diff --git a/docker/defaults.env b/docker/defaults.env
index 02411af9c..fb050370e 100644
--- a/docker/defaults.env
+++ b/docker/defaults.env
@@ -26,6 +26,12 @@ LETSENCRYPT_STAGING=0
 # email address to use for letsencrypt contact
 LETSENCRYPT_EMAIL=
+# specify ACME server
+CERTBOT_SERVER=
+# credentials for ACME with EAB
+CERTBOT_EAB_KID=
+CERTBOT_EAB_HMAC_KEY=
+
 # list of comma separated domains that are also served but redirect to the primary domain name
 REDIRECT_DOMAINS=
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 55a538f27..0175d8843 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -40,6 +40,9 @@ services:
 - IPV4_IP_PROMETHEUS_INTERNAL
 - LETSENCRYPT_STAGING
 - LETSENCRYPT_EMAIL
+ - CERTBOT_SERVER
+ - CERTBOT_EAB_KID
+ - CERTBOT_EAB_HMAC_KEY
 - REDIRECT_DOMAINS
 - NGINX_PROXY_CACHE
 - INTERNETNL_BRANDING
diff --git a/docker/webserver/certbot.sh b/docker/webserver/certbot.sh
index 2ac2fd16f..866c8dbda 100755
--- a/docker/webserver/certbot.sh
+++ b/docker/webserver/certbot.sh
@@ -14,6 +14,19 @@ else
 email="--register-unsafely-without-email"
 fi
+if [ ! -z $CERTBOT_SERVER ]; then
+ server="--server=$CERTBOT_SERVER"
+fi
+
+
+if [ ! -z $CERTBOT_EAB_KID ]; then
+ eab_kid="--eab-kid=$CERTBOT_EAB_KID"
+fi
+
+if [ ! -z $CERTBOT_EAB_HMAC_KEY ]; then
+ eab_hmac_key="--eab-hmac-key=$CERTBOT_EAB_HMAC_KEY"
+fi
+
 domain=$INTERNETNL_DOMAINNAME
 subdomains="nl.$domain,en.$domain,www.$domain,ipv6.$domain,conn.$domain,en.conn.$domain,nl.conn.$domain,www.conn.$domain"
 if [ ! -z $REDIRECT_DOMAINS ];then
@@ -40,6 +53,9 @@ configure_letsencrypt() {
 --webroot \
 $staging \
 $email \
+ $server \
+ $eab_kid \
+ $eab_hmac_key \
 --cert-name $domain \
 -d $domain
 cert_acquired=$?
@@ -67,6 +83,9 @@ configure_letsencrypt() {
 --webroot \
 $staging \
 $email \
+ $server \
+ $eab_kid \
+ $eab_hmac_key \
 --cert-name $domain \
 -d $domain \
 -d $subdomains \
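Review bot: `CERTBOT_EAB_HMAC_KEY` is a credential, but the new comment `# credentials for ACME with EAB` in docker/defaults.env does not say so, and since this is the committed defaults file a reader may be tempted to fill the key in right there. Suggest `# credentials for ACME External Account Binding (EAB); the HMAC key is a secret, supply it through the local environment rather than this committed file`. Leaving the defaults empty is right, because the feature is opt-in.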
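Review bot: The three new tests in docker/webserver/certbot.sh use the unquoted form `[ ! -z $CERTBOT_SERVER ]`, which only works for the empty case because `[ ! -z ]` happens to evaluate to false; a value containing whitespace or a glob character makes `[` see extra arguments and the script dies with a syntax error instead of passing the value on. The script also accepts a KID without an HMAC key, or the reverse, and only finds out when certbot rejects the account registration inside `configure_letsencrypt`. Quote the tests as `[ -n "$CERTBOT_SERVER" ]` and require the two EAB values together, failing early with a message that names the variables but never prints the key value.
```shell
if [ -n "$CERTBOT_SERVER" ]; then
  server="--server=$CERTBOT_SERVER"
fi

# EAB needs both the key identifier and the HMAC key; refuse half a pair
# early instead of letting certbot fail later at account registration.
if [ -n "$CERTBOT_EAB_KID" ] && [ -n "$CERTBOT_EAB_HMAC_KEY" ]; then
  eab_kid="--eab-kid=$CERTBOT_EAB_KID"
  eab_hmac_key="--eab-hmac-key=$CERTBOT_EAB_HMAC_KEY"
elif [ -n "$CERTBOT_EAB_KID" ] || [ -n "$CERTBOT_EAB_HMAC_KEY" ]; then
  printf '%s\n' "CERTBOT_EAB_KID and CERTBOT_EAB_HMAC_KEY must be set together" >&2
  exit 1
fi
# … unchanged: domain / subdomains / REDIRECT_DOMAINS handling …
```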
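Review bot: `$eab_hmac_key \` in the hunk at `@@ -40,6 +53,9 @@` puts the EAB HMAC key on certbot's argument vector, so for the lifetime of the certbot process it is readable from `ps` and `/proc/*/cmdline` inside the container and appears in any `set -x` trace or echoed command line; the same applies to the second invocation in the hunk at `@@ -67,6 +83,9 @@`. Certbot accepts its long options from a configuration file passed with `-c`/`--config`, which would keep the key out of argv and out of logs; if that is not done here, at least add a comment on this line such as `# eab_hmac_key carries a secret: do not trace or log this command`. As with the existing `$staging` and `$email`, the new expansions are unquoted so they disappear when empty, which is intended, but a value containing whitespace would be split into several arguments. `configure_letsencrypt` begins and ends outside both hunks.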