GithubBackup/MoviePilot
1
0
Fork 0
mirror of https://github.com/jxxghp/MoviePilot.git synced 2026-06-17 05:30:43 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix(docker): reduce env logs and harden ssl cert startup

Browse Source
This commit is contained in:
jxxghp
2026-05-25 22:14:27 +08:00
parent c33c62b938
commit 91f6ad092e
3 changed files with 209 additions and 134 deletions
Download Patch File Download Diff File Expand all files Collapse all files

185
docker/cert.sh
View File

@@ -1,5 +1,14 @@
#!/bin/bash
CERT_ERREXIT_WAS_SET=false
CERT_PIPEFAIL_WAS_SET=false
if [[ "$-" == *e* ]]; then
CERT_ERREXIT_WAS_SET=true
fi
if shopt -qo pipefail; then
CERT_PIPEFAIL_WAS_SET=true
fi
set -e
set -o pipefail
Green="\033[32m"
Red="\033[31m"
@@ -18,110 +27,206 @@ function WARN() {
echo -e "${WARN} ${1}"
}
CERT_DIR="${CONFIG_DIR}/certs"
ACME_HOME="${CONFIG_DIR}/acme.sh"
ACME_DATA_DIR="${ACME_HOME}/data"
ACME_CERT_DIR="${CERT_DIR}/${SSL_DOMAIN}"
ACME_LATEST_CERT_DIR="${CERT_DIR}/latest"
NGINX_RELOAD_CMD="nginx -s reload 2>/dev/null || true"
# 恢复调用方原有 shell 选项,避免 source 本脚本后影响 entrypoint 后续流程。
function restore_shell_options() {
if ! ${CERT_PIPEFAIL_WAS_SET}; then
set +o pipefail
fi
if ! ${CERT_ERREXIT_WAS_SET}; then
set +e
fi
}
# 输出错误并恢复调用方 shell 选项,确保 source 失败时不会污染后续流程。
function exit_with_error() {
ERROR "$1"
restore_shell_options
exit 1
}
# 使用固定的 acme.sh 工作目录执行命令,避免签发、安装和续期读取不同配置目录。
function run_acme() {
LE_WORKING_DIR="${ACME_HOME}" \
LE_CONFIG_HOME="${ACME_DATA_DIR}" \
LE_CERT_HOME="${CERT_DIR}" \
"${ACME_HOME}/acme.sh" --home "${ACME_HOME}" "$@"
}
# 维护 nginx 使用的稳定证书目录链接,兼容手动证书和自动签发证书路径。
function link_latest_cert_dir() {
if [ -e "${ACME_LATEST_CERT_DIR}" ] && [ ! -L "${ACME_LATEST_CERT_DIR}" ]; then
rm -rf "${ACME_LATEST_CERT_DIR}"
fi
ln -sfn "${ACME_CERT_DIR}" "${ACME_LATEST_CERT_DIR}"
}
# 配置证书自动续期;续期任务失败不应阻断已有证书启动。
function configure_cert_renewal() {
if ! command -v cron >/dev/null 2>&1; then
WARN "未安装 cron跳过证书自动续期任务配置"
return 0
fi
if ! mkdir -p /etc/cron.d 2>/dev/null; then
WARN "无法创建 /etc/cron.d跳过证书自动续期任务配置"
return 0
fi
if ! printf "0 3 * * * root LE_WORKING_DIR=%q LE_CONFIG_HOME=%q LE_CERT_HOME=%q %q --cron --home %q\n" \
"${ACME_HOME}" \
"${ACME_DATA_DIR}" \
"${CERT_DIR}" \
"${ACME_HOME}/acme.sh" \
"${ACME_HOME}" > /etc/cron.d/acme 2>/dev/null; then
WARN "无法写入 /etc/cron.d/acme跳过证书自动续期任务配置"
return 0
fi
if ! chmod 644 /etc/cron.d/acme 2>/dev/null; then
WARN "无法设置 /etc/cron.d/acme 权限,证书自动续期任务可能不会生效"
return 0
fi
if ! pgrep -x cron >/dev/null 2>&1 && ! cron 2>/dev/null; then
WARN "cron 启动失败,证书自动续期任务可能不会生效"
fi
}
# 核心条件验证
if [ "${ENABLE_SSL}" = "true" ] && \
[ "${AUTO_ISSUE_CERT}" = "true" ] && \
[ -n "${SSL_DOMAIN}" ]; then
# 创建证书目录
mkdir -p /config/certs/"${SSL_DOMAIN}"
chown moviepilot:moviepilot /config/certs -R
mkdir -p "${ACME_CERT_DIR}"
if id moviepilot >/dev/null 2>&1; then
chown moviepilot:moviepilot "${CERT_DIR}" -R
fi
# 安装acme.sh使用官方安装脚本
if [ ! -d "/config/acme.sh" ]; then
if [ ! -f "${ACME_HOME}/acme.sh" ]; then
INFO "→ 安装acme.sh..."
