mirror of
https://github.com/hyperknot/openfreemap.git
synced 2026-05-21 14:02:15 +00:00
nginx letsencrypt works
This commit is contained in:
Zsolt Ero
@@ -2,13 +2,13 @@
|
|||||||
SSH_PASSWD=
|
SSH_PASSWD=
|
||||||
|
|
||||||
# Domain to server directly, with Let's Encrypt certificates
|
# Domain to server directly, with Let's Encrypt certificates
|
||||||
DOMAIN_LE=le.openfreemap.org
|
DOMAIN_LE=test.openfreemap.org
|
||||||
|
|
||||||
# Let's Encrypt account email
|
# Let's Encrypt account email
|
||||||
LE_EMAIL=user@example.com
|
LE_EMAIL=
|
||||||
|
|
||||||
# Domain via CloudFlare, using origin certificates
|
# Domain via CloudFlare, using origin certificates
|
||||||
# Please put cf.key and cf.cert files in config/certs
|
# Please put ofm_cf.key and ofm_cf.cert files in config/certs
|
||||||
DOMAIN_CF=tiles.openfreemap.org
|
DOMAIN_CF=tiles.openfreemap.org
|
||||||
|
|
||||||
# Skip the full planet download, useful for testing (true/false)
|
# Skip the full planet download, useful for testing (true/false)
|
||||||
|
|||||||
@@ -109,10 +109,15 @@ def upload_http_host_config(c):
|
|||||||
|
|
||||||
if domain_cf:
|
if domain_cf:
|
||||||
if (
|
if (
|
||||||
not (CONFIG_DIR / 'certs' / 'cf.key').exists()
|
not (CONFIG_DIR / 'certs' / 'ofm_cf.key').exists()
|
||||||
or not (CONFIG_DIR / 'certs' / 'cf.cert').exists()
|
or not (CONFIG_DIR / 'certs' / 'ofm_cf.cert').exists()
|
||||||
):
|
):
|
||||||
sys.exit('When using DOMAIN_CF, please put cf.key and cf.cert files in config/certs')
|
sys.exit(
|
||||||
|
'When using DOMAIN_CF, please put ofm_cf.key and ofm_cf.cert files in config/certs'
|
||||||
|
)
|
||||||
|
|
||||||
|
if domain_le and not le_email:
|
||||||
|
sys.exit('Please add your email to LE_EMAIL when using DOMAIN_LE')
|
||||||
|
|
||||||
host_config = {
|
host_config = {
|
||||||
'domain_le': domain_le,
|
'domain_le': domain_le,
|
||||||
|
|||||||
@@ -21,8 +21,8 @@ def write_nginx_config():
|
|||||||
|
|
||||||
# processing Cloudflare config
|
# processing Cloudflare config
|
||||||
if domain_cf:
|
if domain_cf:
|
||||||
if not (CERTS_DIR / 'cf.cert').exists() or not (CERTS_DIR / 'cf.key').exists():
|
if not (CERTS_DIR / 'ofm_cf.cert').is_file() or not (CERTS_DIR / 'ofm_cf.key').is_file():
|
||||||
sys.exit('cf.cert or cf.key missing')
|
sys.exit('ofm_cf.cert or ofm_cf.key missing')
|
||||||
|
|
||||||
curl_text_mix += create_nginx_conf(
|
curl_text_mix += create_nginx_conf(
|
||||||
template_path=NGINX_DIR / 'cf.conf',
|
template_path=NGINX_DIR / 'cf.conf',
|
||||||
@@ -32,10 +32,10 @@ def write_nginx_config():
|
|||||||
|
|
||||||
# processing Let's Encrypt config
|
# processing Let's Encrypt config
|
||||||
if domain_le:
|
if domain_le:
|
||||||
le_cert = CERTS_DIR / 'le.cert'
|
le_cert = CERTS_DIR / 'ofm_le.cert'
|
||||||
le_key = CERTS_DIR / 'le.key'
|
le_key = CERTS_DIR / 'ofm_le.key'
|
||||||
|
|
||||||
if not (CERTS_DIR / 'le.cert').exists() or not (CERTS_DIR / 'le.key').exists():
|
if not le_cert.is_file() or not le_key.is_file():
|
||||||
shutil.copyfile(Path('/etc/nginx/ssl/dummy.crt'), le_cert)
|
shutil.copyfile(Path('/etc/nginx/ssl/dummy.crt'), le_cert)
|
||||||
shutil.copyfile(Path('/etc/nginx/ssl/dummy.key'), le_key)
|
shutil.copyfile(Path('/etc/nginx/ssl/dummy.key'), le_key)
|
||||||
|
|
||||||
@@ -50,26 +50,33 @@ def write_nginx_config():
|
|||||||
|
|
||||||
subprocess.run(
|
subprocess.run(
|
||||||
[
|
[
|
||||||
'lego',
|
'certbot',
|
||||||
'--accept-tos',
|
'certonly',
|
||||||
'--email',
|
'--webroot',
|
||||||
|
'--webroot-path=/data/nginx/acme-challenges',
|
||||||
|
'--noninteractive',
|
||||||
|
'-m',
|
||||||
HOST_CONFIG['le_email'],
|
HOST_CONFIG['le_email'],
|
||||||
'--http',
|
'--agree-tos',
|
||||||
'--http.webroot=/data/nginx/acme-challenges/',
|
'--cert-name=ofm_le',
|
||||||
'--domains',
|
'--deploy-hook',
|
||||||
|
'nginx -t && service nginx reload',
|
||||||
|
'-d',
|
||||||
domain_le,
|
domain_le,
|
||||||
'--http-timeout=30',
|
|
||||||
