From 840a18a82c27d29c6246b35b829f9c64504010dd Mon Sep 17 00:00:00 2001
From: Henti Smith
Date: Sat, 10 May 2025 12:35:16 +0000
Subject: [PATCH 1/3] Add support for expand
When adding mulitple hosts on a single cloudflare domain, the additional domains will be added as "Subject Alternative Name" and the certificate will need to be updated. Since the default setting in certbot is to ask, this fails. This change adds support for CERTBOT_EXPAND, which when set to true, will add the `--expand` option on the certbot run.
---
 src/Dockerfile | 3 ++-
 src/entrypoint.sh | 8 ++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/Dockerfile b/src/Dockerfile
index eec6266..dd9df75 100644
--- a/src/Dockerfile
+++ b/src/Dockerfile
@@ -11,6 +11,7 @@ ENV CERTBOT_DOMAINS="" \
 CERTBOT_EMAIL="" \
 CERTBOT_KEY_TYPE="ecdsa" \
 CERTBOT_SERVER="https://acme-v02.api.letsencrypt.org/directory" \
+ CERTBOT_EXPAND="" \
 CLOUDFLARE_API_TOKEN="" \
 CLOUDFLARE_CREDENTIALS_FILE="/cloudflare.ini" \
 CLOUDFLARE_PROPAGATION_SECONDS="10" \
@@ -33,4 +34,4 @@ RUN apk update && \
 ENTRYPOINT ["/entrypoint.sh"]
 HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
- CMD [ -f "/etc/letsencrypt/live/$(echo "$CERTBOT_DOMAINS" | cut -d',' -f1)/fullchain.pem" ]
\ No newline at end of file
+ CMD [ -f "/etc/letsencrypt/live/$(echo "$CERTBOT_DOMAINS" | cut -d',' -f1)/fullchain.pem" ]
diff --git a/src/entrypoint.sh b/src/entrypoint.sh
index e3b2a35..1b089b5 100644
--- a/src/entrypoint.sh
+++ b/src/entrypoint.sh
@@ -105,6 +105,13 @@ run_certbot() {
 debug_flag=""
 [ "$DEBUG" = "true" ] && debug_flag="-v"
+ # Check if we need to expand
+ if [ "$CERTBOT_EXPAND" == "true" ]; then
+ expand="--expand"
+ else
+ expand=""
+ fi
+
 $certbot_cmd $debug_flag certonly \
 --dns-cloudflare \
 --dns-cloudflare-credentials "$CLOUDFLARE_CREDENTIALS_FILE" \
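Review bot: The new test `[ "$CERTBOT_EXPAND" == "true" ]` uses `==`, which POSIX `test` does not define, while the line directly above it in the same hunk spells the identical comparison as `[ "$DEBUG" = "true" ]`; the shebang is outside the hunk, so I cannot tell whether this script is guaranteed to run under bash, and under a plain `sh` the `==` form can fail with "unexpected operator". Use `=` for both consistency and portability: `if [ "$CERTBOT_EXPAND" = "true" ]; then`. The `expand` variable is also assigned without `local` inside run_certbot, so it leaks into the caller's scope like `debug_flag` does; if the script is bash, `local expand=""` before the `if` would contain it. run_certbot's body continues outside the hunk.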
@@ -113,6 +120,7 @@ run_certbot() {
 --key-type "$CERTBOT_KEY_TYPE" \
 --email "$CERTBOT_EMAIL" \
 --server "$CERTBOT_SERVER" \
+ $expand \
 --agree-tos \
 --non-interactive \
 --strict-permissions
From 29fbf3678195096fc7700b4bb846ed2c993ee3f2 Mon Sep 17 00:00:00 2001
From: Henti Smith
Date: Sat, 10 May 2025 12:46:18 +0000
Subject: [PATCH 2/3] Update docs and Dockerfile
Removed entry for CERTBOT_EXPAND in Dockerfile as it's optional. Updated docs to include CERTBOT_EXPAND
---
 README.md | 1 +
 src/Dockerfile | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index e2d03fa..6cfe845 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,7 @@ The following environment variables can be used to customize the Certbot contain
 | Variable | Description | Default Value |
 |------------------------|---------------------------------------------------------------------|---------------|
 | `CERTBOT_DOMAINS` | Comma-separated list of domains for which to obtain the certificate | - |
+| `CERTBOT_EXPAND` | Expand existing certificate to add Subject Alternative Name domains | - |
 | `CERTBOT_EMAIL` | Email address for Let's Encrypt notifications | - |
 | `CERTBOT_KEY_TYPE` | Type of private key to generate | `ecdsa` |
 | `CERTBOT_SERVER` | The ACME server URL | `https://acme-v02.api.letsencrypt.org/directory` |
diff --git a/src/Dockerfile b/src/Dockerfile
index dd9df75..139a452 100644
--- a/src/Dockerfile
+++ b/src/Dockerfile
@@ -11,7 +11,6 @@ ENV CERTBOT_DOMAINS="" \
 CERTBOT_EMAIL="" \
 CERTBOT_KEY_TYPE="ecdsa" \
 CERTBOT_SERVER="https://acme-v02.api.letsencrypt.org/directory" \
- CERTBOT_EXPAND="" \
 CLOUDFLARE_API_TOKEN="" \
 CLOUDFLARE_CREDENTIALS_FILE="/cloudflare.ini" \
 CLOUDFLARE_PROPAGATION_SECONDS="10" \
From 63f1e6e5a19de42af5c557b4a751ba67f7db4824 Mon Sep 17 00:00:00 2001
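Review bot: `$expand` is spliced into the certbot argument list unquoted, which is the only way an empty value can vanish from the command line, but nothing says so and ShellCheck will flag it as SC2086; the next maintainer who "fixes" the quoting will pass an empty-string argument to certbot and break every run where CERTBOT_EXPAND is unset. A comment cannot sit inside the backslash-continued command, so put it above the `$certbot_cmd` line: `# shellcheck disable=SC2086 -- $expand is "" or "--expand" and must word-split`. run_certbot's body continues outside the hunk.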
From: Jay Rogers
Date: Tue, 23 Sep 2025 11:42:59 -0500
Subject: [PATCH 3/3] Enhance README and Dockerfile; deprecate CERTBOT_EXPAND
Updated README to clarify usage of CERTBOT_DOMAINS and introduced CERTBOT_CERT_NAME for explicit certificate management. Marked CERTBOT_EXPAND as deprecated, recommending the use of CERTBOT_CERT_NAME instead. Adjusted Dockerfile to include new environment variable and set default values accordingly.
---
 README.md | 5 +++--
 src/Dockerfile | 4 +++-
 src/entrypoint.sh | 17 ++++++++++-------
 3 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 6cfe845..acc4513 100644
--- a/README.md
+++ b/README.md
@@ -56,8 +56,9 @@ The following environment variables can be used to customize the Certbot contain
 | Variable | Description | Default Value |
 |------------------------|---------------------------------------------------------------------|---------------|
-| `CERTBOT_DOMAINS` | Comma-separated list of domains for which to obtain the certificate | - |
-| `CERTBOT_EXPAND` | Expand existing certificate to add Subject Alternative Name domains | - |
+| `CERTBOT_DOMAINS` | Comma-separated list of domains for which to obtain the certificate (example: `example.com,www.example.com`) | - |
+| `CERTBOT_CERT_NAME` | Explicit certificate name to update/modify ([See official docs →](https://eff-certbot.readthedocs.io/en/stable/using.html#changing-a-certificate-s-domains)) | - |
+| `CERTBOT_EXPAND` | **DEPRECATED**: Expand existing certificate to add domains (use CERTBOT_CERT_NAME instead, [see official docs →](https://eff-certbot.readthedocs.io/en/stable/using.html#re-creating-and-updating-existing-certificates)) | `false` |
 | `CERTBOT_EMAIL` | Email address for Let's Encrypt notifications | - |
 | `CERTBOT_KEY_TYPE` | Type of private key to generate | `ecdsa` |
 | `CERTBOT_SERVER` | The ACME server URL | `https://acme-v02.api.letsencrypt.org/directory` |
diff --git a/src/Dockerfile b/src/Dockerfile
index 139a452..2a2479e 100644
--- a/src/Dockerfile
+++ b/src/Dockerfile
@@ -9,6 +9,8 @@ ARG CERTBOT_GID=9999
 ENV CERTBOT_DOMAINS="" \
 CERTBOT_EMAIL="" \
+ CERTBOT_EXPAND=false \
+ CERTBOT_CERT_NAME="" \
 CERTBOT_KEY_TYPE="ecdsa" \
 CERTBOT_SERVER="https://acme-v02.api.letsencrypt.org/directory" \
 CLOUDFLARE_API_TOKEN="" \
@@ -33,4 +35,4 @@ RUN apk update && \
 ENTRYPOINT ["/entrypoint.sh"]
 HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
- CMD [ -f "/etc/letsencrypt/live/$(echo "$CERTBOT_DOMAINS" | cut -d',' -f1)/fullchain.pem" ]
+ CMD [ -f "/etc/letsencrypt/live/$(echo "$CERTBOT_DOMAINS" | cut -d',' -f1)/fullchain.pem" ]
\ No newline at end of file
diff --git a/src/entrypoint.sh b/src/entrypoint.sh
index 1b089b5..6f77ee9 100644
--- a/src/entrypoint.sh
+++ b/src/entrypoint.sh
@@ -105,13 +105,16 @@ run_certbot() {
 debug_flag=""
 [ "$DEBUG" = "true" ] && debug_flag="-v"
- # Check if we need to expand
- if [ "$CERTBOT_EXPAND" == "true" ]; then
- expand="--expand"
- else
- expand=""
+ # Build additional certbot flags using positional parameters
+ set -- # Reset positional parameters
+
+ if [ -n "$CERTBOT_CERT_NAME" ]; then
+ set -- "$@" --cert-name "$CERTBOT_CERT_NAME"
+ elif [ "$CERTBOT_EXPAND" = "true" ]; then
+ set -- "$@" --expand
 fi
+ # Run certbot command
 $certbot_cmd $debug_flag certonly \
 --dns-cloudflare \
 --dns-cloudflare-credentials "$CLOUDFLARE_CREDENTIALS_FILE" \
@@ -120,10 +123,10 @@ run_certbot() {
 --key-type "$CERTBOT_KEY_TYPE" \
 --email "$CERTBOT_EMAIL" \
 --server "$CERTBOT_SERVER" \
- $expand \
 --agree-tos \
 --non-interactive \
- --strict-permissions
+ --strict-permissions \
+ "$@"
 exit_code=$?
 if [ $exit_code -ne 0 ]; then
 echo "Error: certbot command failed with exit code $exit_code"
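Review bot: Now that `CERTBOT_CERT_NAME` is an input, the HEALTHCHECK in the following hunk still derives the lineage directory from the first entry of `CERTBOT_DOMAINS`; according to certbot's documentation the cert name is what it uses in file paths under `/etc/letsencrypt/live/`, so a container started with a cert name that differs from its first domain would be reported unhealthy after a successful issuance, or healthy on the basis of an older lineage that happens to carry the domain's name. Prefer the explicit name when it is set: `CMD [ -f "/etc/letsencrypt/live/${CERTBOT_CERT_NAME:-$(echo "$CERTBOT_DOMAINS" | cut -d',' -f1)}/fullchain.pem" ]`. Separately, `CERTBOT_EXPAND=false` is the only unquoted value in this ENV block; `CERTBOT_EXPAND="false"` keeps the style uniform.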
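Review bot: `set --` wipes run_certbot's positional parameters for the rest of the function, so any argument a caller passes in is silently discarded; the function head is only hunk context and its call sites are outside the hunk, so I cannot tell whether anything relies on `$1` today, but the comment should record the contract that makes this safe: `set -- # reset positional parameters: run_certbot takes no arguments, "$@" is reused as the extra-flag list`. The `elif` also turns `CERTBOT_EXPAND=true` into a silent no-op whenever `CERTBOT_CERT_NAME` is set, and a deprecated switch that keeps working without a word gives operators no reason to migrate; an `echo "Warning: CERTBOT_EXPAND is deprecated, set CERTBOT_CERT_NAME instead" >&2` inside the `elif` branch would surface that in the container log. run_certbot continues beyond both edges of this hunk.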