 if [ -f "${CERTIFICATE_FILE}" -a -f ${PRIVATEKEY_FILE} ]; then
 if [ -f ${DOCKERCOMPOSE}/.env -a -f ${DOCKERCOMPOSE}/proxy-ssl.yml ]; then
+ docker-compose -f ${DOCKERCOMPOSE}/proxy.yml down
+
 sed -i "s~\(APP_URL_PORTAL=\).*~\1\"https://${DOMAIN:-$(hostname --fqdn)}\"~g" ${DOCKERCOMPOSE}/.env
 sed -i "s~\(CERTIFICATE_PATH=\).*~\1\"${CERTIFICATE_FILE}\"~g" ${DOCKERCOMPOSE}/.env
 sed -i "s~\(CERTIFICATE_KEY_PATH=\).*~\1\"${PRIVATEKEY_FILE}\"~g" ${DOCKERCOMPOSE}/.env
diff --git a/build/install/docker/config/nginx/letsencrypt.conf b/build/install/docker/config/nginx/letsencrypt.conf
index b57db4bd5c..279d4b5c50 100644
--- a/build/install/docker/config/nginx/letsencrypt.conf
+++ b/build/install/docker/config/nginx/letsencrypt.conf
@@ -1,4 +1,4 @@
 location ~ /.well-known/acme-challenge {
- root "{APPDIR}letsencrypt";
+ root "/letsencrypt";
 allow all;
- }
+}
diff --git a/build/install/docker/config/nginx/onlyoffice-proxy-ssl.conf b/build/install/docker/config/nginx/onlyoffice-proxy-ssl.conf
index ecbd6f404b..93bf41d589 100644
--- a/build/install/docker/config/nginx/onlyoffice-proxy-ssl.conf
+++ b/build/install/docker/config/nginx/onlyoffice-proxy-ssl.conf
@@ -57,6 +57,6 @@ server {
 location / {
 proxy_pass http://$router_host:8092;
 }
- # The letsencrypt.conf is used for SSL configuration on Windows
- # include includes/letsencrypt.conf;
+
+ include includes/letsencrypt.conf;
 }
diff --git a/build/install/docker/config/nginx/onlyoffice-proxy.conf b/build/install/docker/config/nginx/onlyoffice-proxy.conf
index 0d551147d1..60eb068026 100644
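Review bot: The added `docker-compose -f ${DOCKERCOMPOSE}/proxy.yml down` stops the plain proxy before the .env edits and without checking its status, so if any later step fails the portal is left with no proxy at all rather than the pre-existing HTTP one; doing the edits first and bringing proxy.yml down immediately before proxy-ssl.yml is brought up (that step is outside the hunk) narrows the outage to the restart itself. `${DOCKERCOMPOSE}` is unquoted on the new line while the `-f` tests above it quote their paths. The enclosing if-blocks continue past the hunk.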
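Review bot: `location ~ /.well-known/acme-challenge {` is an unanchored regex location in which `.` matches any character, so it also matches that substring anywhere in a URI (e.g. `/x/ywell-known/acme-challenge`) and competes with other regex locations in the server; the usual form for the ACME path is the literal, start-anchored prefix `location ^~ /.well-known/acme-challenge/ {`, which is evaluated before regex locations. Now that the file is shared by every platform and its `root` is rewritten per build, a header comment `# ACME http-01 challenge directory; root must match the certbot -w path (rewritten per platform at build time)` would explain why the value here differs from the packaged one.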
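Review bot: The include is now unconditionally active inside the HTTPS server block, but http-01 validation arrives on port 80, so renewals after the switch to this config depend on the port-80 server in the same file (outside the hunk) either serving /.well-known/acme-challenge from the same root or redirecting it to HTTPS, which certbot follows; please confirm and add the include there too if it does neither. The same unconditional include is added in onlyoffice-proxy.conf. The removed comment recorded why the include existed; a one-liner such as `# ACME challenge location, shared by all platforms` keeps that context.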
--- a/build/install/docker/config/nginx/onlyoffice-proxy.conf
+++ b/build/install/docker/config/nginx/onlyoffice-proxy.conf
@@ -12,6 +12,6 @@ server {
 location / {
 proxy_pass http://$router_host:8092;
 }
- # The letsencrypt.conf is used for SSL configuration on Windows
- # include includes/letsencrypt.conf;
+
+ include includes/letsencrypt.conf;
 }
diff --git a/build/install/docker/proxy-ssl.yml b/build/install/docker/proxy-ssl.yml
index 4802fcc437..35f2a503af 100644
--- a/build/install/docker/proxy-ssl.yml
+++ b/build/install/docker/proxy-ssl.yml
@@ -21,8 +21,10 @@ services:
 environment:
 - ROUTER_HOST=${ROUTER_HOST}
 volumes:
+ - webroot_path:/letsencrypt
 - proxy_log:/var/log/nginx
 - ./config/nginx/templates/nginx.conf.template:/etc/nginx/nginx.conf
+ - ./config/nginx/letsencrypt.conf:/etc/nginx/includes/letsencrypt.conf
 - ./config/nginx/templates/proxy.upstream.conf.template:/etc/nginx/templates/proxy.upstream.conf.template:ro
 - ./config/nginx/onlyoffice-proxy-ssl.conf:/etc/nginx/conf.d/default.conf
 - ${CERTIFICATE_PATH}:/usr/local/share/ca-certificates/tls.crt
@@ -36,3 +38,4 @@ networks:
 
 volumes:
 proxy_log:
+ webroot_path:
diff --git a/build/install/docker/proxy.yml b/build/install/docker/proxy.yml
index e22bb758f9..2bc51a6b4c 100644
--- a/build/install/docker/proxy.yml
+++ b/build/install/docker/proxy.yml
@@ -20,8 +20,10 @@ services:
 environment:
 - ROUTER_HOST=${ROUTER_HOST}
 volumes:
+ - webroot_path:/letsencrypt
 - proxy_log:/var/log/nginx
 - ./config/nginx/templates/nginx.conf.template:/etc/nginx/nginx.conf
+ - ./config/nginx/letsencrypt.conf:/etc/nginx/includes/letsencrypt.conf
 - ./config/nginx/templates/proxy.upstream.conf.template:/etc/nginx/templates/proxy.upstream.conf.template:ro
 - ./config/nginx/onlyoffice-proxy.conf:/etc/nginx/conf.d/default.conf
 
@@ -32,3 +34,4 @@ networks:
 
 volumes:
 proxy_log:
+ webroot_path:
diff --git a/build/install/rpm/SPECS/build.spec b/build/install/rpm/SPECS/build.spec
index d76b292db3..bab10ead5f 100644
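Review bot: The nginx container only reads the challenge directory and the include file, yet both new mounts are read-write while the neighbouring template mount is `:ro`; `- webroot_path:/letsencrypt:ro` and `- ./config/nginx/letsencrypt.conf:/etc/nginx/includes/letsencrypt.conf:ro` stop a misbehaving or compromised proxy from writing into the directory certbot's validator serves from or altering its own config. The same two lines in proxy.yml should get the same treatment. The volume compose creates from `webroot_path:` (`<project>_webroot_path`) is the one docspace-ssl-setup inspects and mounts into certbot; a comment on the volume declaration, `# shared with the certbot run in config/docspace-ssl-setup`, makes that coupling visible.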
--- a/build/install/rpm/SPECS/build.spec +++ b/build/install/rpm/SPECS/build.spec @@ -21,8 +21,9 @@ json -I -f %{_builddir}/%{sourcename}/config/apisystem.json -e "this.core.notify sed 's_\(minlevel=\)".*"_\1"Warn"_g' -i %{_builddir}/%{sourcename}/config/nlog.config sed 's/teamlab.info/onlyoffice.com/g' -i %{_builddir}/%{sourcename}/config/autofac.consumers.json -sed -e 's/$router_host/127.0.0.1/g' -e '/proxy_set_header/d' -i %{_builddir}/%{sourcename}/build/install/docker/config/nginx/onlyoffice-proxy*.conf +sed -e 's/$router_host/127.0.0.1/g' -e '/proxy_set_header/d' -e 's|includes|/etc/nginx/includes|g' -i %{_builddir}/%{sourcename}/build/install/docker/config/nginx/onlyoffice-proxy*.conf sed -e '/.pid/d' -e '/temp_path/d' -i %{_builddir}/%{sourcename}/build/install/docker/config/nginx/templates/nginx.conf.template +sed -i "s|\(.*root\).*;|\1 \"/var/www/%{product}";|g" -i %{_builddir}/%{sourcename}/build/install/docker/config/nginx/letsencrypt.conf find %{_builddir}/%{sourcename}/publish/ \ %{_builddir}/%{sourcename}/ASC.Migration.Runner \ diff --git a/build/install/rpm/SPECS/install.spec b/build/install/rpm/SPECS/install.spec index 26a31edda1..2ea3d5f577 100644 --- a/build/install/rpm/SPECS/install.spec +++ b/build/install/rpm/SPECS/install.spec 
@@ -62,5 +62,6 @@ cp -rf %{_builddir}/%{sourcename}/publish/services/ASC.Web.HealthChecks.UI/servi
 cp -rf %{_builddir}/%{sourcename}/publish/services/ASC.Web.Studio/service/* "%{buildroot}%{buildpath}/studio/ASC.Web.Studio/"
 cp -rf %{_builddir}/%{sourcename}/build/install/docker/config/nginx/onlyoffice-proxy.conf "%{buildroot}%{_sysconfdir}/nginx/conf.d/onlyoffice-proxy.conf"
 cp -rf %{_builddir}/%{sourcename}/build/install/docker/config/nginx/onlyoffice-proxy-ssl.conf "%{buildroot}%{_sysconfdir}/nginx/conf.d/onlyoffice-proxy-ssl.conf.template"
+cp -rf %{_builddir}/%{sourcename}/build/install/docker/config/nginx/letsencrypt.conf "%{buildroot}%{_sysconfdir}/nginx/includes/letsencrypt.conf"
 cp -rf %{_builddir}/%{sourcename}/build/install/docker/config/nginx/templates/nginx.conf.template "%{buildroot}%{_sysconfdir}/onlyoffice/%{product}/nginx/nginx.conf.template"
 cp -rf %{_builddir}/%{sourcename}/build/install/common/%{product}-ssl-setup "%{buildroot}%{_bindir}/%{product}-ssl-setup"
diff --git a/build/install/win/build-batch.bat b/build/install/win/build-batch.bat
index 0f723846bf..f87aed8690 100644
--- a/build/install/win/build-batch.bat
+++ b/build/install/win/build-batch.bat
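Review bot: The new `cp -rf ... letsencrypt.conf "%{buildroot}%{_sysconfdir}/nginx/includes/letsencrypt.conf"` requires the includes directory to already exist in the buildroot and the file to be listed in the package's %files section, neither of which is visible in this hunk; without the first the cp fails, and without the second rpmbuild by default rejects the build for an unpackaged file. A `mkdir -p "%{buildroot}%{_sysconfdir}/nginx/includes"` ahead of the cp, or confirmation that an earlier one covers it, settles the first; marking the %files entry `%config(noreplace)` would preserve local edits across upgrades, which is worth considering for a file administrators may tune.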
@@ -41,7 +41,7 @@ REM echo ######## SSL configs ########
 %sed% -i "s/the_host/host/g" build\install\win\Files\nginx\conf\onlyoffice-proxy.conf build\install\win\Files\nginx\conf\onlyoffice-proxy-ssl.conf.tmpl
 %sed% -i "s/the_scheme/scheme/g" build\install\win\Files\nginx\conf\onlyoffice-proxy.conf build\install\win\Files\nginx\conf\onlyoffice-proxy-ssl.conf.tmpl
 %sed% -i "s/ssl_dhparam \/etc\/ssl\/certs\/dhparam.pem;/#ssl_dhparam \/etc\/ssl\/certs\/dhparam.pem;/" build\install\win\Files\nginx\conf\onlyoffice-proxy-ssl.conf.tmpl
-%sed% -i "s/# include includes\/letsencrypt.conf/include includes\/letsencrypt.conf/" build\install\win\Files\nginx\conf\onlyoffice-proxy.conf build\install\win\Files\nginx\conf\onlyoffice-proxy-ssl.conf.tmpl
+%sed% -i "s|\(.*root\).*;|\1 \"{APPDIR}letsencrypt\";|g" -i build\install\win\Files\nginx\conf\includes\letsencrypt.conf
 
 REM echo ######## Delete test and dev configs ########
 del /f /q build\install\win\Files\config\*.test.json
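Review bot: The new `%sed% -i "s|\(.*root\).*;|\1 \"{APPDIR}letsencrypt\";|g" -i build\install\win\Files\nginx\conf\includes\letsencrypt.conf` passes `-i` twice; the second is redundant and should go. It also presumes letsencrypt.conf is already under `build\install\win\Files\nginx\conf\includes\` in the Windows file tree, which this commit does not show being staged there; if it is missing, sed prints an error but the batch build carries on, so confirm the file is copied before this step. The removed un-commenting step is superseded by the include now being unconditional in both proxy confs.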