changeset 2083:39d4215259ec ssltesting

tabs instead of spaces
author Violet7
date Tue, 09 Dec 2025 22:12:51 -0800
parents cdc9a31c6f71
children 9e0d28433e25
files host/renewSsl.sh host/startup/nginx/nginx.acme_setup.conf.luan host/startup/nginx/nginx.conf.luan src/luan/host/https.luan
diffstat 4 files changed, 91 insertions(+), 91 deletions(-) [+]
--- a/host/renewSsl.sh	Tue Dec 09 17:53:16 2025 -0800
+++ b/host/renewSsl.sh	Tue Dec 09 22:12:51 2025 -0800
@@ -2,7 +2,7 @@
 set -e
 
 if [ -n "$1" ]; then
-  cd "$1" || echo "no first argument passed, staying in cwd"
+	cd "$1" || echo "no first argument passed, staying in cwd"
 fi
 
 ROOTPWD=$(pwd)
@@ -12,58 +12,58 @@
 # change to owner of host/ if running as root
 # prevents nginx being unable to read files owned by root
 if [ "$(id -u)" -eq 0 ]; then
-  echo "switching to $ROOTPWDOWNER in order to preserve permissions"
-  exec sudo -u $ROOTPWDOWNER "$0" "$@"
+	echo "switching to $ROOTPWDOWNER in order to preserve permissions"
+	exec sudo -u $ROOTPWDOWNER "$0" "$@"
 fi
 
 KEYFILE="$ROOTPWD/local/tiny_account.key"
 for SITEROOT in "$ROOTPWD"/sites/*; do
-  {
-    # Skip if not a directory
-    [ -d "$SITEROOT" ] || continue
+	{
+		# Skip if not a directory
+		[ -d "$SITEROOT" ] || continue
 
-    DOMAIN=$(basename "$SITEROOT")
-    SSLDIR="$SITEROOT/ssl"
-    CSRFILE="$SSLDIR/$DOMAIN.csr"
-    FULLCHAIN="$SSLDIR/fullchain.cer"
-    CHALLENGEDIR="$SITEROOT/.well-known/acme-challenge"
-    TMPOUT="$SSLDIR/$DOMAIN.crt.tmp"
-    echo "Processing domain: $DOMAIN"
+		DOMAIN=$(basename "$SITEROOT")
+		SSLDIR="$SITEROOT/ssl"
+		CSRFILE="$SSLDIR/$DOMAIN.csr"
+		FULLCHAIN="$SSLDIR/fullchain.cer"
+		CHALLENGEDIR="$SITEROOT/.well-known/acme-challenge"
+		TMPOUT="$SSLDIR/$DOMAIN.crt.tmp"
+		echo "Processing domain: $DOMAIN"
 
-    # local_https.sh does not create a csr file, assume
-    # it is a self-signed local cert if it doesn't exist
-    if [ ! -f "$CSRFILE" ]; then
-      echo "CSR file not found, assuming self-signed and skipping."
-      continue
-    fi
+		# local_https.sh does not create a csr file, assume
+		# it is a self-signed local cert if it doesn't exist
+		if [ ! -f "$CSRFILE" ]; then
+			echo "CSR file not found, assuming self-signed and skipping."
+			continue
+		fi
 
-    mkdir -p "$CHALLENGEDIR"
+		mkdir -p "$CHALLENGEDIR"
 
-    "$ROOTPWD/acme_tiny" \
-      --account-key "$KEYFILE" \
-      --csr "$CSRFILE" \
-      --acme-dir "$CHALLENGEDIR" \
-      >"$TMPOUT"
+		"$ROOTPWD/acme_tiny" \
+			--account-key "$KEYFILE" \
+			--csr "$CSRFILE" \
+			--acme-dir "$CHALLENGEDIR" \
+			>"$TMPOUT"
 
-    # If TMPOUT is empty, something failed.
-    # Do not modify the current fullchain.
-    if [ ! -s "$TMPOUT" ]; then
-      echo "Error: $TMPOUT is empty - please see previous output for details.\nContinuing to next domain..."
-      rm -f "$TMPOUT"
-      continue
-    fi
+		# If TMPOUT is empty, something failed.
+		# Do not modify the current fullchain.
+		if [ ! -s "$TMPOUT" ]; then
+			echo "Error: $TMPOUT is empty - please see previous output for details.\nContinuing to next domain..."
+			rm -f "$TMPOUT"
+			continue
+		fi
 
