diff --git a/acme_tiny.py b/acme_tiny.py index f9d88f0..d262f06 100644 --- a/acme_tiny.py +++ b/acme_tiny.py @@ -6,8 +6,8 @@ try: except ImportError: # pragma: no cover from urllib2 import urlopen, Request # Python 2 -DEFAULT_CA = "https://LABCA_FQDN" # DEPRECATED! USE DEFAULT_DIRECTORY_URL INSTEAD -DEFAULT_DIRECTORY_URL = "https://LABCA_FQDN/directory" +DEFAULT_CA = "http://boulder:4001" # DEPRECATED! USE DEFAULT_DIRECTORY_URL INSTEAD +DEFAULT_DIRECTORY_URL = "http://boulder:4001/directory" LOGGER = logging.getLogger(__name__) LOGGER.addHandler(logging.StreamHandler()) diff --git a/backup b/backup index 73d64eb..ca2abed 100755 --- a/backup +++ b/backup @@ -10,23 +10,23 @@ fi BASE=${HOSTNAME}_${CRON}${NOW} TMPDIR=/tmp/$BASE mkdir -p $TMPDIR -mkdir -p /home/labca/backup +mkdir -p /backup -cd /home/labca/boulder +cd /boulder docker-compose exec -T bmysql mysqldump boulder_sa_integration >$TMPDIR/boulder_sa_integration.sql -cp -p /home/labca/nginx_data/ssl/*key* /home/labca/nginx_data/ssl/*cert.pem /home/labca/nginx_data/ssl/*.csr $TMPDIR/ +cp -p /etc/nginx/ssl/*key* /etc/nginx/ssl/*cert.pem /etc/nginx/ssl/*.csr $TMPDIR/ -cp -rp /home/labca/admin/data $TMPDIR/ +cp -rp /admin/data $TMPDIR/ cd /tmp -tar czf /home/labca/backup/$BASE.tgz $BASE +tar czf /backup/$BASE.tgz $BASE rm -rf $TMPDIR # housekeeping -find /home/labca/backup -name "*_cron_*.tgz" -mtime +31 -exec rm -rf {} \; +find /backup -name "*_cron_*.tgz" -mtime +31 -exec rm -rf {} \; if [ "$1" != "cron" ]; then - echo /home/labca/backup/$BASE.tgz + echo /backup/$BASE.tgz fi diff --git a/commander b/commander index 85d0d40..a4cf617 100755 --- a/commander +++ b/commander @@ -2,7 +2,7 @@ set -euo pipefail -LOGFILE=/home/labca/logs/commander.log +LOGFILE=/logs/commander.log err_report() { echo "ERROR! On line $1 in commander script" 
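Review bot: The new `DEFAULT_DIRECTORY_URL` talks to the CA over plain `http://`, so the directory, nonces and the issued chain that `renew` writes into `labca_cert.pem` now cross the compose network without transport integrity; that is defensible only because `boulder` is a compose-internal name, and the line should say so. This value is also parsed, not just imported: `commander` extracts it with `grep 'DEFAULT_DIRECTORY_URL ='` followed by two `sed` passes, so the `NAME = "value"` shape of the line is an interface. A comment such as `# Compose-internal, plain HTTP; commander greps this exact line for wait_server` would record both facts for the next maintainer.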
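Review bot: `mkdir -p /backup` and `tar czf /backup/$BASE.tgz` now write into the control container's own filesystem, but as far as the `control` service in `patches/docker-compose.patch` on this page shows, it bind-mounts `/admin`, `/labca`, `/boulder` and the nginx directories and not `/backup`, so every archive (private keys and the database dump included) is presumably lost when the container is recreated. The same applies to `/logs` used by the `commander` hunk (`LOGFILE=/logs/commander.log`), by `mailer` and by `logrotate_d`. Either add `- /home/labca/backup:/backup` and a matching `/logs` mount to the control service, or document that these paths are intentionally ephemeral. Since the archive carries key material, `umask 077` near the top of the script would also keep the staging directory and the tarball readable by root only.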
@@ -38,7 +38,7 @@ function wait_server() { read txt case $txt in "trust-store") - cp /home/labca/nginx_data/ssl/labca_cert.pem /usr/local/share/ca-certificates/labca_cert.crt + cp /etc/nginx/ssl/labca_cert.pem /usr/local/share/ca-certificates/labca_cert.crt cp ~labca/admin/data/root-ca.pem /usr/local/share/ca-certificates/root-ca.crt update-ca-certificates &>>$LOGFILE echo "Waiting for initial startup of the docker containers..." &>>$LOGFILE @@ -47,7 +47,7 @@ case $txt in wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE ;; "docker-restart") - cd /home/labca/boulder + cd /boulder docker-compose stop &>>$LOGFILE wait_down $PS_MYSQL &>>$LOGFILE wait_down $PS_LABCA &>>$LOGFILE 
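Review bot: `cp ~labca/admin/data/root-ca.pem /usr/local/share/ca-certificates/root-ca.crt`, the context line right after the changed `cp`, still resolves through the `labca` home directory, while this commit mounts the admin data at `/admin` inside the control container (`/home/labca/admin:/admin` in the compose patch); inside the container `~labca` presumably does not exist, so the root CA would never reach the trust store. Change it to `cp /admin/data/root-ca.pem /usr/local/share/ca-certificates/root-ca.crt`. The enclosing `case` statement starts before and ends after this hunk.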
@@ -58,41 +58,41 @@ case $txt in wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE ;; "acme-request") - cd /home/labca/nginx_data/ssl + cd /etc/nginx/ssl [ -e account.key ] || openssl genrsa 4096 > account.key [ -e labca_key.pem ] || openssl genrsa 4096 > labca_key.pem san=$(openssl x509 -noout -text -in labca_cert.pem | grep DNS:) openssl req -new -utf8 -sha256 -key labca_key.pem -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=$san")) > domain.csr - url=$(grep 'DEFAULT_DIRECTORY_URL =' /home/labca/acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g') + url=$(grep 'DEFAULT_DIRECTORY_URL =' /acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g') wait_server $url sleep 10 - /home/labca/labca/renew - ln -sf /home/labca/labca/cron_d /etc/cron.d/labca - ln -sf /home/labca/labca/logrotate_d /etc/logrotate.d/labca + /labca/renew + ln -sf /labca/cron_d /etc/cron.d/labca + ln -sf /labca/logrotate_d /etc/logrotate.d/labca ;; "acme-change") read fqdn - cd /home/labca/nginx_data/ssl + cd /etc/nginx/ssl openssl genrsa 4096 > labca_key.pem openssl req -new -utf8 -sha256 -key labca_key.pem -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$fqdn")) > domain.csr - url=$(grep 'DEFAULT_DIRECTORY_URL =' /home/labca/acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g') + url=$(grep 'DEFAULT_DIRECTORY_URL =' /acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g') wait_server $url sleep 10 - /home/labca/labca/renew + /labca/renew ;; "nginx-remove-redirect") - perl -i -p0e 's/\n # BEGIN temporary redirect\n location = \/ \{\n return 302 \/admin\/;\n }\n # END temporary redirect\n//igs' /home/labca/nginx_data/conf.d/labca.conf + perl -i -p0e 's/\n # BEGIN temporary redirect\n location = \/ \{\n return 302 \/admin\/;\n }\n # END temporary redirect\n//igs' /etc/nginx/conf.d/labca.conf ;; "nginx-reload") - cd /home/labca/boulder + cd /boulder docker-compose exec -T nginx nginx -s reload &>>$LOGFILE ;; 
"nginx-restart") - cd /home/labca/boulder + cd /boulder docker-compose restart nginx &>>$LOGFILE ;; "log-cert") - [ -f /home/labca/nginx_data/ssl/acme_tiny.log ] && tail -200 /home/labca/nginx_data/ssl/acme_tiny.log || /bin/true + [ -f /etc/nginx/ssl/acme_tiny.log ] && tail -200 /etc/nginx/ssl/acme_tiny.log || /bin/true exit 0 ;; "log-commander") @@ -100,30 +100,30 @@ case $txt in exit 0 ;; "log-boulder") - cd /home/labca/boulder + cd /boulder docker-compose logs -f --no-color --tail=50 boulder ;; "log-boulder-notail") - cd /home/labca/boulder + cd /boulder docker-compose logs --no-color --tail=50 boulder ;; "log-audit") - cd /home/labca/boulder + cd /boulder docker-compose logs --no-color boulder | grep "\[AUDIT\]" | grep -v "grpc: parseServiceConfig error unmarshaling due to unexpected end of JSON input" | tail -50 docker-compose logs -f --no-color --tail=0 boulder | grep "\[AUDIT\]" ;; "log-activity") - cd /home/labca/boulder + cd /boulder echo "GMT" docker-compose logs --no-color boulder | grep "\[AUDIT\]" | grep -v "grpc: parseServiceConfig error unmarshaling due to unexpected end of JSON input" | tail -15 exit 0 ;; "log-labca") - cd /home/labca/boulder + cd /boulder docker-compose logs -f --no-color --tail=50 labca ;; "log-labca-notail") - cd /home/labca/boulder + cd /boulder docker-compose logs --no-color --tail=50 labca ;; "log-labca-err") 
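Review bot: `url=$(grep 'DEFAULT_DIRECTORY_URL =' /acme_tiny.py | ...)` in both the `acme-request` and `acme-change` branches reads `acme_tiny.py` from the filesystem root, but the file lives in the repository mounted at `/labca` (the `renew` script in this same commit runs `python3 /labca/acme_tiny.py`), so under `set -euo pipefail` the grep presumably fails and both branches abort before `wait_server`. Change both lines to `url=$(grep 'DEFAULT_DIRECTORY_URL =' /labca/acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g')`. Because `control.sh` pipes `acme-request` into this script at container start, the wrong path would also stop the control service before it begins serving. The enclosing `case` statement continues past this hunk.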
@@ -131,16 +131,15 @@ case $txt in exit 0 ;; "log-web") - cd /home/labca/boulder + cd /boulder docker-compose logs -f --no-color --tail=50 nginx ;; "log-components") - timezone=$(cat /etc/timezone) - nginx=$(ps -eo lstart,args | grep nginx | grep master | grep -v grep | cut -c 5-24) - svc=$(ps -eo lstart,args | grep tcpserver | grep sudo | grep -v grep | cut -c 5-24) - boulder=$(ps -eo lstart,args | grep bin/boulder-wfe2 | grep -v grep | cut -c 5-24) - labca=$(ps -eo lstart,args | grep bin/labca | grep -v grep | head -1 | cut -c 5-24) - echo "$timezone|$nginx|$svc|$boulder|$labca" + nginx=$(docker ps --format "{{.CreatedAt}}|{{.Names}}" | grep _nginx_ | grep -v grep | cut -d "|" -f1) + svc=$(docker ps --format "{{.CreatedAt}}|{{.Names}}" | grep _control_ | grep -v grep | cut -d "|" -f1) + boulder=$(docker ps --format "{{.CreatedAt}}|{{.Names}}" | grep _boulder_ | grep -v grep | cut -d "|" -f1) + labca=$(docker ps --format "{{.CreatedAt}}|{{.Names}}" | grep _labca_ | grep -v grep | cut -d "|" -f1) + echo "$nginx|$svc|$boulder|$labca" exit 0 ;; "log-stats") 
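Review bot: In `log-components`, `grep _nginx_` (and the `_control_`, `_boulder_`, `_labca_` variants) is a substring match over every container name, so a second container whose name contains the pattern would yield two `CreatedAt` lines and break the single `|`-separated line that `_parseComponents` splits on; `grep -v grep` is also a leftover from the old `ps` pipeline and now filters nothing. Letting docker do the selection keeps each field to one value, e.g. `nginx=$(docker ps --filter "name=_nginx_" --format "{{.CreatedAt}}" | head -1)`, and the same for the other three. A short comment that the timezone field was dropped on purpose, matching the `time.Parse` change in `gui/dashboard.go`, would help whoever reads this protocol next.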
@@ -156,30 +155,30 @@ case $txt in "revoke-cert") read serial read reasonCode - cd /home/labca/boulder + cd /boulder docker-compose exec -T boulder bin/admin-revoker serial-revoke --config labca/config/admin-revoker.json $serial $reasonCode 2>&1 ;; "test-email") read recipient - cd /home/labca/boulder + cd /boulder docker-compose exec -T boulder bin/mail-tester --config labca/config/expiration-mailer.json $recipient 2>&1 ;; "boulder-start") - cd /home/labca/boulder + cd /boulder COMPOSE_HTTP_TIMEOUT=120 docker-compose up -d bmysql COMPOSE_HTTP_TIMEOUT=120 docker-compose up -d boulder wait_up $PS_MYSQL &>>$LOGFILE wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE ;; "boulder-stop") - cd /home/labca/boulder + cd /boulder docker-compose stop boulder docker-compose stop bmysql wait_down $PS_MYSQL &>>$LOGFILE wait_down $PS_BOULDER &>>$LOGFILE ;; "boulder-restart") - cd /home/labca/boulder + cd /boulder docker-compose stop boulder docker-compose stop bmysql wait_down $PS_MYSQL &>>$LOGFILE @@ -190,33 +189,33 @@ case $txt in wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE ;; "labca-restart") - cd /home/labca/boulder + cd /boulder docker-compose stop labca wait_down $PS_LABCA &>>$LOGFILE COMPOSE_HTTP_TIMEOUT=120 docker-compose up -d labca wait_up $PS_LABCA &>>$LOGFILE ;; "svc-restart") - service labca stop - wait_down $PS_SERVICE &>>$LOGFILE - service labca start - wait_up $PS_SERVICE &>>$LOGFILE + cd /boulder + set +e + docker-compose restart control + set -e ;; "log-backups") - ls -1tr /home/labca/backup || /bin/true + ls -1tr /backup || /bin/true exit 0 ;; "log-server-backup") - /home/labca/labca/backup + /labca/backup exit 0 ;; "backup-delete") read backup - rm -f /home/labca/backup/$backup + rm -f /backup/$backup ;; "backup-restore") read backup - /home/labca/labca/restore $backup + /labca/restore $backup ;; "server-restart") reboot 
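Review bot: `rm -f /backup/$backup` in `backup-delete`, and `/labca/restore $backup` right below it, use the name read from the socket unquoted and without confining it to a file inside `/backup`; a guard before the `rm` such as `[[ -n "$backup" && "$backup" != */* ]] || exit 1` together with quoting `"/backup/$backup"` keeps both operations inside the backup directory (the `FILE=/backup/$1` line in the `restore` hunk has the same gap). In `svc-restart`, `docker-compose restart control` restarts the very container this script runs in, so the command presumably never returns a reply to the client; the `set +e`/`set -e` pair suggests that is expected and deserves a comment saying so, e.g. `# restarts our own container; this branch does not return`. The enclosing `case` statement starts before and ends after this hunk.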
@@ -228,9 +227,9 @@ case $txt in cd $dn branch="$(git symbolic-ref --short HEAD 2>/dev/null)" || branch="(none)" if [ "$branch" == "master" ] || [ "$branch" == "main" ] || [ "$branch" == "(none)" ]; then - nohup /home/labca/labca/install &>>$LOGFILE + nohup /labca/install &>>$LOGFILE else - nohup /home/labca/labca/install -b $branch &>>$LOGFILE + nohup /labca/install -b $branch &>>$LOGFILE fi ;; *) diff --git a/control.sh b/control.sh new file mode 100755 index 0000000..33d879a --- /dev/null +++ b/control.sh 
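Review bot: `nohup /labca/install &>>$LOGFILE` now runs the installer inside the control container, yet the `install` hunks in this same commit still manage host state (`update-rc.d labca disable`, removing `/etc/init.d/labca`, `/etc/cron.d/labca` and `/etc/logrotate.d/labca`) and call `docker-compose up -d`; from inside the container those presumably act on the container filesystem rather than the host. Either this branch is meant to be executed on the host, or a comment should state which parts of `install` are safe to run in the container. Note also that `nohup` without a trailing `&` runs in the foreground, so the client connection stays open for the whole install. The enclosing `case` statement starts before this hunk.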
@@ -0,0 +1,93 @@ +#!/bin/bash + +set -e + +get_fqdn() { + local file_fqdn="" + if [ -e /admin/data/config.json ]; then + file_fqdn=$(grep fqdn /admin/data/config.json 2>/dev/null | cut -d ":" -f 2- | tr -d " \",") + fi + if [ "$file_fqdn" == "" ]; then + if [ "$LABCA_FQDN" == "notset" ]; then + echo "ERROR: environment variable LABCA_FQDN is not set!" + exit 1 + else + echo -e "{\n \"config\": {\n \"complete\": false\n },\n \"labca\": {\n \"fqdn\": \"$LABCA_FQDN\"\n },\n \"version\": \"\"\n}" > /admin/data/config.json + fi + elif [ "$LABCA_FQDN" != "notset" ] && [ "$LABCA_FQDN" != "$file_fqdn" ]; then + echo "WARNING: environment variable LABCA_FQDN ('$LABCA_FQDN') does not match config file. Using '$file_fqdn'..." + export LABCA_FQDN=$file_fqdn + fi +} + +# TODO: install docker should be done in pre-baked image +install_docker() { + apt update + apt install -y apt-transport-https ca-certificates curl software-properties-common + curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - + add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable" + apt install -y docker-ce + + dockerComposeVersion="1.28.5" + local dcver="" + [ -x /usr/local/bin/docker-compose ] && dcver="`/usr/local/bin/docker-compose --version`" + local vercmp=${dcver/$dockerComposeVersion/} + if [ "$dcver" == "" ] || [ "$dcver" == "$vercmp" ]; then + curl -sSL https://github.com/docker/compose/releases/download/$dockerComposeVersion/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose + chmod +x /usr/local/bin/docker-compose + fi +} + +selfsigned_cert() { + pushd /etc/nginx/ssl >/dev/null + openssl req -x509 -nodes -sha256 -newkey rsa:2048 -keyout labca_key.pem -out labca_cert.pem -days 7 \ + -subj "/O=LabCA/CN=$LABCA_FQDN" -reqexts SAN -extensions SAN \ + -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nbasicConstraints=CA:FALSE\nnsCertType=server\nsubjectAltName=DNS:$LABCA_FQDN")) + popd >/dev/null +} + +renew_near_expiry() { 
+ pushd /etc/nginx/ssl >/dev/null + if ! expires=$(openssl x509 -checkend 86400 -noout -in /etc/nginx/ssl/labca_cert.pem); then + hash=$(openssl x509 -hash -noout -in /etc/nginx/ssl/labca_cert.pem) + issuer_hash=$(openssl x509 -issuer_hash -noout -in /etc/nginx/ssl/labca_cert.pem) + if [ "$hash" == "$issuer_hash" ]; then + selfsigned_cert + else + echo "acme-request" | /labca/commander + fi + fi + popd >/dev/null +} + +# TODO: install cron should be done in pre-baked image +start_cron() { + apt update + apt install -y cron + service cron start +} + +# TODO: install ucspi-tcp should be done in pre-baked image +serve_commander() { + apt update + apt install -y ucspi-tcp + echo "Start serving commander script..." + tcpserver 0.0.0.0 3030 /labca/commander +} + +main() { + get_fqdn + + docker ps >/dev/null || install_docker + + [ -e /etc/nginx/ssl/labca_cert.pem ] || selfsigned_cert + renew_near_expiry + + mkdir -p /logs + + start_cron + + serve_commander +} + +main "$@" diff --git a/cron_d b/cron_d index f8f281e..8170f16 100644 --- a/cron_d +++ b/cron_d @@ -2,6 +2,6 @@ SHELL=/bin/bash PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin -1 6 * * Mon root /home/labca/labca/backup cron -1 7 * * * root /home/labca/labca/mailer -5 7 * * * root /home/labca/labca/smartrenew +1 6 * * Mon root /labca/backup cron +1 7 * * * root /labca/mailer +5 7 * * * root /labca/smartrenew diff --git a/gui/dashboard.go b/gui/dashboard.go index 47fd3e5..5b1406b 100644 --- a/gui/dashboard.go +++ b/gui/dashboard.go @@ -122,6 +122,9 @@ func _parseActivity(data string) []Activity { lines := strings.Split(data, "\n") + if lines[0] == "/UTC" { + lines[0] = "Etc/UTC" + } loc, err := time.LoadLocation(lines[0]) if err != nil { log.Printf("Could not determine location: %s\n", err) 
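Review bot: `serve_commander` binds the unauthenticated commander on `0.0.0.0:3030` inside a container that also mounts `/var/run/docker.sock` (see the `control` service in the compose patch), so any peer on the compose network that can reach `control:3030` can drive docker on the host through `commander`; that trust boundary should be stated in a header comment, and narrowing the socket through a proxy that admits only the API calls `docker-compose` needs would reduce the blast radius. `install_docker` downloads the `docker-compose` binary without any checksum or signature check and installs it executable, and `start_cron`/`serve_commander` run `apt update`/`apt install` on every container start under `set -e`, so a transient mirror failure stops the service (the TODOs already say these belong in a pre-baked image). `renew_near_expiry` pipes `acme-request` into `/labca/commander`, also under `set -e`, so any failure in that path ends the container before `serve_commander` runs; consider isolating it with `|| echo "WARNING: ACME renewal failed"`. `expires` is assigned in `renew_near_expiry` but never read; `if ! openssl x509 -checkend 86400 -noout -in /etc/nginx/ssl/labca_cert.pem; then` says the same thing.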
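Review bot: The `"/UTC"` → `"Etc/UTC"` special case is written out again in `_parseStats` (hunk `@@ -226`), and neither copy says where the leading-slash spelling comes from; factor it into one helper used by both `time.LoadLocation` calls and document the origin there (hedged below, since the producer of this value is not on this page). `_parseActivity` continues past this hunk.
```go
// fixLocationName maps the "/UTC" spelling seen in the first field to the
// "Etc/UTC" name time.LoadLocation accepts; other values pass through.
// TODO(review): confirm which producer emits "/UTC" and fix it at the source.
func fixLocationName(name string) string {
	if name == "/UTC" {
		return "Etc/UTC"
	}
	return name
}
// … unchanged: _parseActivity up to the Split …
	loc, err := time.LoadLocation(fixLocationName(lines[0]))
```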
@@ -155,13 +158,7 @@ func _parseComponents(data string) []Component { parts := strings.Split(data, "|") - loc, err := time.LoadLocation(parts[0]) - if err != nil { - log.Printf("Could not determine location: %s\n", err) - loc = time.Local - } - - nginx, err := time.ParseInLocation("Jan _2 15:04:05 2006", parts[1], loc) + nginx, err := time.Parse("2006-01-02 15:04:05 -0700 MST", parts[0]) nginxReal := "" nginxNice := "stopped" nginxClass := "error" @@ -171,7 +168,7 @@ func _parseComponents(data string) []Component { nginxClass = "" } - svc, err := time.ParseInLocation("Jan _2 15:04:05 2006", parts[2], loc) + svc, err := time.Parse("2006-01-02 15:04:05 -0700 MST", parts[1]) svcReal := "" svcNice := "stopped" svcClass := "error" @@ -181,7 +178,7 @@ func _parseComponents(data string) []Component { svcClass = "" } - boulder, err := time.ParseInLocation("Jan _2 15:04:05 2006", parts[3], loc) + boulder, err := time.Parse("2006-01-02 15:04:05 -0700 MST", parts[2]) boulderReal := "" boulderNice := "stopped" boulderClass := "error" @@ -191,7 +188,7 @@ func _parseComponents(data string) []Component { boulderClass = "" } - labca, err := time.ParseInLocation("Jan _2 15:04:05 2006", parts[4], loc) + labca, err := time.Parse("2006-01-02 15:04:05 -0700 MST", parts[3]) labcaReal := "" labcaNice := "stopped" labcaClass := "error" @@ -226,6 +223,9 @@ func _parseStats(data string) []Stat { parts := strings.Split(data, "|") + if parts[0] == "/UTC" { + parts[0] = "Etc/UTC" + } loc, err := time.LoadLocation(parts[0]) if err != nil { log.Printf("Could not determine location: %s\n", err) diff --git a/gui/main.go b/gui/main.go index 3d81fc8..4fa5fb0 100644 --- a/gui/main.go +++ b/gui/main.go 
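Review bot: `parts[0]` through `parts[3]` are indexed with no length check; `strings.Split` of an empty response returns a one-element slice, so an empty or failed read from the control service panics in the handler instead of rendering the components as `stopped`. Add a guard right after the `Split`, e.g. `if len(parts) < 4 { parts = append(parts, make([]string, 4-len(parts))...) }`, so every field falls through to the existing parse-error path. The same indexing appears in hunks `@@ -171`, `@@ -181` and `@@ -191`. `_parseComponents` starts before and ends after this hunk, so the `err` checks that presumably follow each `time.Parse` are not visible here.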
@@ -1207,13 +1207,7 @@ func logsHandler(w http.ResponseWriter, r *http.Request) { } func getLog(w http.ResponseWriter, r *http.Request, logType string) string { - ip, err := _discoverGateway() - if err != nil { - errorHandler(w, r, err, http.StatusInternalServerError) - return "" - } - - conn, err := net.Dial("tcp", ip.String()+":3030") + conn, err := net.Dial("tcp", "control:3030") if err != nil { errorHandler(w, r, err, http.StatusInternalServerError) return "" @@ -1245,13 +1239,7 @@ func wsErrorHandler(err error) { } func showLog(ws *websocket.Conn, logType string) { - ip, err := _discoverGateway() - if err != nil { - wsErrorHandler(err) - return - } - - conn, err := net.Dial("tcp", ip.String()+":3030") + conn, err := net.Dial("tcp", "control:3030") if err != nil { wsErrorHandler(err) return @@ -1482,31 +1470,8 @@ func _parseLinuxIPRouteShow(output []byte) (net.IP, error) { return nil, errors.New("no gateway found") } -func _discoverGateway() (net.IP, error) { - if isDev { - ip := net.ParseIP("127.0.0.1") - if ip != nil { - return ip, nil - } - } - - routeCmd := exec.Command("ip", "route", "show") - output, err := routeCmd.CombinedOutput() - if err != nil { - return nil, err - } - - return _parseLinuxIPRouteShow(output) -} - func _hostCommand(w http.ResponseWriter, r *http.Request, command string, params ...string) bool { - ip, err := _discoverGateway() - if err != nil { - errorHandler(w, r, err, http.StatusInternalServerError) - return false - } - - conn, err := net.Dial("tcp", ip.String()+":3030") + conn, err := net.Dial("tcp", "control:3030") if err != nil { errorHandler(w, r, err, http.StatusInternalServerError) return false diff --git a/install b/install index 1e69df2..758e150 100755 --- a/install +++ b/install 
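Review bot: The literal `"control:3030"` is repeated in `getLog`, `showLog` (hunk `@@ -1245`) and `_hostCommand` (hunk `@@ -1482`); hoist it to a single `const controlAddr = "control:3030"` so the service name and port live in one place. Each `net.Dial` is also unbounded, so a wedged control container hangs the HTTP handler and the websocket; `net.DialTimeout("tcp", controlAddr, 10*time.Second)` (if `time` is imported here, as it is in `dashboard.go`) gives the caller a failure to report. The removed `isDev` branch used to dial `127.0.0.1`, so development runs now depend on resolving `control`; a comment or a note in the commit description would save the next developer a surprise.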
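Review bot: With `_discoverGateway` deleted, `_parseLinuxIPRouteShow` (its `return nil, errors.New("no gateway found")` is still context above the deletion) appears to have no remaining caller on this page, and the `exec` package used by the removed `exec.Command("ip", "route", "show")` may now be an unused import, which Go rejects at compile time. If nothing outside this diff references them, remove `_parseLinuxIPRouteShow` and the `os/exec` import in the same commit; otherwise a one-line comment on the helper saying who still uses it would prevent the next cleanup from guessing.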
@@ -369,6 +369,9 @@ copy_admin() { chown -R labca:labca $baseDir chown root:root "$cloneDir/cron_d" + [ -e /etc/cron.d/labca ] && rm /etc/cron.d/labca || true + [ -e /etc/logrotate.d/labca ] && rm /etc/logrotate.d/labca || true + git add --all &>/dev/null || true git commit --all --quiet -m "LabCA after update $runId" &>>$installLog || true @@ -746,15 +749,12 @@ startup() { for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6; do [ -z "$(docker ps -a | grep -e "$ct\$")" ] || docker rm -f $ct &>>$installLog done - COMPOSE_HTTP_TIMEOUT=120 docker-compose up -d &>>$installLog - [ -h "/etc/init.d/labca" ] || ln -s "$cloneDir/init_d" /etc/init.d/labca - update-rc.d labca defaults &>>$installLog - update-rc.d labca enable &>>$installLog service labca stop &>>$installLog || true - wait_down $PS_SERVICE &>>$installLog - service labca start &>>$installLog - wait_up $PS_SERVICE &>>$installLog + update-rc.d labca disable &>>$installLog || true + [ -e "/etc/init.d/labca" ] && rm /etc/init.d/labca || true + + COMPOSE_HTTP_TIMEOUT=120 docker-compose up -d &>>$installLog wait_up $PS_MYSQL &>>$installLog wait_up $PS_LABCA &>>$installLog diff --git a/logrotate_d b/logrotate_d index 978c567..a3fb0af 100644 --- a/logrotate_d +++ b/logrotate_d @@ -1,5 +1,5 @@ -/home/labca/nginx_data/ssl/*.log -/home/labca/logs/cron-*.log +/etc/nginx/ssl/*.log +/logs/cron-*.log { rotate 4 monthly diff --git a/mailer b/mailer index d0a8c08..138f9af 100755 --- a/mailer +++ b/mailer @@ -3,7 +3,7 @@ set -e TODAY=`date '+%Y_%m_%d'` -LOGFILE=/home/labca/logs/cron-mailer.log +LOGFILE=/logs/cron-mailer.log echo $TODAY >>$LOGFILE cd /home/labca/boulder diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index 394c9c3..c19067c 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch @@ -1,5 +1,5 @@ 
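Review bot: `[ -e /etc/cron.d/labca ] && rm /etc/cron.d/labca || true` (and the logrotate line below it) is false for a dangling symlink, because `-e` follows the link, so a stale entry whose target has moved is kept; the old `commander` created both entries with `ln -sf`, which is exactly the case this cleanup is for. `rm -f /etc/cron.d/labca /etc/logrotate.d/labca` removes regular files and links alike and never fails on absence. `copy_admin` starts before and continues after this hunk.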
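Review bot: After `rm /etc/init.d/labca` the `rc*.d` links created by the old `update-rc.d labca defaults` are left behind, since `update-rc.d labca disable` only turns them into stop links; add `update-rc.d labca remove &>>$installLog || true` after the `rm` so the host carries no trace of the retired service. `[ -e "/etc/init.d/labca" ]` is also false for a dangling symlink (the old code created it with `ln -s`), so plain `rm -f /etc/init.d/labca` is the safer form. Dropping `wait_down $PS_SERVICE` means the old host `tcpserver` may still be exiting when `docker-compose up -d` starts; that is presumably harmless because the new `control` service only `expose`s 3030 on the compose network, but a comment saying so would help. `startup` starts before and continues after this hunk.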
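Review bot: `cd /home/labca/boulder` on the context line after the changed `LOGFILE` still uses the host path; `cron_d` in this commit now runs `/labca/mailer`, presumably inside the control container where the repository is mounted at `/boulder`, so under `set -e` the script exits right after appending the date to the log. Change it to `cd /boulder`, as `backup`, `renew` and `restore` do in this same commit.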
diff --git a/docker-compose.yml b/docker-compose.yml -index b7e5656c5..51393c181 100644 +index b7e5656c5..3b82e8651 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -8,7 +8,7 @@ services: @@ -50,7 +50,7 @@ index b7e5656c5..51393c181 100644 networks: bluenet: aliases: -@@ -56,21 +65,51 @@ services: +@@ -56,21 +65,71 @@ services: # small. command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON logging: @@ -64,20 +64,14 @@ index b7e5656c5..51393c181 100644 - netaccess: + labca: - image: *boulder_image -- environment: -- GO111MODULE: "on" -- GOFLAGS: -mod=vendor -- BOULDER_CONFIG_DIR: test/config - networks: - - bluenet - volumes: ++ image: *boulder_image ++ networks: ++ - bluenet ++ volumes: + - /home/labca/admin:/go/src/labca + - ./.gocache:/root/.cache/go-build + - /home/labca/nginx_data/static:/wwwstatic - - .:/boulder -- working_dir: *boulder_working_dir -- entrypoint: test/entrypoint-netaccess.sh ++ - .:/boulder + - /home/labca/boulder_labca:/boulder/labca + expose: + - 3000 @@ -105,6 +99,32 @@ index b7e5656c5..51393c181 100644 + - /home/labca/nginx_data/ssl:/etc/nginx/ssl + - /home/labca/nginx_data/static:/var/www/html + ++ control: + image: *boulder_image +- environment: +- GO111MODULE: "on" +- GOFLAGS: -mod=vendor +- BOULDER_CONFIG_DIR: test/config + networks: + - bluenet + volumes: ++ - /var/run/docker.sock:/var/run/docker.sock ++ - /home/labca/admin:/admin ++ - /home/labca/labca:/labca + - .:/boulder +- working_dir: *boulder_working_dir +- entrypoint: test/entrypoint-netaccess.sh ++ - /home/labca/boulder_labca:/boulder/labca ++ - /home/labca/nginx_data/conf.d:/etc/nginx/conf.d ++ - /home/labca/nginx_data/ssl:/etc/nginx/ssl ++ - /home/labca/nginx_data/static:/var/www/html ++ expose: ++ - 3030 ++ environment: ++ LABCA_FQDN: ${LABCA_FQDN:-notset} ++ working_dir: /labca ++ command: ./control.sh ++ +volumes: + dbdata: diff --git a/renew b/renew index 2b3f184..9123eab 100755 --- a/renew +++ b/renew 
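Review bot: The new `control` service mounts `/var/run/docker.sock` and runs `./control.sh`, which serves the unauthenticated `commander` on port 3030; a writable docker socket is equivalent to root on the host, so that mount plus `expose: - 3030` defines the whole trust boundary of the deployment and should carry a comment saying so (a `:ro` suffix would not restrict the API, only the socket file). If the socket cannot be avoided, placing a socket proxy between `control` and the daemon that allows only the endpoints `docker-compose` needs is the usual mitigation. `LABCA_FQDN: ${LABCA_FQDN:-notset}` relies on `control.sh` treating the literal `notset` as a sentinel; a one-line comment next to it, `# "notset" is interpreted by control.sh as "not configured"`, ties the two files together.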
@@ -2,10 +2,10 @@ set -e -cd /home/labca/nginx_data/ssl +cd /etc/nginx/ssl date >> acme_tiny.log -python ~labca/acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/labca/nginx_data/static/.well-known/acme-challenge/ > domain_chain.crt 2>> acme_tiny.log || exit 1 +python3 /labca/acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/html/.well-known/acme-challenge/ > domain_chain.crt 2>> acme_tiny.log || exit 1 mv domain_chain.crt labca_cert.pem -cd /home/labca/boulder +cd /boulder docker-compose restart nginx diff --git a/restore b/restore index ffd9e07..96656f3 100755 --- a/restore +++ b/restore @@ -2,7 +2,7 @@ set -e -FILE=/home/labca/backup/$1 +FILE=/backup/$1 [ "$1" != "" ] || (echo "You must provide a backup file name to restore"; exit 1) [ -f $FILE ] || (echo "Backup file '$FILE' not found"; exit 1) @@ -13,11 +13,11 @@ TMPDIR=/tmp/$BASE cd /tmp tar xzf $FILE -cd /home/labca/boulder +cd /boulder docker-compose exec -T bmysql mysql boulder_sa_integration <$TMPDIR/boulder_sa_integration.sql -mv -f $TMPDIR/*key* $TMPDIR/*cert.pem $TMPDIR/*.csr /home/labca/nginx_data/ssl/ +mv -f $TMPDIR/*key* $TMPDIR/*cert.pem $TMPDIR/*.csr /etc/nginx/ssl/ -rm -rf /home/labca/admin/data && mv $TMPDIR/data /home/labca/admin/ +rm -rf /admin/data && mv $TMPDIR/data /admin/ rm -rf $TMPDIR diff --git a/smartrenew b/smartrenew index 6a04ec9..cdbee9b 100755 --- a/smartrenew +++ b/smartrenew 
@@ -5,10 +5,10 @@ set -e RENEW=30 TODAY=`date '+%Y_%m_%d'` -echo $TODAY >> /home/labca/nginx_data/ssl/cron.log +echo $TODAY >> /etc/nginx/ssl/cron.log -if ! expires=`openssl x509 -checkend $[ 86400 * $RENEW ] -noout -in /home/labca/nginx_data/ssl/labca_cert.pem`; then - echo " renewing!" >> /home/labca/nginx_data/ssl/cron.log - cp /home/labca/nginx_data/ssl/labca_cert.pem /home/labca/nginx_data/ssl/labca_cert_$TODAY.pem - ~labca/labca/renew +if ! expires=`openssl x509 -checkend $[ 86400 * $RENEW ] -noout -in /etc/nginx/ssl/labca_cert.pem`; then + echo " renewing!" >> /etc/nginx/ssl/cron.log + cp /etc/nginx/ssl/labca_cert.pem /etc/nginx/ssl/labca_cert_$TODAY.pem + /labca/renew fi
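Review bot: `expires=` in the `if ! expires=\`openssl x509 -checkend $[ 86400 * $RENEW ] ...\`` line is assigned but never read, and `$[ ... ]` plus backticks are the legacy forms; `if ! openssl x509 -checkend $((86400 * RENEW)) -noout -in /etc/nginx/ssl/labca_cert.pem; then` says the same thing in current bash. The `cp` keeps a dated copy of each replaced certificate in `/etc/nginx/ssl` indefinitely and nothing on this page prunes them; a comment stating that retention is intentional, or a `find ... -mtime` line like the one in `backup`, would make the policy explicit.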