diff --git a/Dockerfile b/Dockerfile
index 53d8003..69aa45e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ LABEL maintainer="Maksim Stojkovic " \
 org.label-schema.vcs-url="https://github.com/maksimstojkovic/docker-letsencrypt"
 
 # Install tools required
-RUN apk --no-cache add certbot curl
+RUN apk --no-cache add bash certbot curl
 
 # Copy scripts
 WORKDIR /scripts
@@ -14,4 +14,4 @@ COPY ./scripts /scripts
 RUN chmod -R +x /scripts
 
 # Image starting command
-CMD ["/bin/sh", "/scripts/start.sh"]
+CMD ["/bin/bash", "/scripts/start.sh"]
diff --git a/README.md b/README.md
index 8e5b849..5ad5f4a 100644
--- a/README.md
+++ b/README.md
@@ -15,6 +15,7 @@ Automatically generates Let's Encrypt certificates using a lightweight Docker co
 * `LETSENCRYPT_DOMAIN`: Domain to generate SSL cert for. By default the SSL certificate is generated for `DUCKDNS_DOMAIN` (optional)
 * `LETSENCRYPT_WILDCARD`: `true` or `false`, indicating whether the SSL certificate should be for subdomains *only* of `LETSENCRYPT_DOMAIN` (i.e. `*.test.duckdns.org`), or for the main domain *only* (i.e. `test.duckdns.org`) (optional, default: `false`)
 * `LETSENCRYPT_EMAIL`: Email used for certificate renewal notifications (optional)
+* `LETSENCRYPT_CHAIN`: Preferred certificate chain (e.g. `ISRG Root X1`, see [https://letsencrypt.org/certificates](https://letsencrypt.org/certificates/) for more details) (optional)
 * `TESTING`: `true` or `false`, indicating whether a staging SSL certificate should be generated or not (optional, default: `false`)
 * `UID`: User ID to apply to Let's Encrypt files generated (optional, recommended, default: `0` - root)
 * `GID`: Group ID to apply to Let's Encrypt files generated (optional, recommended, default: `0` - root)
diff --git a/scripts/start.sh b/scripts/start.sh
index 0227112..c08df48 100644
--- a/scripts/start.sh
+++ b/scripts/start.sh
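Review bot: `RUN apk --no-cache add bash certbot curl` installs whatever certbot Alpine currently ships, while the accompanying start.sh change now passes `--preferred-chain`, which only exists in newer certbot releases (1.12 or later, if I recall correctly); on an older package the run fails at the certbot call rather than at build time. Consider pinning the package (`apk --no-cache add bash certbot=<PINNED_VERSION> curl`, version to be filled in) or at least adding a comment such as `# certbot must support --preferred-chain (see scripts/start.sh)` so the dependency is visible when the base image is bumped. The switch of `CMD` to `/bin/bash` in the second hunk is consistent with the array syntax introduced in start.sh and needs no change.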
@@ -30,6 +30,12 @@ else
 LETSENCRYPT_WILDCARD="false"
 fi
 
+# Set default preferred chain if no value specified
+if [ -z "$LETSENCRYPT_CHAIN" ]; then
+ "INFO: LETSENCRYPT_CHAIN is unset, using default chain"
+ LETSENCRYPT_CHAIN="default"
+fi
+
 # Set user and group ID's for files
 if [ -z "$UID" ]; then
 echo "INFO: No UID specified, using root UID of 0"
@@ -47,6 +53,7 @@ echo "DUCKDNS_DOMAIN: $DUCKDNS_DOMAIN"
 echo "LETSENCRYPT_DOMAIN: $LETSENCRYPT_DOMAIN"
 echo "LETSENCRYPT_EMAIL: $LETSENCRYPT_EMAIL"
 echo "LETSENCRYPT_WILDCARD: $LETSENCRYPT_WILDCARD"
+echo "LETSENCRYPT_CHAIN: $LETSENCRYPT_CHAIN"
 echo "TESTING: $TESTING"
 echo "UID: $UID"
 echo "GID: $GID"
@@ -57,6 +64,12 @@ else
 EMAIL_PARAM="-m $LETSENCRYPT_EMAIL --no-eff-email"
 fi
 
+if [ "$LETSENCRYPT_CHAIN" = "default" ]; then
+ unset CHAIN_PARAM
+else
+ CHAIN_PARAM=( --preferred-chain "$LETSENCRYPT_CHAIN" )
+fi
+
 if [ "$TESTING" = "true" ]; then
 echo "INFO: Generating staging certificate"
 TEST_PARAM="--test-cert"
@@ -67,14 +80,14 @@ fi
 echo "certbot certonly --manual --preferred-challenges dns \
 --manual-auth-hook /scripts/auth.sh \
 --manual-cleanup-hook /scripts/cleanup.sh \
- $EMAIL_PARAM -d $LETSENCRYPT_DOMAIN \
+ ${CHAIN_PARAM[@]} $EMAIL_PARAM -d $LETSENCRYPT_DOMAIN \
 --agree-tos --manual-public-ip-logging-ok --keep $TEST_PARAM"
 
 # Create certificates
 certbot certonly --manual --preferred-challenges dns \
 --manual-auth-hook /scripts/auth.sh \
 --manual-cleanup-hook /scripts/cleanup.sh \
- $EMAIL_PARAM -d $LETSENCRYPT_DOMAIN \
+ "${CHAIN_PARAM[@]}" $EMAIL_PARAM -d $LETSENCRYPT_DOMAIN \
 --agree-tos --manual-public-ip-logging-ok --keep $TEST_PARAM
 
 chown -R $UID:$GID /etc/letsencrypt
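Review bot: The new line `"INFO: LETSENCRYPT_CHAIN is unset, using default chain"` inside the `if [ -z "$LETSENCRYPT_CHAIN" ]` block is missing its `echo`, so bash tries to run the message text as a command and prints a "command not found" error to stderr instead of the intended log line; if the script runs under `set -e` (not visible in this hunk) it would abort before `LETSENCRYPT_CHAIN="default"` is assigned. Change it to `echo "INFO: LETSENCRYPT_CHAIN is unset, using default chain"`, matching the UID branch directly below.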
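Review bot: In the third hunk, `unset CHAIN_PARAM` followed by `"${CHAIN_PARAM[@]}"` in the certbot call only expands cleanly under `set -u` on bash 4.4 or newer; whether this script enables `set -u` is outside the hunk, and the Dockerfile installs a current Alpine bash, so this is likely fine but deserves a comment. Writing the branch as `CHAIN_PARAM=()` with a comment `# empty array: no --preferred-chain passed, certbot picks its default` states the intent more clearly than `unset`. Note also that `default` is used as a sentinel, so a chain literally named "default" cannot be requested; that is acceptable but worth one line in the README entry.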
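Review bot: In the last hunk the certbot invocation now mixes a properly quoted array, `"${CHAIN_PARAM[@]}"`, with word-split strings (`$EMAIL_PARAM`, `-d $LETSENCRYPT_DOMAIN`, `$TEST_PARAM`); the array was introduced precisely because the chain name contains spaces, and the same failure mode applies to the other values, which also come straight from environment variables. For consistency, build the email option the same way where it is assigned in the previous hunk, `EMAIL_PARAM=( -m "$LETSENCRYPT_EMAIL" --no-eff-email )`, pass it as `"${EMAIL_PARAM[@]}"` here, and quote `-d "$LETSENCRYPT_DOMAIN"`. The logging `echo` above the call expands `${CHAIN_PARAM[@]}` unquoted inside a string, which prints acceptably but does not show argument boundaries; `printf '%q ' certbot ... "${CHAIN_PARAM[@]}" ...` would log the exact argv if that matters for debugging.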