The '--staging' argument to certbot has been changed to '--test-cert'. Previously, dockersetup.py could only create certificates from the Let's Encrypt Staging environment, which browsers reject as untrusted. Add a '--letsencrypt-production' knob to allow valid, browser-trusted certs to be created. If such certs already exist in the workspace and have not expired, re-use them (to avoid hitting Let's Encrypt rate limits). Continue to pass '--force-renewal' for staging certs.
NOTE: If you have previously created staging certs in your workspace, you will want to clean docker/certs before creating production certs for the same domain. Certbot will not overwrite those staging certs and the newly created ones will not be in the path passed in by dockersetup.py.

Signed-off-by: Tim Orling <tim.orl...@konsulko.com>
---
 dockersetup.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/dockersetup.py b/dockersetup.py
index d6e8f33..56458d3 100755
--- a/dockersetup.py
+++ b/dockersetup.py
@@ -66,6 +66,7 @@ def get_args():
     parser.add_argument('--cert', type=str, help='Existing SSL certificate to use for HTTPS web serving', required=False)
     parser.add_argument('--cert-key', type=str, help='Existing SSL certificate key to use for HTTPS web serving', required=False)
     parser.add_argument('--letsencrypt', action="store_true", default=False, help='Use Let\'s Encrypt for HTTPS')
+    parser.add_argument('--letsencrypt-production', action="store_true", default=False, help='Use Production server for Let\'s Encrypt. Default is %(default)s')
     parser.add_argument('--no-migrate', action="store_true", default=False, help='Skip running database migrations')
     parser.add_argument('--no-admin-user', action="store_true", default=False, help='Skip adding admin user')
     parser.add_argument('--no-connectivity', action="store_true", default=False, help='Skip checking external network connectivity')
@@ -473,7 +474,7 @@ def edit_dockerfile_web(hostname, no_https):
     writefile("Dockerfile.web", ''.join(newlines))
 
 
-def setup_https(hostname, http_port, https_port, letsencrypt, cert, cert_key, emailaddr):
+def setup_https(hostname, http_port, https_port, letsencrypt, letsencrypt_production, cert, cert_key, emailaddr):
     local_cert_dir = os.path.abspath('docker/certs')
     container_cert_dir = '/opt/cert'
     if letsencrypt:
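Review bot: Passing `--letsencrypt-production` without `--letsencrypt` is silently accepted by the argument added in this hunk; the flag is only consumed by setup_https, which (from the following hunk) branches on `letsencrypt` first, so the production request would apparently be ignored with no message. Reject the combination after parsing, e.g. `if args.letsencrypt_production and not args.letsencrypt: parser.error('--letsencrypt-production requires --letsencrypt')` (the parse_args call is outside this hunk). The help text should also spell out what the default buys the operator, since the difference is trust-relevant: `help='Request certificates from the Let\'s Encrypt production CA (browser-trusted, subject to rate limits). Without this flag the staging CA is used and its certificates are not trusted by browsers. Default is %(default)s'`.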
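Review bot: The new `letsencrypt_production` parameter is inserted in the middle of an all-positional signature, so every caller must be updated in lock-step and any caller missed gets a TypeError at runtime rather than a sensible default. A keyword-only argument appended at the end, `def setup_https(hostname, http_port, https_port, letsencrypt, cert, cert_key, emailaddr, *, letsencrypt_production=False):`, keeps existing calls working and makes the untrusted staging CA the fail-safe default at the API level as it already is on the CLI. The body of setup_https continues well past this hunk.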
@@ -548,7 +549,7 @@ def setup_https(hostname, http_port, https_port, letsencrypt, cert, cert_key, em
         shutil.rmtree(tempdir)
 
     # Now run certbot to register SSL certificate
-    staging_arg = '--staging'
+    staging_arg = '--force-renewal --test-cert' if not letsencrypt_production else '--keep-until-expiring'
     if emailaddr:
         email_arg = '--email %s' % quote(emailaddr)
     else:
@@ -560,7 +561,7 @@ def setup_https(hostname, http_port, https_port, letsencrypt, cert, cert_key, em
         -d %s \
         --rsa-key-size 4096 \
         --agree-tos \
-        --force-renewal" layerscertbot' % (staging_arg, email_arg, quote(hostname)), shell=True)
+        " layerscertbot' % (staging_arg, email_arg, quote(hostname)), shell=True)
     if return_code != 0:
         print("Running certbot failed")
         sys.exit(1)
@@ -757,7 +758,7 @@ else:
     edit_options_file(args.project_name)
 
     if not args.no_https:
-        setup_https(args.hostname, http_port, https_port, args.letsencrypt, args.cert, args.cert_key, emailaddr)
+        setup_https(args.hostname, http_port, https_port, args.letsencrypt, args.letsencrypt_production, args.cert, args.cert_key, emailaddr)
 
     ## Start up containers
     return_code = subprocess.call(['docker-compose', 'up', '-d', '--build'], shell=False)
-- 
2.34.1
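Review bot: In production mode the new `--keep-until-expiring` will also keep a still-valid staging certificate for the same domain, which is exactly the case the commit message's NOTE warns about: certbot exits 0, the script carries on, and the web container serves a browser-untrusted certificate with no error. Rather than leaving this to the NOTE, enforce it before the certbot run: if a certificate already exists under `local_cert_dir` whose issuer is the staging CA (e.g. checked with `openssl x509 -noout -issuer`), force renewal or abort with the cleanup instruction; the lineage layout under docker/certs is not visible in this hunk, so fit the check to it. Independently, `staging_arg` now also carries the production flags, so rename it and document the asymmetry, e.g. `# staging certs are disposable, production issuance is rate-limited` followed by `renewal_args = '--keep-until-expiring' if letsencrypt_production else '--force-renewal --test-cert'`.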
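Review bot: The certbot command remains a `%`-formatted string executed with `shell=True`, and after this hunk the first placeholder expands to one or two whitespace-separated flags from `staging_arg` that do not pass through `quote()`, unlike the hostname and e-mail address; that is safe only because the value is a constant chosen in code, so state it where the command is built: `# staging_arg/email_arg are code-chosen; hostname is the only operator-supplied value and must stay wrapped in quote()`. A future edit that derives any of those flags from user input would otherwise inherit a shell-injection path without noticing. The start of the command string and the certbot subcommand lie outside this hunk.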