Merge pull request internetarchive#8847 from cdrini/8809/fix/certbot-…

…covers Fix covers nginx wrong certbot init
benbdeitch · Feb 28, 2024 · f17242e · f17242e
2 parents 2aeda27 + ca0e1f6
commit f17242e
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 35 deletions.
diff --git a/compose.production.yaml b/compose.production.yaml
@@ -91,8 +91,6 @@ services:
     volumes:
       - ./docker/nginx.conf:/etc/nginx/nginx.conf:ro
       - ./docker/covers_nginx.conf:/etc/nginx/sites-enabled/covers_nginx.conf:ro
-      # Needed for HTTPS, since this is a public server
-      - ./docker/public_nginx.conf:/etc/nginx/sites-available/public_nginx.conf:ro
       # letsencrypt
       - letsencrypt-data:/etc/letsencrypt
       - ../olsystem/etc/cron.d/certbot:/etc/cron.d/certbot
@@ -182,8 +180,6 @@ services:
       # nginx configurations
       - ./docker/nginx.conf:/etc/nginx/nginx.conf:ro
       - ./docker/web_nginx.conf:/etc/nginx/sites-enabled/openlibrary.conf:ro
-      # Needed for HTTPS, since this is a public server
-      - ./docker/public_nginx.conf:/etc/nginx/sites-available/public_nginx.conf:ro
       # archive web log uploads
       - ../olsystem:/olsystem
       # web log rotation

diff --git a/docker/covers_nginx.conf b/docker/covers_nginx.conf
@@ -1,4 +1,20 @@
-include /etc/nginx/sites-available/public_nginx.conf;
+# Keep in sync with web_nginx.conf
+server {
+    listen 80 default;
+    listen [::]:443 ssl http2 ipv6only=on;
+    listen 443 ssl http2;
+    server_name localhost;
+
+    ssl_certificate /etc/letsencrypt/live/covers.openlibrary.org/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/covers.openlibrary.org/privkey.pem;
+
+    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+    ssl_dhparam /olsystem/etc/nginx/dhparam-2048.pem;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+    ssl_prefer_server_ciphers on;
+}
 
 server {
       listen 80;

diff --git a/docker/ol-nginx-start.sh b/docker/ol-nginx-start.sh
@@ -1,18 +1,14 @@
 #!/bin/bash
 
 # Create certs for domains missing them
-RUN_CERTBOT=0
 CERTBOT_OPTIONS=""
 for domain in $NGINX_DOMAIN; do
   CERTBOT_OPTIONS+=" -d $domain"
-  if [ ! -d "/etc/letsencrypt/live/$domain" ]; then
-    RUN_CERTBOT=1
-  fi
 done
-
-if [ "$RUN_CERTBOT" -eq 1 ]; then
-  certbot certonly --webroot --webroot-path /openlibrary/static $CERTBOT_OPTIONS
-fi
+certbot certonly \
+  --noninteractive --agree-tos \
+  -m openlibrary@archive.org \
+  --webroot --webroot-path /openlibrary/static $CERTBOT_OPTIONS
 
 # Run crontab if there are files
 if [ -n "$CRONTAB_FILES" ] ; then

diff --git a/docker/public_nginx.conf b/docker/public_nginx.conf
diff --git a/docker/web_nginx.conf b/docker/web_nginx.conf
@@ -16,7 +16,23 @@ upstream webnodes {
     server web_haproxy:7072;
 }
 
-include /etc/nginx/sites-available/public_nginx.conf;
+# Keep in sync with covers_nginx.conf
+server {
+    listen 80 default;
+    listen [::]:443 ssl http2 ipv6only=on;
+    listen 443 ssl http2;
+    server_name localhost;
+
+    ssl_certificate /etc/letsencrypt/live/openlibrary.org/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/openlibrary.org/privkey.pem;
+
+    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+    ssl_dhparam /olsystem/etc/nginx/dhparam-2048.pem;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+    ssl_prefer_server_ciphers on;
+}
 
 server {
     listen 80;