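#!/bin/bash
# SSL Setup Script for Let's Encrypt
#
# Obtains a Let's Encrypt certificate for $DOMAIN with a throw-away certbot
# container (standalone HTTP-01 challenge on port 80), installs it for the
# nginx container and registers a weekly renewal job.
#
# Usage:  DOMAIN=example.com [EMAIL=ops@example.com] ./scripts/setup-ssl.sh
# Env:    DOMAIN - fully-qualified host name to certify (required; the default
#                  "localhost" is rejected because Let's Encrypt cannot issue it)
#         EMAIL  - Let's Encrypt account contact (default: admin@$DOMAIN)
# Needs:  a running docker daemon, sudo, curl, openssl and crontab in PATH.
#
# -u catches typos in variable names, pipefail makes a failing stage of any
# pipeline fatal; -e alone would let both slip through.
set -euo pipefail

# Configuration
DOMAIN="${DOMAIN:-localhost}"
EMAIL="${EMAIL:-admin@${DOMAIN}}"
NGINX_CONTAINER="bots_nginx"
CERTBOT_IMAGE="certbot/certbot:latest"
readonly NGINX_CONTAINER CERTBOT_IMAGE

# Colors for output. Only emit escape sequences when stdout is a terminal so
# that captured logs stay free of control characters.
if [[ -t 1 ]]; then
  RED=$'\033[0;31m'
  GREEN=$'\033[0;32m'
  YELLOW=$'\033[1;33m'
  NC=$'\033[0m' # No Color
else
  RED=''
  GREEN=''
  YELLOW=''
  NC=''
fi
readonly RED GREEN YELLOW NC

# Logging helpers. Messages go through %s, so text from variables is printed
# verbatim rather than being interpreted for escape sequences as `echo -e`
# would do. Warnings and errors go to stderr; error() terminates the script.
_stamp() { date +'%Y-%m-%d %H:%M:%S'; }
log() { printf '%s[%s] %s%s\n' "$GREEN" "$(_stamp)" "$*" "$NC"; }
warn() { printf '%s[%s] WARNING: %s%s\n' "$YELLOW" "$(_stamp)" "$*" "$NC" >&2; }
error() {
  printf '%s[%s] ERROR: %s%s\n' "$RED" "$(_stamp)" "$*" "$NC" >&2
  exit 1
}

# Check if running as root; privileged steps use sudo explicitly instead.
if [[ $EUID -eq 0 ]]; then
  error "This script should not be run as root for security reasons"
fi

# Check if domain is localhost
if [[ "$DOMAIN" == "localhost" ]]; then
  warn "Domain is set to localhost. Let's Encrypt certificates cannot be issued for localhost."
  warn "Please set the DOMAIN environment variable to your actual domain name."
  warn "Example: DOMAIN=example.com ./scripts/setup-ssl.sh"
  exit 1
fi

# DOMAIN ends up in file paths, certbot arguments and a config template, so
# insist on a plain FQDN (labels of letters/digits/hyphens, alphabetic TLD).
host_re='^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
if [[ ! "$DOMAIN" =~ $host_re ]]; then
  error "DOMAIN '$DOMAIN' is not a valid fully-qualified host name"
fi

# Fail early on missing tools rather than half-way through the setup.
for tool in docker sudo curl openssl crontab; do
  command -v "$tool" >/dev/null 2>&1 || error "Required tool '$tool' not found in PATH"
done

# Check if Docker is running
if ! docker info >/dev/null 2>&1; then
  error "Docker is not running. Please start Docker and try again."
fi

# Check if nginx container is running. Ask the daemon for the exact container
# instead of grepping `docker ps`, which would also match any container whose
# name or image merely contains the string.
if [[ "$(docker container inspect -f '{{.State.Running}}' "$NGINX_CONTAINER" 2>/dev/null)" != "true" ]]; then
  error "Nginx container ($NGINX_CONTAINER) is not running. Please start it first with 'docker-compose up -d nginx'"
fi

log "Setting up SSL certificates for domain: $DOMAIN"
log "Email for Let's Encrypt: $EMAIL"

# Create necessary directories (both bind mounts used by the certbot container)
log "Creating Let's Encrypt directories..."
sudo mkdir -p /etc/letsencrypt/live /etc/letsencrypt/archive /etc/letsencrypt/renewal
sudo mkdir -p /var/lib/letsencrypt
sudo chmod 755 /etc/letsencrypt

# Stop nginx temporarily so the standalone authenticator can bind port 80.
# From here on, nginx is brought back on every exit path (including a failed
# certificate request); starting an already-running container is a no-op.
log "Stopping nginx container for certificate generation..."
docker stop "$NGINX_CONTAINER" >/dev/null || error "Could not stop nginx container ($NGINX_CONTAINER)"
trap 'docker start "$NGINX_CONTAINER" >/dev/null 2>&1 || true' EXIT

# Generate certificate using certbot
log "Generating SSL certificate using Let's Encrypt..."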
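# Request the certificate with a throw-away certbot container. The standalone
# authenticator answers the HTTP-01 challenge itself on port 80 (nginx is
# stopped at this point); the host's /etc/letsencrypt receives the account
# and certificate material.
docker run --rm \
  -v /etc/letsencrypt:/etc/letsencrypt \
  -v /var/lib/letsencrypt:/var/lib/letsencrypt \
  -p 80:80 \
  -p 443:443 \
  "$CERTBOT_IMAGE" certonly \
  --standalone \
  --non-interactive \
  --agree-tos \
  --email "$EMAIL" \
  --domains "$DOMAIN" \
  --expand \
  || error "certbot did not complete successfully for $DOMAIN"

live_dir="/etc/letsencrypt/live/$DOMAIN"

# Check if certificate was generated successfully. Test through sudo: certbot
# may create live/ and archive/ with mode 0700, in which case an unprivileged
# `-f` reports "missing" even though the file is there.
if ! sudo test -f "$live_dir/fullchain.pem"; then
  error "Failed to generate SSL certificate for $DOMAIN"
fi

log "SSL certificate generated successfully!"

# Set proper permissions. The *.pem entries in live/ are symlinks into
# archive/ and chmod follows them. The private key is restricted first and
# is never included in the 644 set, so it is not world-readable even briefly.
log "Setting proper permissions for SSL certificates..."
sudo chmod 755 /etc/letsencrypt/live /etc/letsencrypt/archive
sudo chmod 600 "$live_dir/privkey.pem"
sudo chmod 644 "$live_dir/cert.pem" "$live_dir/chain.pem" "$live_dir/fullchain.pem"

# Update nginx configuration to use Let's Encrypt certificates
log "Updating nginx configuration..."
template_file="infra/nginx/ssl/letsencrypt.conf"
if [[ -f "$template_file" ]]; then
  # Replace the {{DOMAIN}} placeholder with a bash substitution instead of
  # sed, so a domain containing sed metacharacters (/ & \) cannot alter the
  # expression, and write straight into place via sudo tee rather than
  # through a predictable file in /tmp.
  template=$(<"$template_file")
  printf '%s\n' "${template//'{{DOMAIN}}'/"$DOMAIN"}" \
    | sudo tee "$live_dir/letsencrypt.conf" >/dev/null
fi

# Start nginx container
log "Starting nginx container..."
docker start "$NGINX_CONTAINER" >/dev/null

# Wait for nginx by polling instead of a fixed sleep: give up after ~30 s.
log "Waiting for nginx to start..."
ssl_ok=0
for ((attempt = 1; attempt <= 30; attempt++)); do
  # No -k here on purpose: the point of the check is that the served chain
  # validates against the system trust store. Any HTTP status counts as
  # success, only a connection or TLS failure does not.
  if curl -s --max-time 10 -o /dev/null "https://$DOMAIN"; then
    ssl_ok=1
    break
  fi
  sleep 1
done

# Test SSL certificate
log "Testing SSL certificate..."
if (( ssl_ok )); then
  log "SSL certificate is working correctly!"
else
  warn "SSL certificate test failed. Please check nginx configuration."
fi

# Set up automatic renewal
log "Setting up automatic certificate renewal..."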
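renewal_script="/usr/local/bin/ssl-renewal.sh"

# Build the renewal script in a private temp file (never a predictable name
# in /tmp) and install it atomically with root ownership and mode 0755.
tmp_script=$(mktemp) || error "mktemp failed"

# First heredoc is unquoted: it bakes the current configuration values in.
cat >"$tmp_script" <<EOF
#!/bin/bash
# SSL Certificate Renewal Script (generated by setup-ssl.sh)
set -euo pipefail

DOMAIN="$DOMAIN"
NGINX_CONTAINER="$NGINX_CONTAINER"
CERTBOT_IMAGE="$CERTBOT_IMAGE"
EOF

# Second heredoc is quoted: everything below is evaluated at renewal time.
cat >>"$tmp_script" <<'EOF'

live_cert="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
log_file="/var/log/ssl-renewal.log"

# Append to the log file; fall back to syslog when the file is not writable
# for the user the cron job runs as, so a log problem never masks the result.
note() {
  printf '%s: %s\n' "$(date)" "$*" >>"$log_file" 2>/dev/null \
    || logger -t ssl-renewal -- "$*"
}

# certbot only renews within 30 days of expiry, so skip the run (and the
# nginx downtime below) while the certificate is not due. If the file cannot
# be read the check fails and a real renewal attempt is made instead.
if openssl x509 -checkend $((30 * 24 * 3600)) -noout -in "$live_cert" 2>/dev/null; then
  note "certificate for $DOMAIN not due for renewal yet"
  exit 0
fi

# The certificate was issued with the standalone authenticator, which has to
# bind port 80 itself, so nginx must be stopped while certbot runs. It is
# started again on every exit path; a container restart already loads the
# renewed certificate, so no separate reload is needed.
docker stop "$NGINX_CONTAINER" >/dev/null
trap 'docker start "$NGINX_CONTAINER" >/dev/null' EXIT

docker run --rm \
  -v /etc/letsencrypt:/etc/letsencrypt \
  -v /var/lib/letsencrypt:/var/lib/letsencrypt \
  -p 80:80 \
  "$CERTBOT_IMAGE" renew --quiet

docker start "$NGINX_CONTAINER" >/dev/null
note "SSL certificates renewed successfully"
EOF

sudo install -m 0755 "$tmp_script" "$renewal_script"
rm -f -- "$tmp_script"

# Add cron job for automatic renewal (every Monday at 2 AM). Existing entries
# for the script are dropped first so re-running the setup does not stack
# duplicates. The job runs as the invoking user, who therefore needs access
# to the docker socket.
log "Adding cron job for automatic renewal..."
cron_line="0 2 * * 1 $renewal_script"
{
  crontab -l 2>/dev/null | grep -vF -- "$renewal_script" || true
  printf '%s\n' "$cron_line"
} | crontab -

log "SSL setup completed successfully!"
log "Certificate location: /etc/letsencrypt/live/$DOMAIN/"
log "Automatic renewal is configured to run every Monday at 2 AM"
log "You can test the renewal manually with: sudo $renewal_script"

# Display certificate information (subject, validity window, SANs). Read via
# sudo because the live/ tree may not be readable by an unprivileged user.
log "Certificate information:"
sudo openssl x509 -in "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" -text -noout \
  | grep -E "(Subject:|Not Before|Not After|DNS:)" \
  || warn "Could not read certificate details from /etc/letsencrypt/live/$DOMAIN/"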