Sprawdzanie daty wygaśnięcia (daysLeft):
Jeśli < 30 dni → certyfikat do odnowienia.
Obsługa pustych/uszkodzonych certyfikatów:
Jeśli openssl zwróci pusty wynik, skrypt uzna, że certyfikat jest
niepełny.
Zmienne środowiskowe dla e-maila:
Można ustawić LETSENCRYPT_EMAIL w Jenkinsie, w .env lub jako
parametr pipeline.
Czytelne logi:
W logu widać brakujące domeny i ile dni zostało do wygaśnięcia.
This commit is contained in:
parent
40fb1a7cf9
commit
837144a60b
|
|
@ -8,7 +8,97 @@ def domainsToCert = [
|
|||
// [ false, 'artikus.dynu.net', "mail", "stat", "www", "nextcloud" ]
|
||||
]
|
||||
|
||||
|
||||
def createCert(domains, repo) {
|
||||
echo "Server ENV = ${SERVER_ENV}"
|
||||
echo "Certbot image = ${CERTBOT_IMAGE}"
|
||||
|
||||
def toCreateDomains = []
|
||||
|
||||
for (domain in domains) {
|
||||
def force = domain[0]
|
||||
def name = domain[1]
|
||||
def fileName = "/_docker_data_/letsencrypt/live/${name}/cert.pem"
|
||||
|
||||
def currentDomains = []
|
||||
def daysLeft = null
|
||||
|
||||
// Pobierz dane z istniejącego certyfikatu, jeśli jest
|
||||
if (fileExists(fileName)) {
|
||||
def certInfo = sh(
|
||||
script: "openssl x509 -in ${fileName} -text -noout | grep -o 'DNS:[^,]*' | sed 's/DNS://g'",
|
||||
returnStdout: true
|
||||
).trim()
|
||||
|
||||
if (certInfo) {
|
||||
currentDomains = certInfo.split('\n').collect { it.trim() }
|
||||
}
|
||||
|
||||
// Oblicz ile dni zostało do wygaśnięcia
|
||||
def expiryUnix = sh(
|
||||
script: "openssl x509 -enddate -noout -in ${fileName} | cut -d= -f2 | xargs -I{} date -d {} +%s",
|
||||
returnStdout: true
|
||||
).trim()
|
||||
|
||||
if (expiryUnix.isNumber()) {
|
||||
def nowUnix = sh(script: "date +%s", returnStdout: true).trim().toLong()
|
||||
daysLeft = (expiryUnix.toLong() - nowUnix) / (60 * 60 * 24)
|
||||
}
|
||||
}
|
||||
|
||||
// Lista oczekiwanych domen
|
||||
def expectedDomains = [name]
|
||||
for (int i = 2; i < domain.size(); i++) {
|
||||
expectedDomains.add("${domain[i]}.${name}")
|
||||
}
|
||||
|
||||
// Czy trzeba odnowić certyfikat?
|
||||
def needsRenewal = force ||
|
||||
!fileExists(fileName) ||
|
||||
currentDomains.size() != expectedDomains.size() ||
|
||||
!currentDomains.containsAll(expectedDomains) ||
|
||||
(daysLeft != null && daysLeft < 30)
|
||||
|
||||
if (needsRenewal) {
|
||||
echo "Certificate for '${name}' needs renewal (force: ${force}, missing domains: ${expectedDomains - currentDomains}, expires in: ${daysLeft ?: 'unknown'} days)"
|
||||
toCreateDomains.add(domain)
|
||||
} else {
|
||||
echo "Certificate for '${name}' is OK (expires in ${daysLeft} days)"
|
||||
}
|
||||
}
|
||||
|
||||
echo "Certificates to create/renew: ${toCreateDomains.collect { it[1] }}"
|
||||
|
||||
if (toCreateDomains.isEmpty()) {
|
||||
echo "All certificates are up to date. Nothing to create/renew."
|
||||
return
|
||||
}
|
||||
|
||||
def lets_encrypt = "docker compose --file lets-encrypt.yml --env-file lets.env "
|
||||
|
||||
dir("/_programs_/${repo}/deploy-this/lets-encrypt") {
|
||||
for (domain in toCreateDomains) {
|
||||
def name = domain[1]
|
||||
|
||||
def run = " run --rm certbot certonly" +
|
||||
" --webroot -w /var/www/certbot" +
|
||||
" --cert-name='${name}'" +
|
||||
" --non-interactive --agree-tos" +
|
||||
" --preferred-challenges http" +
|
||||
" --email ${LETSENCRYPT_EMAIL ?: 'kusartur@gmail.com'}" +
|
||||
" -d ${name}"
|
||||
|
||||
for (int i = 2; i < domain.size(); i++) {
|
||||
run += " -d ${domain[i]}.${name}"
|
||||
}
|
||||
|
||||
sh(lets_encrypt + run)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
def createCertOld(domains, repo) {
|
||||
echo "Server ENV = ${SERVER_ENV}"
|
||||
echo "Cerbot image = ${CERTBOT_IMAGE}"
|
||||
|
||||
|
|
@ -76,7 +166,7 @@ def createCert(domains, repo) {
|
|||
}
|
||||
}
|
||||
|
||||
def createCertOld(domains, repo){
|
||||
def createCertOlder(domains, repo){
|
||||
|
||||
echo "Server ENV = ${SERVER_ENV}"
|
||||
echo "Cerbot image = ${CERTBOT_IMAGE} "
|
||||
|
|
|
|||
Loading…
Reference in New Issue