-    # check if exists
-    if [ -f "$FULLCHAIN" ]; then
-      mv $FULLCHAIN "$FULLCHAIN.old"
-    fi
+		# check if exists
+		if [ -f "$FULLCHAIN" ]; then
+			mv $FULLCHAIN "$FULLCHAIN.old"
+		fi
 
-    mv "$TMPOUT" "$FULLCHAIN"
+		mv "$TMPOUT" "$FULLCHAIN"
 
-    echo "Renewed certificate for $DOMAIN"
-  } || {
-    echo "Error processing $SITEROOT — skipping."
-  }
+		echo "Renewed certificate for $DOMAIN"
+	} || {
+		echo "Error processing $SITEROOT — skipping."
+	}
 done
 
 sudo /usr/local/bin/nginx -s reload -c "$(pwd)/local/nginx.conf"
--- a/host/startup/nginx/nginx.acme_setup.conf.luan	Tue Dec 09 17:53:16 2025 -0800
+++ b/host/startup/nginx/nginx.acme_setup.conf.luan	Tue Dec 09 22:12:51 2025 -0800
@@ -12,19 +12,19 @@
 		error_log <%=rootDir%>/error.log;
 		access_log <%=rootDir%>/access.log;
 
-    # this directive should be included in a per-site
-    # nginx conf. this only exists for nginx.ssl.conf
-    # as far as I am aware. Currently, this will cause
-    # conflict with the server block defined in that
-    # file, so this file should be deleted when the
-    # initial setup is finished, and this directive
-    # should be added to that file instead.
+		# this directive should be included in a per-site
+		# nginx conf. this only exists for nginx.ssl.conf
+		# as far as I am aware. Currently, this will cause
+		# conflict with the server block defined in that
+		# file, so this file should be deleted when the
+		# initial setup is finished, and this directive
+		# should be added to that file instead.
 		location /.well-known/acme-challenge/ {
-        root <%=rootDir%>;
-        try_files $uri $uri/ =404;
+				root <%=rootDir%>;
+				try_files $uri $uri/ =404;
 		}
 
-    include nginx.default.conf;
+		include nginx.default.conf;
 
 	}
 
--- a/host/startup/nginx/nginx.conf.luan	Tue Dec 09 17:53:16 2025 -0800
+++ b/host/startup/nginx/nginx.conf.luan	Tue Dec 09 22:12:51 2025 -0800
@@ -1,12 +1,12 @@
 local rootDir, user, group = ...
 
 %>
-worker_processes  4;
+worker_processes	4;
 user <%=user%> <%=group%>;
 pid <%=rootDir%>/local/nginx.pid;
 
 events {
-	worker_connections  4096;
+	worker_connections	4096;
 }
 
 http { 
--- a/src/luan/host/https.luan	Tue Dec 09 17:53:16 2025 -0800
+++ b/src/luan/host/https.luan	Tue Dec 09 22:12:51 2025 -0800
@@ -22,15 +22,15 @@
 local function do_set_https(is_https,domain,site_dir,luanhost_dir,dry_run)
 	local nginx_file = site_dir.child("nginx.ssl.conf")
 
-  -- for storing csr and key, but not fullchain
-  -- TODO: store fullchain in here,
-  -- not done yet for backwards compatibility
-  local ssl_files_dir = site_dir.child("ssl/")
-  ssl_files_dir.mkdir()
+	-- for storing csr and key, but not fullchain
+	-- TODO: store fullchain in here,
+	-- not done yet for backwards compatibility
+	local ssl_files_dir = site_dir.child("ssl/")
+	ssl_files_dir.mkdir()
 
-  local key_file = ssl_files_dir.child(domain..".key")
+	local key_file = ssl_files_dir.child(domain..".key")
 	local csr_file = ssl_files_dir.child(domain..".csr")
-  local tmp_cert_out = ssl_files_dir.child(domain..".crt.tmp")
+	local tmp_cert_out = ssl_files_dir.child(domain..".crt.tmp")
 	local local_cer_file = ssl_files_dir.child("fullchain.cer")
 	-- luan/host
 	local luanhost_file = "file:"..luanhost_dir.to_string().."/"
@@ -66,26 +66,26 @@
 					-- Clean out old temp files
 					temp_dir.delete()
 
