Automatic cert renew (#185)

2026-01-26 17:53:13 +00:00 · 2026-01-12 09:53:46 +01:00 · 2026-01-12 09:53:46 +01:00 · 020ee766c5
commit 020ee766c5
parent c071414ece
3 changed files with 103 additions and 23 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -32,7 +32,6 @@ services:
      - 30304:30304/udp
      - 9005:9005/udp
      - 127.0.0.1:8003:8003
-      - 80:80 #Let's Encrypt
      - 8000:8000/tcp #WSS
      - 127.0.0.1:8645:8645
    logging:
@ -60,6 +59,7 @@ services:
    command:
      - /opt/run_node.sh
    depends_on:
+      - certbot
      - postgres

  # TODO: Commented until ready
@ -74,6 +74,21 @@ services:
  #  depends_on:
  #    - nwaku

+  certbot:
+    image: certbot/certbot
+    restart: on-failure
+    ports:
+      - 80:80 # Let's Encrypt
+    environment:
+      DOMAIN: ${DOMAIN}
+    volumes:
+      - ./run_certbot.sh:/opt/run_certbot.sh:Z
+      - ${CERTS_DIR:-./certs}:/etc/letsencrypt/:Z
+      - ./certbot-challenges:/var/www/certbot
+    entrypoint: sh
+    command:
+      - /opt/run_certbot.sh
+
  prometheus:
    image: docker.io/prom/prometheus:latest
    volumes:
--- a/run_certbot.sh
+++ b/run_certbot.sh
@ -0,0 +1,60 @@
+#!/bin/sh
+set -e
+
+if [ -z "$DOMAIN" ]; then
+  echo "DOMAIN not set, skipping certbot"
+  exit 0
+fi
+
+# -------------------------------
+# Configuration
+# -------------------------------
+EMAIL="${EMAIL:-admin@${DOMAIN}}"      # Certbot email
+WEBROOT="${WEBROOT:-/var/www/certbot}" # Path served by HTTP for ACME
+SLEEP_INTERVAL="${SLEEP_INTERVAL:-12h}" # Renewal check interval
+
+# Ensure webroot directory exists
+mkdir -p "${WEBROOT}/.well-known/acme-challenge"
+
+# Path to cert folder
+LETSENCRYPT_PATH="/etc/letsencrypt/live/${DOMAIN}"
+
+# -------------------------------
+# Initial certificate issuance
+# -------------------------------
+if [ ! -d "${LETSENCRYPT_PATH}" ]; then
+    echo "[INFO] No certificate found for ${DOMAIN}, issuing a new one..."
+
+    # Install certbot if needed (Alpine example)
+    if ! command -v certbot >/dev/null 2>&1; then
+        echo "[INFO] Installing certbot..."
+        apk add --no-cache certbot
+    fi
+
+    certbot certonly\
+        --non-interactive\
+        --agree-tos\
+        --no-eff-email\
+        --no-redirect\
+        --email admin@${DOMAIN}\
+        -d ${DOMAIN}\
+        --standalone
+
+    echo "[INFO] Certificate issued successfully."
+else
+    echo "[INFO] Certificate already exists for ${DOMAIN}."
+fi
+
+# -------------------------------
+# Renewal loop
+# -------------------------------
+echo "[INFO] Starting renewal loop every ${SLEEP_INTERVAL}..."
+while true; do
+    echo "[INFO] Checking certificate renewal..."
+    certbot renew --standalone --quiet
+    # certbot renew --standalone ## Use this line instead to debug the output
+    echo "[INFO] Renewal check complete. Sleeping..."
+    sleep "${SLEEP_INTERVAL}"
+done
+
+
--- a/run_node.sh
+++ b/run_node.sh
@ -54,35 +54,40 @@ if [ -z "${DOMAIN}" ]; then
 fi

 if [ -n "${DOMAIN}" ]; then
+    ## A domain has been either set or inferred. Let's try to use it for websocket secure support.

-    LETSENCRYPT_PATH=/etc/letsencrypt/live/${DOMAIN}
+    apk add --no-cache openssl

-    if ! [ -d "${LETSENCRYPT_PATH}" ]; then
-        apk add --no-cache certbot
+    LETSENCRYPT_PATH="/etc/letsencrypt/live/${DOMAIN}"
+    CERT="${LETSENCRYPT_PATH}/fullchain.pem"
+    KEY="${LETSENCRYPT_PATH}/privkey.pem"

-        certbot certonly\
-            --non-interactive\
-            --agree-tos\
-            --no-eff-email\
-            --no-redirect\
-            --email admin@${DOMAIN}\
-            -d ${DOMAIN}\
-            --standalone
-    fi
+    echo "$(date '+%Y-%m-%d %H:%M:%S') [INFO] Waiting for a valid TLS certificate for ${DOMAIN}..."

-    if ! [ -e "${LETSENCRYPT_PATH}/privkey.pem" ]; then
-        echo "The certificate does not exist. Proceeding without supporting websocket"
-    else
-        WS_SUPPORT="--websocket-support=true"
-        WSS_SUPPORT="--websocket-secure-support=true"
-        WSS_KEY="--websocket-secure-key-path=${LETSENCRYPT_PATH}/privkey.pem"
-        WSS_CERT="--websocket-secure-cert-path=${LETSENCRYPT_PATH}/fullchain.pem"
-        DNS4_DOMAIN="--dns4-domain-name=${DOMAIN}"
+    while true; do
+        if [ ! -f "${CERT}" ] || [ ! -f "${KEY}" ]; then
+            echo "$(date '+%Y-%m-%d %H:%M:%S') [INFO] Certificate files not found yet. Waiting..."
+        elif ! openssl x509 -checkend 0 -noout -in "${CERT}" >/dev/null 2>&1; then
+            echo "$(date '+%Y-%m-%d %H:%M:%S') [WARN] Certificate exists but is expired. Waiting for renewal..."
+            echo "$(date '+%Y-%m-%d %H:%M:%S') [INFO] If that takes more than 15 minutes, please remove --quiet attr in run_certbot.sh so that you can see the reason why renewal is not working."
+        else
+            echo "$(date '+%Y-%m-%d %H:%M:%S') [INFO] Valid TLS certificate detected."
+            break
+        fi

-        DNS_WSS_CMD="${WS_SUPPORT} ${WSS_SUPPORT} ${WSS_CERT} ${WSS_KEY} ${DNS4_DOMAIN}" 
-    fi
+        sleep 60
+    done
+
+    WS_SUPPORT="--websocket-support=true"
+    WSS_SUPPORT="--websocket-secure-support=true"
+    WSS_KEY="--websocket-secure-key-path=${KEY}"
+    WSS_CERT="--websocket-secure-cert-path=${CERT}"
+    DNS4_DOMAIN="--dns4-domain-name=${DOMAIN}"
+
+    DNS_WSS_CMD="${WS_SUPPORT} ${WSS_SUPPORT} ${WSS_CERT} ${WSS_KEY} ${DNS4_DOMAIN}"
 fi

+
 if [ -n "${NODEKEY}" ]; then
    NODEKEY=--nodekey=${NODEKEY}
 fi