Merge pull request #2 from alexzhangs/develop

Dockerfile

@@ -82,6 +82,9 @@ RUN curl -sL https://get.acme.sh | sh
 # Set the PATH for acme.sh
 ENV PATH=$PATH:/root/.acme.sh
 
+# Verify that acme.sh is installed
+RUN acme.sh --version
+
 # Install Go 1.16 (v2ray-plugin requires Go 1.16)
 RUN <<EOF
     set -ex

README.md

@@ -38,11 +38,29 @@ More usage examples can be found in the [Dockerfile](Dockerfile) and the [docker
 
 ## Certificates Renewal
 
-The docker file is not configured to renew certificates automatically. Since the renewal process requires the ss-server or ss-manager to restart to be aware of the new certificates, thus the more appropriate way to renew certificates is to restart the container.
+acme.sh always sets up a daily cron job to check and renew the certificates automatically.
 
-A new certificate will be issued if the container is restarted. To automate the renewal process, you can use a cron job to restart the container periodically.
+```sh
+# crontab -l | grep acme.sh
+10 21 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
+```
+
+For now, acme.sh certificates have a maximum 90-day validity period, and will be renewed automatically on the 60th day.
+
+This project sets up a renew hook command `reboot` at the certificate issue time, as long as the `ss-server` and `ss-manager` commands handle the `SIGINT` signal properly, and combined with the `--restart=always` option, the container will be restarted automatically after the certificate renewal.
+
+As a result, the container handles the certificate renewal automatically without interfering with the host.
+
+However, if you are running the container with the `ss-manager` command, after the container is restarted, all the ports created by the multi-user API will be lost, and you are responsible for re-creating them. The project [shadowsocks-manager](https://github.com/alexzhangs/shadowsocks-manager) uses heartbeat to monitor the `ss-manager` service and re-create the ports automatically.
 
-For now, acme.sh certificates have a maximum 90-day validity period.
+
+## Certificate Management
+
+List all the certificates inside the container:
+
+```sh
+acme.sh --list
+```
 
 Run below command to check the certificate details inside the container:
 

docker-entrypoint.sh

@@ -69,12 +69,20 @@ function issue-tls-cert () {
         exit 255
     fi
 
+    declare done_file=~/.issue-tls-cert-done
+
+    if [[ -f $done_file ]]; then
+        echo "INFO: TLS certificate has been issued for the domain $DOMAIN."
+        return
+    fi
+
     acme.sh --version
 
     # Register an account with acme.sh
     acme.sh --register-account -m "acme@$DOMAIN"
 
     declare -a acme_common_opts=(--force-color --domain "$DOMAIN")
+    declare -a acme_issue_opts=("${acme_common_opts[@]}" --renew-hook reboot --dns)
 
     # Setup DNS hook if DNS is set
     if [[ -n $DNS ]]; then
@@ -94,10 +102,10 @@ function issue-tls-cert () {
         done
 
         # Issue a certificate for the domain with acme.sh, using DNS hook
-        acme.sh --issue "${acme_common_opts[@]}" --dns "$DNS"
+        acme.sh --issue "${acme_issue_opts[@]}" "$DNS"
     else
         # Issue a certificate for the domain with acme.sh, using manual mode, ignoring the non-zero exit code
-        acme.sh --issue "${acme_common_opts[@]}" --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please || :
+        acme.sh --issue "${acme_issue_opts[@]}" --yes-I-know-dns-manual-mode-enough-go-ahead-please || :
 
         while true; do
             echo "Sleeping for 60 seconds to allow the DNS record to propagate ..."
@@ -112,6 +120,9 @@ function issue-tls-cert () {
 
     # Create a symbolic link for the certificate directory, v2ray-plugin seaches only the path without the _ecc suffix
     ln -s "${DOMAIN}_ecc" "/root/.acme.sh/${DOMAIN}"
+
+    # Create the cert done file
+    touch "$done_file"
 }
 
 function main () {