update certbot cert request process
PandaRyshan committed May 8, 2024
1 parent 15d6482 commit 936fec6
Showing 5 changed files with 48 additions and 30 deletions.
File renamed without changes.
9 changes: 4 additions & 5 deletions Dockerfile
@@ -6,7 +6,7 @@ ENV URL="https://www.infradead.org/ocserv/download/"
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

RUN set -x \
&& apt-get update && apt-get install -y wget make gcc \
&& apt-get update && apt-get install -y curl make gcc coreutils \
&& apt-get install --no-install-recommends -y \
xz-utils gawk pkg-config nettle-dev gnutls-bin \
libgnutls28-dev libprotobuf-c-dev libev-dev \
@@ -15,15 +15,15 @@ RUN set -x \
libradcli-dev libpam0g-dev libkrb5-dev \
certbot python3-certbot-dns-cloudflare cron iptables \
ipcalc-ng \
&& wget -qO- "${URL}" | \
&& curl -sL "${URL}" | \
grep -oE 'ocserv-([0-9]{1,}\.)+[0-9]{1,}\.tar\.xz' | \
sort -V | tail -n1 | \
xargs -I {} wget -q "${URL}{}" -O ocserv.tar.xz \
xargs -I {} curl -sLo ocserv.tar.xz "${URL}{}" \
&& tar -xf ocserv.tar.xz && cd ocserv-* \
&& ./configure \
&& make && make install && make clean \
&& cd .. && rm -rf ocserv-* ocserv.tar.xz \
&& apt-get -y remove --auto-remove --purge wget make gcc \
&& apt-get -y remove --auto-remove --purge make gcc \
&& rm -rf /var/lib/apt/lists/* \
&& rm -rf /etc/ocserv/ocserv.conf

@@ -36,4 +36,3 @@ ENTRYPOINT ["/entrypoint.sh"]

EXPOSE 443
CMD ["ocserv", "-c", "/etc/ocserv/ocserv.conf", "-f"]
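Review bot: `curl -sL` in the second hunk (both the version listing and the `xargs -I {} curl -sLo ocserv.tar.xz` download) exits 0 on an HTTP error, so a failed download leaves an error body named ocserv.tar.xz and the chain only fails later with a `tar` message that points at the wrong step; `curl -fsSL "${URL}"` and `curl -fsSLo ocserv.tar.xz "${URL}{}"` fail at the right line. The archive chosen by `sort -V | tail -n1` is still extracted and built without any checksum or signature check, which the switch from wget to curl does not change; if the download site publishes a detached signature next to the archive, fetching and verifying it in the same RUN step would pin what goes into the image. The RUN instruction continues past the hunk.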

16 changes: 11 additions & 5 deletions README.md
@@ -1,4 +1,4 @@
# ocserv + certbot 2 in 1 image
# ocserv with certbot support

---

@@ -16,15 +16,20 @@ The latest version is 1.3.0, and dockerhub page is [here](https://ocserv.gitlab.

### Server

* clone this repo
* clone this repo, or copy the content of `docker-compose.yml.sample` and `.env.sample`, and paste into your own docker compose file and env file
* check the environment config in `docker-compose.yml`. email address is optional and only for certs expiration remind if certs renew failed
* (optional) mount your local dir to keep your certificates and config files
* if you want get certs via cloudflare api token, please mount config file into config/ folder
* if you want to get certs via cloudflare api token, mount your own token config file
* if you want to get certs via http, please make sure 80 port is open
* run `docker-compose up -d`
* keep in mind add `listen-proxy-proto = true` in your `ocserv.conf` if you want to put ocserv in the back of proxy, like haproxy.
* if you don't provide a default user/pass, there's a new user/pass will be generated by default, and you could check it at `$HOME/initial_pass.txt` or `docker compose logs ocserv`
* added WAIT_* options in compose file, and ocserv will be run after items you provided are ready, see usage: [link](https://github.com/ufoscout/docker-compose-wait/tree/2.12.0)
* if you don't provide a default user/pass, a new user/pass will be generated by default, and you could check it at `$HOME/initial_pass.txt` or `docker compose logs ocserv`
* added WAIT_* options in compose file, and ocserv will be run after items you provided are ready, see usage: [link](https://github.com/ufoscout/docker-compose-wait)
* generate new user

```shell
docker exec <your-ocserv-container-name>
```

### Client

@@ -88,6 +93,7 @@ sudo systemctl restart docker.service
* [Block Visitors by Country Using Firewall](https://www.ip2location.com/free/visitor-blocker)
* [ocserv changelog](https://ocserv.gitlab.io/www/changelog.html)
* [Docker Enable IPv6 support](https://docs.docker.com/config/daemon/ipv6/)
* [Docker compose wait](https://github.com/ufoscout/docker-compose-wait)
---
15 changes: 6 additions & 9 deletions docker-compose.yml → docker-compose.yml.sample
@@ -1,17 +1,14 @@
services:
ocserv:
image: /ocserv:latest
image: pandasrun/ocserv:latest
container_name: ocserv
environment:
- TZ=Asia/Hong_Kong
- DOMAIN=
- EMAIL= # OPTIONAL, only for cert expiration remind
- USERNAME= # OPTIONAL, it will be generated auto
- PASSWORD=
- WAIT_HOSTS= # OPTIONAL, run ocserv after following items ready
- WAIT_PATHS=
- WAIT_FILES=
- WAIT_TIMEOUT=
- DOMAIN=${DOMAIN}
- EMAIL=${EMAIL} # OPTIONAL, only for cert expiration remind
- USERNAME=${USERNAME} # OPTIONAL, will be generated auto if not set
- PASSWORD=${USERPASS} # OPTIONAL, will be generated auto if not set
- WAIT_TIMEOUT=30 # OPTIONAL, default 30s, wait for file / host / container to be ready
ports:
- 80:80 # for certbot obtain cert via http, no need when you use dns
- 443:443
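Review bot: `PASSWORD=${USERPASS}` in the new environment list reads a compose variable whose name differs from the container variable, while `DOMAIN`, `EMAIL` and `USERNAME` each read the same-named one; if the accompanying `.env.sample` (not visible here) defines `PASSWORD` rather than `USERPASS`, compose substitutes an empty string and the entrypoint's auto-generated password is used without any warning. Either use `- PASSWORD=${PASSWORD}` or state the `USERPASS` name in that line's comment. The removed `WAIT_HOSTS`/`WAIT_PATHS`/`WAIT_FILES` entries are still advertised by the README's WAIT_* bullet in this commit, so the sample no longer shows how to set them.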
38 changes: 27 additions & 11 deletions docker-entrypoint.sh
@@ -91,13 +91,18 @@ fi
# Create certs if no local or letsencrypt certs
if [ ! -f "/etc/ocserv/server.cert" ] && [ ! -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]; then

IPV4=$(timeout 3 curl -s https://ipinfo.io/ip || echo "")
IPV6=$(timeout 3 curl -s https://6.ipinfo.io/ip || echo "")
if [ -z $DOMAIN ]; then

# Create self signed certificate
CN="vpn.example.com"
ORG="Organization"
DAYS=3650
IP=$(curl -s ipinfo.io/ip)
if [ -z "$IPV4" ] && [ -z "$IPV6" ]; then
echo "Failed to get public IP address"
exit 1
fi

certtool --generate-privkey --outfile ca-key.pem
cat > ca.tmpl <<-EOCA
@@ -121,26 +126,36 @@ if [ ! -f "/etc/ocserv/server.cert" ] && [ ! -f "/etc/letsencrypt/live/$DOMAIN/f
encryption_key
tls_www_server
# dns_name = "<your-hostname>"
ip_address = "$IP"
ip_address = "${IPV4:-$IPV6}"
EOSRV
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
echo "server-cert = /etc/ocserv/server-cert.pem" >> ocserv.conf
echo "server-key = /etc/ocserv/server-key.pem" >> ocserv.conf

else

if [[ -z $EMAIL ]]; then
EMAIL="foo@pandas.run"
fi

# Create letsencrypt certificate
if [ -f "/etc/ocserv/cloudflare.ini" ]; then
certbot certonly --dns-cloudflare \
--dns-cloudflare-credentials /etc/ocserv/cloudflare.ini --email $EMAIL -d $DOMAIN \
--non-interactive --agree-tos
if [[ -z $EMAIL ]]; then
certbot certonly --dns-cloudflare --non-interactive --agree-tos \
--dns-cloudflare-credentials /etc/ocserv/cloudflare.ini \
--register-unsafely-without-email \

else
certbot certonly --dns-cloudflare --non-interactive --agree-tos \
--dns-cloudflare-credentials /etc/ocserv/cloudflare.ini \
-d $DOMAIN \
--email $EMAIL \
--non-interactive --agree-tos
else
certbot certonly --non-interactive --agree-tos \
--standalone --preferred-challenges http --agree-tos --email $EMAIL -d $DOMAIN
if [[ -z $EMAIL ]]; then
certbot certonly --standalone --non-interactive --agree-tos \
-d $DOMAIN \
--register-unsafely-without-email \
else
certbot certonly --standalone --non-interactive --agree-tos \
-d $DOMAIN \
--email $EMAIL \
fi

cron_file="/var/spool/cron/crontabs/root"
@@ -182,6 +197,7 @@ fi

# Open ipv4 ip forward
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1

# Enable NAT forwarding
# if you want to specific translate ip, uncomment the following line, -j MASQUERADE is dynamic way
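Review bot: The new certbot branches in the second hunk cannot run as written: `--register-unsafely-without-email \` in the standalone no-email branch and `--email $EMAIL \` on the line before the kept `fi` end with a line continuation, so bash joins the following `else`/`fi` onto the certbot command line and the `if` is never closed; the cloudflare no-email branch also omits `-d $DOMAIN`, which certbot needs in `--non-interactive` mode, and as far as the rendered view shows the inner `if [[ -z $EMAIL ]]` of the cloudflare branch has no `fi` before the outer `else`. The two plugins differ only in their own flags, so building the shared arguments once in an array removes the duplicated lines and the dangling continuations, and `$DOMAIN`/`$EMAIL` come from the container environment and should be quoted. In the first hunk, `curl -s` without `--fail` exits 0 on an HTTP error, so an error body would pass the emptiness check and be written into the template as `ip_address`; `timeout 3 curl -fs ...` closes that gap. The enclosing `if`/`else` block starts and ends outside the hunk.
```shell
# Create letsencrypt certificate
certbot_args=(certonly --non-interactive --agree-tos -d "$DOMAIN")
if [[ -z "$EMAIL" ]]; then
  certbot_args+=(--register-unsafely-without-email)
else
  certbot_args+=(--email "$EMAIL")
fi
if [ -f "/etc/ocserv/cloudflare.ini" ]; then
  certbot "${certbot_args[@]}" --dns-cloudflare \
    --dns-cloudflare-credentials /etc/ocserv/cloudflare.ini
else
  certbot "${certbot_args[@]}" --standalone
fi
# … unchanged: cron_file setup …
```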