# 设置安装环境变量
export LE_WORKING_DIR="/config/acme.sh"
export LE_CONFIG_HOME="/config/acme.sh/data"
export LE_CERT_HOME="/config/certs"
# 执行官方安装命令(添加错误处理)
INFO "正在下载并安装 acme.sh..."
# 构建安装命令
INSTALL_CMD="curl -sSL https://get.acme.sh | sh -s -- --install-online"
install_args=("--install-online")
if [ -n "${SSL_EMAIL}" ]; then
INSTALL_CMD="${INSTALL_CMD} --accountemail ${SSL_EMAIL}"
install_args+=("--accountemail" "${SSL_EMAIL}")
else
WARN "未设置SSL_EMAIL建议配置邮箱用于证书过期提醒"
fi
if ! eval "${INSTALL_CMD}"; then
ERROR "acme.sh 安装失败"
exit 1
if ! curl -sSL https://get.acme.sh | \
LE_WORKING_DIR="${ACME_HOME}" \
LE_CONFIG_HOME="${ACME_DATA_DIR}" \
LE_CERT_HOME="${CERT_DIR}" \
sh -s -- "${install_args[@]}"; then
exit_with_error "acme.sh 安装失败"
fi
# 验证安装是否成功
if [ ! -f "/config/acme.sh/acme.sh" ]; then
ERROR "acme.sh 安装后文件不存在,安装可能失败"
exit 1
if [ ! -f "${ACME_HOME}/acme.sh" ]; then
exit_with_error "acme.sh 安装后文件不存在,安装可能失败"
fi
INFO "acme.sh 安装成功"
fi
# 签发证书(仅当证书不存在时)
if [ ! -f "/config/certs/${SSL_DOMAIN}/fullchain.pem" ]; then
if [ ! -f "${ACME_CERT_DIR}/fullchain.pem" ] || [ ! -f "${ACME_CERT_DIR}/privkey.pem" ]; then
# 必要参数检查
REQUIRED_VARS=("DNS_PROVIDER")
for var in "${REQUIRED_VARS[@]}"; do
eval "value=\${${var}}"
[ -z "$value" ] && { ERROR "必须设置环境变量: ${var}"; exit 1; }
[ -z "$value" ] && exit_with_error "必须设置环境变量: ${var}"
done
INFO "→ 签发证书: ${SSL_DOMAIN} (DNS验证方式: ${DNS_PROVIDER})"
# 加载ACME环境变量带安全过滤
INFO "正在加载ACME环境变量..."
