From 831143a896ca0dcf7f4c97680e67b7752ef75403 Mon Sep 17 00:00:00 2001
From: Alex
Date: Thu, 9 May 2024 00:49:56 +0800
Subject: [PATCH 1/2] Update for certificate renewal
---
 README.md | 24 +++++++++++++++++++++---
 docker-entrypoint.sh | 15 +++++++++++++--
 2 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 84b4555..bdc94ee 100644
--- a/README.md
+++ b/README.md
@@ -38,11 +38,29 @@ More usage examples can be found in the [Dockerfile](Dockerfile) and the [docker ## Certificates Renewal -The docker file is not configured to renew certificates automatically. Since the renewal process requires the ss-server or ss-manager to restart to be aware of the new certificates, thus the more appropriate way to renew certificates is to restart the container. +acme.sh always sets up a daily cron job to check and renew the certificates automatically. -A new certificate will be issued if the container is restarted. To automate the renewal process, you can use a cron job to restart the container periodically. +```sh +# crontab -l | grep acme.sh +10 21 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null +``` + +For now, acme.sh certificates have a maximum 90-day validity period, and will be renewed automatically on the 60th day. + +This project sets up a renew hook command `reboot` at the certificate issue time, as long as the `ss-server` and `ss-manager` commands handle the `SIGINT` signal properly, and combined with the `--restart=always` option, the container will be restarted automatically after the certificate renewal. + +As a result, the container handles the certificate renewal automatically without interfering with the host. + +However, if you are running the container with the `ss-manager` command, after the container is restarted, all the ports created by the multi-user API will be lost, and you are responsible for re-creating them. The project [shadowsocks-manager](https://github.com/alexzhangs/shadowsocks-manager) uses heartbeat to monitor the `ss-manager` service and re-create the ports automatically. -For now, acme.sh certificates have a maximum 90-day validity period. + +## Certificate Management + +List all the certificates inside the container: + +```sh +acme.sh --list +``` Run below command to check the certificate details inside the container: 
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index dbc513f..b3028c2 100644 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -69,12 +69,20 @@ function issue-tls-cert () { exit 255 fi + declare done_file=~/.issue-tls-cert-done + + if [[ -f $done_file ]]; then + echo "INFO: TLS certificate has been issued for the domain $DOMAIN." + return + fi + acme.sh --version # Register an account with acme.sh acme.sh --register-account -m "acme@$DOMAIN" declare -a acme_common_opts=(--force-color --domain "$DOMAIN") + declare -a acme_issue_opts=("${acme_common_opts[@]}" --renew-hook reboot --dns) # Setup DNS hook if DNS is set if [[ -n $DNS ]]; then @@ -94,10 +102,10 @@ function issue-tls-cert () { done # Issue a certificate for the domain with acme.sh, using DNS hook - acme.sh --issue "${acme_common_opts[@]}" --dns "$DNS" + acme.sh --issue "${acme_issue_opts[@]}" "$DNS" else # Issue a certificate for the domain with acme.sh, using manual mode, ignoring the non-zero exit code - acme.sh --issue "${acme_common_opts[@]}" --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please || : + acme.sh --issue "${acme_issue_opts[@]}" --yes-I-know-dns-manual-mode-enough-go-ahead-please || : while true; do echo "Sleeping for 60 seconds to allow the DNS record to propagate ..." @@ -112,6 +120,9 @@ function issue-tls-cert () { # Create a symbolic link for the certificate directory, v2ray-plugin seaches only the path without the _ecc suffix ln -s "${DOMAIN}_ecc" "/root/.acme.sh/${DOMAIN}" + + # Create the cert done file + touch "$done_file" } function main () { From 1ca72731d9130f25ddb6a9addd858a96aa8e5003 Mon Sep 17 00:00:00 2001 From: Alex Date: Thu, 9 May 2024 00:50:01 +0800 Subject: [PATCH 2/2] Fix Dockerfile to verify acme.sh installation --- Dockerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Dockerfile b/Dockerfile index 000ca58..d58640a 100644 --- a/Dockerfile +++ b/Dockerfile 
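Review bot: The early-return check at the top of the first hunk (`if [[ -f $done_file ]]`) is keyed only on the marker file existing, not on `$DOMAIN`, so a container restarted with a different DOMAIN value skips issuance and logs that a certificate was issued for the new domain, while the `/root/.acme.sh/${DOMAIN}` symlink created later in the function will not exist for it. Putting the domain into the marker name fixes both sides at once, because the `touch "$done_file"` added in the third hunk reuses the same variable: `declare done_file="$HOME/.issue-tls-cert-done-$DOMAIN"`. Separately, `--renew-hook reboot` in `acme_issue_opts` makes renewal depend on `reboot` terminating PID 1 inside the container and on the container running with `--restart=always` (the README hunk states this), which deserves a one-line comment above the declaration such as `# renew hook: reboot ends PID 1 so --restart=always recreates the container with the new cert`. The body of issue-tls-cert starts before and continues past this hunk.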
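Review bot: The DNS-hook issue call in the second hunk, `acme.sh --issue "${acme_issue_opts[@]}" "$DNS"`, has no status check, so unless the script runs under `set -e` (its header is outside the hunk) a failed issuance still falls through to the `ln -s` and to the `touch "$done_file"` added in the third hunk, after which every later start returns early on the marker and never retries. Failing the function at that point keeps the marker meaning "a certificate was obtained": `acme.sh --issue "${acme_issue_opts[@]}" "$DNS" || exit 255`, which matches the `exit 255` the function already uses earlier. The manual-mode branch deliberately ignores the exit code with `|| :` and then waits in its loop, so it is unaffected. The enclosing function starts and ends outside this hunk.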
@@ -82,6 +82,9 @@ RUN curl -sL https://get.acme.sh | sh # Set the PATH for acme.sh ENV PATH=$PATH:/root/.acme.sh +# Verify that acme.sh is installed +RUN acme.sh --version + # Install Go 1.16 (v2ray-plugin requires Go 1.16) RUN <