'--path=/data/nginx/lego/',
|
|
||||||
'run',
|
|
||||||
],
|
],
|
||||||
check=True,
|
check=True,
|
||||||
)
|
)
|
||||||
|
|
||||||
# link lego certs to nginx dir
|
# link certs to nginx dir
|
||||||
le_cert.unlink()
|
le_cert.unlink()
|
||||||
le_key.unlink()
|
le_key.unlink()
|
||||||
le_cert.symlink_to(Path(f'/data/nginx/lego/certificates/{domain_le}.crt'))
|
|
||||||
le_key.symlink_to(Path(f'/data/nginx/lego/certificates/{domain_le}.key'))
|
etc_cert = Path('/etc/letsencrypt/live/ofm_le/fullchain.pem')
|
||||||
|
etc_key = Path('/etc/letsencrypt/live/ofm_le/privkey.pem')
|
||||||
|
assert etc_cert.is_file()
|
||||||
|
assert etc_key.is_file()
|
||||||
|
le_cert.symlink_to(etc_cert)
|
||||||
|
le_key.symlink_to(etc_key)
|
||||||
|
|
||||||
subprocess.run(['nginx', '-t'], check=True)
|
subprocess.run(['nginx', '-t'], check=True)
|
||||||
subprocess.run(['systemctl', 'reload', 'nginx'], check=True)
|
subprocess.run(['systemctl', 'reload', 'nginx'], check=True)
|
||||||
@@ -189,7 +196,7 @@ def create_latest_locations() -> str:
|
|||||||
|
|
||||||
run_dir = DEFAULT_RUNS_DIR / area / version
|
run_dir = DEFAULT_RUNS_DIR / area / version
|
||||||
tilejson_path = run_dir / 'tilejson-tiles-org.json'
|
tilejson_path = run_dir / 'tilejson-tiles-org.json'
|
||||||
assert tilejson_path.exists()
|
assert tilejson_path.is_file()
|
||||||
|
|
||||||
location_str += f"""
|
location_str += f"""
|
||||||
location = /{area} {{ # no trailing slash
|
location = /{area} {{ # no trailing slash
|
||||||
|
|||||||
@@ -9,8 +9,8 @@ server {
|
|||||||
listen [::]:443 ssl;
|
listen [::]:443 ssl;
|
||||||
http2 on;
|
http2 on;
|
||||||
|
|
||||||
ssl_certificate /data/nginx/certs/cf.cert;
|
ssl_certificate /data/nginx/certs/ofm_cf.cert;
|
||||||
ssl_certificate_key /data/nginx/certs/cf.key;
|
ssl_certificate_key /data/nginx/certs/ofm_cf.key;
|
||||||
|
|
||||||
ssl_session_timeout 1d;
|
ssl_session_timeout 1d;
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
||||||
|
|||||||
@@ -8,8 +8,8 @@ server {
|
|||||||
listen [::]:443 ssl;
|
listen [::]:443 ssl;
|
||||||
http2 on;
|
http2 on;
|
||||||
|
|
||||||
ssl_certificate /data/nginx/certs/le.cert;
|
ssl_certificate /data/nginx/certs/ofm_le.cert;
|
||||||
ssl_certificate_key /data/nginx/certs/le.key;
|
ssl_certificate_key /data/nginx/certs/ofm_le.key;
|
||||||
|
|
||||||
ssl_session_timeout 1d;
|
ssl_session_timeout 1d;
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
||||||
|
|||||||
@@ -36,6 +36,7 @@ def nginx(c):
|
|||||||
c.sudo('mkdir -p /data/nginx/logs')
|
c.sudo('mkdir -p /data/nginx/logs')
|
||||||
|
|
||||||
c.sudo('mkdir -p /data/nginx/sites')
|
c.sudo('mkdir -p /data/nginx/sites')
|
||||||
|
c.sudo('mkdir -p /data/nginx/acme-challenges')
|
||||||
|
|
||||||
if not exists(c, '/etc/nginx/ssl/dummy.crt'):
|
if not exists(c, '/etc/nginx/ssl/dummy.crt'):
|
||||||
c.sudo('mkdir -p /etc/nginx/ssl')
|
c.sudo('mkdir -p /etc/nginx/ssl')
|
||||||
@@ -75,14 +76,12 @@ def lego(c):
|
|||||||
|
|
||||||
url = f'https://github.com/go-acme/lego/releases/download/{lego_version}/lego_{lego_version}_linux_amd64.tar.gz'
|
url = f'https://github.com/go-acme/lego/releases/download/{lego_version}/lego_{lego_version}_linux_amd64.tar.gz'
|
||||||
|
|
||||||
c.run('rm -rf /tmp/lego*')
|
c.sudo('rm -rf /tmp/lego*')
|
||||||
c.run('mkdir -p /tmp/lego')
|
c.sudo('mkdir -p /tmp/lego')
|
||||||
c.run(
|
c.sudo(
|
||||||
f'wget -q "{url}" -O /tmp/lego/out.tar.gz',
|
f'wget -q "{url}" -O /tmp/lego/out.tar.gz',
|
||||||
)
|
)
|
||||||
c.run('tar xzvf /tmp/lego/out.tar.gz -C /tmp/lego')
|
c.sudo('tar xzvf /tmp/lego/out.tar.gz -C /tmp/lego')
|
||||||
c.run('chmod +x /tmp/lego/lego')
|
c.sudo('chmod +x /tmp/lego/lego')
|
||||||
c.run('mv /tmp/lego/lego /usr/local/bin')
|
c.sudo('mv /tmp/lego/lego /usr/local/bin')
|
||||||
c.run('rm -rf /tmp/lego*')
|
c.sudo('rm -rf /tmp/lego*')
|
||||||
|
|
||||||
c.run('mkdir -p /data/nginx/acme-challenges/')
|
|
||||||
|
|||||||
Reference in New Issue
Block a user