diff --git a/config/.env.sample b/config/.env.sample
index 8b5f225..1a32ecb 100644
--- a/config/.env.sample
+++ b/config/.env.sample
@@ -2,13 +2,13 @@ SSH_PASSWD=
 # Domain to server directly, with Let's Encrypt certificates
-DOMAIN_LE=le.openfreemap.org
+DOMAIN_LE=test.openfreemap.org
 # Let's Encrypt account email
-LE_EMAIL=user@example.com
+LE_EMAIL=
 # Domain via CloudFlare, using origin certificates
-# Please put cf.key and cf.cert files in config/certs
+# Please put ofm_cf.key and ofm_cf.cert files in config/certs
 DOMAIN_CF=tiles.openfreemap.org
 # Skip the full planet download, useful for testing (true/false)
diff --git a/init-server.py b/init-server.py
index 2abdec8..4292fb1 100755
--- a/init-server.py
+++ b/init-server.py
@@ -109,10 +109,15 @@ def upload_http_host_config(c):
 if domain_cf:
 if (
- not (CONFIG_DIR / 'certs' / 'cf.key').exists()
- or not (CONFIG_DIR / 'certs' / 'cf.cert').exists()
+ not (CONFIG_DIR / 'certs' / 'ofm_cf.key').exists()
+ or not (CONFIG_DIR / 'certs' / 'ofm_cf.cert').exists()
 ):
- sys.exit('When using DOMAIN_CF, please put cf.key and cf.cert files in config/certs')
+ sys.exit(
+ 'When using DOMAIN_CF, please put ofm_cf.key and ofm_cf.cert files in config/certs'
+ )
+
+ if domain_le and not le_email:
+ sys.exit('Please add your email to LE_EMAIL when using DOMAIN_LE')
 host_config = {
 'domain_le': domain_le,
diff --git a/scripts/http_host/http_host_lib/nginx.py b/scripts/http_host/http_host_lib/nginx.py
index 69d55bc..46484cb 100644
--- a/scripts/http_host/http_host_lib/nginx.py
+++ b/scripts/http_host/http_host_lib/nginx.py
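Review bot: The new `ofm_cf.key` / `ofm_cf.cert` checks in init-server.py still use `.exists()`, whereas the matching check this commit rewrites in scripts/http_host/http_host_lib/nginx.py switches to `.is_file()`, so a directory or other non-regular entry under config/certs passes here and only fails later on the host. Using `.is_file()` on both lines keeps the two gates consistent: `not (CONFIG_DIR / 'certs' / 'ofm_cf.key').is_file()` and `or not (CONFIG_DIR / 'certs' / 'ofm_cf.cert').is_file()`. `upload_http_host_config` starts and ends outside the hunk.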
@@ -21,8 +21,8 @@ def write_nginx_config():
 # processing Cloudflare config
 if domain_cf:
- if not (CERTS_DIR / 'cf.cert').exists() or not (CERTS_DIR / 'cf.key').exists():
- sys.exit('cf.cert or cf.key missing')
+ if not (CERTS_DIR / 'ofm_cf.cert').is_file() or not (CERTS_DIR / 'ofm_cf.key').is_file():
+ sys.exit('ofm_cf.cert or ofm_cf.key missing')
 curl_text_mix += create_nginx_conf(
 template_path=NGINX_DIR / 'cf.conf',
@@ -32,10 +32,10 @@ def write_nginx_config():
 # processing Let's Encrypt config
 if domain_le:
- le_cert = CERTS_DIR / 'le.cert'
- le_key = CERTS_DIR / 'le.key'
+ le_cert = CERTS_DIR / 'ofm_le.cert'
+ le_key = CERTS_DIR / 'ofm_le.key'
- if not (CERTS_DIR / 'le.cert').exists() or not (CERTS_DIR / 'le.key').exists():
+ if not le_cert.is_file() or not le_key.is_file():
 shutil.copyfile(Path('/etc/nginx/ssl/dummy.crt'), le_cert)
 shutil.copyfile(Path('/etc/nginx/ssl/dummy.key'), le_key)
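Review bot: `le_cert.is_file()` / `le_key.is_file()` follow symlinks, and later in this same function the two files are replaced by symlinks into /etc/letsencrypt, so if that target is ever removed the dangling link is reported as missing and `shutil.copyfile` then opens the link's target for writing instead of replacing the link — presumably a FileNotFoundError, or the dummy cert landing under /etc/letsencrypt. Clearing any stale entry before copying avoids this: `le_cert.unlink(missing_ok=True)` and `le_key.unlink(missing_ok=True)` ahead of the two `shutil.copyfile` calls (`missing_ok` needs Python 3.8+; otherwise guard with `is_symlink()`). The previous `.exists()` check had the same behaviour, so this is pre-existing rather than introduced by the rename. `write_nginx_config` starts and ends outside the hunk.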
@@ -50,26 +50,33 @@ def write_nginx_config():
 subprocess.run(
 [
- 'lego',
- '--accept-tos',
- '--email',
+ 'certbot',
+ 'certonly',
+ '--webroot',
+ '--webroot-path=/data/nginx/acme-challenges',
+ '--noninteractive',
+ '-m',
 HOST_CONFIG['le_email'],
- '--http',
- '--http.webroot=/data/nginx/acme-challenges/',
- '--domains',
+ '--agree-tos',
+ '--cert-name=ofm_le',
+ '--deploy-hook',
+ 'nginx -t && service nginx reload',
+ '-d',
 domain_le,
- '--http-timeout=30',
- '--path=/data/nginx/lego/',
- 'run',
 ],
 check=True,
 )
- # link lego certs to nginx dir
+ # link certs to nginx dir
 le_cert.unlink()
 le_key.unlink()
- le_cert.symlink_to(Path(f'/data/nginx/lego/certificates/{domain_le}.crt'))
- le_key.symlink_to(Path(f'/data/nginx/lego/certificates/{domain_le}.key'))
+
+ etc_cert = Path('/etc/letsencrypt/live/ofm_le/fullchain.pem')
+ etc_key = Path('/etc/letsencrypt/live/ofm_le/privkey.pem')
+ assert etc_cert.is_file()
+ assert etc_key.is_file()
+ le_cert.symlink_to(etc_cert)
+ le_key.symlink_to(etc_key)
 subprocess.run(['nginx', '-t'], check=True)
 subprocess.run(['systemctl', 'reload', 'nginx'], check=True)
@@ -189,7 +196,7 @@ def create_latest_locations() -> str:
 run_dir = DEFAULT_RUNS_DIR / area / version
 tilejson_path = run_dir / 'tilejson-tiles-org.json'
- assert tilejson_path.exists()
+ assert tilejson_path.is_file()
 location_str += f"""
 location = /{area} {{ # no trailing slash
diff --git a/scripts/http_host/http_host_lib/nginx/cf.conf b/scripts/http_host/http_host_lib/nginx/cf.conf
index 73179ae..bca5582 100644
--- a/scripts/http_host/http_host_lib/nginx/cf.conf
+++ b/scripts/http_host/http_host_lib/nginx/cf.conf
@@ -9,8 +9,8 @@ server {
 listen [::]:443 ssl;
 http2 on;
- ssl_certificate /data/nginx/certs/cf.cert;
- ssl_certificate_key /data/nginx/certs/cf.key;
+ ssl_certificate /data/nginx/certs/ofm_cf.cert;
+ ssl_certificate_key /data/nginx/certs/ofm_cf.key;
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
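Review bot: `assert etc_cert.is_file()` and `assert etc_key.is_file()` use `assert` for a runtime precondition, which `python -O` strips, so the two `symlink_to` calls below would then silently create dangling links and the failure only surfaces at `nginx -t`; the rest of this function reports such problems with `sys.exit`, e.g. `if not etc_cert.is_file() or not etc_key.is_file(): sys.exit('certbot did not produce the ofm_le fullchain.pem/privkey.pem files')`. The same pattern appears in the `create_latest_locations` hunk below (`assert tilejson_path.is_file()`). Separately, the `--deploy-hook` reloads nginx with `service nginx reload` while the lines below use `systemctl reload nginx`; using one command in both places keeps the certbot renewal path identical to the first-issue path. `write_nginx_config` starts outside the hunk.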
diff --git a/scripts/http_host/http_host_lib/nginx/le.conf b/scripts/http_host/http_host_lib/nginx/le.conf
index 9203663..093d1f2 100644
--- a/scripts/http_host/http_host_lib/nginx/le.conf
+++ b/scripts/http_host/http_host_lib/nginx/le.conf
@@ -8,8 +8,8 @@ server {
 listen [::]:443 ssl;
 http2 on;
- ssl_certificate /data/nginx/certs/le.cert;
- ssl_certificate_key /data/nginx/certs/le.key;
+ ssl_certificate /data/nginx/certs/ofm_le.cert;
+ ssl_certificate_key /data/nginx/certs/ofm_le.key;
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
diff --git a/ssh_lib/nginx.py b/ssh_lib/nginx.py
index cd9e943..fb7c1fe 100644
--- a/ssh_lib/nginx.py
+++ b/ssh_lib/nginx.py
@@ -36,6 +36,7 @@ def nginx(c):
 c.sudo('mkdir -p /data/nginx/logs')
 c.sudo('mkdir -p /data/nginx/sites')
+ c.sudo('mkdir -p /data/nginx/acme-challenges')
 if not exists(c, '/etc/nginx/ssl/dummy.crt'):
 c.sudo('mkdir -p /etc/nginx/ssl')
@@ -75,14 +76,12 @@ def lego(c):
 url = f'https://github.com/go-acme/lego/releases/download/{lego_version}/lego_{lego_version}_linux_amd64.tar.gz'
- c.run('rm -rf /tmp/lego*')
- c.run('mkdir -p /tmp/lego')
- c.run(
+ c.sudo('rm -rf /tmp/lego*')
+ c.sudo('mkdir -p /tmp/lego')
+ c.sudo(
 f'wget -q "{url}" -O /tmp/lego/out.tar.gz',
 )
- c.run('tar xzvf /tmp/lego/out.tar.gz -C /tmp/lego')
- c.run('chmod +x /tmp/lego/lego')
- c.run('mv /tmp/lego/lego /usr/local/bin')
- c.run('rm -rf /tmp/lego*')
-
- c.run('mkdir -p /data/nginx/acme-challenges/')
+ c.sudo('tar xzvf /tmp/lego/out.tar.gz -C /tmp/lego')
+ c.sudo('chmod +x /tmp/lego/lego')
+ c.sudo('mv /tmp/lego/lego /usr/local/bin')
+ c.sudo('rm -rf /tmp/lego*')
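Review bot: The lego tarball fetched by the new `c.sudo(f'wget ...')` line in ssh_lib/nginx.py is extracted and moved to /usr/local/bin as root with no integrity check, so whatever the download returns is what gets installed; pinning the release's published sha256 next to `lego_version` and verifying it before the `tar xzvf` step, e.g. `c.sudo('echo "<expected-sha256>  /tmp/lego/out.tar.gz" | sha256sum -c')`, makes the install reproducible and rejects a corrupted or altered archive. Now that the whole sequence runs as root, the fixed `/tmp/lego` path in a world-writable directory is also worth replacing with a `mktemp -d` directory. Since this commit moves issuance to certbot in scripts/http_host/http_host_lib/nginx.py, `lego` may no longer be called at all; if so, removing the installer is the simplest fix. `lego` starts outside the hunk.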