env | grep '^ACME_ENV_' | while read -r line; do
key="${line#ACME_ENV_}"
key="${key%%=*}"
value="${line#ACME_ENV_${key}=}"
acme_exported_vars=()
acme_original_keys=()
acme_original_values=()
acme_had_original_values=()
while IFS= read -r var_name; do
[ -z "${var_name}" ] && continue
key="${var_name#ACME_ENV_}"
value="${!var_name}"
# 过滤非法变量名
if [[ "$key" =~ ^[a-zA-Z_][a-zA-Z0-9_]*$ ]]; then
acme_original_keys+=("${key}")
if eval "[ -n \"\${${key}+x}\" ]"; then
acme_had_original_values+=("true")
acme_original_values+=("$(eval "printf '%s' \"\${${key}}\"")")
else
acme_had_original_values+=("false")
acme_original_values+=("")
fi
export "$key"="$value"
INFO "已加载环境变量: ${key}=******"
acme_exported_vars+=("${key}")
else
WARN "跳过无效变量名: ${key}"
fi
done
done < <(compgen -A variable ACME_ENV_ || true)
# 签发证书(添加错误处理)
INFO "正在签发证书..."
if ! /config/acme.sh/acme.sh --issue \
if ! run_acme --issue \
--dns "${DNS_PROVIDER}" \
--domain "${SSL_DOMAIN}" \
--key-file /config/certs/"${SSL_DOMAIN}"/privkey.pem \
--fullchain-file /config/certs/"${SSL_DOMAIN}"/fullchain.pem \
--reloadcmd "nginx -s reload" \
--force; then
ERROR "证书签发失败"
exit 1
exit_with_error "证书签发失败"
fi
INFO "正在安装证书文件..."
if ! run_acme --install-cert \
--domain "${SSL_DOMAIN}" \
--key-file "${ACME_CERT_DIR}/privkey.pem" \
--fullchain-file "${ACME_CERT_DIR}/fullchain.pem" \
--reloadcmd "${NGINX_RELOAD_CMD}"; then
exit_with_error "证书安装失败"
fi
for index in "${!acme_original_keys[@]}"; do
var_name="${acme_original_keys[$index]}"
if [ "${acme_had_original_values[$index]}" = "true" ]; then
export "${var_name}=${acme_original_values[$index]}"
else
unset "${var_name}"
fi
done
# 创建稳定符号链接
ln -sf /config/certs/"${SSL_DOMAIN}" /config/certs/latest
link_latest_cert_dir
INFO "证书签发成功"
else
link_latest_cert_dir
INFO "证书已存在,跳过签发步骤"
fi
# 配置自动更新任务
INFO "→ 配置cron自动更新..."
echo "0 3 * * * /config/acme.sh/acme.sh --cron --home /config/acme.sh && nginx -s reload" > /etc/cron.d/acme
chmod 644 /etc/cron.d/acme
service cron start
configure_cert_renewal
elif [ "${ENABLE_SSL}" = "true" ] && [ "${AUTO_ISSUE_CERT}" = "true" ] && [ -z "${SSL_DOMAIN}" ]; then
WARN "已启用自动签发证书但未设置SSL_DOMAIN跳过证书管理"
exit_with_error "已启用自动签发证书但未设置 SSL_DOMAIN无法生成 HTTPS 证书"
elif [ "${ENABLE_SSL}" = "true" ] && [ "${AUTO_ISSUE_CERT}" = "false" ]; then
INFO "SSL已启用但自动签发证书已禁用将使用手动配置的证书"
# 检查证书文件是否存在
if [ -f "/config/certs/latest/fullchain.pem" ] && [ -f "/config/certs/latest/privkey.pem" ]; then
if [ -f "${ACME_LATEST_CERT_DIR}/fullchain.pem" ] && [ -f "${ACME_LATEST_CERT_DIR}/privkey.pem" ]; then
INFO "检测到证书文件SSL配置正常"
else
WARN "未检测到证书文件,请确保手动配置了正确的证书路径"
exit_with_error "未检测到证书文件,请将 fullchain.pem 和 privkey.pem 放入 ${ACME_LATEST_CERT_DIR}"
fi
fi
fi
restore_shell_options