Fix jwt-token

2025-09-13 08:54:16 +02:00
parent a2403ab5cd
commit 22d925d14a
11 changed files with 585 additions and 0 deletions
--- a/docker/certbot/scripts/check-and-renew.sh
+++ b/docker/certbot/scripts/check-and-renew.sh
@@ -0,0 +1,173 @@
+#!/bin/bash
+
+# Main certificate renewal script
+set -e
+
+DOMAIN="${DOMAIN:-dev.uggla.uamils.com}"
+EMAIL="${EMAIL:-admin@uggla.uamils.com}"
+RENEWAL_DAYS="${RENEWAL_DAYS:-10}"
+LOG_FILE="/var/log/certbot/renewal.log"
+
+log() {
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
+}
+
+check_certificate_expiry() {
+    local cert_path="/etc/letsencrypt/live/$DOMAIN/cert.pem"
+    
+    if [[ ! -f "$cert_path" ]]; then
+        log "Certificate not found at $cert_path - will attempt to obtain new certificate"
+        return 1
+    fi
+    
+    # Get certificate expiry date
+    local expiry_date=$(openssl x509 -in "$cert_path" -noout -enddate | cut -d= -f2)
+    local expiry_epoch=$(date -d "$expiry_date" +%s)
+    local current_epoch=$(date +%s)
+    local days_until_expiry=$(( (expiry_epoch - current_epoch) / 86400 ))
+    
+    log "Certificate expires in $days_until_expiry days"
+    
+    if [[ $days_until_expiry -le $RENEWAL_DAYS ]]; then
+        log "Certificate expires in $days_until_expiry days - renewal needed"
+        return 1
+    else
+        log "Certificate is valid for $days_until_expiry more days - no renewal needed"
+        return 0
+    fi
+}
+
+attempt_dns_challenge() {
+    log "Attempting DNS challenge with Loopia API..."
+    
+    if [[ -z "$LOOPIA_USER" || -z "$LOOPIA_PASSWORD" ]]; then
+        log "LOOPIA_USER or LOOPIA_PASSWORD not set - skipping DNS challenge"
+        return 1
+    fi
+    
+    # Try with dns-lexicon
+    if command -v lexicon >/dev/null 2>&1; then
+        log "Using dns-lexicon for DNS challenge..."
+        certbot certonly \
+            --dns-lexicon \
+            --dns-lexicon-provider loopia \
+            --dns-lexicon-loopia-username="$LOOPIA_USER" \
+            --dns-lexicon-loopia-password="$LOOPIA_PASSWORD" \
+            --email "$EMAIL" \
+            --agree-tos \
+            --non-interactive \
+            --expand \
+            -d "$DOMAIN" \
+            -d "*.$DOMAIN"
+        return $?
+    fi
+    
+    # Fallback: Manual DNS with custom hook
+    if [[ -f "/app/scripts/loopia-hook.sh" ]]; then
+        log "Using custom Loopia hook for DNS challenge..."
+        certbot certonly \
+            --manual \
+            --preferred-challenges dns \
+            --manual-auth-hook "/app/scripts/loopia-hook.sh auth" \
+            --manual-cleanup-hook "/app/scripts/loopia-hook.sh cleanup" \
+            --email "$EMAIL" \
+            --agree-tos \
+            --non-interactive \
+            --expand \
+            -d "$DOMAIN" \
+            -d "*.$DOMAIN"
+        return $?
+    fi
+    
+    return 1
+}
+
+attempt_http_challenge() {
+    log "Attempting HTTP challenge..."
+    
+    # Start nginx for HTTP challenge
+    nginx -t && nginx
+    
+    certbot certonly \
+        --webroot \
+        --webroot-path=/var/www/html \
+        --email "$EMAIL" \
+        --agree-tos \
+        --non-interactive \
+        --expand \
+        -d "$DOMAIN"
+    
+    local result=$?
+    
+    # Stop nginx
+    nginx -s quit || true
+    
+    return $result
+}
+
+reload_nginx() {
+    log "Copying certificates to shared directory..."
+    
+    # Copy certificates to shared SSL directory
+    if [[ -d "/etc/letsencrypt/live/$DOMAIN" ]]; then
+        mkdir -p /shared/ssl
+        cp "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" "/shared/ssl/fullchain.pem" || log "Could not copy fullchain.pem"
+        cp "/etc/letsencrypt/live/$DOMAIN/privkey.pem" "/shared/ssl/privkey.pem" || log "Could not copy privkey.pem"
+        chmod 644 /shared/ssl/fullchain.pem
+        chmod 600 /shared/ssl/privkey.pem
+        log "Certificates copied to /shared/ssl/"
+    fi
+    
+    log "Reloading nginx configuration..."
+    
+    # Check if nginx container exists and reload it
+    if command -v docker >/dev/null 2>&1; then
+        if docker ps --format "table {{.Names}}" | grep -q "nginx\|proxy"; then
+            log "Reloading nginx container..."
+            docker exec nginx nginx -s reload 2>/dev/null || \
+            docker exec drone-detection-nginx nginx -s reload 2>/dev/null || \
+            log "Could not reload nginx container - manual reload may be required"
+        fi
+    fi
+    
+    # Also try to reload host nginx if running
+    if pgrep nginx >/dev/null; then
+        log "Reloading host nginx..."
+        nginx -s reload || log "Could not reload host nginx"
+    fi
+}
+
+main() {
+    log "Starting certificate renewal check for $DOMAIN"
+    
+    # Check if renewal is needed
+    if check_certificate_expiry; then
+        log "Certificate is still valid - no action needed"
+        exit 0
+    fi
+    
+    log "Certificate renewal required - attempting to renew..."
+    
+    # Try DNS challenge first (for wildcard support)
+    if attempt_dns_challenge; then
+        log "DNS challenge successful!"
+        reload_nginx
+        log "Certificate renewal completed successfully"
+        exit 0
+    fi
+    
+    # Fallback to HTTP challenge (for main domain only)
+    log "DNS challenge failed - falling back to HTTP challenge"
+    if attempt_http_challenge; then
+        log "HTTP challenge successful!"
+        reload_nginx
+        log "Certificate renewal completed successfully"
+        exit 0
+    fi
+    
+    log "ERROR: All certificate renewal attempts failed"
+    exit 1
+}
+
+# Run main function
+main "$@"