-          -- CHANGEME
-          dry_run = true
+					-- CHANGEME
+					dry_run = true
 
-          -- make the challenge dir. note that this is
-          -- directly under sites/DOMAIN, and *not* under
-          -- sites/DOMAIN/site.
-          local wellknown = site_dir.child(".well-known/")
-          wellknown.mkdir()
-          local acme_challenges = wellknown.child("acme-challenge/")
-          acme_challenges.mkdir()
+					-- make the challenge dir. note that this is
+					-- directly under sites/DOMAIN, and *not* under
+					-- sites/DOMAIN/site.
+					local wellknown = site_dir.child(".well-known/")
+					wellknown.mkdir()
+					local acme_challenges = wellknown.child("acme-challenge/")
+					acme_challenges.mkdir()
 
-          -- generate and write the conf
-          -- TODO: maybe store this in the ssl files dir?
+					-- generate and write the conf
+					-- TODO: maybe store this in the ssl files dir?
 					local conf = load_file(luanhost_file.."startup/nginx/nginx.acme_setup.conf.luan")
 					local acme_nginx = ` conf(site_dir.canonical().to_string(),domain) `
-          local outfile = site_dir.child("nginx.acme_setup.conf")
-          outfile.write(acme_nginx)
+					local outfile = site_dir.child("nginx.acme_setup.conf")
+					outfile.write(acme_nginx)
 
-          -- reload nginx
-          local cmd = [[
+					-- reload nginx
+					local cmd = [[
 						sudo $(which nginx) -t -c "]]..luanhost_dir_str..[[/local/nginx.conf" && \ 
 						sudo $(which nginx) -s reload -c "]]..luanhost_dir_str..[[/local/nginx.conf";
 					]]
@@ -111,31 +111,31 @@
 						--acme-dir ]]..acme_challenges.canonical().to_string()..[[ \
 					]]
 
-          -- TODO: this often doesn't work and I don't know if it's
-          -- because of this code or because of letsencrypt.
-          -- fix if broken.
+					-- TODO: this often doesn't work and I don't know if it's
+					-- because of this code or because of letsencrypt.
+					-- fix if broken.
 					if dry_run then
 						local dry_run_dir_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
 						cmd = cmd.." --directory-url "..dry_run_dir_url
 					end
 					cmd = cmd.." > "..tmp_cert_out.canonical().to_string()
-          logger.info("acme-tiny commandline:\n")
+					logger.info("acme-tiny commandline:\n")
 
 					local s = uri("bash:"..cmd).read_text()
 					logger.info("get cert signed by letsencrypt\n"..s)
 
-          if tmp_cert_out.length() == 0 then
-            -- TODO: this should fail non-gracefully,
-            -- all failures here are almost certainly bugs.
-            logger.error("FAILED getting cert from letsencrypt.\nSee previous output.\nNot writing to fullchain.cer")
-          else
-            local tmp_out_str = tmp_cert_out.canonical().to_string()
-            local local_cer_file_str = local_cer_file.canonical().to_string()
+					if tmp_cert_out.length() == 0 then
+						-- TODO: this should fail non-gracefully,
+						-- all failures here are almost certainly bugs.
+						logger.error("FAILED getting cert from letsencrypt.\nSee previous output.\nNot writing to fullchain.cer")
+					else
+						local tmp_out_str = tmp_cert_out.canonical().to_string()
+						local local_cer_file_str = local_cer_file.canonical().to_string()
 
-            local cmd = "mv "..tmp_out_str.." "..local_cer_file_str
-            local s = uri("bash:"..cmd).read_text()
-            logger.info("move temp output to fullchain.cer\n"..s)
-          end
+						local cmd = "mv "..tmp_out_str.." "..local_cer_file_str
+						local s = uri("bash:"..cmd).read_text()
+						logger.info("move temp output to fullchain.cer\n"..s)
+					end
 
 				catch e
 					logger.error("Error setting up ACME: "..e)
@@ -181,7 +181,7 @@
 	end
 	--logger.info "done"
 end
-Hosted.do_set_https = do_set_https  -- for testing
+Hosted.do_set_https = do_set_https	-- for testing
 
 function Hosted.set_https(is_https)
 	if Http.did_init() then