Merge pull request #16 from JonasAlfredsson/renew_checker_fix

JonasAlfredsson · web-flow · commit 02b37cdc9b3e · 2020-03-05T22:20:02.000Z
Renew checker fix
diff --git a/README.md b/README.md
@@ -47,6 +47,22 @@ files).
    [Docker](https://www.docker.com/) to function.
 
 
+## Available Environment Variables
+
+### Reuired
+- `CERTBOT_EMAIL`: Your e-mail address. Used by Let's Encrypt to contact you in
+                   case of security issues.
+
+### Optional
+- `STAGING`: Set to `1` to use Let's Encrypt's
+             [staging servers](#initial-testing) (default: `0`)
+- `DHPARAM_SIZE`: The size of the
+                  [Diffie-Hellman parameters](#diffie-hellman-parameters)
+                  (default: `2048`)
+- `RSA_KEY_SIZE`: The size of the RSA encryption keys (default: `2048`)
+- `RENEWAL_INTERVAL`: Time interval between certbot's
+                      [renewal checks](#renewal-check-interval) (default: `8d`)
+
 ## Run with `docker run`
 
 ### Build it yourself
@@ -103,6 +119,7 @@ services:
         - STAGING=0
         - DHPARAM_SIZE=2048
         - RSA_KEY_SIZE=2048
+        - RENEWAL_INTERVAL=8d
     ports:
       - 80:80
       - 443:443
@@ -193,6 +210,36 @@ certificate request from the above file will then become something like this
 certbot ... -d yourdomain.org -d www.yourdomain.org -d sub.yourdomain.org
 ```
 
+### Renewal check interval
+This container will automatically start a certbot certificate renewal check
+after the time duration that is defined in the environmental variable
+`RENEWAL_INTERVAL` has passed. After certbot has done its stuff, the code will
+return and wait the defined time before triggering again.
+
+This process is very simple, and is just a `while [ true ];` loop with a `sleep`
+at the end:
+
+```bash
+while [ true ]; do
+    # Run certbot...
+    sleep "$RENEWAL_INTERVAL"
+done
+```
+
+So when setting the environmental variable, it is possible to use any string
+that is recognized by `sleep`, e.g. `3600` or `60m` or `1h`. Read more about
+which values that are allowed in its
+[manual](http://man7.org/linux/man-pages/man1/sleep.1.html).
+
+The default is `8d`, since this allows for multiple retries per month, while
+keeping the output in the logs at a very low level. If nothing needs to be
+renewed certbot won't do anything, so it should be no problem setting it lower
+if you want to. The only thing to think about is to not to make it longer than
+one month, because then you would
+[miss the window](https://community.letsencrypt.org/t/solved-how-often-to-renew/13678)
+where certbot would deem it necessary to update the certificates.
+
+
 ### Diffie-Hellman parameters
 Regarding the Diffie-Hellman parameter it is recommended that you have one for
 your server. However, you can make a config file without it and Nginx will work
diff --git a/example/docker-compose.yml b/example/docker-compose.yml
@@ -9,6 +9,7 @@ services:
         - STAGING
         - DHPARAM_SIZE
         - RSA_KEY_SIZE
+        - RENEWAL_INTERVAL
     ports:
       - 80:80
       - 443:443
diff --git a/src/.env b/src/.env
@@ -5,3 +5,4 @@ CERTBOT_EMAIL=your@email.org
 STAGING=0
 DHPARAM_SIZE=2048
 RSA_KEY_SIZE=2048
+RENEWAL_INTERVAL=8d
diff --git a/src/scripts/entrypoint.sh b/src/scripts/entrypoint.sh
@@ -25,6 +25,12 @@ echo "Starting the Nginx service"
 nginx -g "daemon off;" &
 NGINX_PID=$!
 
+# Make sure a renewal interval is set before continuing.
+if [ -z "$RENEWAL_INTERVAL" ]; then
+    echo "RENEWAL_INTERVAL unset, using default of '8d'"
+    RENEWAL_INTERVAL='8d'
+fi
+
 # Instead of trying to run 'cron' or something like that, just sleep and
 # execute the 'certbot' script.
 (
@@ -33,8 +39,8 @@ while [ true ]; do
     echo "Run certbot!"
     /scripts/run_certbot.sh
 
-    echo "Certbot will now sleep for 8 days..."
-    sleep 8d
+    echo "Certbot will now sleep..."
+    sleep "$RENEWAL_INTERVAL"
 done
 ) &
 
diff --git a/src/scripts/run_certbot.sh b/src/scripts/run_certbot.sh
@@ -14,24 +14,20 @@ exit_code=0
 # the certificate request.
 for conf_file in /etc/nginx/conf.d/*.conf*; do
     for primary_domain in $(parse_primary_domains $conf_file); do
-        if is_renewal_required $primary_domain; then
-            # Renewal required for this domain!
-            # The last one happened over a week ago (or never)
-
-            # At minimum we will make a request for the primary domain
-            domain_request="-d $primary_domain"
-
-            # Find all 'server_names' in this .conf file
-            for server_name in $(parse_server_names $conf_file); do
-                domain_request="$domain_request -d $server_name"
-            done
-
-            if ! get_certificate $primary_domain $CERTBOT_EMAIL "$domain_request"; then
-                error "Certbot failed for $primary_domain. Check the logs for details."
-                exit_code=1
-            fi
-        else
-            echo "Not running certbot for $primary_domain; last renewal happened just recently."
+        # At minimum we will make a request for the primary domain.
+        domain_request="-d $primary_domain"
+
+        # Find all 'server_names' in this .conf file and add them to the same
+        # request.
+        for server_name in $(parse_server_names $conf_file); do
+            domain_request="$domain_request -d $server_name"
+        done
+
+        # Hand over all the info required for the certificate request, and let
+        # certbot decide if it is necessary to update the certificate.
+        if ! get_certificate $primary_domain $CERTBOT_EMAIL "$domain_request"; then
+            error "Certbot failed for $primary_domain. Check the logs for details."
+            exit_code=1
         fi
     done
 done
diff --git a/src/scripts/util.sh b/src/scripts/util.sh
@@ -161,19 +161,3 @@ get_certificate() {
         $3 \
         --debug
 }
-
-# Given a domain name, return true if a renewal is required (last renewal
-# ran over a week ago or never happened yet), otherwise return false.
-is_renewal_required() {
-    # If the file does not exist assume a renewal is required
-    last_renewal_file="/etc/letsencrypt/live/$1/privkey.pem"
-    [ ! -e "$last_renewal_file" ] && return;
-
-    # If the file exists, check if the last renewal was more than a week ago
-    one_week_sec=604800
-    now_sec=$(date -d now +%s)
-    last_renewal_sec=$(stat -c %Y "$last_renewal_file")
-    last_renewal_delta_sec=$(( ($now_sec - $last_renewal_sec) ))
-    is_finshed_week_sec=$(( ($one_week_sec - $last_renewal_delta_sec) ))
-    [ $is_finshed_week_sec -lt 0 ]
-}
